Thursday, 21 May 2020 11:22

New Australian law will give Americans access to encrypted info: expert

Helaine Leggat: "Much awareness, public debate and consideration is required. This bill should not be rushed." Supplied

Information that Australian law enforcement authorities collate using the country's 2018 encryption laws will be freely available to their US counterparts under the provisions of a new law which is currently the subject of a parliamentary inquiry, a legal expert says.

Helaine Leggat, managing partner of law firm ICT Legal Consulting Australia, told iTWire in response to queries that the Telecommunications Legislation Amendment (International Production Orders) Bill No. XX 2020 was also intended to amend the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, or TOLA Act, which in common parlance is the encryption law passed in 2018. The bill seeks alignment with the US CLOUD (Clarifying Lawful Overseas Use of Data) Act so that Australian agencies can gain faster access to information than through the mutual exchange process.

"The extra-territorial reach of TOLA means that it will ease access to encrypted data and work hand-in-hand with the CLOUD Act to facilitate access to electronic data held by 'communications-service providers'", Leggat said.

"You will recall last year’s numerous debates regarding Australia becoming the pariah of the world for weakening trust and breaking security by mandating 'designated communications providers' (anywhere in the world) to 'do acts or things' by way of giving certain types of help to national security and law enforcement agencies.

"The net effect of the two laws is that information acquired through the application of TOLA can be made available to other countries who have entered into a CLOUD Agreement."

The US CLOUD Act was passed in 2018 to make it possible for warrants issued by an American authority to be used to seize data stored by branches of US firms abroad. The Act was passed to overcome an obstacle faced by the FBI in obtaining data which Microsoft had stored in Ireland. The agency said the data in question was related to a drug-trafficking case.

The corresponding Australian law would allow local authorities to have the same reach as the Americans, this time to data and individuals in the US, provided their data was needed for progressing a judicial or criminal case or investigation.

In the normal course of things, a request for data under the so-called mutual legal assistance treaty takes a long time to deliver results, if any. That is the rationale behind the Australian move.

The UK has already passed a law that enables it to co-operate with the Americans in order to benefit from the reach of the CLOUD Act.

The Parliamentary Joint Committee on Intelligence and Security is conducting an inquiry into the new law, with submissions still being accepted. The PJCIS has been asked to submit its report by 26 June.

According to official statements, the changes being made are meant to:

  • "provide a framework for Australian agencies to obtain independently-authorised international production orders for interception, stored communications and telecommunications data directly to designated communications providers in foreign countries with which Australia has a designated international agreement;
  • "amend the regulatory framework to allow Australian communications providers to intercept and disclose electronic information in response to an incoming order or request from a foreign country with which Australia has an agreement;
  • "make amendments contingent on the commencement of the proposed Federal Circuit and Family Court of Australia Act 2020; and
  • "remove the ability for nominated Administrative Appeals Tribunal members to issue certain warrants."

While the UK has laws on its books that provide for GDPR-style privacy protections for individuals, Australian privacy law is not regarded as adequate by European standards.

Leggat said while she had not studied the new law in detail, "one point of interest is that, while the US-UK Agreement and the Privacy Shield arrangements between the EU and the US (in terms of which the US Government provides assurances for individuals to legal recourse), provide reasonable assurances for the protection of privacy, Australia does not have a Privacy Shield type arrangement with other countries.

"Again, on an initial reading of the Bill, and mindful of the Regulatory Universe, (including related surveillance laws), I find the Australian provisions weighted in favour of law enforcement and surveillance at the cost of privacy and the protection of personal information."

Leggat said the claim, mentioned in one submission to the PJCIS inquiry, that Australia would not be able to pursue cases involving Americans and American data, was not correct.

"That is not what I understand. These are bilateral agreements with mutual reciprocal rights," she said. "I also read that what starts as bilateral agreements, eg between the US and the UK, and between the US and Australia, will have the effect of becoming a multilateral agreement facilitating the access of data between the UK and Australia, and other signatory countries in future. I do not think that the provisions relating to restrictions on third-party sharing prevent this."

The question of encrypted data did not pose an obstacle to sharing data, Leggat said. "The way I read this is that under TOLA, encryption is no impediment to access. Australia requires all designated service providers, essentially to assist access to unencrypted information, and under the Cloud agreement, the unencrypted information can be accessed by the US.

"This is the interesting part, that I do not think the Australian public really understands. Even encrypted messaging systems like WhatsApp offer no security of privacy or confidentiality under TOLA, and the CLOUD Agreement is intended to make the unencrypted data available, so the reach of law enforcement is greatly enhanced.

"In the UK, the Regulation of Investigatory Powers Act 2000 (RIPA), Part III, requires people to decrypt information and/or supply keys to government representatives to decrypt information without a court order."

Leggat cautioned against rushing legislation of this nature through Parliament. "Much awareness, public debate and consideration is required. This bill should not be rushed. It is a monster piece of legislation, detailed, precise and procedural in its approach," she pointed out.

"The government must allow time for informed public participation. The devil is in the detail. There is no question that law enforcement powers are necessary, but they must be balanced and proportional to the needs of civilised societies."



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


