Australia’s ‘encryption laws’ are “likely to be necessary” but require strict judicial oversight to ensure Australians’ rights are properly protected, a review into the controversial Assistance and Access Act has concluded.

Helmed by Independent National Security Legislation Monitor (INSLM) Dr James Renwick, the review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, also known as TOLA, was initiated by the Parliamentary Joint Committee on Intelligence & Security (PJCIS) to consider whether the legislation “is proportionate to the threats it seeks to meet and treats human rights properly”.

Renwick’s analysis concluded that TOLA “is or is likely to be necessary” with two amendments, and that it will meet proportionality and proper rights protection objectives “if, but only if,” a series of recommendations are implemented to change the operation of the TOLA provisions.

These recommendations include removing the power of government agency heads to issue Technical Assistance Notices (TANs) – compulsory notices that force an online provider to give access to its communications services – and removing the power of the Attorney-General to compel Designated Communications Providers (DCPs) to build surveillance capabilities via Technical Capability Notices (TCNs).

Oversight of TANs and TCNs should, Renwick concluded, be transferred to the Administrative Appeals Tribunal to ensure independence of the process.

He also recommended the creation of a new statutory body, called the Investigatory Powers Commissioner and headed by a retired judge, that will oversee the issuing of TANs and TCNs.

“TANs and TCNs do not provide the authority to obtain content from a designated communications provider [such as Facebook, WhatsApp, and other encrypted communications services] without an underlying warrant,” he concluded.

The government had argued that TANs and TCNs were just a way of ensuring that data obtained under otherwise lawful warrants is “accessible and comprehensible”, but Renwick rejected this argument.

“I consider that there is a greater need for safeguards in the virtual world than in the physical world,” he concluded, “for both reasons of trust and the wide and unknown impact of technology”.

A matter of trust

The review validates the concerns of organisations such as the Australian Human Rights Commission, which, like many critics, had objected to TOLA’s delegation of powers and their potential to override fundamental human rights.

“TOLA has become an infamous example of legislation undermining encryption and the vital role it plays in security and privacy online,” said Access Now policy analyst Lucie Krahulcova, who welcomed the review’s findings and warned that its recommendations, “which mirror the concerns of many stakeholders, must be acted on by Parliament if the Australian Government wants to rebuild trust with its technical community and users.”

Extensive global precedent has affirmed privacy as one such right, with laws in Europe and elsewhere designed to protect citizens from “unlawful and unnecessary government surveillance.”

Although exemptions have been invariably tied to national security issues – an argument the Australian government used to push through the laws in late 2018 – the review’s conclusion is that national-security agencies should not manage TOLA’s usage by themselves.

The recommendations were welcomed by peak group Internet Australia, which endorsed the INSLM report but warned that “the legislation remains fundamentally flawed and is already causing damage to Australian industry”.

“These changes will assist the community to have some confidence that the use of these intrusive powers can be properly evaluated for balance and proportionality while being restricted to the most serious of investigations,” Internet Australia chair Dr Paul Brooks said.

Police decryption of instant-messaging communications was flagged as a key tool by which European police recently completed a massive operation that saw 746 arrests, the seizure of $97m in cash, and over 2 tonnes of drugs.

While such wins may support the government’s argument for access, oversight was crucial: as Brooks warned, “we must be vigilant to ensure well-intentioned measures to assist law-enforcement investigations do not reduce security or privacy… more must be done to ensure these laws don’t result in damaging the trust Australians must have in the security of the systems they use every day.”

Trust in the integrity of online systems has been a recurring theme recently: India’s government banned 59 Chinese apps on data-sovereignty concerns, the Australian government pushed for sensitive data to be hosted onshore, and a new AustCyber report warned that such integrity would be fundamental to Australia’s digital-led economic recovery.