UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
NOTE: Some of the pertinent legal frameworks have changed since this report was last updated, including the passing of both the Sharing of Violent Abhorrent Material Bill 2019, amending the Criminal Code Act 1995, and the Assistance and Access Bill 2018, amending the Telecommunications Act 1997.
TELECOMMUNICATIONS ACT 1997
Carriers and carriage service providers (carriers), such as Vodafone, have legislative obligations under the Telecommunications Act 1997 (TA) to provide assistance to law enforcement agencies and national security agencies with the interception of individual customer communications (live communications) where authorised.
Section 313(3) of the TA requires carriers to give officers and authorities of the Commonwealth such help as is reasonably necessary for the purposes of: (i) enforcing the criminal law and laws imposing pecuniary penalties; (ii) assisting the enforcement of the criminal laws in force in a foreign country; (iii) protecting the public revenue; and (iv) safeguarding national security. Section 313(7) of the TA specifies that a reference to ‘giving help’ under section 313(3) of the TA includes the provision of interception services, including services in executing an interception warrant under the Telecommunications (Interception and Access) Act 1979, and the providing of relevant information about any communication that is lawfully intercepted under an interception warrant (sections 313(7)(a) and 313(7)(c)(i) of the TA).
Section 313(1) of the TA requires a carrier to do its best to prevent telecommunication networks and facilities from being used in, or in relation to, the commission of offences against the laws of the Commonwealth or the States and Territories. Examples of the kind of help law enforcement and national security agencies might request under section 313(3) of the TA include: (i) the provision of interception services; (ii) information from a carrier’s information base, such as billing records; and (iii) assistance in tracing a call.
Under Part 16 of the TA, a carrier may be required to supply a carriage service for defence purposes or for the management of natural disasters.
TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) ACT 1979
The Telecommunications (Interception and Access) Act 1979 (the TIA Act) gives law enforcement agencies and national security agencies the power to intercept live communications in specified circumstances. Under Chapter 2 of the TIA Act, interception warrants may be issued in respect of live communications to the Australian Security Intelligence Organisation (ASIO) and certain state and federal law enforcement agencies. Interception warrants permit such agencies to intercept telecommunications for national security, in emergencies and for law enforcement purposes.
Interception warrants may be issued by the Federal Attorney General to the Director-General of Security, or an ASIO employee or affiliate appointed by the Director-General of Security under sections 9 and 9A of the TIA Act for security purposes. Under section 10 of the TIA Act, the Director-General of Security can issue an interception warrant in certain specified emergencies where the Attorney General cannot issue the warrant in sufficient time. Under sections 11A, 11B and 11C of the TIA Act, telecommunications service warrants, named person warrants and foreign communications warrants, for the collection of foreign intelligence, may be issued to the Director-General of Security or an ASIO employee or affiliate appointed by the Director-General of Security. A named person warrant issued under section 11B may authorise entry on any premises specified in the warrant for the purpose of installing, maintaining, using or recovering any equipment used to intercept foreign communications (section 11B(1B) of the TIA Act). Under section 11C(4)(a), a foreign communications warrant must include a notice addressed to the carrier who operates the telecommunications system giving a description identifying the part of the telecommunications system that is covered by the warrant.
Under section 30 of the TIA Act, the interception of live communications may occur (without a warrant being issued) by the police in specified urgent situations; for example, where there is risk to loss of life or the infliction of serious personal injury or where threats to kill or seriously injure another person have been made. The police are able to request a carrier to intercept individual communications in these circumstances for the purposes of tracing the location of a caller. (Part 23 of Chapter 2 of the TIA Act).
Interception of live communications may also be authorised (without a warrant) under section 31A of the TIA Act by the Attorney General to enable security authorities for the purpose of developing and testing interception capabilities (Part 24 of Chapter 2 of the TIA Act).
Under Part 2-5 of Chapter 2 of the TIA Act, interception warrants may be issued to agencies that are defined as interception agencies, which in turn are defined as Commonwealth agencies or an eligible agency of a State in relation to which a declaration under section 34 of the TIA Act is in force. These agencies could include the Australian Federal Police (AFP), the Australian Crime Commission, the Independent Commission Against Corruption and the State Police Forces. Interception warrants are issued by an ‘eligible judge’, namely a judge of a court created by the Commonwealth Parliament who has consented to being nominated, or by nominated members of the Administrative Appeals Tribunal (AAT) (sections 46 and 46A of the TIA Act). Interception warrants may only be issued in relation to the investigation of serious offences as defined in section 5D of the TIA Act.
Parts 5-2 to 5-5 of Chapter 5 of the TIA Act impose obligations on carriers to ensure that it is possible to execute a warrant issued for interception purposes, unless an exemption has been granted. Specific technical capabilities are imposed, including, by way of example, the nomination of delivery points in respect of a particular kind of telecommunication service of a carrier (section 188). In practice, when served with a warrant, the carrier will be required to intercept all traffic transmitted, or caused to be transmitted to and from the identifier of the target service used by the interception subject and described on the face of the warrant. The carrier will also need to deliver the intercepted communications through an agreed delivery point from which the intercepting agency may access those communications.
Under Part 5-3 of Chapter 5 of the TIA Act, the minister may make determinations in relation to interception capabilities applicable to a specified kind of telecommunication service that involves, or will involve, the use of the telecommunication system. Carriers and nominated carriage service providers may be required under such determinations to lodge annual Interception Capability Plans (IC plan) with the Communications Access Co-ordinator of the Attorney General’s Department. Part 5-4 of Chapter 5 of the TIA Act specifies the obligations of a carrier in relation to an IC plan such as the matters to be set out in an IC plan (section 195(2)) and the time for delivering IC plans (sections 196 and 197).
Under Part 5-5 of Chapter 5 of the TIA Act, the Communications Access Co-ordinator may make determinations in relation to delivery capabilities applicable to specified kinds of telecommunications services, and to one or more specified interception agencies relating to such matters as the format in which lawfully intercepted information is to be delivered to an interception agency, the place and manner in which such information is to be delivered, and any ancillary information that should accompany that information.
THE AUSTRALIAN SECURITY INTELLIGENCE ACT 1979
While the Australian Security Intelligence Organisation Act 1979 (ASIO Act) enables ASIO to use listening devices under warrants issued by the Minister (section 26 of the ASIO Act), this section, or a warrant issued under this section, does not apply or relate to the use of a listening device for a purpose that would, under the TIA Act, constitute the interception of a communication passing over a telecommunications system operated by a carrier.
A computer access warrant may be issued under the ASIO Act and may allow the use of a telecommunications facility operated by a carrier for the purpose of obtaining access to data that is relevant to a security matter and is held in the target computer at any time while the warrant is in force (section 25A of the ASIO Act).
THE CRIMES ACT 1914
The Crimes Act 1914 (Cth) (Crimes Act) authorises certain officers of the AFP and State and Territory police to obtain information pursuant to search warrants issued under the Crimes Act from premises, computers or computer systems and information in relation to telephone accounts held by a person. The Crimes Act does not only apply to carriers.
Section 3LA of the Crimes Act enables a constable (a member or special member of the AFP or a member of the police force or police service of a state or territory) to apply to a magistrate for an order requiring a specified person to provide any information or assistance that is reasonable and necessary to enable a constable to access data held in, or that is accessible from, a computer or data storage device.
Under section 3ZQN of the Crimes Act, an authorised AFP officer may give a person a written notice requiring that person to produce documents that relate to serious terrorism offences.
Under section 3ZQO of the Crimes Act, an authorised AFP officer may apply to a judge of the Federal Circuit Court of Australia for a notice requiring a person to disclose documents relating to serious offences. Such documents may relate to a telephone account held by a specified person and details relating to the account, such as the details in respect of calls made to, or from, the relevant telephone number.
Disclosure of Communications Data
TELECOMMUNICATIONS(INTERCEPTIONS AND ACCESS) ACT 1997
Carriers have legislative obligations under the TA to provide assistance to law enforcement and national security agencies which includes an obligation to disclose information where authorised.
Under section 284 of the TA disclosure of information to the ACMA, the Australian Competition and Consumer Commission (“ACCC”), the Telecommunications Ombudsman or the Telecommunications Universal Services Agency is permitted where the information may assist those agencies to carry out their functions. Sections 279 and 280 of the TA permit the disclosure of information if the information is used in the performance of a person’s duties as an employee of a carrier or where the disclosure is authorised under a warrant and by law. Section 313(7) of the TA specifies that a reference to giving help under section 313 of the Act includes giving effect to a stored communications warrant and to providing relevant information about any communication that is lawfully accessed under a stored communications warrant (sections 313(7)(b) and 313(7)(c)(ii)).
TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) ACT 1979
Under Part 3-1A of the TIA Act, certain agencies are allowed to give preservation notices to carriers to preserve stored communications that the carrier holds that relate to a person or particular telecommunications service. There are broadly two types of preservation notices: domestic preservation notices (which can be either historic or ongoing and which relate to stored communications that might relate to contraventions of certain Australian laws or to security); and foreign preservation notices (which relate to stored communications that might relate to contraventions of certain foreign laws). The purpose of these preservation notices is to prevent stored communications being destroyed before a warrant has been issued to access these stored communications.
Part 3 of the TIA Act enables ASIO and specified government agencies to access stored communications pursuant to a stored communication warrant issued under the TIA Act for the purpose of national security and law enforcement.
Under Part 3-3 of Chapter 3 of the TIA Act, stored communication warrants for law enforcement purposes may be issued to criminal law enforcement agencies for the purpose of investigating serious contraventions. Such agencies include but are not limited to agencies such as the ACCC, the Australian Securities and Investments Commission (ASIC) and the Independent Commission Against Corruption. ASIO can access stored communications using its existing interception warrants (section 109 of the TIA Act).
Stored communication warrants can be issued by certain nominated judges and nominated AAT members in relation to the investigation of serious contraventions. Serious contraventions, by way of example, include an offence under a law of the Commonwealth, a state or a territory that is punishable by imprisonment for a maximum period of at least three years. Stored communication warrants may also be issued as part of a statutory civil proceedings that would render the person of interest to a pecuniary penalty.
THE CRIMES ACT 1914
Under the Crimes Act an authorised AFP officer may access metadata or stored communications pursuant to a search warrant.
THE AUSTRALIAN SECURITY INTELLIGENCE ACT 1979
Under section 25A of the ASIO Act a stored communication may be accessed under a computer access warrant issued to ASIO. Additionally, a stored communication can be accessed by ASIO if the access results from, or is incidental to, action taken by an officer of ASIO, in the lawful performance of his or her duties, for the purpose of: (i) discovering whether a listening device is being used at, or in relation to, a particular place; or (ii) determining the location of a listening device (see section 108(2)(f) and (g) of the TIA Act).
DISCLOSURE OF TELECOMMUNICATIONS DATA
Chapter 4 of the TIA Act specifies the circumstances in which telecommunications data may be voluntarily disclosed to government and law enforcement agencies by carriers or carriage service providers and the conditions by which authorisations can be issued requiring the disclosure of information.
Telecommunications data is not defined in the TIA Act but is well understood to mean the metadata relating to communications, but not the contents or substance of communications themselves.
Sections 174 and 175 of the TIA Act provide for the disclosure of information to ASIO. Information may be disclosed voluntarily if it is in connection with the performance of ASIO’s functions. Information may otherwise be disclosed pursuant to an authorisation issued by the Director-General of Security, the Deputy Director-General of Security or a specified employee or affiliate of ASIO. Authorisations may be in respect of existing information or prospective information (specified information or documents that come into existence during the period for which the authorisation is in force).
Sections 177 to 180 of the TIA Act specify the circumstances in which disclosure of information or a document may be made to an enforcement agency. Voluntary disclosure of information may occur if the disclosure is reasonably necessary for the enforcement of the criminal law. Disclosure of information may also occur pursuant to authorisations issued by an authorised officer of an enforcement agency for the purpose of:
(i) the enforcement of the criminal law;
(ii) the location of missing persons; and
(iii) the enforcement of a law imposing a pecuniary penalty and for the protection of the public revenue.
Sections 180A to 180E of the TIA Act specify the circumstances in which disclosure of specified information or specified documents may be made to an officer of the AFP, or authorised by an authorised officer of the AFP, for the enforcement of the criminal law of a foreign country.
On 13 October 2015, the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (DR Act) came into force. The DR Act amended the TIA Act and introduced a requirement for network operators to retain and secure specific telecommunications data for a period of two years for each communications service they provide.
Under the new Part 5-1A, an obligation was introduced for carriers to retain certain specified data for two years from the date on which the information or document is created. Carriers must keep certain types of subscriber information throughout the life of the account and for a further two years after closure of the relevant account.
The DR Act permitted network operators to apply for a time extension during which they would be exempt from complying with the requirements of the DR Act applying from 13 October 2015 through the lodging of a Data Retention Implementation Plan (DRIP) and approval of this DRIP by the Communications Access Co-ordinator. This process was introduced to allow network operators additional time to implement a fully compliant data retention system.
The DR Act limited data access to an approved list of agencies that have operational or investigative need to access the retained metadata. However, existing state and territory-based laws continue to allow access to a wide range of agencies and bodies in those states and territories. Law enforcement and security agencies will continue to make requests for access to telecommunications data as previously.
TELECOMMUNICATIONS ACT1997
Carriers have legislative obligations under the TA to provide assistance to law enforcement and national security agencies, including an obligation to disclose information where authorised.
Under section 284 of the TA, disclosure of information to the ACMA, the Australian Competition and Consumer Commission (ACCC), the Telecommunications Ombudsman or the Children’s e-Safety Commissioner is permitted where the information may assist those agencies to carry out their functions.
Sections 279 and 280 of the TA permit the disclosure of information if the information is used in the performance of a person’s duties as an employee of a carrier or where the disclosure is authorised under a warrant and by law.
Section 313(7) of the TA specifies that a reference to giving help under section 313 of the Act includes giving effect to a stored communications warrant and to providing relevant information about any communication that is lawfully accessed under a stored communications warrant (sections 313(7)(b) and 313(7)(c)(ii)).
THE CRIMES ACT 1914
Under the Crimes Act, an authorised AFP officer may access metadata or stored communications pursuant to a search warrant.
National Security and Emergency Powers
TELECOMMUNICATIONS ACT 1997
The TA enables the Secretary of the Defence Department of the Chief of Defence Force to require the supply of a carriage service for defence purposes or for the management of natural disasters.
Under section 335 of the TA, a Defence authority may give a carriage service provider a written notice requiring the provider to supply a specified carriage service for the use of the Defence Department or the Defence Force. If a requirement is in force, the provider must supply the carriage service in accordance with the requirement, and on such terms and conditions as are agreed between the provider and the Defence authority or, failing agreement, determined by an arbitrator appointed by the parties.
Division 4 of Part 16 of the TA provides that a carrier licence condition may include a ‘designated disaster plan’ for coping with disasters and/or civil emergencies prepared by the Commonwealth, a state or a territory.
Oversight of the Use of Powers
TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) ACT 1979
The TIA Act contains a number of safeguards and controls in relation to interception and access to stored communications and telecommunications data as well as a number of reporting requirements. These requirements are designed to ensure that appropriate levels of accountability exist.
Under the TIA Act, records relating to interception warrants and the use, decimation and destruction of intercepted information must be maintained by law enforcement authorities. The Commonwealth Ombudsman is required to inspect certain records (such as those maintained by the AFP) and report to the Minister (Part 2-7 of Chapter 2 of the TIA Act).
Part 2-10 of Chapter 2 of the TIA Act provides that a person who was a party to a communication, or on whose behalf a communication was made, can apply for a civil remedy to the Federal Court of Australia or a court of a state or territory if that communication was intercepted in contravention of the Act. Section 7(1) of the TIA Act prohibits the interception of a communication passing over a telecommunication system except in specified circumstances, for example where conducted under a warrant or by an officer of ASIO. Division 6 of Part 4-1 of Chapter 4 of the TIA Act creates offences for certain disclosures and uses of information and documents. By way of example, it is an offence to disclose information concerning whether an authorisation has been sought and the making of an authorisation unless disclosure is reasonably necessary to enable law enforcement agencies to enforce the criminal law.
Section 186 of the TIA Act requires an enforcement agency to give the minister a written report, no later than three months after 30 June, of all authorisations issued under Chapter 4 of the TIA Act in the preceding financial year. The Minister must then prepare a summary report of all reports received under section 186(1) and cause a copy of that report to be tabled before Parliament.
Similar reporting requirements are placed on criminal-law enforcement agencies and the minister in respect of stored communication warrants as in relation to interception warrants (Part 3-6 of Chapter 3 of the TIA Act). Part 3-7 of Chapter 3 of the TIA Act provides that an aggrieved person can apply for a civil remedy to the Federal Court of Australia or a court of a state or territory in relation to an accessed communication, if information relating to it is disclosed in contravention of section 108 of the TIA Act.
Under Chapter 4A of the TIA Act, the Commonwealth Ombudsman must inspect records of an enforcement agency to determine compliance with Chapter 4 of the TIA Act. This Chapter sets out the powers of inspection and powers of the Commonwealth Ombudsman to request information from agencies.
TELECOMMUNICATIONS ACT 1997
Section 314 of the TA provides that, when providing help to an officer or authority of the Commonwealth, a state or a territory under section 313(3) or (4), a party (carrier) must comply with the requirement to help on such terms and conditions as are agreed between the party and relevant agency or, failing agreement, as determined by an arbitrator appointed by the parties. Where the parties fail to agree on the appointment of an arbitrator, the ACMA is to appoint the arbitrator.
JUDICIAL REVIEW
Judicial review of government decision- making by a court is available under sections 39B(1) and 39B(1A) of the Judiciary Act 1903 (Cth) and section 75(v) of the Constitution. For example, in relation to the decision by a government officer to issue a warrant.
Section 39B(1) confers jurisdiction on the Federal Court with respect to any matter in which a writ of mandamus (that is, an order requiring a public official to perform a duty or exercise a statutory discretionary power), certiorari (that is, an order quashing an act), prohibition (that is, an order preventing someone from performing a specified act), or an injunction (a Court order requiring a person to do, or refrain from doing, a certain thing) is sought against an officer of the Commonwealth.
Section 39B(1A) provides that the Federal Court’s original jurisdiction also includes jurisdiction in any matter ‘arising under any laws made by the Parliament’ (other than a criminal matter).
Under section 75(v) of the Constitution, the High Court (Australia’s highest court) has original jurisdiction in all matters in which a writ of mandamus or prohibition or an injunction is sought against an officer of the Commonwealth.
Judicial review does not concern itself with the merits of a decision, but considers whether a decision-maker has made their decision within the limits of the powers conferred by statute, the Constitution and the common law. So, when reviewing a decision to issue an interception warrant, the Court will examine the legislation under which access to the data was granted and whether the requirements for granting access were met.
Censorship-related Powers
SHUT-DOWN OF NETWORK AND SERVICES
The government does not have the legal authority to require the shutdown of Vodafone’s entire network for censorship related purposes. However, the police can request the shut-down of an individual’s mobile service in limited circumstances.
Telecommunications Act 1997
Under Section 315 of the TA a police officer, not below the rank of Assistant Commissioner, may request a network provider (such as Vodafone) to suspend the supply of a mobile service in the case of an emergency. The police officer may only make such a request of Vodafone if he or she has reasonable grounds to believe that: (i) an individual has done (or has imminently threatened to do) an act that has resulted in, or is likely to result in, loss of life or serious personal injury, or the individual has made an imminent threat to cause serious damage to property or do an act that is likely to endanger their health or safety; (ii) the individual has access to Vodafone’s mobile service; and (iii) the suspension is reasonably necessary to prevent or reduce the likelihood of those acts occurring (or, as the case may be, recurring).
BLOCKING OF URLS & IP ADDRESSES
Telecommunications Act 1997
Regulatory bodies and law enforcement agencies can require network providers (such as Vodafone) to provide assistance necessary to enforce the law including by requesting the blocking of IP addresses and/or ranges of IP addresses under Section 313 of the TA. The Australian Federal Police have put in place a section 313 request to require Vodafone to block access to Interpol’s ‘worst of’ list of websites containing child sexual abuse images.
Broadcasting Services Act 1992
Under Schedule 5 and Schedule 7 of the Broadcasting Services Act 1992, the Australian Communications and Media Authority (ACMA) is empowered to require internet service providers (such as Vodafone) to take action in respect of websites where they contain prohibited content. Content is prohibited where it is, or in ACMA’s judgment is likely to be, a refused classification or classified X18+; classified R18+ and not protected by a restricted access system. Where the content is hosted within Australia, the ACMA may require removal of the content, the link or service, or require the use of a restricted access system (see Schedule 7, clauses 47, 56 and 62 of the Broadcasting Services Act 1992). Where the prohibited content is hosted outside of Australia, the blocking is carried out by use of filtering software that internet service providers are required to offer to their customers; the software works by referring to a list of banned websites (and their URLs) maintained by ACMA (see Schedule 5, clause 40(1)(b) of the Broadcasting Services Act 1992 and clause 19 of the Internet Industry Codes of Practice – Internet and Mobile Content 2005). ACMA also has the power to issue local websites with a ‘take-down’ notice in respect of content that must be removed (see Schedule 5, clause 47 of the Broadcasting Services Act 1992); the step of blocking the website’s URL usually follows when the requested take-down has not occurred.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
The government does not have legal authority to take control of Vodafone’s network.
Oversight of the Use of Powers (Censorship-related)
JUDICIAL REVIEW
Under Section 75(v) of the Australian Constitution, the High Court has original jurisdiction in all matters in which a writ of mandamus, prohibition or injunction is sought against an officer of the Commonwealth.
At a lower level in the court hierarchy, the Federal Court has original jurisdiction over any matter arising under any laws made by Australia’s parliament, except for a criminal matter pursuant to Section 39B(1A). Under Section 39B(1), the Federal Court can decide on any matter in which a writ of mandamus, certiorari, prohibition or an injunction is sought against an officer of the Commonwealth.
Judicial review does not concern itself with the merits of a decision, but considers whether a decision-maker has made their decision within the limits of the powers conferred by Australia’s Constitution, statute and common law.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
The following legislative provisions are relevant to this question.
Telecommunications Act 1997
Under section 313(3) of the TA, telecommunications operators must provide such help to agencies (for example, law enforcement agencies) as is ‘reasonably necessary’ for enforcing the criminal law and laws imposing pecuniary penalties, protecting public revenue and safeguarding national security. The reference to giving help in section 313(3) includes giving help by way of:
a. the provision of interception services, including services in executing an interception warrant under the Telecommunications (Interception and Access) Act 1979;
b. giving effect to a stored communications warrant under that Act;
c. providing relevant information about:
– any communication that is lawfully intercepted under such an interception warrant; or
– any communication that is lawfully accessed under such a stored communications warrant;
(ca) complying with a domestic preservation notice or a foreign preservation notice that is in force under Part 3-1A of that Act; giving effect to authorisations under Division 3 or 4 of Part 4-1 of that Act; or
d. giving effect to authorisations under Division 3 or 4 of Part 4-1 of that Act; or
e. disclosing information or a document in accordance with section 280 of this Act.
If a telecommunications operator has encrypted data and content, holds the encryption key and therefore has the technological ability to ‘unlock’ that data and content, we consider the requirements of Section 313(3) would extend to include a requirement to decrypt the data in circumstances where the required legal grounds for interception, access or disclosure are satisfied.
Telecommunications (Interception and Access) Act 1979
As set out in the interception and disclosure country annexe for Australia, the TIA Act gives law enforcement agencies and national security agencies the power to intercept live communications in specified circumstances. Part 3 of the TIA Act enables ASIO and specified government agencies to access stored communications pursuant to a stored communication warrant issued under the TIA Act for the purpose of national security and law enforcement. Chapter 4 of the TIA Act specifies the circumstances in which telecommunications data may be voluntarily disclosed to government and law enforcement agencies by carriers or carriage service providers and the conditions by which authorisations can be issued requiring the disclosure of information.
As is the case with Section 313(3) of the TA, our view is that the obligations under each of these provisions of the TIA Act extend to require telecommunications operators to decrypt content where they hold the encryption key in order to give full effect to the rights of the relevant agencies under the legislation.
Under the new Part 5-1A of the TIA Act, an obligation was introduced for carriers to retain certain specified data for two years from the date on which the information or document is created. Carriers must keep certain types of subscriber information for a longer period: throughout the life of the account and for a further two years after closure of the relevant account. Under section 187BA of the TIA Act introduced through the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (the DR Act), the carrier is expressly required to protect the confidentiality of information that it must keep under section 187A of the TIA Act by encrypting the information and protecting the information from unauthorised interference or unauthorised access.
The Explanatory Memorandum to the DR Act indicates that where a service provider encrypts retained data, the service provider must retain the technical capability to decrypt and disclose relevant retained data in a usable form in accordance with a lawful request under the TIA Act or the TA.
Vodafone notes that there is no applicable case law on these issues and this answer is therefore based on statute.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
The government has no specific, express legal authority to require telecommunications operators to decrypt data carried on its networks as part of a telecommunications service where the encryption has been applied by a third party.
We do not consider that the requirement to give agencies ‘help’ under section 313(3) of the TA will extend to decrypting third party OTT or user-encrypted data that was not encrypted by a telecommunications operator and where the operator does not hold the encryption key. Decrypting, or attempting to decrypt, third party OTT or user-encrypted data would place financial and resource obligations on a telecommunications operator that we do not think are envisaged by the statute. In addition, decrypting or attempting to decrypt this data without the knowledge or consent of these third parties could, in some circumstances, lead to legal recourse against the telecommunications operator.
There are no provisions in the TIA Act that would extend to requiring a telecommunications operator to seek to decrypt such traffic. In the case of Part 5-1A (which relates to the retention of telecommunications data), there is an express provision that states that the carrier is not required to retain any information that is carried by means of another service (ie an OTT service).
We note that there is no applicable case law on these issues and this answer is therefore based on statute.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
No, a telecommunications operator would not be able to offer end-to-end encryption that it does not have the technological capacity to breach without breaching its existing law enforcement obligations.
Under Part 5-4 of the TIA Act, telecommunications operators are required to provide an interception capability plan to the Communications Access Co-ordinator (a function of the Attorney General’s Department) each year on or around 1 July. The interception capability plan must set out the strategies for compliance with an operator’s legal obligation to provide interception capabilities and a statement of the compliance by the operator with that legal obligation.
In addition, section 202B of Part 5-4A of the TIA Act requires telecommunications operators to notify the Communications Access Co-ordinator of any change to a service or system that is likely to have a material adverse effect on the capacity of it to comply with its obligations under the TIA Act or Section 313 of the TA (more particularly described in the answer to Question 1 above). The Communications Access Co-ordinator then has a period of 30 days to notify the operator that it must not implement the change.
In this scenario, we consider it highly likely that the Communications Access Co-ordinator would reject a proposal to implement end-to-end encryption that an operator does not have the capacity to break. That is because such implementation would have a material adverse effect on the ability of relevant agencies to intercept communications.
It is likely that the implementation of such a service would be treated as non-compliance with Section 313 of the TA. Finally, Section 106 of the TIA Act also provides that a person must not obstruct or hinder a person acting under a warrant. It is possible that this provision could be breached in circumstances where an operator unilaterally implements an end-to-end encryption service that it does not have the capacity to break. That is because such action would have the effect of preventing an agency from exercising the warrant.
Vodafone notes that there is no applicable case law on these issues and this answer is therefore based on statute.
4. Please provide examples in your jurisdiction where legislation that predated the advent of commercial encryption (which we estimate to be circa 1990) has been applied to contemporary cases involving encryption.
Vodafone is not aware of any legislation in Australia that predates the advent of commercial encryption used to produce judgments that are then applied to use of commercial encryption.