Encryption Laws – What does it mean for me?

In December of 2018, the Australian Government passed new laws that put our cyber security and privacy at risk. The Government, by its own admission, rushed approval of the law, without regard for the negative impacts it may have on Australians and the world of cyber security.

Importantly, the law itself is vague in parts and there is no current oversight or supervision against potential abuse of the new powers.

What is encryption and why is it important?

Encryption is the scrambling of messages and information so that they cannot be read by anyone other than someone with the correct decryption key. In modern messaging platforms (Facebook, WhatsApp, Viber, etc.) the encryption is end-to-end. This means that the only people with the correct decryption key are the intended parties of the messages.

If Joe Blob sends a message to Laura Smith, only Joe and Laura can read that message; Facebook, or whichever messaging platform they use, would be unable to see the unencrypted message. This allows for each party to maintain their privacy.

So how can the Government read my messages?

Government agencies have previously told the public that 90% of communications they intercept are encrypted and unable to be read. The recently passed legislation intends to counter this by gaining access to communications when they are not in an encrypted state, that is, before or after encryption.

Agencies wanting to read messages before they are encrypted can be likened to having somebody else (Government) looking over your shoulder as you write a letter, before you put the letter away in a ‘secure’ envelope.

Their other method relies on communications being accessed after they have been sent and received. Agencies intend to be able to read decrypted information and messages with the assistance of cyber companies.

How can they gain access to my messages?

The Government and/or security agencies now have the power to issue notices under any of 3 increasingly demanding categories. The notices may be issued to cyber companies, which may include social media (Facebook, Instagram, Snapchat, etc.), messaging services (WhatsApp, Viber, etc.) and telcos (Telstra, Optus, Vodafone, etc.).

They may ask for voluntary assistance. This step allows cyber companies to grant access to the requesting agency to read unencrypted messages. Companies are not compelled to comply but if they do, they are not liable for any breach of privacy.

The second option is to request mandatory assistance. Cyber companies must then provide the requesting agency with access to the requested messages. Agencies can enforce these notices with severe fines if companies do not comply.

The third notice compels companies to ensure their systems have the capability to allow access to agents at a future time. Companies must then ensure that if they are issued one of the previous notices, they are ready and capable of providing the requested assistance. This level of power is a particular threat to the people of Australia as it potentially interferes with and exposes methods of cyber security.

Surely this doesn’t affect me?

Lawmakers have publicly labelled the bill as an effort to ‘prevent and counter terrorism and pedophilia.’ Yet, the law contains vague terms and has no clear scope of power. IT companies and other industry groups have raised very public concerns that the new laws are open to abuse.

Terms such as ‘reasonable’ and ‘proportionate’ are open to discretion, and ultimately members of the general public may be left vulnerable. At this stage, there is no direct and explicit authority preventing police from attempting to use the law in order to pursue charges unrelated to the 2 purposes named above.

What does this all mean for me?

At this stage, the laws remain open and untested. As of today’s date, it is unknown how many notices have been issued and whether companies have started complying with any level of the notice. Some major companies such as Apple have publicly opposed the legislation, although it is unknown whether they are willing to comply, or already have complied.

Keep in mind that some companies have more secure encryption and claim to delete all message information (e.g. Wickr). These companies are seemingly less vulnerable to compromise; however, the new laws give agencies the potential power to access information – and to outlaw any knowledge of Government access being passed to the community.

The Labor Government claims it intends to review the legislation in 2019 and make amendments. Until that time, private messaging may be compromised.

What can I do now?

Some apps and services such as Wickr are more private and less likely to expose private data. If you have any concerns about breaches of your privacy, it may be in your best interest to seek immediate legal advice.

Our Michael Gatenby has extensive experience in issues relating to collection of evidence, including the Telecommunications (Interception and Access) Act 1976, Police Powers and Responsibilities Act 2000, Telecommunications Act 1997, Criminal Code Act 1995 and other related legislation.

If you have questions or concerns relating to your legal rights in criminal investigations, please feel free to contact our office at your earliest convenience.

Disclaimer

This website contains general information about legal matters.  The information is not advice, and should not be treated as such.  You must not rely on the information on this website as an alternative to legal advice from your lawyer or other professional legal services provider.  You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of information on this website.

For specific legal advice, you should immediately contact Gatenby Criminal Lawyers on (07) 5580 0120.

Liability limited by a scheme approved under professional standards legislation.