The Australian Federal Police used its new encryption-busting powers only three times in the last year and is still yet to call on the more forceful elements of the controversial regime.
The Telecommunications and Other Legislation Act (TOLA) hands powers to agencies and law enforcement to compel tech companies to provide access to encrypted communications.
They include technical assistance requests (TARs), which call on a tech company to voluntarily provide access to data using existing capabilities, and technical assistance notices (TANs) and technical capability notices (TCNs), which compel a company to provide assistance and build new capabilities into products (such as the means to circumvent encryption).
In a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), the Australian Federal Police (AFP) said it had only called on the new encryption powers three times from 1 July 2019 to 30 June 2020, after using them five times in the first six months of 2019.
The AFP is yet to use the encryption powers for any terrorism-related offences, despite this being the primary justification for the rushed passing of the legislation at the end of 2018.
All of its uses of TOLA in the last year were the voluntary TARs, which it issued in investigations into serious computer offences and “other serious crime types”. It did not issue any of the more serious TANs or TCNs, but this doesn’t mean that they are unnecessary, the AFP said.
“The AFP has good relationships with domestic communications providers and we are committed to proactively engaging them – recognising industry’s advice, expertise and knowledge is invaluable to our work,” the AFP said in the submission.
“Our experience is that Schedule 1 of TOLA has accelerated cooperation from industry, with providers increasingly willing to assist due to TOLA providing legal certainties and assurances regarding the commercial scope and impact of requests.
“The fact the AFP has not sought any TANs or TCNs to date does not indicate these provisions are not required. Rather, it demonstrates the effectiveness of TOLA’s tiered approach.”
From December 2018, when the new laws were passed, to June 2019, the AFP issued five TARs, for cybercrime, drug importation and the threat of transnational serious and organised crime. It also did not issue any TANs or TCNs in this timeframe.
The encryption powers had been used a total of 25 times as of November last year, and were used 18 times in the last six months of last year.
The submission was made ahead of the PJCIS’ public hearing for its inquiry into the encryption laws, where the AFP will be appearing alongside the Office of the Inspector General of Intelligence and Security, ASIO, and the Department of Home Affairs.
The PJCIS held its first public hearing as part of the inquiry last week, with various industry stakeholders raising significant concerns with the current powers and urging the government to adopt the recommendations made by the Independent National Security Legislation Monitor Dr James Renwick in his recent report.
Dr Renwick called for the power to authorise the issuing of notices to be taken away from ministers and handed to independent judiciary figures in the Administrative Appeals Tribunal. He also said that there needs to be a new definition for “systemic weakness” and that the term “systemic vulnerability” should be scrapped from the bill entirely.
The AFP also outlined a series of examples of when it has utilised the encryption-busting powers, including as part of an investigation into the possession and use of malware, with the notices allowing the police to “proactively investigate and capture relevant data and evidence”.
“An overt search warrant would have alerted the criminals using this malware, precluding further identification, disruption and prosecution on ancillary offending being facilitated by the malware,” the AFP said.
“A traditional search warrant would only yield a limited subset of the customer database, and this would not have assisted proactive or the targeting of investigations on the users of the malware.”
The AFP also used the TOLA powers as part of an eight-month investigation into the use of a carriage service to make threats, identify datasets of compromised personal information and inform government and telecommunications of vulnerabilities, the AFP said.
The powers allowed officers to obtain evidence from “multiple electronic systems used by the alleged offender to commit offences.”