Labor demands AFP answers on encryption

Denham Sadler
Senior Reporter

Australian law enforcement agencies are yet to use the coercive anti-encryption powers handed to them nearly two years ago, with Labor MPs questioning whether they are necessary at all.

The Telecommunications and Other Legislation Amendment (TOLA) Act provides law enforcement with new powers to compel tech companies to provide access to encrypted data and build new capabilities to do so if needed.

The new powers come in three tiers. Technical Assistance Requests (TARs) can be issued to tech companies asking for voluntary assistance to provide access using existing capabilities, while Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) compel tech companies to provide this access, and build new capabilities to do so.

cybersecurity encryption
Encryption powers: Labor seeking clarity from AFP over the use of the new laws

The TOLA Act was passed in a hurry, with support from Labor, at the end of 2018, and has been the subject of a number of inquiries since. The justification for its rushed passing was the urgency of the need for new powers, which the government said needed to be in place by Christmas 2018.

But it has been revealed that the coercive powers included in the Act have not been used at all, by any level of law enforcement.

In a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), the Australian Federal Police (AFP) confirmed that it has issued 11 voluntary TARs since the Act was passed, but no compulsory notices of any form.

At a public hearing for the PJCIS inquiry on Friday, the AFP attempted to argue that this proved the effectiveness of TOLA and the tier approach adopted. It hinted that some tech companies may have voluntarily built a new capability to provide access to encrypted data, rather than being issued a compulsory notice.

“We haven’t been tentative in the use of the legislation. We have been very proactive. Potentially, some of our requests would have been covered under a TAN or TCN but because of a productive working relationship with the provider or industry they were prepared to give us that assistance under a TAR,” AFP deputy commissioner Ian McCartney told the committee.

“The lens I’m working through is not asking, but working cooperatively with industry in relation to some of these issues,” he said.

But shadow attorney-general Mark Dreyfus wasn’t buying it.

“The AFP told this committee and the Australian people that it needed these powers. It told this committee in 2018 that it urgently needed these new coercive powers, and now that the AFP has the powers, it’s not using them,” Mr Dreyfus said.

“You’re now telling the committee that the fact the powers haven’t been used is evidence that the powers are both needed and that they have been effective,” he said.

“Two-and-a-half years ago, the AFP told this committee that it urgently needed these powers and here we are two-and-a-half years on and you haven’t used them.”

The AFP argued that the new powers have been “extremely beneficial”, and the very presence of the more coercive elements of the laws have helped encourage tech companies to voluntarily provide assistance.

But Mr Dreyfus was unconvinced, asking for a “better explanation on notice”.

“There is a difference in the legislation between the coercive powers, which the AFP told this committee it urgently needed but has never used and the voluntary request arrangement which you have used. A bit more explanation would be helpful,” he said.

Mr Dreyfus also questioned the need for the TOLA Act at all, questioning the AFP’s claim that tech companies had been more willing to assist law enforcement since the new powers were introduced, and if they hadn’t been willing to do so before this.

“What is the evidence that you say that TOLA has increased the willingness of providers to assist the AFP? If providers were more willing to assist before and were willing to assist now, that’s not an increase in willingness,” he said.

“Have you got a single example of a provider who refused before December 2018 before the Act came in?”

AFP superintendent Robert Nelson, from the digital surveillance unit, said there were some tech companies that were “quite uncomfortable” with assistance requests that had become a “lot more receptive” after the TOLA Act was passed.

The PJCIS is set to table its report on the TOLA Act by the end of September.

Do you know more? Contact James Riley via Email.

Leave a Comment