Law enforcement agencies began using Australia’s controversial encryption-busting powers before they had established sound governance frameworks, leading to potential “non-compliance” with the laws, the Commonwealth Ombudsman has found.
The Ombudsman identified the issues with agencies’ early use of the industry assistance powers in a report on its findings from its initial round of inspections under the Telecommunications Act last year.
The inspections covered the 18-month period between the passage of the Telecommunications and Other Legislation Amendment (TOLA) (Assistance and Access) Act in late 2018 and the end of June 2020.
The encryption powers, which have been fiercely criticised since their introduction, give law enforcement and intelligence agencies the ability to request or compel technology companies and their employees to provide access to encrypted data.
Authorities can issue technical assistance requests (TARs), which ask companies to voluntarily help provide access to data using existing capabilities, or compulsory technical assistance notices (TANs) or technical capability notices (TCNs).
Compulsory requests can require a company to provide assistance and build new capabilities, though only one of these requests had been issued by an Australian policing agency and the Australian Criminal Intelligence Commission (ACIC) at the end of June 2021.
In the report released on Thursday, the Ombudsman found shortcomings with the approach taken by the ACIC, the Australian Federal Police (AFP) and New South Wales Police when issuing TARs during the period.
“We found the agencies that used industry assistance powers during the reporting period had started using the powers before establishing comprehensive governance frameworks,” the report said.
“For example, agencies used industry assistance powers prior to having a completed policy document, formalised training procedures, a full suite of templates or guidance material and fully realised procedures for using the powers.”
By the time of the inspection in 2021, however, both the AFP and NSW Police had comprehensive governance frameworks in place. The ACIC still had an incomplete governance framework in place, contributing “significantly to the instances of statutory non-compliance”.
The TARs were used to aid criminal investigations or intelligence-gathering activities relating to organised crime, cybercrime, drug offences, telecommunications offences, armed robbery, theft and conspiracy to murder.
The Ombudsman said that by not establishing comprehensive governance and compliance frameworks, “instances of statutory non-compliance, or, at best, a failure by agencies to demonstrate compliance with key safeguards and requirements” had occurred.
Examples of this included poor record-keeping practices during early use of the powers, meaning agencies could not demonstrate that they had fully considered the key decision-making criteria before issuing a TAR.
“Consequently, we were unable to determine that all legislative requirements were adhered to in the giving of these TARs,” the Ombudsman said.
“In some instances, TARs were given that requested the DCP [designated communications provider] to do acts or things that had the potential to affect the privacy of numerous individuals who were not the target, or who were not of interest to the requesting interception agency.”
The Ombudsman also found that “agencies were unable to produce documents demonstrating the decision-maker’s consideration of whether the specified assistance requested in a TAR would create a systemic weakness or systemic vulnerability, as required under… the Act”.
It was also not satisfied that authorisations under the Act were “properly made” in several instances, with the Ombudsman suggesting to agencies that they “seek legal advice on whether these authorisations were properly made”.
The Ombudsman made two recommendations for the ACIC, as well as a further 29 suggestions for the ACIC (12), AFP (12), NSW Police (4) and Victoria Police (1). It also made 58 better practice suggestions across all eight agencies inspected.
The Ombudsman also noted that its oversight “identified some ambiguities and apparent inconsistencies” in the legislation. It met with Home Affairs to discuss these issues in October 2021 and will now continue this work with the new policy owner, the Attorney-General’s Department.