Director-General ASD statement regarding the TOLA Act 2018
Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018
There has been considerable inaccurate commentary on the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act).
It is important to correct the record and reassure Australians about how the legislation will work in practice – and in reality.
Myth #1: Your information is no longer safe
If you are using a messaging app for a lawful purpose the legislation does not affect you.
The TOLA Act is specifically targeted at people suspected of committing serious criminal offences.
Encryption is a good thing. It is an essential part of a safe, secure online experience. The government does not want to change that. But if two Australians are using a messaging app to plot a terrorist attack, it is clearly crucial for the relevant authorities to find out what they are saying. But law enforcement and security agencies can only do so in very specific circumstances – with a warrant for example.
Which takes us to the second myth.
Myth #2: Agencies get unfettered power
There are significant checks and balances in the legislation. Nobody’s personal communications can be accessed under the Act without a warrant, in the same way other legislation has operated for decades.
Agencies can get a warrant to read the mail of criminals. Agencies can get a warrant to listen to the phone calls of criminals. Why shouldn’t these same agencies be able to get assistance to read the encrypted messages of criminals when Australian lives and livelihoods are at stake? Surely it is not the particular format of the communication that is important here, but the operational need?
Myth #3: The security of the internet is under threat
The Act will not “break the internet”.
By their very nature, security and law enforcement investigations are highly targeted. The legislation is structured to ensure that activities under the TOLA Act are similarly highly targeted.
Agencies cannot use the legislation to ask or require companies to create systemic weaknesses which would jeopardise the communications of other users.
The Director-General of Security recently suggested an analogy where a terrorist is plotting an attack in a hotel room. The authority the police would get under the Act is the equivalent of being able to ask the hotel for access to the room. The Act does not give the police the power to demand a master key be made for all rooms.
Myth #4: Tech companies will be forced offshore
Australia is not the first country to enact this sort of legislation – and we will not be the last. Agencies in the UK already have similar powers and other nations are considering their options.
The claims the legislation will drive tech companies offshore are similarly flawed.
Myth #5: There is no way to be sure that the communications of Australians won’t be jeopardised
The Act has in-built oversight mechanisms, including oversight from the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman.
And the notices that legally require industry’s assistance can also be subject to review from technical assessors and former judicial officials, who are specifically appointed to provide an additional level of reassurance that the capability does not introduce a 'systemic weakness'.
Myth #6: ASD will be able to spy on Australians
The Australian Signals Directorate is a foreign intelligence agency. It does not collect the communications of everyday Australians.
Moreover, ASD’s powers under the Act are limited to requesting assistance from industry on cyber security matters – in connection with ASD’s function to protect Australian systems from cyber threats. The Act cannot be used to enable the interception of communications as part of a foreign signals intelligence collection program.
Myth #7: The reputation of Australian tech companies will suffer
It’s been repeatedly claimed that Australian tech companies will be regarded as no different to the high-risk foreign vendors that have been blocked from supplying equipment in Australian 5G networks.
The comparison is absurd. High-risk vendors have been banned from Australia’s 5G network because of the threat they pose when they could be subject to unbounded extrajudicial directions from a foreign government.
It is not in any way an equivalent comparison to the highly-targeted assistance that the Australian Government will be seeking under the TOLA Act.
Many of the claims about the “dangerous” nature of the Act are hyperbolic, inaccurate and influenced by self-interest, rather than the national interest.
The true danger is the thing the TOLA Act seeks to prevent: terrorists, paedophiles and other criminals communicating in secret, without law enforcement and security agencies being able to ‘crack their code’.
Australia’s law enforcement and national security agencies do not ask for legislative change lightly or routinely. But when technology evolves, the law should evolve too – so we can continue our mission to keep Australians safe.