What is TOLA?

Why should we care about TOLA?

The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill is a set of laws rushed through the Australian parliament on its final sitting day of 2018. The laws aim to “establish frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies in relation to encryption.” In other words, they compel technology and telecommunications companies to give security agencies access to their clients’ encrypted messages.

Why the controversy?

The Bill was rushed through parliament without proper consultation with technology leaders, privacy advocates, industry stakeholders or the wider public. This has created a situation in which nobody is clear on how to provide access to ‘encrypted messages’, or indeed how to decrypt them or introduce backdoors into their products. Also, while the government has positioned the Act as one that seeks to prevent terrorists and paedophiles from communicating in secret, the Act can be used for any offence punishable by a maximum term of imprisonment of three years or more. It can therefore be used against people suspected of far less serious offences, such as internet trolling, theft or recklessly causing injury.

What do the supporters say?

The government says the laws – a world first – are necessary to help combat terrorism and crime. (Side note: “world first?” You may be wondering what happens in China or Russia, then. Services offering end-to-end encryption are banned in those countries. And the EU? EU member states have some of the world’s strongest privacy laws.)

Mike Burgess, director-general of the Australian Signals Directorate, went on the offensive in December last year and published his views on the seven ‘myths’ of the TOLA Act. He asserts that government agencies “cannot use the legislation to ask or require companies to create systemic weaknesses which would jeopardise the communications of other users.” That is true; however, the definition of ‘systemic weakness’ is rather vague and is itself another point of controversy. Burgess concludes: “Many of the claims about the “dangerous” nature of the Act are hyperbolic, inaccurate and influenced by self-interest, rather than the national interest. The true danger is the thing the TOLA Act seeks to prevent: terrorists, paedophiles and other criminals communicating in secret, without law enforcement and security agencies being able to ‘crack their code’.”

What do industry leaders say?

Some 300 tech sector leaders met in Sydney on Wednesday 27 March 2019 as part of a campaign called Safe Encryption Australia, which aims to push policy makers to commit to overhauling the laws.

Scott Farquhar, co-founder and co-CEO of Atlassian (Australia’s biggest tech company), believes the Act will put jobs at risk. His views were echoed by Francis Galbally, non-executive chairman of Senetas. Galbally warned that “this bill gives a perception of mistrust” in Australian cyber security products, which could lead to a loss of exports and jobs. “This legislation will force our company to go offshore,” he said.

Microsoft president and chief legal officer Brad Smith said “when I travel to other countries I hear companies and governments say ‘we are no longer comfortable putting our data in Australia’… So they are asking us to build more data centres in other countries.”

Lastly, John Stanton, CEO of the Communications Alliance, focused on the bill’s technical capability notices (TCNs), which could force companies to make secret modifications to their products, and on the bill’s secrecy provisions, which prevent disclosure of a notice. He also voiced concerns about the lack of a warrant framework for the issuing of notices.

What should IT companies be concerned about?

  • Your employees could be ordered to modify your product without your knowledge, and you could be unaware that your company is subject to an order
  • Your foreign customers may be concerned that their data could be exposed to the Australian government
  • You will need to understand how this impacts your customers in the EU where the General Data Protection Regulation
  • The technical challenge: although the law prohibits the creation of “systemic vulnerabilities”, it is extraordinarily difficult to provide the requested access to agencies while safeguarding all other users

What should we be concerned about?

  • The laws could undermine our overall security and privacy
  • Impact on jobs

Will this Act discourage criminals?

Not really. There are still plenty of apps and organisations that could provide the same type of service (end-to-end encryption) to their clients. The Act will also encourage serious criminals to build their own tools (and such tools already exist).

Industry’s demands from the government

  • Increase oversight of security agencies’ new powers to spy on suspects’ phones and computers, including introducing merit-based judicial review for requests or orders on technology companies to provide technical assistance.
  • Narrow the definition of crimes that can fall under the laws.
  • Ensure employees cannot be targeted to assist security agencies without their employer’s knowledge. As it stands, an employee could potentially be jailed for informing their employer, or for disclosing a TCN to their employer.
  • Narrow the definition of a “designated communications provider” so it covers only those services the authorities actually need.

What is being done?

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has for the first time referred legislation to the Independent National Security Legislation Monitor (INSLM) for scrutiny.