Australian watchdog recommends major changes to exceptional access law TOLA

Australia’s Independent National Security Legislation Monitor (INSLM) earlier this month released a 316-page report calling for significant, and much needed, reforms to the nation’s 2018 Telecommunications and Other Legislation Amendment (TOLA) law. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) will meet later this month to consider the INSLM’s recommendations. While we still believe this dangerous law should be repealed, if enacted, these recommendations would go a long way in reducing the risk of this flawed piece of legislation.

This legislation – which Mozilla has continually opposed – allows Australian authorities to force nearly all actors in the digital ecosystem (Designated Communications Providers or DCPs) to do “acts or things” with an explicit goal of weakening security safeguards. For example, under this law, using a Technical Assistance Notice (TAN), Australian authorities could force a company to turn over sensitive security information, or using a Technical Capability Notice (TCN), they could force a company to redesign its software.

In his report, the INSLM offered a wide range of critiques and recommendations to limit the scope of TOLA. Of particular note, the INSLM offered the following key proposals:

  • Judicial review – The INSLM noted that all non-government stakeholders, including Mozilla, raised concerns that expansive new powers granted by TOLA could be used without judicial review or authorization. The most important recommendation in the INSLM’s report is to require TANs and TCNs to be reviewed and approved by the Administrative Appeals Tribunal (AAT). The AAT is a well-respected, quasi-judicial body with the power to conduct classified hearings and adjudications which the INSLM proposes would be led by a new Investigatory Powers Commissioner (IPC). As in the UK, the IPC would be a retired high ranking judge with access to its own independent technical advisors. While implementation of these recommendations will help in limiting the harm of TANs and TCNs, we still do not think Australian authorities should have these powers.
  • Definitions of systemic weakness and target technology – While there is a safeguard in TOLA that orders under this law cannot be used to force the creation of a systemic weakness or vulnerability, these terms are worryingly, vaguely defined: “a systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person.” The INSLM’s report recommends helpful amendments to the definition of systemic weakness, and recommends the removal of the term “systemic vulnerability” entirely. Furthermore, we’ve previously noted that TOLA is unclear on what constitutes a “class of technology.” Is the Firefox browser a class of technology unto itself? It seems contrary to the spirit of this limitation to allow Australian authorities to compromise the security of the hundreds of millions of Firefox users who have never been under suspicion of any wrongdoing. Crucially, the INSLM clarifies that target technology should refer to “the specific instance used by the intended target,” which would narrow the scope so that targeting is more likely to affect the target alone.
  • Employee protection – Mozilla, among many other DCPs, has been concerned by the risk that the definition of DCP in the law could be read to allow Australian authorities to serve an order on any employee of a DCP. The INSLM recommended that a natural person should only be considered to be a DCP where that natural person is a sole trader. We agree with the INSLM that “it is necessary to put this issue beyond doubt” and urge the PJCIS to amend TOLA to reflect this interpretation.

While the INSLM has suggested a number of positive changes, we were disappointed by his recommendations regarding restrictions on disclosure. As it stands, TOLA limits companies from disclosing the fact that they have been served with these orders. The INSLM’s report suggests that Commonwealth officials be authorized to disclose TAN/TCN info (as well as that of TARs, which are voluntary Technical Assistance Requests) to the public and to government officials when disclosure is in the national or public interest. In our view this is inadequate to address the underlying concern. Companies can’t be transparent with their users nor can there be a robust public debate about the wisdom of certain technical capabilities when companies are still restricted from disclosure. Moreover, such a lack of transparency is at odds with basic open source and security engineering principles.

TOLA also presently lacks crucial restrictions on the ability of foreign authorities to exercise the powers the law grants. The INSLM notes that a large overhaul of the procedural safeguards around mutual legal assistance in criminal matters is likely forthcoming in the International Production Orders (IPO) Bill, which Australia is expected to enact later this year as it pursues acceptance under the U.S. Cloud Act. We continue to advocate for strict limitations on how and when foreign countries can request the assistance of Australian authorities through TOLA.

Mozilla has been involved throughout the legislative process and the development of the INSLM’s report. We filed comments to the PJCIS in late 2018 and early 2019 warning of TOLA’s dangerous effects. Martin Thomson, Mozilla Distinguished Engineer, testified at a hearing held by the INSLM – which ultimately proceeded to quote a portion of Martin’s testimony in his final report. Moreover, our team has provided comments to the Australian Ministry of Communications, Cyber Safety & the Arts relating specifically to the significant security risks posed by TCNs. Our December 2019 cover letter to the INSLM contributing input to his report can be found here. A detailed list of Mozilla’s recommendations alongside related INSLM recommendations can be found here.

The PJCIS will hold a hearing later this month to discuss the recommendations and likely begin the process of discussing amendments to TOLA. This presents the PJCIS with a unique opportunity to demonstrate leadership in defending individuals’ online privacy and security while enabling effective access to justice. The implementation of TOLA continues to pose serious privacy, security, and due process issues for both users and developers, and Mozilla will continue to oppose this law. In the event that the bill is not repealed, we strongly urge the involved MPs and Senators to adopt the INSLM’s recommendations which may help soften the blow of some of the law’s most damaging provisions.