In December 2018, the so-called ‘encryption laws’ were passed, allowing law enforcement agencies to ask or compel certain technology companies to assist with criminal or national security investigations. The laws are supposed to help investigate serious crimes such as terrorist activity and child pornography.  As a developer, the laws may affect your current products or services. This article will highlight how the laws will affect your business. 

Encryption Laws Overview

The new encryption laws allow law enforcement agencies such as ASIO or the Australian Federal Police to issue certain requests or notices to ‘designated communications providers’. The laws will cover developers, as well as IT and online businesses. You may receive one (or more) of these types of requests or notices, such as: 

  • TAR (technical assistance requests);
  • TAN (technical assistance notices); or
  • TCN (technical capability notices).

Complying with a technical assistance request is voluntary. However, complying with a technical assistance notice or technical capability notice is compulsory.

What Can The Notice or Request Say?

The notice or request could suggest that you: 

  • remove electronic protection from your product;
  • provide technical information about your product;
  • build a capability into your software to obtain information in a particular format, such as for custom reporting;
  • provide law enforcement with access to your software;
  • assist with the testing, modification, development or maintenance of a technology product;
  • provide notice of developments about your products; and
  • modify your product.

This list of potential requirements under a notice or request for software developers represents a potential range of requirements. They provide a starting point for whether you can comply with the notice or request. 

Does the Notice Create a Systemic Weakness?

You cannot be required to build a systemic weakness in your product. The law does not clearly define the meaning of systemic weakness. However, a developer may be capable of building a feature that creates a ‘backdoor’ access for law enforcement agencies to investigate crimes. The same backdoor could be exploited by hackers to cause criminal damage or compromise user privacy. 

For example, you have an app that markets itself as providing end-to-end encryption of messages. However, a law enforcement agency may ask you to create a feature that means encryption can be removed in certain situations That might undermine the overall encryption of all messages for the app, which may become a ‘systemic weakness’ for the product.

A proposed amendment to the law will clarify the meaning of ‘systemic weakness’ to provide further guidance. The Federal Parliament will consider the amendment in May 2019.

How Do I Comply with the Encryption Laws?

If you receive a notice or request, you must find out if you received a voluntary request (TAR) or a mandatory notice (TAN or TCN). If you must comply with the notice, you must ensure that you do not disclose that you have received a notice or request in the first place. You can download the following checklist below for your reference. 

LegalVision Encryption Checklist
LegalVision Encryption Checklist

If you are a startup or small business, you may feel overwhelmed by the time and cost of trying to comply with the laws. However, the laws will allow you to recover any costs incurred for complying with the request.

How Will The Encryption Laws Affect My Business? 

The laws have created enormous uncertainty for Australian software developers. You may be worried that the laws will limit your competitiveness with overseas software developers. However, foreign companies who want to serve Australian customers will have to comply with the encryption laws. 

If you are an Australian-based company with foreign companies, you may consider restructuring your business so that the Australian company deals with Australian customers only. The laws do not apply to any foreign companies who deal with overseas clients. Therefore, you may limit your business’ exposure to complying with the encryption laws if your foreign entities are pitching for overseas business. 

Key Takeaways

The encryption laws are broad-ranging and may affect the security of your products or services. However, as the laws are now operating, you should have an internal plan on how you can comply with the laws. If you have any questions or need assistance on how to comply with the laws, get in touch with LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page. 

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
James Adler

Get a Free Quote Now

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • We will be in touch shortly with a quote. By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.

Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at info@legalvision.com.au

View Privacy Policy