mnot’s blog

“Design depends largely on constraints.” — Charles Eames

Monday, 29 June 2020


What limits legal access to cloud data in Australia?

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018[1] has proven controversial both before and after passage,[2] with considerable debate about the nature of its industry assistance framework and its potential to systemically weaken encryption on the Internet - a framing emphasised by the explanatory memorandum, which introduced the legislation as ‘measures to better deal with the challenges posed by ubiquitous encryption.’[3]

While there has been substantial review and discussion regarding its impact upon encryption, other consequences of this legislation have not received as much scrutiny. In particular, many Internet services only encrypt data when ‘on the wire’ and ‘at rest’, not when it is being processed. How is this ‘cloud data’ protected under Australian law, and how do these changes affect it?

This article examines what cloud data is, how it relates to telecommunications law (or, rather, doesn’t), and how legal access to it is currently enabled by Australian law, with special attention paid to two mechanisms introduced by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 - computer access warrants and the industry assistance instruments. I contend that the extension of the legal access mechanisms used for telecommunications without the protections afforded to them is inappropriate, and furthermore that computer access warrants afford access to cloud data without appropriate safeguards.

I am not a lawyer, but I am starting a degree in a law masters program. As a result, this post is likely to demonstrate my very limited powers of statutory interpretation. Corrections and criticism – especially from the Australian legal community – are welcome via e-mail or Twitter.

What is cloud data?

In 2009, Robert Gellman’s report to the World Privacy Forum opined that ‘computing activity occurring today entirely on computers owned and controlled locally by users will shift to “the cloud” in the future.’[4]

Eleven years later, Australians are fulfilling that prediction, storing an ever-increasing amount of their personal and business data with Internet services. E-mail (e.g., Fastmail, Gmail) has effectively been a cloud service since before people started using the term. Services like social networking (Facebook) and cloud backup and file sharing (Dropbox, iCloud, Box) have been widely adopted for some time, as has cloud music sharing (Spotify, iHeart) and calendaring (Google Calendar, Office365). More recently, people have increasingly stored financial data (Xero, Pocketbook), business data (Amazon Web Services, Google Cloud, GitHub), health data (HealthVault, Fitbit), and indeed legal data (LexisNexis) on other people’s servers. It is forecast that the Australian public cloud market will soon be worth AUD10 billion.[5]

This trend reflects the greater convenience, reliability and availability that these services offer, in contrast to keeping data only on a local computer. Considering the expense and complexity of setting up, running, monitoring and updating a highly available, redundant data store, it makes sense to keep data in the cloud; not only is doing so cheaper and safer, it makes the data easily and globally available to multiple devices – an important consideration when many people have multiple phones and computers.

However, much of this data is available to the cloud provider; it is either unencrypted when residing on the cloud server or the cloud provider has access to the encryption key. So-called end-to-end encryption (where only the user of the service is able to decrypt their data) is a comparative rarity; none of the services mentioned above offer it. This is not surprising; often, a service adds value to the data or must otherwise process it, and so needs access.

Notably, when end-to-end encryption is not in use, the much-discussed requirement that a designated communications provider must not be required to ‘implement or build a systemic weakness or a systemic vulnerability into a form of electronic protection’[6] is prima facie not applicable, because requiring data to be supplied by a cloud provider who has unencrypted access to it is not creating such a vulnerability.

Thus, putting aside discussion of encryption, let us examine how cloud data fits into the current legal access landscape.

What cloud data is not

Because the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 primarily modifies telecommunications legislation, it is natural to look at it through that lens first.

The 2005 Blunn review acknowledged the dual purpose of telecommunications interception legislation, explaining that ‘the protection of privacy should continue to be a fundamental consideration in, and the starting point for, any legislation providing access to telecommunications for security and law enforcement purposes’ but also that ‘access to telecommunications data is, and for the foreseeable future will remain, fundamental to effective security and law enforcement.’[7]

In 2006, the report of the Security Legislation Review Committee reinforced the focus on privacy, stating that ‘[t]he primary purpose of the Telecommunications (Interception) Legislation Act 1979 (Interception Act) is to protect the privacy of individuals who use the Australian telecommunications system.’[8]

In this spirit, the Telecommunications Act 1997 and the Telecommunications (Interception and Access) Act 1979[9] create both legal protections and access regimes for three classes of information:

Communications data have strong protections; interception of ‘a communication passing over a telecommunications system’ is prohibited,[10] unless it is done on behalf of the carrier as part of their duties, under a warrant, or as allowed by other legislation.[11] Likewise, telecommunications providers are prohibited from disclosing communications data[12] unless done in the course of their duties[13] or when an appropriate warrant is in place.[14]

However, cloud data is likely not included in these protections, because it is not ‘passing over a telecommunications system’; that ends once it ‘becomes accessible to the intended recipient of the communication.’[15] In the case of most cloud services, the service itself could be interpreted to be the intended recipient.

Stored communications have similar protections,[16] but again most cloud data does not qualify, because almost all cloud services in Australia are not ‘held on equipment that is operated by, and is in the possession of, a carrier’.[17]

For example, e-mail stored on Telstra’s servers is likely to qualify for protection as stored communications (depending on how its corporate structure is interpreted); that stored on a non-carrier ISP, Fastmail, or Gmail is not.

Finally, telecommunications data is information used to provide a service - for example, a log of telephone calls made and received for billing and technical purposes (sometimes called traffic data), or the contact details for a customer (sometimes called account data).

Putting aside significant uncertainty around what counts as metadata,[18] cloud data does not seem to generally qualify for whatever protections metadata does have (such as the need to follow certain procedures for access),[19] for the same reason as stored communications - in most cases, cloud data is not held or controlled by a carrier.

Cloud data is just business data

If cloud data has no relevant protection under telecommunications law, we can view it in the same way as any other information held by a person. Under the Privacy Act 1988,[20] a cloud provider is bound by the Australian Privacy Principles, provided they do not qualify as a small business.

Australian Privacy Principle 6 prohibits disclosure of personal information unless it ‘is required or authorised by or under an Australian law or a court/tribunal order.’[21] That might happen when they have ‘reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to [the cloud provider’s] functions or activities has been, is being or may be engaged in.’[22]

However, the definition of personal information is restricted to ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’,[23] and there is some precedent that reads this strictly. For example, an IP address is not considered personal information in Australia,[24] despite it being considered Personally Identifying Information in European courts.[25]

These limited protections and the exceptions to them are evident in most cloud providers’ agreements. For example, Google’s terms and conditions state:

We will share personal information outside of Google if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to … [m]eet any applicable law, regulation, legal process, or enforceable governmental request[, or p]rotect against harm to the rights, property or safety of Google, our users, or the public as required or permitted by law.[26]

Note that both in the legislation and in the typical contractual terms, it is clear that a warrant or other enforceable request from a government can cause disclosure, but there is also considerable room for the providers’ judgement to allow it.

Cloud data and computer access warrants

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 introduced computer access warrants to the Surveillance Devices Act 2004, designed to ‘[take] into account the increasing use of distributed and cloud-based services for processing and storing data’[27] - clearly aiming them at cloud data, not just ‘legal hacking’.

A request for a computer access warrant with a cloud service as its target is valid, even if no offence had yet taken place; the requesting officer need only suspect ‘one or more relevant offences have been, are being, or about to be, or are likely to be, committed’ and ‘access to data held in a computer … is necessary … for the purposes of enabling evidence to be obtained.’[28]

Notably, there is not a legislated requirement for a specified person as the target of the request, and there is no real limit on what is considered ‘relevant data’.[29]

Instead, restrictions on the execution of a computer access warrant are in the hands of the eligible Judge[30] or a nominated Administrative Appeals Tribunal member[31] who receives the application. There are several guidelines as to what they must have regard to, including ‘the extent to which the privacy of any person is likely to be affected’,[32] but they are discretionary.

A computer access warrant can be in effect for up to 90 days,[33] and can be extended in 90-day increments.[34]

There are limits on the use of information obtained by a computer access warrant,[35] but with broad exceptions like ‘a person who believes on reasonable grounds that the use or communication is necessary to help prevent or reduce the risk of serious violence to a person or substantial damage to property’.[36] Intriguingly, there is also a carve-out for ‘general computer access intercept information’[37] - which could include metadata.

Notably, computer access warrants are secret.[38] Furthermore, the information collected by a law enforcement officer using a computer access warrant is allowed to be kept as long as ‘the chief officer of the law enforcement agency … is satisfied that access to data under the warrant is no longer required.’[39]

Cloud data and industry assistance

Another contribution of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 was expansion of the Telecommunications Act 1997 to encourage or require industry assistance not only from telecommunications carriers, but also from a wide variety of designated communication providers[40] – including cloud providers.

Like computer access warrants, an industry assistance instrument applied to a cloud provider could affect a large number of its users. While there are guidelines in the legislation – for example, regarding whether a Technical Assistance Notice is reasonable and proportionate[41] – they are discretionary, and require understanding of the technical options at hand. It may well be felt that the ‘least intrusive form of industry assistance’[42] available is casting the net widely, when the ‘interests of national security’[43] are at stake.

However, these instruments are defined to have no effect if they require a warrant or authorisation under Commonwealth or State law.[44] Given that computer access warrants already afford lawful access to data on an arbitrary computer, it is reasonable to ask why these instruments are necessary, at least in the case of cloud providers.

One reason may be to offer a ‘carrot’ for cooperation by designated communications providers, who are indemnified from civil liability related to execution of the compulsory instruments.[45] Unlike telecommunications providers, who are dependent upon the government for licensing and have a history of close collaboration with them, cloud providers often have a more distant relationship.

A closer reading, however, suggests access to metadata without a warrant as a potential motivation.

Can cloud metadata be accessed without a warrant?

‘Metadata’ is not a well-defined concept outside of telecommunications,[18] but the extension of telecommunications interception law brings the question of whether or not there are certain types of data which can be requested using an industry assistance instrument without a warrant, due to the presence of some other authorisation.

Initially this seems straightforward, but the clause requiring a warrant or authorisation has a proviso to ‘assume that each reference in Part 13 to a carriage service provider included a reference to a designated communications provider.’[46]

When read in isolation, Part 13 creates no direct requirements for a warrant or authorisation, and so this proviso would seemingly be inoperative. Reading it in combination with Chapter 4 of the Telecommunications (Interception and Access) Act 1979 is more illuminating, because that chapter relies upon Part 13 for its definition of metadata: ‘Divisions 3, 4 and 4A set out some circumstances when sections 276, 277 and 278 of the Telecommunications Act 1997 do not prohibit a disclosure of information or a document.’[47]

Chapter 4 then creates several authorisations for access to telecommunications data. For example, an enforcement agency can authorise the disclosure of existing documents[48] or for documents that come into existence during the period for which the authorisation is in force,[49] provided that it is not the content or substance of a communication.[50]

Notably, the ‘specified information or specified documents’ that Chapter 4 creates authorisations for are not defined to be specific to telecommunications; they are only specified in terms of what they are not: ‘information that is the contents or substance of a communication.’[50]

So, does this proviso effectively create an authorisation to gather metadata without a warrant from designated service providers?

One argument against that interpretation is the limitation on what an industry assistance instrument can request or compel.[51] However, one of the ‘acts or things’ is anything done to assist in or facilitate ‘giving effect to a warrant or authorisation’.[52] So, if reinterpretation of Part 13 indeed creates an authorisation, one reading is that this might be enough to justify the use of an industry assistance instrument. Another reading is that the reinterpretation of Part 13 only applies to determining whether a warrant or authorisation is required in that clause, not for the purposes of defining the ‘act or thing.’

Yet another potential barrier is a subsequent proviso that an industry assistance instrument has no effect if it were to ‘request or require a designated communications provider to … access data held in a computer (within the meaning of the Surveillance Devices Act 2004).’[53]

There is also a qualification in effect here: ‘…if a law of a State or Territory requires a warrant or authorisation for that use or access.’[54] For example, in Victoria unauthorised access to a computer is an offence,[55] and so the usual mechanism for legal access to it is a search warrant.

On balance, it seems unlikely that a court would interpret the legislation as allowing access to cloud metadata (however defined) without a warrant, but I am far from certain about that; the ‘assume that each reference in Part 13’ clause is perplexing.

If there is a sound legal interpretation, I would very much like to hear it. Absent that, we’re unlikely to get a definitive answer, because the operation of the industry access instruments is secret.[56]

Conclusions

The changes brought by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 were intended to address the problems brought by ubiquitous encryption, and they did so by enabling legal access to data where it is increasingly available unencrypted – in the cloud. This could be seen as proportionate if it were limited to services like Voice over IP, but instead the legislation seems to equate access to voice calls with access to a significantly richer source.

And, while carefully thought out protections for private telephone calls were embedded in Australian telecommunications legislation, that protection was not expanded to match the access that was granted by these amendments, even as most communication as well as personal and business data shifted from telephone calls and filing cabinets to cloud services.

This is arguably a major shortcoming of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.

In particular, computer access warrants have significant potential for overreach when applied to cloud data; if a law enforcement officer formed a belief that, for example, accessing the social graph of every Australian would help prevent terrorism, they would only need an eligible Judge or nominated Administrative Appeals Tribunal member to agree. Given the likely disparity in knowledge of modern computing in that group, it’s probable that some at least will not understand the full consequences of doing so.

The lack of effective limits on what can be done with the information so obtained is also troubling. Material that is collected opportunistically can be saved and repurposed, resulting in a troubling capability for surveillance that has many parallels in the programs that Edward Snowden disclosed in the USA.

There is no current evidence of such abuse; the mandated annual reports for these instruments have been published once since the legislation was enacted, and they disclose only seven voluntary Technical Assistance Requests[57] and eight computer access warrants (with two extensions).[58]

However, the secrecy measures surrounding these instruments mean that any abuse would be unlikely to be evident unless one of the relatively small number of people with the power to do so chose to intervene. The numbers in these reports record instruments issued, not the number of individuals affected, meaning that in theory those eight computer access warrants could collect the activity of tens of thousands or more, 90 days at a time.

That is not to say that these instruments are without merit; as the Blunn report said, access to telecommunications (in a broad sense) is important to law enforcement, and thus is important to society. However, if we expand the scope of the powers afforded to law enforcement, the protections for modern communications should be expanded in a commensurate way, and the oversight and transparency mechanisms for these instruments should be robust and likely more adversarial. In particular, the number of people (or accounts, or some other measure) affected by the instruments should be surfaced, rather than merely the number of instruments issued.


  1. Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth). 

  2. See, eg, Stilgherrian, ‘What’s actually in Australia’s encryption laws? Everything you need to know’ ZDNet (online, 10 December 2018) https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/

  3. Explanatory Memorandum, Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth), 2 [1]. 

  4. Robert Gellman, Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing (Report, February 23, 2009) 4. 

  5. Eleanor Dickinson, ‘Australia public cloud services spending to hit $10B by 2022’ ARN (online, 3 April 2019) https://www.arnnet.com.au/article/659610/australia-public-cloud-services-spending-hit-10b-by-2022/

  6. Telecommunications Act 1997 (Cth), s 317GZ. 

  7. Anthony S Blunn, Report of the review of the regulation of access to communications (Report, August 2005). 

  8. Report of the Security Legislation Review Committee (Report, June 2006) [15.1]. 

  9. Telecommunications (Interception and Access) Act 1997 (Cth). 

  10. Telecommunications (Interception and Access) Act 1997 (Cth), s7(1). 

  11. Telecommunications (Interception and Access) Act 1997 (Cth), s7(2). 

  12. Telecommunications Act 1997 (Cth), s 276. 

  13. Telecommunications Act 1997 (Cth), s 279. 

  14. Telecommunications Act 1997 (Cth), s 280. 

  15. Telecommunications (Interception and Access) Act 1997 (Cth), s 5F. 

  16. Telecommunications (Interception and Access) Act 1997 (Cth), s 108. 

  17. Telecommunications (Interception and Access) Act 1997 (Cth), s5 (definition of ‘stored communication’). 

  18. Jaan Murphy, ‘Access to and retention of internet metadata’, FlagPost (Blog Post, 2014) https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/FlagPost/2014/August/Access_to_and_retention_of_internet_metadata

  19. Telecommunications (Interception and Access) Act 1997 (Cth), pt 4-2. 

  20. Privacy Act 1988 (Cth). 

  21. Privacy Act 1988 (Cth), sch 1 pt 6. 

  22. Privacy Act 1988 (Cth), s 16A. 

  23. Privacy Act 1988 (Cth), s 6 (definition of ‘personal information’). 

  24. Telstra Corporation Ltd v Privacy Commissioner [2015] AATA 991 [13]. 

  25. Breyer v Germany (CJEU, C‑582/14, 19 October 2016). 

  26. ‘Google Privacy Policy’, (Web Page, 31 March 2020) https://www.gstatic.com/policies/privacy/pdf/20200331/acec359e/google_privacy_policy_en.pdf

  27. Explanatory Memorandum, Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth), 88 [421]. 

  28. Surveillance Devices Act 2004 (Cth), s 27A(1). 

  29. Surveillance Devices Act 2004 (Cth), s 27E(2). 

  30. Surveillance Devices Act 2004 (Cth), s 12. 

  31. Surveillance Devices Act 2004 (Cth), s 13. 

  32. Surveillance Devices Act 2004 (Cth), s 27C(2)(e). 

  33. Surveillance Devices Act 2004 (Cth), s 27D(3). 

  34. Surveillance Devices Act 2004 (Cth), s 27F. 

  35. Surveillance Devices Act 2004 (Cth), s 45. 

  36. Surveillance Devices Act 2004 (Cth), s 45(4)(b). 

  37. Surveillance Devices Act 2004 (Cth), s 44(1)(aa). 

  38. Surveillance Devices Act 2004 (Cth), s 44(1)(b). 

  39. Surveillance Devices Act 2004 (Cth), s 27H. 

  40. Telecommunications Act 1997 (Cth), s 317C. 

  41. Telecommunications Act 1997 (Cth), s 317RA. 

  42. Telecommunications Act 1997 (Cth), s 317RA(ea). 

  43. Telecommunications Act 1997 (Cth), s 317RA(a). 

  44. Telecommunications Act 1997 (Cth), s 317ZH(1). 

  45. Telecommunications Act 1997 (Cth), s 317ZJ. 

  46. Telecommunications Act 1997 (Cth), s 317ZH(2). 

  47. Telecommunications (Interception and Access) Act 1997 (Cth), s 171(1). 

  48. Telecommunications (Interception and Access) Act 1997 (Cth), s 178. 

  49. Telecommunications (Interception and Access) Act 1997 (Cth), s 180. 

  50. Telecommunications (Interception and Access) Act 1997 (Cth), s 172.

  51. Telecommunications Act 1997 (Cth), s 317E. 

  52. Telecommunications Act 1997 (Cth), s 317E(da). 

  53. Telecommunications Act 1997 (Cth), s 317H(3)(b). 

  54. Telecommunications Act 1997 (Cth), s 317ZH(3). 

  55. Crimes Act 1958 (Vic), s 247B. 

  56. Telecommunications Act 1997 (Cth), s 317ZF. 

  57. Telecommunications (Interception and Access) Act 1979 Annual Report 2018-19 (Report, 2019) 76. 

  58. Surveillance Devices Act 2004 Annual Report 2018-19 (Report, 2019) 19.