mark nottingham

What limits legal access to cloud data in Australia?

Monday, 29 June 2020

Australia

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018[1] has proven controversial both before and after passage,[2] with considerable debate about its industry assistance framework and its potential for systemically weakening encryption on the Internet - a framing emphasised by the explanatory memorandum, which introduced the legislation as ‘measures to better deal with the challenges posed by ubiquitous encryption.’[3]

While there has been substantial review and discussion regarding its impact upon encryption, other consequences of this legislation have not received as much scrutiny. In particular, many Internet services only encrypt data when ‘on the wire’ and ‘at rest’, not when it is being processed. How is this ‘cloud data’ protected under Australian law, and how do these changes affect it?

This article examines what cloud data is, how it relates to telecommunications law (or, rather, doesn’t), and how Australian law enables legal access to it, with special attention paid to two mechanisms introduced by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 - computer access warrants and the industry assistance instruments.

I contend that when Parliament extended telecommunications-related access regimes to cover cloud data, they failed to extend the corresponding protections that telephony in Australia enjoys, amounting to a major oversight in this new law. Furthermore, despite repeated reassurances that the protections and oversight of this legislation are adequate, I find several concerning shortcomings.

I am not a lawyer, but I am starting a degree in a law master’s program. As a result, this post is likely to demonstrate my very limited powers of statutory interpretation. Corrections and criticism – especially from the Australian legal community – are welcome via e-mail or Twitter.

What is cloud data?

In 2009, Robert Gellman’s report to the World Privacy Forum opined that ‘computing activity occurring today entirely on computers owned and controlled locally by users will shift to “the cloud” in the future.’[4]

Eleven years later, Australians are fulfilling that prediction, storing an ever-increasing amount of their personal and business data with Internet services. E-mail (e.g., Fastmail, Gmail) has been a cloud service since before people started using the term. People have used services like social networking (Facebook) and cloud file sharing (Dropbox, iCloud, Box) for some time, along with cloud music sharing (Spotify, iHeart) and calendaring (Google Calendar, Office365). More recently, people have increasingly stored financial data (Xero, Pocketbook), business data (Amazon Web Services, Google Cloud, GitHub), health data (HealthVault, FitBit), and indeed legal data (LexisNexis) on other people’s servers. Gartner forecasts that the Australian public cloud market will soon be worth AUD10 billion.[5]

This trend reflects the greater convenience, reliability and availability that these services offer, in contrast to keeping data only on a local computer. Considering the expense and complexity of setting up, running, monitoring and updating a highly available, redundant data store, it makes sense to keep data in the cloud; not only is doing so cheaper and safer, it makes the data easily and globally available to multiple devices – an important consideration when many people have multiple phones and computers.

However, much of this data is available to the cloud provider; it is unencrypted when residing on the cloud server or the cloud provider has access to the encryption key. So-called end-to-end encryption (where only the user of the service can decrypt their data) is a comparative rarity; none of the services mentioned above offer it. This is not surprising; often, a service adds value to the data or must otherwise process it, and so needs access.

Notably, when end-to-end encryption is not in use, the much-discussed requirement that a designated communications provider must not be required to ‘implement or build a systemic weakness or a systemic vulnerability into a form of electronic protection’[6] is prima facie not applicable, because requiring a cloud provider who already has access to unencrypted data to supply it does not create such a vulnerability.

Thus putting aside discussion of encryption, let us examine how cloud data fits into the current legal access landscape.

What cloud data is not

Because the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 primarily modifies telecommunications legislation, it is natural to look at it through that lens first.

The 2005 Blunn review acknowledged the dual purpose of telecommunications interception legislation, explaining that ‘the protection of privacy should continue to be a fundamental consideration in, and the starting point for, any legislation providing access to telecommunications for security and law enforcement purposes’ but also that ‘access to telecommunications data is, and for the foreseeable future will remain, fundamental to effective security and law enforcement.’[7]

In 2006, the report of the Security Legislation Review Committee reinforced the focus on privacy, stating that ‘[t]he primary purpose of the Telecommunications (Interception) Legislation Act 1979 (Interception Act) is to protect the privacy of individuals who use the Australian telecommunications system.’[8]

In this spirit, the Telecommunications Act 1997 and the Telecommunications (Interception and Access) Act 1979[9] create both legal protections and access regimes for three classes of information:

Communications data have powerful protections; interception of ‘a communication passing over a telecommunications system’ is prohibited,[10] unless it is done on behalf of the carrier as part of their duties, under a warrant, or as allowed by other legislation.[11] Likewise, telecommunications providers are prohibited from disclosing communications data[12] unless done in the course of their duties[13] or when an appropriate warrant is in place.[14]

However, cloud data is likely not included in these protections, because it is not ‘passing over a telecommunications system’; that ends once it ‘becomes accessible to the intended recipient of the communication.’[15] For most cloud services, a reasonable interpretation is that the service itself is that intended recipient.

Stored communications have similar protections,[16] but again most cloud data does not qualify, because almost all cloud services in Australia are not ‘held on equipment that is operated by, and is in the possession of, a carrier’.[17]

For example, e-mail stored on Telstra’s servers is likely to qualify for protection as stored communications (depending on how one interprets its corporate structure); that stored on a non-carrier ISP, FastMail, or Gmail is not.

Finally, telecommunications data is information used to provide a service - for example, a log of telephone calls made and received for billing and technical purposes (sometimes called traffic data), or the contact details for a customer (sometimes called account data).

Putting aside significant uncertainty around what counts as metadata,[18] cloud data does not seem to generally qualify for whatever protections metadata does have (such as the need to follow certain procedures for access),[19] for the same reason as stored communications - in most cases, a carrier does not hold or control cloud data.

Cloud data is just business data

If cloud data has no relevant protection under telecommunications law, we can view it in the same way as any other information held by a person. Under the Privacy Act 1988,[20] a cloud provider is bound by the Australian Privacy Principles, provided they do not qualify as a small business.

Australian Privacy Principle 6 prohibits disclosure of personal information unless it ‘is required or authorised by or under an Australian law or a court/tribunal order.’[21] That might happen when they have ‘reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to [the cloud provider’s] functions or activities has been, is being or may be engaged in.’[22]

However, the definition of personal information is restricted to ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’,[23] and there is some precedent that reads this strictly. For example, an IP address is not considered personal information in Australia,[24] despite it being considered Personally Identifying Information in European courts.[25]

These limited protections and the exceptions to them are evident in most cloud providers’ agreements. For example, Google’s terms and conditions state:

We will share personal information outside of Google if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to … [m]eet any applicable law, regulation, legal process, or enforceable governmental request[, or p]rotect against harm to the rights, property or safety of Google, our users, or the public as required or permitted by law.[26]

Note that both in the legislation and in the typical contractual terms, a warrant or other enforceable request from a government can cause disclosure, but there is also considerable room for the providers’ judgement to allow it.

Cloud data and computer access warrants

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 introduced computer access warrants to the Surveillance Devices Act 2004, designed to ‘[take] into account the increasing use of distributed and cloud-based services for processing and storing data’[27] - clearly aiming them at cloud data, not just ‘legal hacking’.

A request for a computer access warrant with a cloud service as its target is valid even if no offence has yet taken place; the requesting officer need only suspect that ‘one or more relevant offences have been, are being, or about to be, or are likely to be, committed’ and that ‘access to data held in a computer … is necessary … for the purposes of enabling evidence to be obtained.’[28]

Notably, there is no legislated requirement for a specified person as the target of the request, and there is no real limit on what a requestor might consider ‘relevant data’.[29] Instead, restrictions on the execution of a computer access warrant are in the hands of the eligible Judge[30] or nominated Administrative Appeals Tribunal member[31] who receives the application. There are several guidelines for what they must have regard to, including ‘the extent to which the privacy of any person is likely to be affected’,[32] but they are discretionary.

A computer access warrant can be in effect for up to 90 days,[33] and can be extended in 90-day increments.[34]

There are limits on the use of information obtained by a computer access warrant,[35] but with broad exceptions like ‘a person who believes on reasonable grounds that the use or communication is necessary to help prevent or reduce the risk of serious violence to a person or substantial damage to property’.[36] Intriguingly, there is also a carve-out for ‘general computer access intercept information’[37] - which could include metadata.

Notably, computer access warrants are secret.[38] Furthermore, the information collected by a law enforcement officer using a computer access warrant may be kept until ‘the chief officer of the law enforcement agency … is satisfied that access to data under the warrant is no longer required.’[39]

Cloud data and industry assistance

Another contribution of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 was expansion of the Telecommunications Act 1997 to encourage or require industry assistance not only from telecommunications carriers but also from a wide variety of designated communications providers[40] – including cloud providers.

Like computer access warrants, an industry assistance instrument applied to a cloud provider could affect many of its users. While there are guidelines in the legislation (for example, regarding whether a Technical Assistance Notice is reasonable and proportionate),[41] they are discretionary, and require an understanding of the technical options at hand. It may well be felt that the ‘least intrusive form of industry assistance’[42] available is casting the net widely, when the ‘interests of national security’[43] are at stake.

However, these instruments have no effect if they require a warrant or authorisation under Commonwealth or State law.[44] Given that computer access warrants already afford lawful access to data on an arbitrary computer, it is reasonable to ask why these instruments are necessary, at least for cloud providers.

One reason may be to offer a ‘carrot’ for cooperation by designated communications providers, who are indemnified from civil liability related to execution of the compulsory instruments.[45] Unlike telecommunications providers, who depend on the government for licensing and have a history of close collaboration with it, cloud providers often have a more distant relationship. A closer reading, however, suggests access to metadata without a warrant as a potential motivation.

Can agencies access cloud metadata without a warrant?

‘Metadata’ is not a well-defined concept outside of telecommunications,[18] but the extension of telecommunications interception law raises the question of whether an industry assistance instrument can be used to request certain types of data without a warrant, due to some other authorisation.

Initially this seems straightforward, but the clause requiring a warrant or authorisation has a proviso to ‘assume that each reference in Part 13 to a carriage service provider included a reference to a designated communications provider.’[46]

When read in isolation, Part 13 creates no direct requirements for a warrant or authorisation, and so this proviso would seemingly be inoperative. Reading it in combination with Chapter 4 of the Telecommunications (Interception and Access) Act 1979 is more illuminating, because that chapter relies upon Part 13 for its definition of metadata: ‘Divisions 3, 4 and 4A set out some circumstances when sections 276, 277 and 278 of the Telecommunications Act 1997 do not prohibit a disclosure of information or a document.’[47]

Chapter 4 then creates several authorisations for access to telecommunications data. For example, an enforcement agency can authorise the disclosure of existing documents[48] or of documents that come into existence during the period for which the authorisation is in force,[49] provided that it is not the content or substance of a communication.[50]

Notably, the ‘specified information or specified documents’ that Chapter 4 creates authorisations for are not specific to telecommunications; it only specifies them in terms of what they are not: ‘information that is the contents or substance of a communication.’[50]

So, does this clause create an authorisation to gather metadata without a warrant from designated service providers?

One argument against that interpretation is the limitation on what an industry assistance instrument can request or compel.[51] However, one of the permitted ‘acts or things’ is anything done to assist in or facilitate ‘giving effect to a warrant or authorisation’.[52] So, if reinterpretation of Part 13 indeed creates an authorisation, one reading is that this might be enough to justify the use of an industry assistance instrument. Another reading is that the reinterpretation of Part 13 only applies to determining whether the instrument requires a warrant or authorisation, not for the purposes of defining the ‘act or thing.’

Yet another potential barrier is a subsequent clause that an industry assistance instrument has no effect if it were to ‘request or require a designated communications provider to … access data held in a computer (within the meaning of the Surveillance Devices Act 2004).’[53]

There is also a qualification in effect here: ‘…if a law of a State or Territory requires a warrant or authorisation for that use or access.’[54] For example, in Victoria unauthorised access to a computer is an offence,[55] and so the usual mechanism for legal access to it is a search warrant.

On balance, it seems unlikely that a court would interpret the legislation as allowing access to cloud metadata (however defined) without a warrant, but I am far from certain about that; the ‘assume that each reference in Part 13’ clause is perplexing.

If there is a sound legal interpretation, I would very much like to hear it. Absent that, we’re unlikely to get a definitive answer, because the operation of the industry assistance instruments is secret.[56]

Conclusions

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 was introduced to address the problems brought by increasing use of encryption. It achieved this by enabling legal access to data where it is increasingly available unencrypted: in the cloud. While one could view such powers as a logical extension of existing telecommunications arrangements if limited to services like Voice over IP, this legislation falsely equates access to voice calls with access to a significantly richer and broader source.

While previous Parliaments carefully embedded safeguards for private telephone calls in Australian telecommunications legislation, that protection was not expanded to match the access enabled by these amendments, even as most communications (along with personal and business data) shifted from telephone calls and filing cabinets to cloud services.

This is arguably a major shortcoming of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018. Parliament could remedy this by introducing explicit legal protections for cloud data, to mirror those we enjoy for telecommunications.

Additionally, computer access warrants have significant potential for overreach when applied to cloud data. For example, if a law enforcement officer formed a belief that accessing the social graph or e-mail of every Australian would help prevent terrorism, they could get a warrant to do so merely by convincing an eligible Judge or nominated Administrative Appeals Tribunal member that it was necessary. Given the range of technical knowledge in that group, it’s probable that some will not understand the full consequences of doing so.

After executing such a warrant, the Act only requires them to inform the Commonwealth Ombudsman and the Minister; the secrecy measures around these instruments prevent disclosure to others. The resulting report tabled in Parliament would only list a single Computer Access Warrant for such an incident, no matter how many accounts (or real people) were involved. Thus, if an agency, a Minister and the Ombudsman become convinced that such pervasive surveillance is in Australia’s interest, they could, in theory, act upon it without additional oversight, 90 days at a time.

This scenario may be far-fetched; I fervently hope it is. However, I will point out that people with strong convictions and a deep faith that they were doing the right thing for their country created the programs and capabilities revealed by Edward Snowden. The Act (commonly abbreviated TOLA) appears to open the legal possibility of programs like PRISM – collecting bulk data from popular cloud services – in Australia, if there is motivation to do so.

Parliament could avoid this possibility by introducing more adversarial oversight to these instruments and expanding reporting to include the number of people and accounts affected by them. Parliament should also consider how to relax the Act’s secrecy measures after a reasonable amount of time has passed.

Finally, the lack of effective limits on what agencies can do with the information obtained by Computer Access Warrants is troubling. Opportunistically collected data can be saved and repurposed, resulting in a troubling capability for surveillance — again with parallels in the US programs revealed by Edward Snowden. Parliament could mitigate this concern by more carefully constraining how data obtained through Computer Access Warrants is kept and used.

Despite all the above, I believe that these instruments have merit; as the Blunn report said, access to telecommunications is important to law enforcement, and thus is important to society. It’s also important to remember that there is no current evidence of abuse; the first mandated annual reports for these instruments disclose only seven voluntary Technical Assistance Requests[57] and eight computer access warrants (with two extensions).[58] In their current form, however, these instruments don’t achieve the balance that is so critical to their acceptance by society.


  1. Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth).

  2. See, eg, Stilgherrian, ‘What’s actually in Australia’s encryption laws? Everything you need to know’ ZDNet (online, 10 December 2018) https://www.zdnet.com/article/whats-actually-in-australias-encryption-laws-everything-you-need-to-know/.

  3. Explanatory Memorandum, Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth), 2 [1].

  4. Robert Gellman, Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing (Report, 23 February 2009) 4.

  5. Eleanor Dickinson, ‘Australia public cloud services spending to hit $10B by 2022’ ARN (online, 3 April 2019) https://www.arnnet.com.au/article/659610/australia-public-cloud-services-spending-hit-10b-by-2022/.

  6. Telecommunications Act 1997 (Cth), s 317GZ.

  7. Anthony S Blunn, Report of the review of the regulation of access to communications (Report, August 2005).

  8. Report of the Security Legislation Review Committee (Report, June 2006) [15.1].

  9. Telecommunications (Interception and Access) Act 1979 (Cth).

  10. Telecommunications (Interception and Access) Act 1979 (Cth), s 7(1).

  11. Telecommunications (Interception and Access) Act 1979 (Cth), s 7(2).

  12. Telecommunications Act 1997 (Cth), s 276.

  13. Telecommunications Act 1997 (Cth), s 279.

  14. Telecommunications Act 1997 (Cth), s 280.

  15. Telecommunications (Interception and Access) Act 1979 (Cth), s 5F.

  16. Telecommunications (Interception and Access) Act 1979 (Cth), s 108.

  17. Telecommunications (Interception and Access) Act 1979 (Cth), s 5 (definition of ‘stored communication’).

  18. Jaan Murphy, ‘Access to and retention of internet metadata’, FlagPost (Blog Post, 2014) https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/FlagPost/2014/August/Access_to_and_retention_of_internet_metadata.

  19. Telecommunications (Interception and Access) Act 1979 (Cth), pt 4-2.

  20. Privacy Act 1988 (Cth).

  21. Privacy Act 1988 (Cth), sch 1 pt 6.

  22. Privacy Act 1988 (Cth), s 16A.

  23. Privacy Act 1988 (Cth), s 6 (definition of ‘personal information’).

  24. Telstra Corporation Ltd v Privacy Commissioner [2015] AATA 991 [13].

  25. Breyer v Germany (CJEU, C‑582/14, 19 October 2016).

  26. ‘Google Privacy Policy’ (Web Page, 31 March 2020) https://www.gstatic.com/policies/privacy/pdf/20200331/acec359e/google_privacy_policy_en.pdf.

  27. Explanatory Memorandum, Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth), 88 [421].

  28. Surveillance Devices Act 2004 (Cth), s 27A(1).

  29. Surveillance Devices Act 2004 (Cth), s 27E(2).

  30. Surveillance Devices Act 2004 (Cth), s 12.

  31. Surveillance Devices Act 2004 (Cth), s 13.

  32. Surveillance Devices Act 2004 (Cth), s 27C(2)(e).

  33. Surveillance Devices Act 2004 (Cth), s 27D(3).

  34. Surveillance Devices Act 2004 (Cth), s 27F.

  35. Surveillance Devices Act 2004 (Cth), s 45.

  36. Surveillance Devices Act 2004 (Cth), s 45(4)(b).

  37. Surveillance Devices Act 2004 (Cth), s 44(1)(aa).

  38. Surveillance Devices Act 2004 (Cth), s 44(1)(b).

  39. Surveillance Devices Act 2004 (Cth), s 27H.

  40. Telecommunications Act 1997 (Cth), s 317C.

  41. Telecommunications Act 1997 (Cth), s 317RA.

  42. Telecommunications Act 1997 (Cth), s 317RA(ea).

  43. Telecommunications Act 1997 (Cth), s 317RA(a).

  44. Telecommunications Act 1997 (Cth), s 317ZH(1).

  45. Telecommunications Act 1997 (Cth), s 317ZJ.

  46. Telecommunications Act 1997 (Cth), s 317ZH(2).

  47. Telecommunications (Interception and Access) Act 1979 (Cth), s 171(1).

  48. Telecommunications (Interception and Access) Act 1979 (Cth), s 178.

  49. Telecommunications (Interception and Access) Act 1979 (Cth), s 180.

  50. Telecommunications (Interception and Access) Act 1979 (Cth), s 172.

  51. Telecommunications Act 1997 (Cth), s 317E.

  52. Telecommunications Act 1997 (Cth), s 317E(da).

  53. Telecommunications Act 1997 (Cth), s 317H(3)(b).

  54. Telecommunications Act 1997 (Cth), s 317ZH(3).

  55. Crimes Act 1958 (Vic), s 247B.

  56. Telecommunications Act 1997 (Cth), s 317ZF.

  57. Telecommunications (Interception and Access) Act 1979 Annual Report 2018-19 (Report, 2019) 76.

  58. Surveillance Devices Act 2004 Annual Report 2018-19 (Report, 2019) 19.