Key takeaways

• The Assistance and Access Act endangers the security of everyone who uses online services. It also significantly weakens online privacy.
• The Surveillance Legislation Amendment Bill may allow the Australian government to access users’ data without their consent.

The Assistance and Access Act

The law was adopted on December 9, 2018. It aimed to provide police with more freedom to investigate criminals who use encrypted communications software.

The Surveillance Legislation Amendment (Identify and Disrupt) Bill

The Australian Senate passed the bill on August 25, 2021. The bill grants law enforcement agencies the power to disrupt data by modifying, copying, or deleting it. This would help in stopping serious offenses online.

• The Data Disruption Warrant enables agencies to “add, copy, delete or alter” data on devices.
• The Account Takeover Warrant enables law enforcement agencies to take control of an account and even lock its holder out of it.
• The Network Activity Warrants allow access to networks if there is suspicion of serious online offenses. Yet the term “serious” has a variety of definitions in the legislation.

Key takeaways

• Article 5 of the Constitution ensures the right of private communication. Suspending this right is only possible in the case of a criminal investigation.
• The encryption debate in Brazil focuses on finding the balance between the needs of law enforcement and the promotion of secure encryption systems.

The Constitution of the Federative Republic of Brazil

The Constitution was passed in 1988 and is Brazil’s supreme law. Article 5 of the Constitution guarantees “secrecy of correspondence and of telegraphic, data and telephonic communications is inviolable, except, in the latter case, by court order, in the situations and manner established by law for purposes of a criminal investigation or the fact-finding phase of a criminal prosecution.”

The General Data Protection Law

The law was passed in 2018. It’s a comprehensive data privacy law that aims to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”

Lexology, a comprehensive source of international legal updates and analysis, writes: “However no explicit right to encryption exists in Brazil, although its constitution guarantees the secrecy of correspondence and telegraphic, data, and telephonic communications.”

The Carnegie Endowment for International Peace, a think tank, writes: “The encryption debate in Brazil focuses on balancing the needs of law enforcement and the promotion of secure encryption systems. One of the main issues is the use of end-to-end encryption by communications applications (apps). Some companies have adopted technological architecture that inhibits the government’s ability to obtain access to communications data that could be of use to officials investigating and prosecuting criminal activities.”

Key takeaways

• Laws in China impose a range of restrictions on the manufacturing, import, export, and use of encryption.
• The commercial use of encryption technologies requires certification from the government.

The Cryptography Law of the People’s Republic of China

The law took effect in 2020. It recognizes three different types of cryptography: core, common, and commercial. Core and common cryptography are used to protect the state secrets of the Chinese government, while commercial cryptography is used to protect the information of citizens and businesses. More importantly, the new law also states that it welcomes foreign providers of cryptography services. But is that really the case?

While this might look like an appealing opportunity for encryption businesses, there are certain limits. According to the Chinese authorities, the commercial use of encryption cannot harm the state or public security. Furthermore, encryption technologies must be handed over to the government for certification.

The Data Security Law of the People’s Republic of China

Key takeaway

• Telecom operators and ISPS can use data encryption only after receiving the government’s approval.

The Telecommunication Regulation Law

It prevents Telecom operators and service providers from using encryption equipment without specific clearance from the governmental agencies and requires them to provide all technical assistance. This includes software to enable governmental agencies to exercise their powers within the law. You can read the full text of this law here.

Key takeaways

• The Internal Security Code forces cryptology service providers to decrypt data if the French government demands that.
• The Penal Code states that a refusal to decrypt required data may result in imprisonment or fines up €450,000.

The Law on Confidence in the Digital Economy

Before starting to supply cryptography services or export cryptography products and services, a person must inform the Prime Minister. Failure to do so can be punished by up to two years imprisonment and a fine of up to €30,000. The original text of this law is here.

The Internal Security Code

Under certain circumstances, the code obliges the provider’s cryptology services to deliver to government agents the means of enabling the decryption of the data encrypted by their services within 72 hours or decrypt the data themselves. The full text is here.

The Penal Code

The code states that refusing to give the judicial authorities the “secret convention for deciphering a means of cryptology” likely to have been used to prepare, facilitate, or commit a crime or misdemeanor is punished by three years imprisonment and a €270,000 fine.

If the refusal to cooperate happens at the time when this information would have made it possible to prevent the commission of a crime or misdemeanor or to limit its effects, the penalty is increased to five years imprisonment and a fine of up to €450,000.

Key takeaways

• The National Security Law allows authorities to access people’s personal data. This legislation is a clear threat to encryption.
• The Personal Data Ordinance aims to protect private data. Yet there have been many exemptions.

The National Security Law

This National Security Law was passed on June 30, 2020 by the Standing Committee of the National People’s Congress. The law aims to resolve the anti-extradition bill protests of 2019. The legislation, among others, established the crimes of secession, subversion, terrorism, and collusion with foreign organizations.

The National Security Law allows authorities to surveil, detain, and search people who are suspected of a crime. It also lets law enforcement require content publishers, hosting services, and ISPs to block, remove, and restrict content that’s deemed in violation of the crimes.

The law gives a straight backdoor to what people do and say online. Many pro-democracy news media portals have been closed since 2020, and many people were arrested.

It is the first and longest-used personal data privacy legislation in Asia. Enacted in 1996, with the purpose “to protect the privacy of individuals in relation to personal data, and to provide for matters incidental thereto or connected therewith.” However, it has a long list of exemptions when authorities can access and share personal data.

Key takeaways

• The Criminal Procedure Code allows law enforcement to demand data decryption if it could help a criminal investigation.
• The Privacy Code states that internet service providers must comply with law enforcement requests to access the metadata that relates to a person who could be involved in criminal activity.

The Criminal Procedure Code

According to the relevant provisions of the Italian Criminal Procedure Code and Legislative Decree No. 271 of 1989, cloud service providers (CSPs) and agencies for services and payment (ASPs) can be required to provide the metadata relating to customers’ communications within a criminal investigation as follows:

• Seizure of data in possession of CSPs or ASPs within criminal proceedings. The judicial authority has the power to order the seizure of any information that CSPs possess.
• Access to customers’ data by LEAs. For the purpose of preventing crimes by criminal associations and international terrorist organizations or crimes committed for terrorism purposes through electronic devices, CSPs or ASPs could be ordered to trace telephony and data communications and to authorize access to data relating to such communications.

The Privacy Code

The code states that service providers must comply with law enforcement requests for users’ activity records, known as metadata, under a variety of circumstances, including in the course of a criminal investigation or “for the purpose of preventing crimes by criminal associations and international terrorist organizations.”

Despite civil society protests, there was virtually no public or parliamentary debate on the measure, which had been added to unrelated legislation following a European Council directive before passage. The DPA expressed its objection to the bill, citing its incompatibility with EU law and case law.

Key takeaways

• The Constitution protects everyone’s right to privacy of correspondence. Exceptions are possible in criminal cases only.
• Research assignment-oriented interception (OOG) allows the government to intercept private communication if it poses a threat to national security.

The Constitution of the Kingdom of the Netherlands

The Constitution states that everyone shall have the right to respect for their privacy. The privacy of correspondence shall not be violated except in cases established in law.

The Intelligence and Security Services Act

The act (accessible here in Dutch) was passed in 2017. It allows the authorities to intercept, receive, record, and listen in on any form of communications or data transmission, including decrypting the intercepted data. The authorities may use this power with the prior permission of a relevant minister.

Research assignment-oriented interceptions (OOG)

The General Intelligence and Security Service (AIVD) is a government agency dealing with domestic non-military threats to Dutch national security. One of the AIVD’s powers is research assignment-oriented interceptions (OOG). This means that the agency can intercept certain communications from the airwaves and on Internet cables for further investigation.

The procedure concerns the data of many people, so strict conditions apply before the agency can use OOG interception. It can only be a tool for investigating threats to national security. The government determines which investigations the AIVD conducts.

Key takeaway

• After the legal notice by the Pakistan Telecommunications Authority came into force, it banned encryption software in the country.

The legal notice by the Pakistan Telecommunications Authority

This notice, issued by the Pakistan Telecommunications Authority (PTA), states that the license and access providers shall ensure that signaling information is uncompressed, unencrypted, and not formatted in a manner that the installed monitoring system is unable to decipher it. It requires internet service providers to report customers using “all such mechanisms including EVPNs (encrypted virtual private networks) that conceal communication to the extent that prohibits monitoring.” According to the notice, anyone using this technology needs to apply for special permission.

Key takeaways

• To perform communication interceptions in Portugal, authorization from a judge is always required.
• Only the police could be authorized to carry such interceptions.

Law No. 9

It came to force on February 19, 2007. The law sets out the legal framework for the Portuguese Information Security System (Sistema de Informações/SIS) and for the Portuguese Services for Strategic Defence (SIED). It does not grant powers of interception, encryption or decryption, direct access to communications, or the possibility of requesting such access being granted by electronic communications service providers.

Law No. 53

Released on August 29, 2008, the law establishes the legal provisions applicable to homeland security in Portugal. This law states that access and control of communications may only be carried out following judicial authorization and performed solely by the police.

Key takeaway

• Spanish authorities can request the decryption of data in specific cases and during criminal court proceedings.

The Spanish Constitution

Key takeaways

• The Surveillance Act obliges telecommunication companies to assist the government when it needs to decrypt specific information.
• Telecommunications operators also have to assist law enforcement agencies in setting up and maintaining systems used for surveillance purposes.

The Communications Security and Surveillance Act

It does not specifically address government access to encrypted communications. The legal obligations of telecommunications companies in assisting government surveillance may include enabling the decryption of encrypted communications.

Under Taiwanese law, an interception warrant generally needs to be sought by a prosecutor upon request by the judicial police authorities and issued by a court before interception can commence. The intelligence agency, however, does not appear to need a warrant from the court when intercepting the communications of foreign governments or cross-border terrorist organizations for national security purposes.

Moreover, telecommunications operators are required by the Surveillance Act to assist law enforcement agencies in setting up and maintaining systems used for surveillance purposes. A failure to fulfill the obligations of assisting surveillance is punishable by a fine of 500,000– 2,500,000 TWD (about $15,500–$77,000), an additional accumulative daily fine, and revocation of licenses. The full text of the Surveillance act is available here.

Key takeaways

• The EARN IT act aims to fight the spread of child sexual abuse material online. Yet it threatens the safety of millions who rely on strong encryption every day.
• The LAED act is an explicit attack on encryption. It could weaken the lawful use of encryption in communication services.

The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT)

The bill was introduced on March 5, 2020. It seeks to set best practices to detect and report child sexual exploitation materials. Although the act has good intentions, it has received a lot of criticism.

The ACLU’s senior legislative counsel Kate Ruane said: “The EARN IT Act threatens the safety of activists, domestic violence victims, and millions of others who rely on strong encryption every day. Because of the safety and security encryption provides, Congress has repeatedly rejected legislation that would create an encryption backdoor.”

Matthew Green, a cryptographer and professor at Johns Hopkins University, called the bill a direct attack on end-to-end encryption. He wrote: “This bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn’t come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they’ll go bankrupt if they try to disobey this committee’s recommendations.”

The Lawful Access to Encrypted Data (LAED) Act

The act was introduced on June 23, 2020. It aims to provide police and security agencies with the ability to quickly access information on a suspect’s encrypted device.

Richie Koch from ProtonMail said: “LAED targets all data that is encrypted, both in transit and at rest. So not only would a tech company be forced to help the FBI break into a smartphone seized from a suspect, but it would also have to build a way to let officials monitor end-to-end encrypted communications, including whoever the suspect is talking to. <...> This law would require any American company with more than 1 million users in the US to be able to decrypt its users’ data and present it to law enforcement.”

Privacy Shield 2.0

President Biden signed an Executive Order to implement Privacy Shield 2.0. The order will create a new body within the U.S. Department of Justice that will oversee how American national security agencies are able to access and use information from both European and U.S. citizens.