
Version 27.0, February 2013

© Bert-Jaap Koops **Portions © Analog Devices, Inc.**

Licensed under Creative Commons Attribution Share Alike 4.0 International.

SPDX-License-Identifier: CC-BY-SA-4.0

[Australia]{#aus} [Sources 1, 3, 5, 8]

1. Export/import controls

Export is regulated through the Defence and Strategic Goods List, last changed in June 1999 according to the December 1998 Wassenaar Arrangement. This includes the General Technology Note, exempting public-domain software from controls. Mass-market software is regulated according to the Wassenaar limits. There is a personal-use exemption (export is allowed for lawful permanent residents, provided they keep control of the crypto and make sure it is not transferred anywhere; a record must be kept for 3 years).

Before the 1999 implementation of Wassenaar, export regulations of December 1996 (see Cat 5.doc) were in accordance with the pre-December 1998 Wassenaar Arrangement, with the exception of the General Software Note. Written permission was needed for exporting cryptographic equipment designed to ensure the secrecy of communications or stored information. Public-domain or generally available crypto software was included in the export controls (only public-domain "technology", i.e. specific information necessary for the use of goods, was excluded).

Approval is also required for software that does not itself contain cryptography, but which has an interface specially designed for plugging in cryptography.

Crypto software transmitted electronically (e.g., over the Internet) was apparently not controlled. In mid-1998, the Defence Department became concerned that electronic exports were not covered by the controls, and to counter this, it apparently threatened to use the Weapons of Mass Destruction Act. This in turn triggered a campaign by Electronic Frontiers Australia. After six months, the Defence Signals Directorate determined that no license was required for an online mirror of PGPi, provided that a warning is contained in the download page that the downloader may infringe Australian export rules if he does not have export approval; apparently, the burden of seeking a license is thus shifted to the downloader rather than the person who makes software available electronically.

Compare Nick Ellsmore's Cryptology for background on the Australian situation.

2. Domestic laws and regulations

On 27 September 2001, the Cybercrime Act, No. 161, 2001, was passed, based on the Council of Europe's (then draft) Convention on Cybercrime. Item 12 of the law inserts a section 3LA in the Crimes Act 1914, which requires release of encryption keys or decryption of encrypted data upon a magistrate's order. The order may be granted if there are reasonable grounds for suspecting evidential material is held in or accessible from a computer, and the specified person is a suspect or (an employee of) the owner or lessee of the computer, who has relevant knowledge of the encryption. Failure to comply with the order was initially punishable with up to six months' imprisonment; this was later raised to two years' imprisonment. The same power is granted in section 201A of the Customs Act 1901, which retains the maximum punishment of six months' imprisonment. Since the order can explicitly be given to suspects, the privilege against self-incrimination (section 128 Evidence Act 1995) seems overruled by this statutory provision and hence would not apply. In practice, the focus of s. 3LA seems to be on non-suspects such as system administrators rather than suspects; for a critical discussion of this practice of addressing non-suspects to assist in law enforcement, see James, Nickolas John (2004), Handing over the keys: Contingency, power and resistance in the context of section 3LA of the Australian Crimes Act 1914. The University of Queensland Law Journal, 23(1): 7-21.

3. Developments in cryptography regulation

Earlier developments

  • There was an apparently unfounded rumour in the mid-1990s that Australia was planning to restrict banks to Government Access to Keys.

At the OECD meeting of December 1995, Australia expressed little interest in the use of Trusted Third Parties for judicial access to keys. Instead, the paper of the delegation suggested requiring suspects to decrypt in case of a warrant; this would require the rules against self-incrimination to be adapted.

A 1996 report by Gerard Walsh, Review of policy relating to encryption technologies, was barred from public release in February 1997 by the Attorney-General's Department. After a freedom of information request by Electronic Frontiers Australia (EFA), it was released, and it is now available online at EFA. The main finding of the Review was that major legislative action was not advised at the time to safeguard national security and law-enforcement interests, although a range of minor legislative and other actions were indicated (such as the creation of an aggregate statute on intrusive investigative powers). The review did not recommend specific options for encryption legislation at the time. One action indicated was to consider establishing a further and more serious category of offence where encryption is used to obstruct government investigation into a criminal offence, and to consider creating a power to require production of crypto keys (or other recovery information). The review did not support mandatory key recovery at that stage.

Compare Nick Ellsmore's Cryptology for background on the Australian situation.
