Encryption is a crucial enabler of the rights to privacy and freedom of expression, however its legal situation varies from country to country. We look at some common encryption laws around the world and how they apply to Australia, the U.S., Canada, New Zealand and the UK.
What are some common encryption laws and policies around the world?
General right to encryption
This refers to the existence of national legislation which establishes a general right for individuals to use encryption products and services.
Countries with a general right to encryption
There are no known policies or legislation in Australia, New Zealand, the U.S. and the U.K. regarding a general right to Encryption.
In Canada there is no specific right to encryption, however the Canadian Charter of Rights and Freedoms protects the right to “freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication” (section 2(b)) and that “everyone has the right to be secure against unreasonable search or seizure” (section 8). The government of Canada has recognised that these rights would be engaged by any restrictions relating to encryption.
Mandatory minimum or maximum encryption strength
This refers to national legislation which sets down either minimum or maximum standards for encryption products and services.
Countries with minimum/maximum encryption standards
Neither Australia, New Zealand, the U.S., Canada or the U.K. have any known legislation or policies regarding minimum/maximum encryption standards.
This refers to national legislation which requires providers (or users) of encryption products or services to be licensed or registered in some manner.
Countries with licensing/registration requirements
Neither Australia, New Zealand, the U.S., Canada or the U.K. have any known legislation or policies regarding licensing/registration requirements.
This refers to national legislation which sets out limitations or conditions on the lawful importation or exportation of encryption products or services.
Countries with import/export controls
Neither Australia, New Zealand or the UK have any known legislation or policies regarding import/export controls.
In the U.S., the International Traffic in Arms Regulations and the Export Administration Regulations both impose controls on the export of certain forms of encryption.
In Canada, Section 3 of the Export and Import Permits Act allows the government to establish an Export Control List, setting out restrictions on the export of certain articles. Items on the list must generally be authorised by an export permit before they can be exported from Canada, and include certain forms of cryptography. A permit is not required, however, if the cryptographic item is being exported to the USA, nor if the cryptographic item is one that is marketed to the general public.
Obligations on providers to assist authorities
This refers to national legislation or policies which require or request private entities to assist state authorities to access the content of encrypted communications.
Countries with obligations on providers
Crimes Act 1914: Section 3LA (inserted by the Cybercrimes Act 2001) allows a law enforcement officer, subject to obtaining a warrant from a magistrate, to require a person to “provide any information or assistance that is reasonable and necessary to allow a constable to”:
(a) access data held in, or accessible from, a computer or data storage device that:
(i) is on warrant premises; or
(ii) is at a place for examination or processing; or
(iii) has been seized under the Act
(b) copy data held in, or accessible from, such a computer, or data storage device to another data storage device
(c) convert into documentary form or another form intelligible to a constable:
(i) data held in, or accessible from, such a computer, or data storage device or
(ii) data held in a data storage device to which the data was copied as described in paragraph (b); or (iii) data held in a data storage device removed from warrant.
Failure to comply is punishable with up to two years’ imprisonment.
Section 9(1) of the Telecommunications (Interception Capability and Security) Act 2013 requires all network operators to ensure that public telecommunications networks and telecommunications services have “full interception capability”. This includes a duty to ensure that the interception capability is developed, installed, and maintained (section (9(3)).
The United States
There is no legislative power which can be used to require telecommunication or online service providers to facilitate the decryption of encrypted communications.
However, section 103(a) of the Communications Assistance for Law Enforcement Act of 1994 requires all telecommunications carriers to ensure that their equipment, facilities or services that provide a customer or subscriber with the ability to originate, terminate or direct communications have certain capabilities. These include interception of communications and delivering intercepted communications to the government, where the government obtains a court order or there is some other lawful authorisation.
No known legislation or policies.
Regulation of Investigatory Powers Act 2000: Part III regulates the investigation of electronic data protected by encryption. It allows for certain law enforcement agencies, normally with judicial authorisation, to require a person holding encrypted information to produce the data in an intelligible format or to provide the key for its disclosure. Failure to so is a criminal offence (punishable by up to five years’ imprisonment in cases involving national security or child indecency, and by up to two years’ imprisonment in all other cases).
Investigatory Powers Act 2016: Sections 254 to 259 regulate “technical capability notices”. They allow the Secretary of State, where they consider it to be “necessary” and “proportionate”, and with the authorisation of a Judicial Commissioner, to impose a “technical capability notice” on a service provider imposing certain obligations. Such an obligation could include that they to remove encryption that they have applied on communications (but not encryption that those communicating have applied).
Obligations on individuals to assist authorities
This refers to national legislation or policy which provides for state authorities to be able to require individuals to decrypt (or assist in the decryption) of encrypted communications.
Countries with obligations on individuals
The provisions of Section 3LA of the Crimes Act 1914 impose the same obligations on individuals as on providers (see above).
Under section 130 of the Search and Surveillance Act 2012, a person with a search power in respect of data held in a computer system or other data storage device may require a specified person to provide access information and other information or assistance that is reasonable and necessary to allow the person exercising the search power to access that data. This could include a requirement that they decrypt information which is necessary to access a particular device.
It is an offence to fail to assist a person exercising a search power when requested to do so under section 130(1), without reasonable excuse, punishable with imprisonment for up to three months (section 178).
No known legislation or policies.
No known legislation or policies.
The provisions of Part III of the Regulation of Investigatory Powers Act 2000 impose the same obligations on individuals as on providers (see above).