Regulatory arbitrage and transnational surveillance: Australia’s extraterritorial assistance to access encrypted communications

This article examines developments regarding encryption law and policy within ‘Five Eyes’ (FVEY) countries by focussing on the recently enacted Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) in Australia. The legislation is significant both domestically and internationally because of its extraterritorial reach, allowing the development of new ways for Australian law enforcement and security agencies to access encrypted telecommunications via transnational designated communications providers, and allowing for Australian authorities to assist foreign counterparts in both enforcing and potentially circumventing their domestic laws. We argue that Australia is the ‘weak link’ in the FVEY alliance as it - unlike other FVEY members - has no comprehensive enforceable human rights protections. Given this, there is a possibility for regulatory arbitrage in exploiting these new surveillance powers to undermine encryption via Australia.


INTRODUCTION
Since the Snowden revelations in 2013 (see e.g., Lyon, 2014; Lyon, 2015) an ongoing policy issue has been the legitimate scope of surveillance, and the extent to which individuals and groups can assert their fundamental rights, including privacy. There has been a renewed focus on policies regarding access to encrypted communications, which are part of a longer history of the 'cryptowars' of the 1990s (see e.g., Koops, 1999). We examine these provisions in the Anglophone 'Five Eyes' (FVEY) 1 countries - Australia, Canada, New Zealand, the United Kingdom and the United States (US) - with a focus on those that attempt to regulate communications providers. The paper culminates with the first comparative analysis of recent developments in Australia. The Australian developments are novel in the breadth of entities to which they may apply and their extraterritorial reach: they attempt to regulate transnational actors, and may implicate Australian agencies in the enforcement - and potential circumvention - of foreign laws on behalf of foreign law enforcement agencies. This latter aspect represents a significant and troubling development in the context of FVEY encryption-related assistance provisions.
We explore this expansion of extraterritorial powers that extend the reach of all FVEY nations via Australia, by requesting or coercing assistance from transnational technology companies as "designated communications providers", and allowing foreign law enforcement agencies to request their Australian counterparts to make such requests. Australia has unique domestic legal arrangements, which include an aggressive stance on mass surveillance (Molnar, 2017), an absence of comprehensive constitutional or legislated fundamental rights at the federal level (Daly & Thomas, 2017; Mann et al., 2018), and has recently enacted the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) 2, the focus of this article. We demonstrate that Australia's status as the 'weak link' in the FVEY alliance enables the introduction of laws less likely to be constitutionally or otherwise legally permissible elsewhere. We draw attention to the extraterritorial reach of the Australian provisions which affords the possibility for other FVEY members to engage in regulatory arbitrage to exploit the weaker human rights protections and oversight measures in Australia.
Yet, unlike any of the other FVEY members, Australia has no comprehensive enforceable human rights protection at the federal level (Daly & Thomas, 2017; Mann et al., 2018). 3 Australia does not have comprehensive constitutional rights (like the US and Canada), a legislated bill of rights (like NZ and the UK) nor recourse to regional human rights bodies (like the UK and its relationship with the European Convention on Human Rights) (Refer to Table 1).
Given this situation, we argue Australia is a 'weak link' among FVEY partners because its legal framework allows for a more vigorous approach to legislating for national security at the expense of human rights protections, including but not limited to, privacy (Williams & Reynolds, 2017; Mann et al., 2018). Australia's status as a human rights 'weak link' affords the 'legal possibility' for measures which may be 'legally impossible' in other jurisdictions, including those of the other FVEY countries, given peculiar domestic and regional rights protections.

ENCRYPTION LAWS IN THE FIVE EYES
FVEY governments have made frequent statements regarding their surveillance capabilities 'going dark' due to encryption, with consequences for their ability to prevent, detect and investigate serious crimes such as terrorism and the dissemination of child exploitation material (Comey, 2014). This is despite evidence that the extensive surveillance powers that these agencies maintain are mostly used for the investigation of drug offences (Wilson & Mann, 2017;. Further, there is an absence of evidence that undermining encryption will improve law enforcement responses (Gill, Israel, & Parsons, 2018), coupled with disregard for the many legitimate uses of encryption (see e.g., Abelson et al., 2015), including the protection of fundamental rights (see e.g., Froomkin, 2015).
It is important to note, as per Koops and Kosta (2018), that communications may be encrypted by different actors at different points in the telecommunications process. Where, and who applies encryption, will affect which actors have the ability to decrypt communications, and accordingly where legal obligations to decrypt may lie, or be actioned. For example, in some scenarios the service provider maintains the means of decrypting the communications, but this would not be the case where the software provider or end user has the means to decrypt (i.e., 'at the ends'). More recently, the focus has shifted to communications providers offering encrypted services or facilitating a third party offering such services over their networks. These actors can be forced to decrypt communications either via 'backdoors' (i.e., deliberate weaknesses or vulnerabilities) built into the service, or via legal obligations to provide assistance. The latter scenario is not a technical backdoor per se, but could be conceptualised as a 'legal' means to acquire a 'backdoor' as the government agency will obtain covert access to the service and communications therein, thus having a similar outcome to a technical backdoor. It is these measures which are the focus of our analysis. We provide a brief overview of the legal situation in each FVEY country (Table 1), before turning to Australia as our main focus.

UNITED STATES
The legal situation in the US to compel decryption depends, at least in part, on the actor targeted. The US has no specific legislation dealing with encryption although other laws on government investigatory and surveillance powers may be applicable (Gonzalez, 2019). Forcing an individual to decrypt data or communications has generally been considered incompatible with the Fifth Amendment to the US Constitution (i.e. the right against self-incrimination), although there is no authoritative Supreme Court decision on the issue (Gill, 2018).
Furthermore, the US government may be impeded by arguments that encryption software constitutes 'speech' protected by the First Amendment and Fourth Amendment (Cook Barr, 2016; Gonzalez, 2019; see also Daly, 2017).
For communications providers, the US has a provision in the Communications Assistance for Law Enforcement Act (CALEA) §1002 on Capability Requirements for telecommunications providers, which states that providers will not be required to decrypt or ensure that the government can decrypt communications encrypted by customers, unless the provider has provided the encryption used (see e.g., Koops & Kosta, 2018). 4 In an attempt to avoid the difficulty of forcing individuals to decrypt, and the CALEA requirements' application only to telecommunications companies, attention has been turned to technology companies, including equipment providers. Litigation has been initiated against companies that refuse to provide assistance; the most notable being the FBI-Apple dispute concerning the locked iPhone of one of the San Bernardino shooters (Gonzalez, 2019).
Ultimately the FBI were able to unlock the iPhone without Apple's assistance, by relying on a technical solution from Cellebrite (Brewster, 2018), thereby engaging in a form of 'lawful hacking' (Gonzalez, 2019). Absent a superior court's ruling, or legislative intervention, the legal position regarding compelled assistance remains uncertain (Abraha, 2019). which obliges providers to decrypt any communications they have encrypted on receiving a lawful request, but excludes end-to-end encryption "that can be employed without the service provider's knowledge" (Gill, Israel, & Parsons, 2018, p. 59; West & Forcese, 2020). It appears the requirements only apply to encryption applied by the operator itself, can involve a bulk rather than case-by-case decryption requirement, do not require the operator to develop "new capabilities to decrypt communications they do not otherwise have the ability to decrypt", and do not prevent operators employing end-to-end encryption (Gill, Israel, & Parsons, 2018, p. 60; West & Forcese, 2020).

CANADA
There are provisions of the Canadian Criminal Code which give operators immunity from civil and criminal liability if they cooperate with law enforcement 'voluntarily' by preserving or disclosing data to law enforcement, even without a warrant (Gill, Israel, & Parsons, 2018, p. 57).
There are also production orders and assistance orders that can be issued under the Criminal Code to oblige third parties to assist law enforcement, and disclose documents and records which could, in theory, be used to target encrypted communications (Gill, Israel, & Parsons, 2018, pp. 62-63), but West and Forcese (2020, p. 13) cast doubt on this possibility. There are also practical limitations, including the fact that many digital platforms and service providers do not have a physical presence in Canada, and thus are effectively beyond the jurisdiction of Canadian authorities (West & Forcese, 2020). Here, Mutual Legal Assistance Treaties (MLATs) could be used, although their use is notoriously beset with delay, and may only be effective if the other jurisdiction has its own laws to oblige third parties to decrypt data or communications (West & Forcese, 2020).
The Canadian Charter of Rights and Freedoms has a number of sections relevant to how undermining encryption can interfere with democratic freedoms, namely sections 2 (freedom of expression), 7 (security of the person), 8 (right against unreasonable search and seizure), and the right to silence and protection from self-incrimination contained in sections 7, 11 and 14 (West & Forcese, 2020). Case law from Canadian courts suggests that individuals cannot be compelled to decrypt their own data (Gill, 2018, p. 451). The Charter implications of BlackBerry's assistance to the Canadian police in the R v Mirarchi 5 case was never ruled on as the case was dropped (Gill, Israel, & Parsons, 2018, p. 58).
In the absence of a legislative proposal before the Canadian Parliament, it is difficult to surmise how, and whether, anti-encryption powers would run up against human rights protections. Yet any concrete proposal would likely face scrutiny in the courts given the impacts on Canadians' Charter-protected rights.

NEW ZEALAND
In New Zealand, provisions in the Telecommunications (Interception Capability and Security) Act 2013 (TICSA) require network operators to ensure that their networks can be technically subjected to lawful interception (Cooper, 2018). 6 Section 10(3) requires that public telecommunications network operators, on receipt of a lawful request, must decrypt encrypted communications carried by its network, if that operator has provided the means of encryption.
Subsection 10(4) states that an operator is not required to decrypt communications that have been encrypted using a publicly available product supplied by another entity, and the operator is not under any obligation to ensure that a surveillance agency has the ability to decrypt communications.
It appears these provisions may entail that an operator cannot provide end-to-end encryption on its services so that their networks can be subject to lawful interception - that is, they must maintain the cryptographic key where encryption is managed centrally by the service provider (Global Partners Digital, n.d.) and engineer a 'back door' into the service (Cooper, 2018).
However, NGO NZ Council for Civil Liberties considered the impact of this provision is theoretical as most services are offshore, and this provision does not apply extraterritorially (Beagle, 2017). Yet, section 38 of TICSA allows the responsible minister to make "service providers" (discussed below) subject to provisions such as this on the same basis as "network operators", which may involve section 10 having an extraterritorial reach (Keith, 2020).
There is a further provision in section 24 of TICSA that places both network operators and service providers (defined as anyone, whether in New Zealand or not, who provides a communications service to an end user in New Zealand) under obligations to provide 'reasonable' assistance to surveillance agencies with interception warrants or lawful interception authorities, including the decryption of communications, when they were the source of the encryption. Such companies do not have to decrypt encryption they have not provided nor "ensure that a surveillance agency has the ability to decrypt any telecommunication" (TICSA s 24 (4)(b)). It is unclear what "reasonable assistance" entails, and how that would apply to third party app providers such as WhatsApp (to which section 24 would prima facie apply but not section 10 in the absence of a section 38 decision). It is also unclear how this provision would be enforced against offshore companies (Dizon et al., 2019, pp. 74-75).
There are further provisions in the Search and Surveillance Act 2012 which affect encryption.
Section 130 includes a requirement that "the user, owner, or provider of a computer system […] offer reasonable assistance to law enforcement officers conducting a search and seizure including providing access information" which could be used to force an individual or business to decrypt data and communications (Dizon et al., 2019, p. 61). There is a lack of clarity as to how the privilege against self-incrimination operates (Dizon et al., 2019, pp. 62-63). There is also a lack of clarity about what "reasonable assistance" from companies, which will likely be third parties, and not able to avail themselves of the protection against self-incrimination, may entail (Dizon et al., 2019, pp. 65-66).
New Zealand has human rights protections enshrined in its Bill of Rights Act 1990, and section 21 contains the right to be secure against unreasonable searches and seizures. However, it "does not have higher law status and so can be overridden by contrary legislation…but there is at least some effort to avoid inconsistencies" (Keith, 2020). There is also the privilege against self-incrimination, "the strongest safeguard available in relation to encryption as it works to prevent a person from being punished for refusing to provide information that could lead to criminal liability" (Dizon et al., 2019, p. 7). There is no freestanding right to privacy in the New Zealand Bill of Rights, and so aspects of privacy must be found via other recognised rights (Butler, 2013), or may be protected via data protection legislation and New Zealand courts' "relatively strong approach to unincorporated treaties, including human rights obligations" (Keith, 2020).
Despite being part of the FVEY communiques on encryption mentioned below, Keith (2020) views New Zealand's domestic approach as more "cautious or ambivalent", with "no proposal to follow legislation enacted by other Five Eyes countries".

UNITED KINGDOM
The most significant law is the UK's Investigatory Powers Act 2016 (henceforth IPA). 7 Section providers to remove "electronic protection" applied by, or on behalf of, the provider "where reasonably practicable" (Ni Loideain, 2019, p. 186). This would seem to entail that encryption methods applied by the user are not covered by this provision (Smith, 2017b). However, Keenan (2019) argues that the regulations may "compel […] operators to facilitate the 'disclosure' of content by targeting authentication functions" which may have the effect of secretly delivering messages to law enforcement.
While some of the issues identified above with the UK's TCNs may be clarified by these regulations, other issues remain. For example, the situation remains unclear for a provider wanting to offer end-to-end encryption to its customers without holding the means to decrypt them. Practical questions remain about how the provisions can be enforced against providers which may not be geographically based in the UK, such as technology companies and platforms which may or may not maintain offices in the UK. To date, there is also no public knowledge of whether any TCNs have been made, approved by Judicial Commissioners, and complied with by operators (Keenan, 2019).
In addition to TCNs, section 49 of the Regulation of Investigatory Powers Act (2000) (RIPA) allows law enforcement agencies in possession of a device to issue a notice to the device user or device manufacturer to compel them to unlock encrypted devices or networks (Keenan, 2019).
The law enforcement officer must obtain permission from a judge on the grounds that it is "necessary in the interests of national security, for the purpose of preventing or detecting crime, or where it is in the interest of the economic well-being of the United Kingdom" (Keenan, 2019).
Case law on section 49 notices in criminal matters has generally not found the provision's use to force decryption to violate the privilege against self-incrimination, in sharp distinction to the US experience (Keenan, 2019).
It is unclear whether these provisions would withstand such a challenge before the European Court of Human Rights on the basis of incompatibility with ECHR rights, especially Article 6 (right to a fair trial) and Article 8 (right to privacy).

AUSTRALIA
In Australia the encryption debate commenced in June 2017 when then-Australian Prime Minister Turnbull (in)famously stated that "the laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia" (Pearce, 2017, para. 8). This remark, interpreted colloquially as a 'war on maths' (Pearce, 2017), gestured at an impending legislative proposal that would introduce provisions to weaken end-to-end encryption.
In August 2018, the Five Eyes Alliance met in a 'Five Country Ministerial' (FCM) and issued a communique that stated: "We agreed to the urgent need for law enforcement to gain targeted access to data, subject to strict safeguards, legal limitations, and respective domestic consultations" (Australian Government Department of Home Affairs, 2018, para. 18). The communique was accompanied by a Statement of Principles on Access to Evidence and Encryption, assented to by all FVEY governments (Australian Government Department of Home Affairs, 2018). The statement affirmed the important but non-absolute nature of privacy, and signalled a "pressing international concern" posed by law enforcement inability to access encrypted content. FVEY partners also agreed to abide by three principles in the statement: mutual responsibility; the paramount status of rule of law and due process; and freedom of choice for lawful access solutions. "Mutual responsibility" relates to industry stakeholders being responsible for providing access to communications data. The "freedom of choice" principle relates to FVEY members encouraging service providers to "voluntarily establish lawful access solutions to their products and services that they create or operate in our countries", with the possibility of governments "pursu[ing] technological, enforcement, legislative or other measures to achieve lawful access solutions" if they "continue to encounter impediments to lawful access to information" (Australian Government Department of Home Affairs, 2018, paras. 34-35).
In the month following this meeting, the Australian government introduced what became the Technical Assistance Notices (TANs) 10 and Technical Capability Notices (TCNs). 11 TARs can be issued by Australian security agencies 12 that may "ask the provider to do acts or things on a voluntary basis that are directed towards ensuring that the provider is capable of giving certain types of help." 13 TARs escalate to TANs compelling assistance and impose penalties for noncompliance. The Australian Attorney-General can also issue TCNs which "may require the provider to do acts or things directed towards ensuring that the provider is capable of giving certain types of help" or to actually do such acts and things.
While the language of TCN is similar to the UK IPA, there is a much longer and more broadly worded list of "acts or things" that a provider can be asked to do on receipt of a TCN. 14 Although, as per section 317ZG, "systemic weaknesses" cannot be introduced, 15 there is still a significant potential impact on the security and privacy of encrypted communications. An important distinction between the Australian and UK TCNs is that the Australian notices are issued by the executive and are not subject to judicial oversight (Table 1).
The AA Act has extraterritorial reach beyond Australia in two main ways. The first is via obligations imposed on "designated communications providers" located outside Australia.
"Designated communications providers" is defined extremely broadly to include, inter alia, carriers, carriage service providers, intermediaries and ancillary service providers, and any provider of an "electronic service" with any end-users in Australia, or of software likely to be used in connection with such a service, that has any end-users in Australia. It includes any "constitutional corporation" 16 that manufactures, installs, maintains or supplies devices for use, or likely to be used, in Australia, or develops, supplies or updates software that is capable of being installed on a computer or device that is likely to be connected to a telecommunications network in Australia (Ford & Mann, 2019). Thus a very wide range of providers from Australia and overseas will fall within these definitions (McGarrity & Hardy, 2020). Failure to comply with notices may result in financial penalties for companies, yet it is not clear how such penalties may be enforced vis-à-vis companies which are not incorporated or located in Australia. In any case in which a TAR is issued, it provides designated communications providers with civil immunity 9 from damages that may arise from the request (for example, rendering phones or devices useless), which may incentivise compliance prior to escalation to an enforceable TAN or TCN (Ford & Mann, 2019).
The second aspect of the AA Act's extraterritorial reach is the provision of assistance by Australian law enforcement to their counterparts via the enforcement of foreign laws. The TARs, TANs, and TCNs all involve "assisting the enforcement of the criminal laws of a foreign country, so far as those laws relate to serious foreign offences". 17 This is also reinforced by further amendments to the Mutual Assistance in Criminal Matters Act 1987 (Cth) that bypass MLAT processes, and provide a conduit to the extraterritorial application of Australia's surveillance laws. That is, Australian law enforcement agencies are able to assist foreign governments through their requests for Australian assistance, including in the form of accessing encrypted communications and/or designing new ways to access encrypted communications (as per TCNs), for the enforcement of their own criminal laws. 18 This may operate as a loophole through which foreign law enforcement agencies circumvent their own legal system's safeguards and capitalise on Australia's lack of a federal human rights framework (Ford & Mann, 2019).

Entities targeted
United States: Application only to "telecommunications companies."
Canada: Application only to "wireless communication providers."
New Zealand: Section 10 applies to "network operators" and section 24 applies to "network operators" and "service providers".
United Kingdom: Any "communications operator" (which includes telecoms companies, internet service providers, email providers, social media platforms, cloud providers and other 'over-the-top' services).
Australia: The definition of "designated communications provider" is set out in section 317C. It includes but is not limited to "a carrier or carriage service provider", "person provides an electronic service that has one or more end-users in Australia", or "the person manufactures or supplies customer equipment for use, or likely to be used, in Australia".

Statutory obligations imposed on target
United States: Companies will not be required to decrypt or ensure that the government can decrypt communications encrypted by customers, unless the provider itself has provided the encryption used.
Canada: Providers must decrypt any communications they have encrypted themselves on receiving a lawful request. Seems not to apply to end-to-end encryption not applied by the provider.
New Zealand: Operators, on the receipt of a lawful request to provide interception, must decrypt encrypted communications carried by its network, if that operator has provided the means of encryption (s 10). Operators and providers must provide "reasonable" assistance to surveillance agencies with interception warrants or lawful interception authorities, including the decryption of communications when they have provided the encryption (s 24).
United Kingdom: Operators obliged to do certain things which can include the removal of "electronic protection applied by or on behalf of that operator to any communications or data". It is unclear whether a provider receiving a TCN would be able to provide end-to-end encryption for its customers.
Australia: Providers may be issued with Technical Assistance Requests (TARs), Technical Assistance Notices (TANs) and/or Technical Capability Notices (TCNs). TARs can be issued by Australian security agencies that may "ask the provider to do acts or things on a voluntary basis that are directed towards ensuring that the provider is capable of giving certain types of help." TARs escalate to TANs compelling assistance and impose penalties for non-compliance. The Australian Attorney-General can also issue TCNs which "may require the provider to do acts or things directed towards ensuring that the provider is capable of giving certain types of help" or to actually do such acts and things.

Human rights protections
United States: US Constitution, notably the Fourth and Fifth Amendment. Also, First Amendment in terms of cryptographic code as a possible form of protected free speech.
Canada: Canadian Charter of Rights and Freedoms: Section 2 (freedom of expression), Section 7 (security of the person), Section 8 (right against unreasonable search and seizure), and the right to silence and protection from self-incrimination contained in sections 7, 11 and 14.
New Zealand: Human Rights Act 1993.
United Kingdom: Human Rights Act 1998, European Convention on Human Rights.
Australia: No comprehensive protection at the federal level; no right to privacy in Australian Constitution.

Approval mechanisms for encryption powers' exercise
United States: N/A
Canada: Minister of Public Safety (executive branch).
New Zealand: Powers subject to interception warrants or other lawful interception authority. "Indirect" judicial supervision (Keith, 2020).
United Kingdom: Approval by Judicial Commissioner.
Australia: Approval by administrative or executive officer (TCNs are approved by the Attorney-General). If a warrant or authorisation was previously required for the activity, it is still required after these reforms.

Extraterritorial application
United States: Does not apply extraterritorially.
Canada: Does not apply extraterritorially.
New Zealand: Section 10 does not apply extraterritorially unless section 38 decision made. Section 24 applies to both NZ providers and foreign providers providing a service to any end-user in NZ.
United Kingdom: Applies to both UK-based and foreign-based communications operators.
Australia: Applies to both Australian and foreign-based providers. Providers can receive notices to assist with the enforcement of foreign criminal laws.

Relevant court cases
United States: Apple-FBI
Canada: R v Mirarchi
New Zealand: None known.
United Kingdom: None known.
Australia: Not applicable.

DISCUSSION
The recent legislative developments in Australia position it as a leading actor in the ongoing calls for a broader set of measures to weaken or undermine encryption. The AA Act introduces wide powers for Australian law enforcement and security agencies to request, or mandate assistance in, communications interception from a wide category of communications providers, internet and equipment companies, both in Australia and overseas, and permits foreign agencies to make requests to Australian agencies to use these powers in the enforcement of foreign laws. Compared to the other FVEY jurisdictions' laws in Table 1, the AA Act's provisions cover the broadest category of providers and companies, to do the broadest category of assistance acts, with the weakest oversight mechanisms and no protections for human rights.
Australia's AA Act also gives these provisions the most broad and significant extraterritorial reach of the FVEY equivalent. While New Zealand and the UK also extend their assistance obligations to foreign entities, Australia's AA Act surpasses this to provide assistance to foreign law enforcement agencies. This is a highly worrying development since the AA Act facilitates the paradoxical enforcement (of criminal laws) and circumvention of (human rights) foreign laws on behalf of foreign law enforcement agencies, through inter alia the coercion of transnational technology companies into designing new ways of undermining encryption at a global scale via Australian law in the form of TCNs.
The idea of jurisdiction shopping by FVEY law enforcement agencies may be applicable, whereby Australia has enacted powers that have extraterritorial consequence, and that could operate to serve the wider FVEY alliance, especially given the lack of judicial oversight of TCNs, and Australia's weak human rights protections. Jurisdiction shopping concerns the strategic pursuance of legislative, policy and operational objectives in specific venues to achieve outcomes that may not be possible in other venues due to the local context. 19 The AA Act provisions expand legally permissible extraterritorial measures to obtain encrypted communications, and in theory, this enables FVEY partners to 'jurisdiction shop' to exploit the lack of human rights protections in Australia. This is not the first time Australia has been an attractive jurisdiction shopping destination. One previous example relates to Operation Artemis run by the Queensland Police where a website used for the dissemination of child exploitation material was relocated to Australian servers so that police could engage in a controlled operation and commit criminal offences (including the dissemination of child exploitation material) without criminal penalty (Høydal, Stangvik, & Hansen, 2017; McInnes, 2017 Act, which aims to facilitate US and foreign law enforcement access to data held by US-based communications providers in criminal investigations, bypassing MLAT procedures (Abraha, 2019; see also Gstrein, 2020, this issue; Vazquez Maymir, 2020, this issue). Bilateral negotiations regarding mechanisms for accessing (via US technology companies) and sharing e-evidence under the CLOUD Act between the US and Australia are underway, and there have been some early questions and debates (Bogle, 2019; Hendry, 2020) as to whether Australia will comply with CLOUD requirements.
Specifically, the CLOUD Act allows "foreign partners that have robust protections for privacy and civil liberties to enter into executive agreements with the United States to use their own legal authorities to access electronic evidence" (Department of Justice, n.d). CLOUD agreements between the US and foreign governments should not include any obligations forcing communications providers to maintain data decryption capabilities nor should they include any obligation preventing providers from decrypting data. 22 It is uncertain whether Australia would comply with CLOUD requirements given its aforementioned weak human rights framework, and the absence of judicial oversight for the authorisation of the anti-encryption powers.
These concerns seem to have motivated the current Australian opposition party, Labor, to introduce a private member's bill into the Australian Parliament in late 2019 to 'fix' some aspects of the AA Act, despite their bipartisan support in passage of the law at the end of 2018.
Notable fixes sought include the introduction of enhanced safeguards, including judicial oversight and clarification that TARs, TANs, and TCNs cannot be used to force providers to build systemic weaknesses and vulnerabilities in their systems, including implementing or building a new decryption capability. At the time of writing, the Australian Parliament is considering the bill, although it is unlikely it will be passed given the government has indicated it will vote down Labor's proposed amendments (Stadler, 2020b).

CONCLUSION
Laws to restrict encryption occur in the context of regulatory arbitrage (Citron & Pasquale, 2010). This paper has analysed new powers that allow for Australian law enforcement and security agencies to request or mandate assistance in accessing encrypted communications, and permits foreign agencies to make requests to Australian agencies to use these powers in the enforcement of foreign laws, taking advantage of a situation where there is less oversight and fewer human rights or constitutional protections. The AA Act presents new opportunities for FVEY partners to leverage access to (encrypted) communications via Australia's 'legal backdoors', which may undermine protections that might otherwise exist within local legal frameworks. This represents a troubling international development for privacy and information security.