TOLA Act

TOLA creates three types of notices: Technical Assistance Requests (voluntary), Technical Assistance Notices (mandatory), and Technical Capability Notices (requiring new capabilities). Companies can be compelled to assist with decryption, modify systems, and build new interception capabilities. Gag orders prevent disclosure.

Australia’s Assistance and Access Act 2018 is among the most far-reaching encryption legislation in democratic countries. It allows authorities to issue: Technical Assistance Requests (TARs) asking for voluntary help; Technical Assistance Notices (TANs) compelling specific assistance within existing capabilities; and Technical Capability Notices (TCNs) requiring companies to build new capabilities. Critically, TCNs can require companies to create technical means for accessing encrypted communications. While the law technically prohibits requiring ‘systemic weaknesses’ in encryption, the definition is ambiguous and companies cannot publicly discuss what they’ve been compelled to do due to secrecy provisions. This creates uncertainty about whether Australian-linked technology products contain mandated vulnerabilities. The law applies to Australian companies and foreign companies with Australian nexus, raising concerns for any software or service developed or operated from Australia.