For seven years, Australia's most controversial piece of surveillance legislation sat dormant. Passed in a rush before Christmas 2018, the Assistance and Access Act gave federal agencies the power to compel technology companies to assist with accessing encrypted data. Critics called it an encryption backdoor by another name. The government called it a necessary tool. For seven years, neither was proved right.
In March 2026, the AFP used it for the first time against a terrorism target — forcing a tech company to provide access to encrypted communications.
This is the moment privacy advocates always warned about. Not because the target wasn't serious. But because of what comes next.
Section 01: What the Law Actually Does
The Assistance and Access Act — formally the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, known as TOLA — created three categories of powers.
Voluntary (the Technical Assistance Request, or TAR). Agencies ask a company to help. No legal compulsion. Companies can say no.
Compulsory (the Technical Assistance Notice, or TAN). A company is required to provide assistance it is already capable of giving, including, in some interpretations, decrypting communications. Refusal means substantial fines.
The most extreme (the Technical Capability Notice, or TCN). Requires a company to build a new capability it does not currently have. In other words, engineer a backdoor to order. Requires Attorney-General sign-off.
The law specifically prohibits any order that creates a "systemic weakness" in encryption — meaning, in theory, it cannot be used to break encryption across an entire platform. In practice, the line between targeted access and systemic weakness is a question nobody has cleanly answered, least of all the government that wrote the law.
"The Australian Criminal Intelligence Commission once stated there is no legitimate reason for a law-abiding member of the community to own or use an encrypted communication platform. They later walked it back. The original quote is still in the record."
Section 02: Why the First Use Matters More Than the Target
Nobody reasonable objects to intelligence agencies pursuing terrorism. That is not what this is about.
The first use of any extraordinary power is a threshold moment. Before March 2026, TOLA was hypothetical. Law firms could advise clients that the powers existed but had never been exercised. Technologists could argue about whether they were technically feasible. After March 2026, none of that is available. The powers work. The AFP used them. A tech company complied — or was made to.
The question that follows every first use of exceptional legislation is not whether this specific use was justified. It is whether the next use will be, and the one after that. TOLA's threshold for activation covers any offence carrying three years imprisonment or more — not just terrorism. Tax evasion. Corporate fraud. Drug offences. The terrorism justification that pushed the law through parliament in 2018 does not limit how it is applied in 2026.
Section 03: What They Can and Cannot Compel
Under TOLA, agencies can compel a communications provider — which includes app developers, device manufacturers and cloud services — to assist with accessing data. They cannot, in law, compel the creation of a systemic backdoor. But they can compel assistance where a company has existing capability to access data that it is choosing not to provide.
This is why zero-knowledge architecture matters. If a service is designed so that even its operators cannot read user data, there is nothing to compel. You cannot hand over what you do not have.
This is also why device-level security matters. A properly installed and configured GrapheneOS device encrypts everything with keys derived from the user's passphrase and hardware tokens stored in the Titan M2 security chip. Without the device and the passphrase, the data is inaccessible — to anyone, including the device manufacturer. There is no cloud backup to subpoena, no account to compel, no server to raid.
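The "nothing to compel" property described above can be shown in code. The following is an added illustration, not code from GrapheneOS, Signal or any product named on this page: the client derives its key from a passphrase plus a device-bound secret (standing in for a hardware-held token), the provider stores only a salt and an opaque blob, and a compelled operator holding that dump cannot recover the plaintext even if it also knew the passphrase. HMAC-SHA256 in counter mode is used as a stdlib-only stand-in for a real cipher such as AES.

```python
import hashlib
import hmac
import secrets

def derive_key(passphrase: bytes, device_secret: bytes, salt: bytes) -> bytes:
    # Both inputs stay on the device; the provider never sees either of them.
    # 64 bytes out: the first half encrypts, the second half authenticates.
    return hashlib.pbkdf2_hmac("sha256", passphrase + device_secret, salt, 200_000, dklen=64)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: a stdlib-only stand-in for AES-CTR.
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ciphertext + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

def demo() -> tuple[bytes, bool]:
    passphrase = b"correct horse battery staple"  # constructed sample passphrase
    device_secret = secrets.token_bytes(32)       # stands in for a hardware-bound key
    salt = secrets.token_bytes(16)
    key = derive_key(passphrase, device_secret, salt)
    # What the provider stores: the per-user salt and an opaque blob. No key material.
    server_copy = salt + encrypt(key, b"meet at 9")
    # A compelled operator's view: split the dump, then try to decrypt with what it
    # holds, even granting it the passphrase. Without the device-bound secret the
    # derived key is wrong and authentication fails, so nothing is disclosed.
    salt_seen, blob = server_copy[:16], server_copy[16:]
    try:
        decrypt(derive_key(passphrase, b"", salt_seen), blob)
        operator_can_read = True
    except ValueError:
        operator_can_read = False
    # The device, holding both inputs, recovers the message.
    return decrypt(key, blob), operator_can_read
```

The contrast with a server-held key is the whole point: change the design so the provider also stores `device_secret` and the same dump becomes readable under compulsion.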
Section 04: The Official Position, Presented Fairly
The government's case for TOLA has always been coherent: encryption has created a genuine "going dark" problem for law enforcement, where suspects can communicate in complete secrecy. ASIO has repeatedly stated that encryption affects intelligence coverage in the majority of its priority counter-terrorism cases. These are real operational problems, not manufactured ones.
The safeguards written into the law — no systemic weaknesses, oversight by the Commonwealth Ombudsman, Attorney-General approval for TCNs — were genuine attempts to constrain the powers. The government is not wrong that unconstrained encryption creates genuine challenges for legitimate law enforcement.
Section 05: Where It Falls Apart
The safeguard against systemic weaknesses is written into the law. It is not written into physics. Building targeted access capability for one user on one platform requires engineering work that weakens the overall system whether the law says it shouldn't or not. Security researchers are unanimous on this — there is no such thing as a backdoor that only the right people can use.
The oversight mechanisms assume that agencies will apply the powers narrowly. ASIO's annual reports redact the number of TOLA notices issued. The specific details of any request or order are secret by law. There is no public accountability mechanism for how the powers are being used beyond what agencies choose to disclose.
"The first use of TOLA was against a terrorism suspect. The law that enabled it applies to anyone facing three years imprisonment. Those are two very different things dressed in the same justification."
Section 06: What This Means Practically
If you use a mainstream messaging app that holds your data on its servers, you are relying on that company's willingness and legal ability to resist a government order. After March 2026, you know that Australian law enforcement is willing to compel that assistance and that tech companies will comply.
If you use end-to-end encrypted services where the provider genuinely holds no keys — Signal, for example, or a properly configured GrapheneOS device with no cloud backup — there is nothing to compel. The architecture protects you regardless of what any law says, because the data does not exist in accessible form anywhere except on your device.
This is not paranoia. It is a reasonable operational response to a known legal framework that has now demonstrated it will be used.
Section 07: What You Can Do With This Information
Understand where your data lives. Every piece of information you generate either exists on your device, on a provider's server or both. Anything on a server is subject to legal compulsion in the jurisdiction where that server sits. Anything backed up to a cloud service is accessible to whoever controls that service.
Use services that cannot comply even if compelled. Signal cannot hand over message content because it does not have it. A GrapheneOS device with full-disk encryption and no cloud backup cannot be remotely accessed because the keys exist only on the device. These are not workarounds — they are the correct architecture for anyone who takes data security seriously.
Understand the law you are operating under. TOLA is not hypothetical anymore. It has been used. The question is not whether it will be used again but against whom and for what.
Seven years ago the government said these powers were necessary and would be used responsibly. This month they were used for the first time. Both things can be true simultaneously. The more useful question is: what does your digital life look like if they are used against you or someone you work with — and what would change if the answer were nothing?