The South Australian Supreme Court has published a potentially important first instance decision about the admissibility of the evidence obtained by the Australian Federal Police using the AN0M messaging application.
AN0M was an app that was ostensibly highly encrypted and secure. However, it was designed with a back door. Every message sent was copied to the AFP without a warrant.
The decision in R v TB & CD
In R v TB & CD [2023] SASC 45 Kimber J considered an application by the accused to exclude the AN0M messages on the ground that the messages were copied by the AFP contrary to the Telecommunications (Interception and Access) Act 1979 (Cth) (TIAA).
I don’t intend in this post to summarise the entire decision. Rather I wish to highlight what I believe is one flaw in the Court’s reasoning. It relates to the second ground raised by the accused. Discussion of the ground starts at [94] and the key reasoning starts at [99].
The key facts
The decision attaches great significance and weight to the following facts:
- The AN0M app sat on top of the Android Operating System,
- Messages were typed in the AN0M app,
- The user would hit ‘send’. The app would (without the user knowing) make a copy of the message which it would immediately transmit to the AFP (along with other information such as the sender’s GPS location). It would also send the encrypted message to the intended recipient.
- The copying occurred in the AN0M app, before the intended message was encrypted and sent to the Android Operating System for delivery over the telecommunications network.
The accused’s second contention
The accused submitted an interception occurred upon the pressing of the send button as it was that act which caused the copy of their outgoing message to be created and then sent to the AFP. ((At [94] and [104].))
Kimber J commences analysis of this contention at [95]:
“In my view, what is important … is the undisputed evidence that the separate copy was created within the application itself being sent to the Android Operating System for transmission to the network. … [T]he issue is whether [the sender’s] message was passing over the telecommunications system when the [copy to be sent to the AFP] was created within the application”.
(emphasis added)
Centrally Kimber J opines at [100] “in my view, a messaging application is not part of the telecommunications system” even though it was not disputed ((At [101].)) that a mobile telephone itself is.
At [105] his Hon held that a communication is not sent and transmitted by the action of a person pressing a button and no more. Certain things have to occur between the ANOM app and the Android Operating System before the Android Operating System transmits the data over the cellular network.
With respect I have some difficulty with both above findings.
Separation of the an0m app from the operating system
Just as the Android Operating System is not where the AN0M messages were copied, the Android Operating System does not enable users to make phone calls. There is a ‘dialler’ app that is a standard application installed over the operating system that allows the making of phone calls. Without a dialler app, an Android phone cannot make a phone call. The dialler app nevertheless must communicate with the Operating System to originate (or terminate) an ordinary phone call.
If his Honour’s conclusions about what occurs in the AN0M app are taken to their logical conclusions, the dialler app is not part of the telecommunications network or system and the protections in the TIAA are useless in relation to Android mobile telephones. On his Honour’s reasoning, all that needs to occur is for Police to ‘intercept’ (in lay terms) the communication in the dialler app before it is transmitted to the Android Operating System. That in my view cannot have been the legislative intention.
It is with respect extremely artificial to separate the operating system from the apps that run on it. It would be akin to saying that an interception inside the handset of a traditional landline phone did not occur within the ‘body’ of the phone or the network that the phone connected to.
Identifying the ‘network’ for the purposes of the Telecommunications (Interception and Access)Act 1979
As an aside, the decision also appears to assume that the relevant telecommunications network is the cellular network operated by the telephone company (eg Telstra, Optus) that the Android Operating System connected to. There is no analysis of whether the ANOM ecosystem may itself be a telecommunications network (as defined in s5(1) of the TIAA). I don’t have a firm view one way or the other on this issue. It seems likely that the accused didn’t raise it, and it may well be that there was no ‘interception’ of the ‘AN0M network’ because it was the AFP’s (and FBI’s) network to begin with.
GPS location of the sender
As a further aside, the decision does not address whether the transmission to the AFP of the sender’s GPS location may have been a breach of surveillance devices legislation.
Phill Moore says
In this case I agree with his Hon.
Lets take a similar use-case such as the traditional facsimile ( one could argue that this is a good example of a precursor to the more modern messaging apps and the process of transmitting a message).
A fax machine is broken into 3 components (and is essentially the same functional process to the more modern case of sending a text message);
1. A scanner.
2. A copier
3. A telecommunications transmission device
When faxing, the message is scanned, a digital copy is made for transmission and then that copy is both transmitted and locally copy is printed (copy).
The local printed copy is not an intercept, it is created prior to any transmission and is not related at all to the telecommunications transmission of what is sent.
One could pick up that local copy and re-fax it to any other destination.