The Australian government has released details of a new telecommunications bill that grants agencies new powers to access encrypted communications data, including enhancing the obligations of companies to provide assistance and new warrants to covertly obtain evidence directly from devices.
In the following piece, Ethan Nash breaks down the legislation, including historical and technical contexts, details of both major schedules in the drafted legislation, and reasons for concerns associated with the broadened power scope granted.
UPDATE: 11/12/18 | Anti-encryption legislation has now been passed into law, clearing the Senate 42-12 this week. Read more about this here.
UPDATE: 03/10/18 | Technology giants and human rights groups have formed an alliance to fight the Australian government’s new bill. Read more about this here.
In 2017, the Prime Minister, Attorney-General and Department of Home Affairs began discussions about a new bill that would make it a legal requirement for tech and communications firms to help the authorities crack encrypted messages.
The discussions followed similarly criticised moves by government authorities at the end of last year to amend current ‘anti-terrorism’ legislation to include a new national facial recognition system, all with the intended purpose of ‘combating terrorism’ domestically.
Following an extended delay by the Turnbull cabinet, a draft of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, which sets out Australia’s plans to access encrypted messages, has been published for the public to view.
According to the Australian government, accessing encrypted information and technology has become a vital necessity in a number of terrorist investigations and other high-level criminal cases recorded in the last few years.
“Encryption and other forms of electronic protection are vital security measures that protect private, commercial and Government data and make the communications and devices of all people more secure.
However, these security measures are also being employed by terrorists, child sex offenders and criminal organisations to mask illegal conduct.
The exploitation of modern communications technology for illicit ends is a significant obstacle to the lawful access of communications by Australia’s law enforcement and national security agencies.”
Currently, law enforcement agencies may access data by employing ‘specialist techniques’ to decrypt data, or access data at points where it is not encrypted.
Government agencies have previously accessed telephone and internet data records an astonishing 250,000 times in one year without even recording why and when these intercepts had taken place.
According to authorised agencies, however, this process can take considerable time and in order to do this more effectively, Australia’s agencies need assistance from companies and individuals involved in the supply of communications services and devices.
To this end, the Department of Home Affairs has drafted new legislation in close cooperation with a number of intelligence and law enforcement agencies, including the Australian Criminal Intelligence Commission (ACIC), Australian Federal Police (AFP) and ASIO.
Throughout the drafting process, the Australian government has consulted with a range of international and domestic technology companies about the proposed reforms.
Secure end-to-end encryption (e2e) cannot be intercepted without some kind of backdoor, and the Australian government insists the new legislation will work by allowing agencies to seek help from providers, both domestic and offshore, in the execution of their functions.
PART I –
The new legislation introduces a suite of measures that will improve the ability of agencies to access communications content and data, including enhancing the obligations of domestic providers to provide assistance, and new computer warrants and methods that will enable authorities to covertly obtain evidence directly from a device.
The draft significantly extends the reach of government and agencies, as well as the types of assistance that can be requested or required from telecommunications players in Australia or companies providing communications products and services overseas:
According to the Explanatory Document, the first half of the Bill proposes three key ways for technology companies, software developers and other third parties to assist spy agencies like ASIO and police to access your information.
These options will require providers to offer up details about technical characteristics of their systems that could help agencies exploit weaknesses that have not been patched. It also includes installing software, and designing and building new systems:
- A technical assistance request – A company can choose to “voluntarily” help, such as by giving details about the development of a new service or program to use.
- A technical assistance notice – A company is required to give assistance if they can. For example, if they have the ability to decrypt a specific communication, they must comply with the orders or face fines.
- A technical capability notice – The company must build a new function so it can help police access information, as long as it does not force encryption to be broken.
The new measures would force communications providers to work extensively with government agencies to gain access to a target’s data where it was in their power to do so – whilst also compelling them to keep all of this a secret.
Even a basic understanding of secure e2e encryption instantly brings to light the problem with this proposal, as the options listed above – for all intents and purposes – are requests for providers to create a backdoor into their encryption platforms disguised with broad language.
The government is adamant the bill would not force the likes of Apple or Google to undermine encryption. However, it is just not possible for tech firms to crack their own encryption without weakening that encryption or creating a backdoor.
One way technology companies could assist agencies would be to target an individual with a tailored modification to an app to compromise their messages, Fergus Hanson, head of International Cyber Policy Centre at the Australian Strategic Policy Institute (ASPI), suggested:
“Assistance is expected to be provided on a no-profit, no-loss basis and immunities from civil liability are available for help given. The Bill maintains the default position that providers assisting Government should not absorb the cost of that assistance nor be subject to civil suit for things done in accordance with requests from Government.”
Despite an “underlying warrant or authorisation” being required to access the content of the encrypted communications, critics have expressed concern that once made, holes in the security of individual smartphones, chips and other devices would be difficult to control.
PART II –
NEW ASIO POWERS
The second half of the new legislation also amends the computer access provisions in the ASIO Act to address particular ‘operational challenges’, as currently agencies need to use other powers and techniques to access information at points where it is not encrypted.
The bill will enable ASIO to intercept communications for the purpose of executing a computer access warrant, with schedules 2 to 5 addressing capability gaps and how to strengthen agencies’ “alternative-collection” capabilities.
This includes a permit for ASIO to temporarily ‘remove a computer or thing’ from premises for the purpose of executing a warrant, and to return that computer or thing, and enables ASIO to take steps to conceal its access to a computer following the expiry of the warrant:
The Bill will allow law enforcement agencies to collect evidence from electronic devices under an overt warrant remotely. Law enforcement agencies will be able to execute a warrant without having to be physically on the premises.
A new definition of “account-based data” will also be inserted to ensure that accessing a computer under warrant enables law enforcement officers to access information associated with an online account, like an email service or Facebook account.
CONCERNS WITH THE BILL
The legislation has been slammed by civil liberty advocates and privacy groups across Australia since being released. Here is a brief collection of responses:
Christopher Parsons, a research associate at the Citizen Lab, University of Toronto:
“While the Australian government’s recently proposed bill asserts that businesses could not be compelled to add ‘systemic’ weaknesses into their software and processes, government agencies would be permitted to compel businesses to selectively weaken the security afforded to some persons.
Such weaknesses could include less robust encryption that could be decrypted by government agencies, or the full-scale removal of encryption for targeted persons.”
Digital Rights Watch chair Tim Singleton Norton summed it up best when he pointed out that accessing encrypted messages without breaking the underlying platform that makes them secure in the first place is “ludicrous” and “a privacy nightmare”.
Greens digital rights spokesperson Jordon Steele-John also recently went on the record to explain:
“This is extremely problematic whichever way you look at it because if end-to-end encryption is working properly, then you are legislating companies to do the impossible. There is no method of accessing data if it has been properly encrypted.
Companies will be forced to undermine their own encryption in order to comply with Australian law, therefore undermining the privacy and security of users’ data.
Quite simply this will necessitate surveillance codes, key escrow or some other backdoor methodology of decrypting data to allow it to be handed over if the Australian government produces a warrant.”
You can submit feedback to firstname.lastname@example.org by 10 September 2018.