Australian Gov't Floats New Batch Of Compelled Access Legislation With An Eye On Encryption

The Australian government is looking to revamp its compelled access laws to fight encryption and other assorted technological advances apparently only capable of being used for evil. It's getting pretty damn dark Down Under, according to the Department of Home Affairs' announcement of the pending legislation.

Encryption conceals the content of communications and data held on devices, as well as the identity of users. Secure, encrypted communications are increasingly being used by terrorist groups and organised criminals to avoid detection and disruption. The problem is widespread, for example:

• Encryption impacts at least nine out of every ten of ASIO's priority cases.

• Over 90 per cent of data being lawfully intercepted by the AFP now use some form of encryption.

• Effectively all communications among terrorists and organised crime groups are expected to be encrypted by 2020.

An example of harmful encryption is provided for readers at home, so they can weigh their own security and privacy against an anecdote about a registered sex offender who may or may not have escaped prosecution (the outcome of the case isn't provided) by using encrypted messaging apps. And it includes an inadvertently helpful lesson about the stupidity of targeting encryption with legislation, even if the DHA likely doesn't realize it.

The suspect was arrested and his mobile phone was seized but despite legislative requirements he refused to provide his passcode.

There's the limitation of lawmaking. Lawbreakers break laws and they're not going to stop just because you've told them not to with a government mandate. Legislation [PDF] like this does little more than make life more difficult for service providers and device makers while undermining the privacy and security of millions of law-abiding citizens.

The explanation sheet [PDF] notes the government is not seeking to mandate encryption backdoors. That being said, it would like providers of encrypted services/devices to leave the door cracked open so the government can step inside whenever it feels the need to look around.

The type of assistance that may be requested or required under the above powers include (amongst other things):

• Removing a form of electronic protection applied by the provider, if the provider has an existing capability to remove this protection.

• Providing technical information like the design specifications of a device or the characteristics of a service.

• Installing, maintaining, testing or using software or equipment given to a provider by an agency.

• Formatting information obtained under a warrant.

• Facilitating access to devices or services.

• Helping agencies test or develop their own systems and capabilities.

• Notifying agencies of major changes to their systems, productions or services that are relevant to the effective execution of a warrant or authorisation.

• Modifying or substituting a target service.

• Concealing the fact that agencies have undertaken a covert operation.

The law can't retroactively force companies to produce crackable devices and messaging systems. But the first bullet point could see the Australian government demanding they do so in the future if they want to provide goods and services to the Australian public. Fortunately, the bill includes a clause making future demands along these lines impossible for the time being.

The Bill expressly prohibits technical assistance notices or technical capability notices from requiring a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection. This includes systemic weaknesses that would render methods of authentication or encryption less effective. The Australian Government has no interest in undermining systems that protect the fundamental security of communications. The new powers will have no effect to the extent that requirements would reasonably make electronic services, devices or software vulnerable to interference by malicious actors. Importantly, a technical capability notice cannot require a provider to build a capability to remove electronic protection and puts beyond doubt that these notices cannot require the construction of decryption capabilities.

Without further discussion by the legislature, it's tough to tell whether creating an escrow system would be considered a "system weakness" or make "encryption less effective." I mean, it obviously is and does, but does the DHA see it that way? And will this clause survive the final markup? Compelling decryption using "existing" methods seems especially useless if most services and devices cannot currently be decrypted by providers. The government is better off seeking outside help from contractors who do nothing else but find ways to crack or bypass encryption, rather than dropping language into the law that suggests backdoors the government won't call "backdoors" will be mandated in the future.

It also gives the government a considerable expansion of power, allowing it to peruse private companies' design specs and a heads up if any redesigns are in the works. It also forces companies to be compliant partners in government surveillance by mandating their assistance in man-in-the-middle attacks ("modifying or substituting a target service") and ordering them to withhold information from affected customers.

There is a public comment period, which is a nice touch. There also appears to be some respect for the good encryption does, rather than simply viewing it as an escape route for criminals and terrorists. But there's also a good deal of power expansion tied to rickety wording that suggests backdoors might be mandated if the government can talk itself into viewing proposals as something other than backdoors. And there's no guarantee this vague promise will make the final cut.