Australian Government Agencies Already Flexing Their New Encryption-Breaking Powers

by Tim Cushing, from Techdirt (#48NKY)

Claiming the nation was beset on all sides by national security threats and rampant criminality, the Australian government hustled an encryption-breaking law through Parliament (and past concerned members of the public) at the end of last year. The law compels companies to break encryption on demand to give government agencies access to data and communications they otherwise can't access.

Supporters of the law did everything they could to avoid using the term "backdoor," but backdoors are what they're expecting. How this will all work in practice is anyone's guess, as each demand for "exceptional access" will likely collide head-on with quality assurance processes meant to prevent the creation of security flaws in software and hardware. Agencies that want exceptional access will either have to bring a majority of a company's personnel on board (and hope no one leaks anything to the public) or risk having their "not a backdoor" rejected after the code is submitted for approval.

No details have come to light (yet!) about companies being approached to punch holes in their own products, but it appears the Australian government has wasted no time putting its new powers to use.

Federal law enforcement and national security agencies have started using encryption-busting powers passed by parliament in December last year, and state-based police are set to be trained in using the powers this month.

This conclusion comes from the Department of Home Affairs' first report [PDF] on the new compelled access powers. The introduction contains several paragraphs about the new law and the Department's supposed oversight of its rollout. It concludes with this statement:

The Department continues to work closely with law enforcement and national security agencies and industry to facilitate the implementation of the Act. This will support the key measures in the Act, including the industry assistance measures in Schedule 1, so that they are being used consistently and appropriately. The Department has also been advised by Commonwealth law enforcement and national security agencies that the powers in the Act have been used to support their work.

The report also continues the fine Australian government tradition of denying the law has anything to do with encryption backdoors. Here's the latest lingo dodge, which comes from a list of amendments made in response to recommendations from Australia's intelligence committee.

[Introduces] a definition for 'systemic weakness' and 'systemic vulnerability' to clarify and prohibit those proposed requirements in a request or notice which will lead to unlawful and systemic intrusions into devices and networks. This enhances the operation of existing safeguards that prevent the creation and implementation of 'backdoors.'

The Department's new definition of these terms appears to limit encryption breaking to single devices/users, rather than entire communications platforms or operating systems.

The selective introduction of a vulnerability or weakness, as it relates to a target technology connected with a particular person is allowable. The definition of target technology further reinforces the specificity and precision through which interaction with electronic protections such as encryption is permissible. This definition takes each likely item of technology, like a carriage service or electronic service, which may be supplied by a designated communications provider, and reinforces that a weakness or vulnerability may only be introduced to the particular technology that is used, or likely to be used by a particular person. For example, a single mobile device operated by a criminal, or likely to be used by a criminal, would be classified as a target technology for the purpose of paragraph (e) of that definition. However, a particular model of mobile devices, or any devices that are not connected with the particular person, would be far too broad to fall within the definition. This ensures that the services and devices enjoyed by innocent parties or persons not of interest to law enforcement and security agencies remain out of scope and unaffected.

This could reduce the scope of what can be targeted with assistance requests, but nothing in the report suggests the government should abandon requests that fall outside of these definitions. If accessing a single target's communications can only be done by introducing a systemic vulnerability, it's safe to say the government will find a way to make the requested assistance adhere to the definitions it's provided -- anything to avoid having to use the phrase "backdoor" anywhere in reports or public statements.

This assurance that the government won't demand full-fledged backdoors isn't very reassuring, especially since it appears the government still doesn't know which requests meet the constraints built into the law.

Home Affairs said it was also in the process of sourcing technical and judicial assessors and experts that can be used to determine whether an agency request is permissible or not.

Cool. Some requests have already been issued, and Home Affairs hasn't gotten any further than beginning the process of sourcing experts to help decide whether these requests are even lawful.

Feed Location https://www.techdirt.com/techdirt_rss.xml
Feed Title Techdirt
Feed Link https://www.techdirt.com/