In 2017, the Australian government started murmuring about a new bill that would make it a legal requirement for tech and communications firms to help the authorities crack encrypted messages. According to Turnbull’s government, accessing encrypted messages had become a vital necessity in terrorist investigations and other high-level criminal cases.
At that time, the authorities claimed that 90% of messages intercepted by the police during investigations were being protected with some form of encryption. In the past year, it is claimed that encryption hindered police investigations during approximately 200 cases.
Now, a draft bill proposal has been published that sets out Australia’s plans to deal with those troublesome encrypted messages. The newly published document is entitled the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 [PDF] and it is a massively concerning and contradictory piece of legislation.
The laws of Australia versus the laws of mathematics
Despite the fact that secure end-to-end encryption (e2e) cannot be intercepted without some kind of backdoor, Australia’s government insists that is how the new legislation will work.
In a statement made to the press on Tuesday, Australia’s Minister for Law Enforcement and Cyber Security, Angus Taylor, claimed that the new legislation would “allow law enforcement and interception agencies to access specific communications without compromising the security of a network."
According to Taylor, the legislation “expressly forbids” any “systemic weakness, or a systemic vulnerability” to be enacted on securely encrypted communications.
"These reforms will allow law enforcement and interception agencies to access specific communications without compromising the security of a network. The measures expressly prevent the weakening of encryption or the introduction of so-called backdoors."
If that is the case, the Australian government may as well have stayed in bed, because it means that the bill expressly forbids the only mechanisms for breaking e2e encryption that actually exist.
Christopher Parsons, a research associate at the Citizen Lab, University of Toronto, told ProPrivacy.com:
“While the Australian government’s recently proposed bill asserts that businesses could not be compelled to add ‘systemic’ weaknesses into their software and processes, government agencies would be permitted to compel businesses to selectively weaken the security afforded to some persons. Such weaknesses could include less robust encryption that could be decrypted by government agencies, or the full-scale removal of encryption for targeted persons.”
So, how do Australia’s authorities expect to perform this seemingly impossible task? Part 15 of the conflicted surveillance bill proposes three “tools” that high-ranking security officials would use to request information from communications providers. The first of these is a voluntary “technical assistance request” that encourages tech and telecom firms to hand over the contents of encrypted messages of their own volition (go on sonny, you know you want to).
The next tool is a “technical assistance notice” that forcibly compels firms to cooperate with decrypting messages if they already have the technical capability to do so.
The third and most impressive tool is a compulsory request called a “technical capability notice”. This warrant would essentially force a “communications provider” to develop the capability to provide Australian authorities with its desired access to encrypted messages.
An understanding of secure e2e encryption instantly brings to light the problem with Australia’s proposed legislation. The “technical capability notice” is, for all intents and purposes, a request for providers to create a backdoor into their encryption platforms.
The idea that tech firms should be able to crack their own encryption - without weakening that encryption or creating a backdoor - is technically unfeasible. Digital Rights Watch chair Tim Singleton Norton summed it up best when he pointed out that accessing “encrypted messages without breaking the underlying platform that makes them secure in the first place” is “ludicrous.”
So who would this new law apply to? The explanatory document (ED) published alongside the draft bill makes it clear that its new law would apply to all "foreign and domestic communications providers, device manufacturers, component manufacturers, application providers, and traditional carriers and carriage service providers."
So, the act would apply to the likes of Apple, Google, Microsoft, Facebook, Whatsapp, Open Whisper (Signal), Telegram, and other encrypted messaging services or hardware that provide e2e encryption. In fact, the ED states that email accounts and physical device storage will also be considered game for decryption.
For tech firms, whose motivations are driven by consumer desires for private communications, the policy is bound to cause discord. Nicole Buskiewicz, Managing Director at DIGI, the firm that represents Facebook, Google, Twitter, Oath, and Amazon, told ProPrivacy.com:
"Protecting the public is a priority for both Government and industry. But included in that is protecting the public’s privacy and data from attack, which would likely be an unintended consequence of this Bill. The reality is that creating security vulnerabilities, even if they are built to combat crime, leaves us all open to attack from criminals. This could have devastating implications for individuals, businesses, public safety and the broader economy.We are extremely concerned at the lack of judicial oversight and checks and balances with this legislation.
"The industry has also developed a set of global principles that call on governments around the world — including Australia — to adopt surveillance laws and practices that are consistent with established norms of privacy, free expression, and the rule of law. We hope that there is a constructive and public dialogue with the Government around these principles as the Bill continues its progress through Parliament."
What the Australian government doesn’t seem to fully comprehend, is that when you create access to encrypted messages for the authorities, you also produce a vulnerability that can be exploited by unwanted third parties; such as cybercriminals and state-sponsored hackers.
Solid end0to-end encryption works by using mathematical cryptographic principles that can’t simply be undone. This means that to comply with a technical capability notice, firms would indeed need to create a weakness in their encryption - aka - a backdoor.
Greens digital rights spokesperson Jordon Steele-John, recently went on the record to explain:
“This is extremely problematic whichever way you look at it because if end-to-end encryption is working properly, then you are legislating companies to do the impossible. There is no method of accessing data if it has been properly encrypted.
“Companies will be forced to undermine their own encryption in order to comply with Australian law, therefore undermining the privacy and security of user’s data.
"Quite simply this will necessitate surveillance codes, key escrow or some other backdoor methodology of decrypting data to allow it to be handed over if the Australian government produces a warrant."
Australia’s draft legislation is now available for public discussion until September 10, 2018. At that time, the bill will be considered for amendments before making its way through the Australian Parliament. Anybody wishing to express concerns about the draft can submit comments to: [email protected]s.gov.au
ProPrivacy.com encourages Australians to stand up against this alarming legislation. As Parsons at the Citizen Lab points out:
"Should this legislation be passed into law, unamended, it could have the effect of seriously and significantly weakening the public’s trust in the security and integrity of their communications and the communications products they use in their daily lives. Further, it could upset years of hard-earned work by industry to develop and produce the most secure products and services possible, as the same companies that work to keep us safe online might be forced to work against their own years of security progress. This is dangerously drafted legislation, and I hope that the Australian government either retracts it or extensively amends it to protect, rather than endanger, Australian citizens.”
Article updated 21/08/2018 to include DIGI's updated statement
Image credits: GarryKillian/Shutterstock.com, enzozo/Shutterstock.com, hvostik/Shutterstock.com, Sergey Nivens/Shutterstock.com