Australia Just Became The Testing Ground For Breaking Into Encryption
Australia's new law goes well beyond those that are being used in the United States or the United Kingdom.
At the end of August, the Gold Coast hosted a meeting of politicians from the nations that make up the Five Eyes intelligence partnership: the US, the UK, Canada, New Zealand and Australia. Out of that meeting the nations vowed to ramp up work to break into encrypted communications.
In the communique the nations revealed that there was "urgent need for law enforcement to gain targeted access to data, subject to strict safeguards, legal limitations, and respective domestic consultations", and there was a need to resolve "challenges to lawful access posed by encryption, while respecting human rights and fundamental freedoms".
Australia is the first Five Eyes nation to put that agreement into practice.
In the dying days of the 2018 parliamentary year, Australia legislated to give law enforcement much broader powers to force tech companies to develop ways into encrypted communications services such as WhatsApp, Wickr or iMessage.
And now Australia is the test lab.
What is the new law?
The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 empowers law enforcement agencies in Australia to issue three types of notices to companies:
- Technical Assistance Notices (TAN) — to compel a company to use a capability it already has in support of powers law enforcement already holds, e.g. handing over text messages it can already read
- Technical Capability Notices (TCN) — to force companies to build new ways into communications on their services
- Technical Assistance Requests (TAR) — to ask companies to voluntarily build new means into communications, with the threat of having a TCN issued against them if they don't comply.
The TCNs can only be issued by the attorney-general at the request of police or intelligence agencies, with the approval of the minister for communications.
These notices can only be issued for criminal cases involving a maximum jail term of three years or more.
The kinds of agencies that can ask for help include state police and Australia's spy agencies.
How is it different to other countries' laws?
Australian officials argue it was largely based on the UK's Investigatory Powers Act, which was a much larger piece of legislation that included metadata retention laws.
Under that legislation companies can be required to provide communications "without electronic protection", provided the request is reasonable and proportionate.
But under that legislation the "technical capability notices" issued to companies by government ministers must be approved by a judge.
In the United States, deputy attorney-general Rod Rosenstein said last month that tech companies should develop "responsible encryption" that allows access by law enforcement "with judicial authorisation".
Australia has no such judicial oversight for notices issued to tech companies. An 11th-hour amendment to the legislation last week requires a former judge and a technical expert to decide whether the notice should go ahead, but only if a tech company objects to what police are asking it to do.
For example, if access was required into a suspect's iMessages and Apple refused to assist, the judge and the technical expert, likely with a background in surveillance, would be brought in to decide if the request is reasonable and proportionate, and technically feasible.
Proponents of the legislation argue that because there is an underlying warrant to obtain a specific person's communications, the notice effectively already carries judicial approval. But the lack of judicial oversight over the issuing of the notices to the companies themselves has raised concern about how the scheme will work in practice, and what companies will be forced to do.
Is this the end of encryption?
Australia's version is more detailed than the UK legislation on what companies can and cannot be required to do.
The government has said it is not about creating backdoors into encrypted communications, and the legislation specifies that the notices issued cannot require companies to build a "systemic weakness" into electronic protection on services like encryption or passwords, or build a decryption capability.
Nor can a notice be used to stop a company from fixing a vulnerability it has identified in its own systems.
The legislation defines an exhaustive "list of acts or things" the companies can be required to do, including removing "electronic protection", installing software or equipment, providing access to a facility or device, and helping law enforcement develop its own equipment.
The concern comes down to what is defined as a "systemic weakness". One of the late amendments to the legislation actually defined this in the bill (it was not previously defined) as something that would affect a "whole class of technology".
Experts BuzzFeed News has spoken to are concerned that the definition is so vague that a weakness which does not affect every single user of, say, an Android device might not count as "systemic", and so could still be demanded.
What if the companies say no, or want to tell the public about it?
There are fines up to $10 million for companies that do not comply with the notices, and up to $50,000 for individuals. People who disclose the notices to the public without authorisation face up to five years in jail.
There is a 12-month time limit on the notices, but they can be renewed. Companies can only disclose the capability they have been forced to make with the approval of the agency.
The government will provide a breakdown of how many notices have been issued each year, and individual companies can say how many notices they have received at least every six months.
Can other countries have access to these new powers?
This is where Australia is the test lab for this new law. The legislation includes a provision allowing agencies to issue these notices as part of "assisting the enforcement of the criminal laws in force in a foreign country, so far as those laws relate to serious foreign offences".
What that means in practice has yet to be determined.
The Australian test lab
The opposition Labor party agreed to support the legislation late on the last parliamentary sitting day of 2018 after close to 200 rushed amendments were made to the bill.
Several more amendments were dropped in order to give the law effect before the Christmas break. Labor stated it has an agreement with the government to pass the amendments when parliament returns in February, but attorney-general Christian Porter said the government would just consider the amendments next year.
In the meantime, law enforcement agencies are reportedly "rushing" to use the new powers, but a 28-day consultation period for notices means companies will not be required to start complying with the notices before early next year.
A parliamentary committee will continue to review the legislation, and the independent national security legislation monitor will review its effectiveness in 2020.
This means police now have the power to test out what companies can do to get past encryption, with no judge overseeing how the whole scheme is operating.
This was a point raised by Labor's shadow minister for the digital economy, Ed Husic, last weekend.
"You know, we’ll be watching very carefully as to whether or not the government's using this period as a sort of lab environment to test out what it can do on encryption," he told the ABC. "We'd be very careful or concerned about what they might do there."
Husic said a "specialist judge" was needed to go through the notices, as was better reporting on how the powers were being used.
"Because at the moment I just frankly don't think that's a longer term proposition that we should be embracing."
The larger tech companies contacted by BuzzFeed News since the passage of the legislation have declined to comment on the new law, but they voiced their concerns during the parliamentary debate, with some warning that they may even pull out of the Australian market.