Aussie Police Want Your Encrypted Messages. They Just Don’t Know How They'll Get Them

    It's "not a back door", though.

    Australian law enforcement has a problem: people are increasingly using encrypted communications. The government will soon introduce legislation aimed at overcoming this problem. Unfortunately, no-one knows exactly how it will work.

    Before it became fairly easy for the average person to use encryption on their smartphone, law enforcement agencies could get warrants to intercept or access communications made via phone, email or in other ways to investigate serious crime.

    But the rise in popularity of encryption, and the fact that a lot of companies now include it in their communication services by default, means that 65% of all data being intercepted by the Australian Federal Police uses some form of encryption. The Australian Security Intelligence Organisation (ASIO) has said nine out of every 10 priority cases it investigates are impacted by the use of encryption.

    Legislation is currently being developed by the Turnbull government that would, in theory, allow law enforcement agencies to access encrypted communications on end-to-end apps such as Signal, Telegram or Wickr.

    Despite announcing the plan in the middle of last year, the government still cannot say exactly what the legislation would do.

    When governments talk about bypassing encryption, it is often interpreted as police wanting a key or a backdoor to allow them to crack into any encrypted communication they need at any time.

    It's not a backdoor?

    In a speech to the National Press Club last month, home affairs minister Peter Dutton stressed that this was not what the government was looking to do. He didn't go into much detail, except to say that it was about requiring tech companies to assist law enforcement agencies to access communications when needed for terrorism, child abuse and other investigations.

    "We will ... introduce legislation to ensure companies providing communications services and devices in Australia have an obligation to assist agencies with decryption," he said. "And as a society we should hold these companies responsible when their service is used to plan or facilitate unlawful activity."

    Home Affairs Department secretary Michael Pezzullo told Senate Estimates last month that it was "cartoon-like" to assume that the government wanted a back door.

    "There is no intention that we have ... to undermine legitimate encryption," he said. "The specifics of any scheme that may or may not be legislated in due course would have regard to those societal balances.

    "You assume that a back door has to be created. I am just saying that that is a cartoon-like assumption, not that you are making, but you have seen the literature."

    He said a "more detailed discussion" could take place on what exactly the government proposes to do when legislation is brought to parliament.

    The Home Affairs Department, in a submission to a Senate inquiry on emerging technologies last month, repeated that companies such as Apple, Google and Facebook would not be required to break their encryption via a back door.

    "The government has committed that companies will not be required to build so-called ‘back doors’," the submission stated. "This will mean that encryption will continue to secure the private and sensitive information of businesses, governments and the general public."

    The department flagged that law enforcement might need greater powers to bypass encryption.

    "While a legislative response can address some of the challenges posed by encryption, it is likely that agencies will continue to face challenges accessing end-to-end encrypted communications," the submission stated.

    "In this environment, it will be increasingly important for law enforcement agencies to utilise alternative methods to investigate serious crimes and combat threats to public safety and national security. For this purpose, the range of powers available to agencies must continually be examined."

    The department pointed to work done in the United Kingdom, where tech companies can be issued with a "technical capability" notice requiring them to provide data in an intelligible format to law enforcement where it is "proportionate, technically feasible and reasonably practicable" to do so.

    One way people say you could get past encryption without needing to break it is to target specific devices with software updates, so that law enforcement can see the communication once it is decrypted.

    So if the AFP was targeting a device owned by a suspected criminal, for example, it would ask the company that made the device or app to push out a software update just to that specific user that would allow tracking of communications.

    It's not so much about a master key as about redesigning the door.

    But experts don't buy it.

    Dr. Vanessa Teague, from the University of Melbourne School of Engineering, said in her submission that this method also creates its own problems, as people can check to see if the update they're installing is a genuine update.

    Plus it raises the problem of what happens when another country asks for the same power.

    "If we force a company, e.g. Apple, to be able to turn over data, what happens if other governments (perhaps ones we don't like) insist on Apple turning over data on visiting Australians' devices?" she said.

    Digital Industry Group, which represents companies including Facebook, Google, Microsoft and Twitter, has urged the government to look at technical training, new investigative techniques with a focus on metadata (call logs, who sent messages to whom and when) over encrypted data, and working with the companies, rather than focusing on new laws aimed at compromising encryption.

    The Law Council of Australia has called on the government to release an exposure draft of the proposed legislation that would detail exactly how it would work.

    Dutton's office did not respond to a list of questions about the proposal from BuzzFeed News.