Australian Gov't Floats New Batch Of Compelled Access Legislation With An Eye On Encryption

from the hello-darkness-my-old-friend dept

The Australian government is looking to revamp its compelled access laws to fight encryption and other assorted technological advances apparently only capable of being used for evil. It's getting pretty damn dark Down Under, according to the Department of Home Affairs' announcement of the pending legislation.

Encryption conceals the content of communications and data held on devices, as well as the identity of users. Secure, encrypted communications are increasingly being used by terrorist groups and organised criminals to avoid detection and disruption. The problem is widespread, for example:

  • Encryption impacts at least nine out of every ten of ASIO’s priority cases.

  • Over 90 per cent of data being lawfully intercepted by the AFP now use some form of encryption.

  • Effectively all communications among terrorists and organised crime groups are expected to be encrypted by 2020.

An example of harmful encryption is provided for readers at home, so they can weigh their own security and privacy against an anecdote about a registered sex offender who may or may not have escaped prosecution (the outcome of the case isn't provided) by using encrypted messaging apps. And it includes an inadvertently helpful lesson about the stupidity of targeting encryption with legislation, even if the DHA likely doesn't realize it.

The suspect was arrested and his mobile phone was seized but despite legislative requirements he refused to provide his passcode.

There's the limitation of lawmaking. Lawbreakers break laws and they're not going to stop just because you've told them not to with a government mandate. Legislation [PDF] like this does little more than make life more difficult for service providers and device makers while undermining the privacy and security of millions of law-abiding citizens.

The explanation sheet [PDF] notes the government is not seeking to mandate encryption backdoors. That being said, it would like providers of encrypted services/devices to leave the door cracked open so the government can step inside whenever it feels the need to look around.

The type of assistance that may be requested or required under the above powers include (amongst other things):

  • Removing a form of electronic protection applied by the provider, if the provider has an existing capability to remove this protection.

  • Providing technical information like the design specifications of a device or the characteristics of a service.

  • Installing, maintaining, testing or using software or equipment given to a provider by an agency.

  • Formatting information obtained under a warrant.

  • Facilitating access to devices or services.

  • Helping agencies test or develop their own systems and capabilities.

  • Notifying agencies of major changes to their systems, productions or services that are relevant to the effective execution of a warrant or authorisation.

  • Modifying or substituting a target service.

  • Concealing the fact that agencies have undertaken a covert operation.

The law can't retroactively force companies to produce crackable devices and messaging systems. But the first bullet point could see the Australian government demanding they do so in the future if they want to provide goods and services to the Australian public. Fortunately, the bill includes a clause making future demands along these lines impossible for the time being.

The Bill expressly prohibits technical assistance notices or technical capability notices from requiring a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection. This includes systemic weaknesses that would render methods of authentication or encryption less effective. The Australian Government has no interest in undermining systems that protect the fundamental security of communications. The new powers will have no effect to the extent that requirements would reasonably make electronic services, devices or software vulnerable to interference by malicious actors. Importantly, a technical capability notice cannot require a provider to build a capability to remove electronic protection and puts beyond doubt that these notices cannot require the construction of decryption capabilities.

Without further discussion by the legislature, it's tough to tell whether creating an escrow system would be considered a "system weakness" or make "encryption less effective." I mean, it obviously is and does, but does the DHA see it that way? And will this clause survive the final markup? Compelling decryption using "existing" methods seems especially useless if most services and devices cannot currently be decrypted by providers. The government is better off seeking outside help from contractors who do nothing else but find ways to crack or bypass encryption, rather than dropping language into the law that suggests backdoors the government won't call "backdoors" will be mandated in the future.

It also gives the government a considerable expansion of power, allowing it to peruse private companies' design specs and get a heads up if any redesigns are in the works. It also forces companies to be compliant partners in government surveillance by mandating their assistance in man-in-the-middle attacks ("modifying or substituting a target service") and ordering them to withhold information from affected customers.

There is a public comment period, which is a nice touch. There also appears to be some respect for the good encryption does, rather than simply viewing it as an escape route for criminals and terrorists. But there's also a good deal of power expansion tied to rickety wording that suggests backdoors might be mandated if the government can talk itself into viewing proposals as something other than backdoors. And there's no guarantee this vague promise will make the final cut.


Reader Comments



  • PaulT, 15 Aug 2018 @ 3:28am

    "Secure, encrypted communications are increasingly being used by terrorist groups and organised criminals to avoid detection and disruption"

    ...and by many, many more individuals and businesses to avoid being attacked by those same people. Almost as if it's a tool that can be used for any purpose, and so should be treated as such.

    Funny how they always leave that part out.

    "Removing a form of electronic protection applied by the provider, if the provider has an existing capability to remove this protection."

    Cue services that have no such capability becoming more popular...

    "Modifying or substituting a target service."

    ...but that seems like they can just force them to change anyway. That's the worrying part, as it means that they'd possibly be able to force companies to break their encryption for everyone silently whenever they have a user that's being investigated. They'll claim it will be more targeted than that, but we all know how that normally goes...

    • Anonymous Coward, 15 Aug 2018 @ 3:59am

      Re:

      Modifying or substituting a target service.

      That could also mean a capability forcing a silent software update onto a device to bypass encryption. Just think how valuable that would be to criminals.

      • PaulT, 15 Aug 2018 @ 4:27am

        Re: Re:

        "Just think how valuable that would be to criminals"

        Indeed, that's always the major issue here. Anything that gets built in for law enforcement can be exploited by criminals. That's just the reality of tools - they are tools, they can be used for any purpose the user wishes, good or evil.

        These people seem to buy into the fantasy that people can make tools that magically operate differently depending on the intent of the person using them. That's no more true for encryption devices than it is for a screwdriver. The problem here is that in trying to stop the "bad guys" using the tools effectively, they break them for everyone else to be exploited.

        • Anonymous Coward, 15 Aug 2018 @ 6:48am

          Re: Re: Re:

          "Anything that gets built in for law enforcement can be exploited by criminals."

          It is becoming more difficult to tell the difference between them, perhaps it has always been this way.

    • Anonymous Coward, 15 Aug 2018 @ 10:05am

      Re:

      Over 90% of stolen property recovered last year was found held in locked rooms; obviously the only logical step is to abolish all locks and doors.

    • Ninja, 15 Aug 2018 @ 11:31am

      Re:

      One has to wonder how they have been dealing with those pesky in person conversations that won't have any recorded content or those destroyed pieces of paper with information critical to cases. It's almost as if law enforcement has multiple means of acquiring evidence to build a solid case instead of just encrypted communications eh?

  • The Central Scrutinizer, 15 Aug 2018 @ 4:07am

    For those who don't live here, we are fast becoming a police state. This bullshit plus a notably racist speech in the senate yesterday plus a generally apathetic public equals a country heading into some very dark times.

  • orbitalinsertion, 15 Aug 2018 @ 6:27am

    If you believe your only evidence of anything exists solely on devices which may use encryption, I believe you have larger issues.

    Never mind that any serious bad actors (think terrorists, people in the child porn market, foreign governments pulling the same crap they do; the examples they are always touting) are early adopters of things like encryption, and will add further layers of encryption and other obfuscation methods which are not created by large corporations which might be compelled to do your work for them. What you always have left is a giant, rights-trodding, expensive machine going after low-hanging fruit which is... well, low-hanging fruit. (Or shit they totally make up or otherwise induce themselves.)

    Lots of sound and fury signifying tantrums, security theatre, and probably some issue with intestinal gasses.

  • Anonymous Coward, 15 Aug 2018 @ 6:32am

    And that's not all. Window blinds!

    Window blinds and curtains conceal the activities within buildings, as well as the identity of occupants. Enclosed structures are increasingly being used by terrorist groups and organised criminals to avoid detection and disruption. The problem is widespread.

    • Toom1275, 16 Aug 2018 @ 9:34am

      Re: And that's not all. Window blinds!

      In Eoin Colfer's Supernaturalist, blinds and curtains have mostly been replaced by windows having toggleable electronic polarization filters to black them out.

      They make a crackling sound when the police remotely depolarize them.

  • Anonymous Coward, 15 Aug 2018 @ 6:45am

    "Secure, encrypted communications are increasingly being used by terrorist groups and organised criminals to avoid detection and disruption."

    Yes, this is true - many governments worldwide routinely use encryption to avoid detection and disruption. They also use it to cover up their illegal activities.

  • G. Day-Mate, 15 Aug 2018 @ 8:19am

    That's nothing! Look what confiscation UK serfs are "subject" to

  • ECA, 15 Aug 2018 @ 10:44am

    A few strange things..

    Why not create a Cellphone system that WON'T/Don't use encryption?? That only accepts Straight texts, and nothing else.
    YOUR CORPS WILL LOVE YOU..(not really)

    In all the occurrences of anything happening, HOW many persons have used SMART phones, and installed information of what they did, who helped, or anything else on the SMART phone??

    90% of them used CHEAP throw away old phones FOR REASONS.
    It's not easy to track, no GPS, No browser that tells EVERY site who and where you are, NO chance of an INSERTED BOT/VIRUS that would copy everything you Wrote and send it to the POLICE..

    I love persons that HATE, the built-in encoding, because it's THERE so others can't decode and USE YOUR PHONE, REMOTELY CONTROL your phone,
    THEN they HATE persons that CRACK those encodings and MESS up any USE of it...forcing the Tech corps to Create ANOTHER encoding to PROTECT YOUR PHONE..

  • Don'tWannaRegister, 15 Aug 2018 @ 11:58am

    Industry Assistance Process Flowchart

    Page 12 of 110 in the document that's written for the simple folk. It's a weird flowchart. Everything leads to the same conclusion: the government will compel industry to write bad code. Of course it's totally voluntary. Companies can volunteer to write bad code, or the government will volunteer to compel them to write bad code by threatening them with bullets or jail.

    Australia is a free country, which means the people have the ultimate say on how they choose to be controlled. If a government shifts too far toward tyranny, a free society has the right to change the org chart. The USA uses the 2nd amendment as the ultimate guarantee if things become extreme. Isn't there something simil... oh, wait... They took all the guns away and threw them in the garbage. Bummer.

    • Lawrence D’Oliveiro, 15 Aug 2018 @ 7:51pm

      Re: The USA uses the 2nd amendment ...

      ... as a wonderful red herring the Government can deploy to distract the populace from encroachment on its important rights -- just make a feint towards the “right to bear arms”, and in the ensuing brouhaha, you can quietly bring some other restriction to bear, and nobody will notice.

      Also, encryption is a tool with constructive, nonviolent uses. Unlike weapons like guns, which are purely destructive.

  • Anonymous Coward, 15 Aug 2018 @ 2:55pm

    As with every country bringing in these type of laws, they are nothing to do with stopping terrorists or criminals and everything to do with stopping the public from being able to say, read, write, go to, download, upload, make or disassemble anything and everything and to stop said public from finding out what lying, cheating, self-service assholes all government members and 'big business's leaders are! It makes no difference if there's are defeated when introduced because they just get re-introduced or tagged on to the back of something so ridiculous, so obscure, it's missed or ignored until it's too late and is in! Shame when something that would benefit the people but is defeated. It NEVER gets chance to be introduced ever again!

  • Anonymous Coward, 15 Aug 2018 @ 5:50pm

    Do you remember how, under Obama, Techdirt was warning about making bad laws with a "trust us" component, because what happens if the worst person takes over the office?

    Australia isn't going through those stages. The first minister in charge of Home Affairs (it has only been established this term) is already the worst person you can imagine in the role.

  • Anonymous Coward, 17 Aug 2018 @ 4:08pm

    No surprise: Australia is part of the Five spying Eyes.
