Australian Government Agencies Already Flexing Their New Encryption-Breaking Powers

from the sure,-cops-are-right-on-top-of-this-law-and-its-implications dept

Claiming the nation was beset on all sides by national security threats and rampant criminality, the Australian government hustled an encryption-breaking law through Parliament (and past concerned members of the public) at the end of last year. The law compels companies to break encryption at the drop of a court order to give government agencies access to data and communications they otherwise can't access.

Supporters of the law did everything they could to avoid using the term "backdoor," but backdoors are what they're expecting. How this will all work in practice is anyone's guess, as each demand for "exceptional access" will likely collide head-on with quality assurance processes meant to prevent the creation of security flaws in software and hardware. Agencies that want exceptional access will either have to bring a majority of a company's personnel on board (and hope no one leaks anything to the public) or risk having their "not a backdoor" rejected after the code is submitted for approval.

No details have come to light (yet!) about companies being approached to punch holes in their own products, but it appears the Australian government has wasted no time putting its new powers to use.

Federal law enforcement and national security agencies have started using encryption-busting powers passed by parliament in December last year, and state-based police are set to be trained in using the powers this month.

This conclusion comes from the Department of Home Affairs' first report [PDF] on the new compelled access powers. The introduction contains several paragraphs about the new law and the Department's supposed oversight of its roll out. It concludes with this statement:

The Department continues to work closely with law enforcement and national security agencies and industry to facilitate the implementation of the Act. This will support the key measures in the Act, including the industry assistance measures in Schedule 1, so that they are being used consistently and appropriately. The Department has also been advised by Commonwealth law enforcement and national security agencies that the powers in the Act have been used to support their work.

The report also continues the fine Australian government tradition of denying the law has anything to do with encryption backdoors. Here's the latest lingo dodge, which comes from a list of amendments made in response to recommendations from Australia's intelligence committee.

[Introduces] a definition for ‘systemic weakness’ and ‘systemic vulnerability’ to clarify and prohibit those proposed requirements in a request or notice which will lead to unlawful and systemic intrusions into devices and networks. This enhances the operation of existing safeguards that prevents the creation and implementation of ‘backdoors.’

The Department's new definition of these terms appears to limit encryption breaking to single devices/users, rather than entire communications platforms or operating systems.

The selective introduction of a vulnerability or weakness, as it relates to a target technology connected with a particular person is allowable. The definition of target technology further reinforces the specificity and precision through which interaction with electronic protections such as encryption is permissible. This definition takes each likely item of technology, like a carriage service or electronic service, which may be supplied by a designated communications provider, and reinforces that a weakness or vulnerability may only be introduced to the particular technology that is used, or likely to be used by a particular person. For example, a single mobile device operated by a criminal, or likely to be used by a criminal, would be classified as a target technology for the purpose of paragraph (e) of that definition. However, a particular model of mobile devices, or any devices that are not connected with the particular person, would be far too broad to fall within the definition. This ensures that the services and devices enjoyed by innocent parties or persons not of interest to law enforcement and security agencies remain out of scope and unaffected.

This could reduce the scope of what can be targeted with assistance requests, but nothing in the report suggests the government should abandon requests that fall outside of these definitions. If accessing a single target's communications can only be done by introducing a systemic vulnerability, it's safe to say the government will find a way to make the requested assistance adhere to the definitions its provided -- anything to avoid having to use the phrase "backdoor" anywhere in reports or public statements.

This assurance that the government won't demand full-fledged backdoors isn't very assuring, especially since it appears the government still doesn't know what requests meet the constraints built into the law.

Home Affairs said it was also in the process of sourcing technical and judicial assessors and experts that can be used to determine whether an agency request is permissible or not.

Cool. Some requests have already been issued and Home Affairs hasn't gotten any further than begin the process of sourcing experts to help decide whether these requests are even lawful.

Filed Under: australia, backdoors, encryption, security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Mason Wheeler (profile), 7 Feb 2019 @ 9:18am

    Crikey! This 'ere's a Snapchat message, the most dyngerous encryption in all the Web!

    *manic grin*

    I think I'll poke it with a mandatory-backdoor bill!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Feb 2019 @ 10:15am

    The selective introduction of a vulnerability or weakness, as it relates to a target technology connected with a particular person is allowable.

    How does that work when all similar devices on the same service run the same encryption? Does that mean that companies have to be able to control updates and reinstalls at the individual user level?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Feb 2019 @ 3:25am

      Its what the IEFT and others have been saying for years

      The way to defeat encryption is to infect the target device and view the content after its been decrypted.

      This is what I have been hoping for all along. This allows targeted surveillance, hopefully approved by a court. It also increases the cost, which is important. We want governments to have to spend money/effort to surveil people so that they have to choose who to expend the effort on.

      If this is where the Aus government sees the "scope" and that is what happens, I approve.

      Its bullshit like the "ghost" members of encrypted group chats that GCHQ were talking about that should get you worried. Read Bruce Schneier or Matthew Green to get the background on that one.

      Backdoors do not work. You cannot control who will use them.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Feb 2019 @ 10:18am

      Re:

      It may mean, rather, that if they do it at that level, their users will be vulnerable. Such designs are common but have long been noted as a security risk. Australia might push us toward more secure designs, e.g. where Windows Update will not install anything whose hash hasn't appeared on a public blockchain (preferably accessed in an anonymous way, or verified through independent sources)โ€”this is basically Certificate Transparency.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Feb 2019 @ 10:20am

    Maybe a dingo ate your encryption

    reply to this | link to this | view in chronology ]

  • icon
    Matthew Cline (profile), 7 Feb 2019 @ 10:32am

    If the tell the maker of an smartphone app to break security for one particular user, how will that work what with the app being distributed through the Android or iPhone app store? Have Google and Apple already put in the capability for an app developer to do that?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Feb 2019 @ 6:51am

      Re:

      Arent there apps that use screen recording already? The govt just need to lure you into installing some app - I'm surprised they havent released a free tax app.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Feb 2019 @ 10:33am

    just proves was urgently needed

    if not used, you'd say wasn't necessary

    reply to this | link to this | view in chronology ]

  • identicon
    Glenn, 7 Feb 2019 @ 10:37am

    "Rampant criminality" ...how apt.

    "We have met the enemy, and he is us." (though, of course, they'll never see it)

    reply to this | link to this | view in chronology ]

  • identicon
    Baron von Robber, 7 Feb 2019 @ 10:44am

    "Federal law enforcement and national security agencies have started using encryption-busting powers passed by parliament in December last year, and state-based police are set to be trained in using the powers this month."

    Using their powers to bust encryption. It sounds like their people were bitten by radioactive mathematicians.

    reply to this | link to this | view in chronology ]

    • identicon
      Prinny, 7 Feb 2019 @ 10:54am

      Re:

      I can see it now, dood:

      ๐ŸŽถ Crypto-Man! Crypto-man! ๐ŸŽถ Undoes whatever crypto he can. ๐ŸŽถ Breaks the Web with his hands, ๐ŸŽถ catches thieves, we say he can! ๐ŸŽถ Look out! He's the Crypto-Man!

      reply to this | link to this | view in chronology ]

  • icon
    sumgai (profile), 7 Feb 2019 @ 12:12pm

    half-baked?

    This assurance that the government won't demand full-fledged backdoors...

    Hmmm. Would that be as versus a half-fledged backdoor? Said door being either open or closed, but this isn't Schrodinger's cat we're talking about here. Either the encryption is intact, or it had been compromised. Completely, not partially.

    Like the EU and it's never-to-be-sufficiently-damned copyright cartel sponsered triumvirate of leaders, this will do nothing to stop what I view as common behavior (and I make no judgments here), it will only make, automatically, criminals where there were none ere now.

    Actually, all encryption can be broken, given enough time. The gist of the law can be restated thusly: since it can be broken, then it must be broken... but instantly - time be damned! Not to mention several and various other Laws Of The Universe.

    Wouldn't it be nice if everyone just started using the same encryption schema instead of trying to make up their own? I can picture it now: "Hey there officer, I can't break this, it comes from Company X in [name your favorite country here], and they have laws against giving out keys or "shudder" backdoors. So sorry, have a nice day!".

    sumgai

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 7 Feb 2019 @ 12:12pm

    everyone here understands whats baout to happen..

    Lets ask.. HOW the gov. think s they wish to make this happen.. They are already setting people up to DO this job. HOW? Only 1 corp can make modems for the country? Only 1 corp can set the encoding?? Register each modem TO 1 person, and 1 new code per person/family?(thats fun and who has the book of Who has what code) 1 code to be used for everyone?? F'ing stupid as hell..

    And what stops the USER from creating a honey trap, for the gov to look at? so their main computer is never seen from the internet?? It only takes 1 rasp Pi to create it..

    Those persons you hired?? I HOPE, you can keep them along time. As any smart person will figure out HOW this works.. Or copy your access program with all the Backdoors(to sell to the highest bidder and the RIAA/MPAA assoc) AND PAY then very good wages, so they dont use this ability to SPY on your government personell.. OR are your federal reps, NOT covered by this STUPID IDEA... PS...how about the Corps in your nation.. Do they have to have a backdoor into the their system..(I dont think so)

    Which makes this law Unfair.

    reply to this | link to this | view in chronology ]

  • identicon
    Chris, 7 Feb 2019 @ 9:09pm

    Ofcourse they are starting to use this law

    One thing about this, just because they are using it doesn't necessarily mean they need to use it or it's being used as a last resort.

    Why go through due process with the old methods (warrants, etc) when you can just slap one of these on to someone?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown for basic formatting. (HTML is not supported.)
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown for basic formatting. (HTML is not supported.)
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.