Australia has made itself a global guinea pig in testing a regime to crack encrypted communication
In the hit US TV series The Wirepolice are initially baffled when the criminal suspects they are investigating begin to communicate through photographic messages of clock faces.
After several seasons of plots driven by the legalities and logistics of setting up telephone intercepts on suspected drug dealers, the police can’t keep up when overheard conversations are replaced by an inscrutable form of pictorial code.
The Wire cops eventually break the clock-face code but they’d have a great deal more difficulty in 2018 if they were chasing criminals using WhatsApp, Wicker, iMessage or other encrypted communications.
End-to-end encryption is a code so strong that only the communicating users can read the messages.
As a result, law enforcement agencies the world over are struggling with a wicked problem: what can they do when the suspect or target of investigation “goes dark”?
In Australia, the government claims to have found the solution to that problem in the form of a new law not necessarily to break encryption itself – as the equivalent United Kingdom legislation allows – but to co-opt technology companies, device manufacturers and service providers into building the functionality needed for police to do their spying.
The mind-bogglingly complex law, more than a year in the making, passed the Australian parliament on Thursday. The opposition Labor party shelved its plans to improve the scheme and waved it through in response to overwhelming pressure from the Liberal-National Coalition government, desperate to see it made law before Christmas.
But with digital rights and technology experts warning that government amendments are confusing or counterproductive, it’s questionable whether Australia has finally unscrambled the encryption omelette or set its law enforcement agencies and IT industry up to fail.
No back doors but a window into your digital life
The Telecommunications (Assistance and Access) Act starts with a golden rule about what law enforcement agencies cannot do: they cannot require technology companies to build a “systemic weakness”, or back door, into their products.
Instead, agencies gain new powers to issue notices for companies to render assistance, or build a new capability, to help them snoop on criminal suspects.
John Stanton, the chief executive of the Communications Alliance, said it was concerned about “the breadth and range of activities” law enforcement agencies could require companies to do.
The list of acts or things is long and includes: removing one or more forms of electronic protection, providing technical information, facilitating access to services and equipment, installing software, modifying technology, and concealing that the company has done any of the above.
With these compulsory notices subject to varying levels of safeguards police could, for example, send a suspect a notification to update software such as Facebook Messenger that in fact allows police access to their messages.
Agencies may not be able to directly decrypt messages, especially if they are located overseas such as the Russian app Telegram, a key weakness of the UK security architecture.
But using these notices, Australian agencies could install key logging software to enable them to see, keystroke by keystroke, what users type into a message. Similarly, software could take repeated screenshots that don’t break encryption but photograph everything going in and out of the communications app.
Other examples include: modifying a device such as an Apple Home or Amazon Alexa to record audio continuously; requiring a service provider to generate a false website that appears to be protected but isn’t, similar to a phishing email; or requiring companies to hand over more accurate phone geolocation data.
Nothing to hide but everything to fear
The Australian prime minister, Scott Morrison, and the home affairs minister, Peter Dutton, characterise the targets of the new law as terrorists, paedophiles and organised criminals.
Numerous parties to a parliamentary committee inquiry including the Australian Human Rights Commission and Law Council of Australia argued the powers should be limited to the “most serious” criminal and national security offences.
In a deal with Labor, the government agreed to limit the powers to investigation of terrorism, child sexual offences or other offences punishable by a term of three years or more in prison.
That opens the laws up to use on investigations of a very wide range of offences, including: using a carriage service to menace, improper use of an emergency call service, possession of equipment used to make identification documentation, interference with political rights and duties and importation of a thing with intent to dishonestly obtain or deal in personal financial information.
The Australian Human Rights Commissioner, Edward Santow, said Australia had “passed more counter-terrorism and national security legislation than any other liberal democracy since 2001”.
One of those bills – the Espionage and Foreign Interference Act in 2018 – makes it unlawful for a current or former public servant to communicate information that “is likely to cause harm to Australia’s interests” – including its foreign or economic relations. The offence can be punished by seven years in prison.
That act also contains an offence of “communicating and dealing with information by non-commonwealth officers” with a five-year prison sentence. So it could be journalists and whistleblowers, not just paedophiles, in the frame.
Santow noted technical assistance requests could be issued to protect “Australia’s national economic wellbeing”. “It’s really worrying, that’s an incredibly broad concept that goes well beyond the protection of national security.”
Santow said the threshold for “serious offence” meant that a person who failed to comply with a notice – for example by refusing to unlock their phone – could be jailed for 10 years: “a longer sentence than for the underlying offence” under investigation.
“That seems to be a disproportionate impact on human rights.”
Santow suggested that if the public became aware that law enforcement agencies could push an update of WhatsApp, for example, at one targeted user “it might discourage people from downloading security updates”.
“That could effectively weaken those communications platforms – we are worried about that phenomenon.”
One crack is all it takes
While a law enforcement agency may only be targeting one criminal suspect, that does not mean a technological trap will not harm others.
Patrick Fair, a partner at law firm Baker and McKenzie who represents telecommunications providers, said “the fear is that an agency will actually build a virus based on information you give them that will be used by bad actors as well if it gets out in the public domain”.
Fair argues that compromising a messaging system, website or cloud storage system to get at one user may affect others.
“Web services include many things that are shared – they could take down a webmail system that a whole lot of people use, or create a major vulnerability … as they are going after a particular unnamed person.”
Stanton noted the example of Wannacry in which “the biggest ransomware attack the world has ever seen originated with code written by the [National Security Agency]”.
“If the NSA – one of the world’s most capable agencies – can lose something that causes damage like that, who’s to say that Australian state police agencies are going to be any less likely to unleash unintended consequences?”
Communications Alliance – the lobby group for Australia’s communications industry – was one of the bodies calling for a rethink on the laws, joining an unprecedented campaign that included Digital Industry Group Inc (Digi), an industry body representing Google, Facebook, Twitter and Amazon.
Because the new law includes secrecy provisions, Stanton warned that companies would be unwittingly operating networks and devices with security flaws.
“A device manufacturer could be told to make a modification that gets passed on via a service provider who doesn’t know it’s compromised, it’s then very hard to guard against what might flow from that because they don’t know they’re offering a compromised service.”
Fair says law enforcement agencies “ought to go talk to the parties they need information from and let them decide how to get it rather than undermine the system”.
One of the biggest concerns to emerge from inquiry hearings was the risk to Australia’s $3.2bn IT export sector.
In August Australia banned Huawei from building its 5G network owing to concerns of potential Chinese government interference and the access and assistance act could lead to the same distrust of Australian technology abroad.
Metadata retention risk
The precise bounds of the acts or things that companies can be required to do is still untested, but there are fears the access and assistance act will extend the reach of Australia’s controversial metadata retention laws – which passed in 2015.
Loopholes in that law have already allowed 80 agencies to request access to Australians’ metadata when the list was supposed to be limited to just 21.
Christiane Gillespie-Jones, the director of program management at the Communications Alliance, told the inquiry that the new law appears to give agencies the power to use “technical assistance notices” to require tech giants like Facebook and Google’s Gmail to retain users’ metadata, including browsing histories.
When the former attorney general George Brandis was selling the Coalition’s metadata policy he famously claimed access to metadata was like capturing “the name and address on the envelope, not the content of the letter”.
The fear is if technical assistance notices can be used to retain browsing histories, authorities are creeping closer to the content of the letter and not just the envelope.
A weakness or a back door?
One of the ironies of the unfolding suite of objections about the bill has been that its greatest safeguard has proved to be its greatest flaw.
The original bill failed to define what a “systemic weakness” is, so it was very hard to say what limit was placed on law enforcement agencies’ power to ask tech companies to build a new capability for them.
Government amendments moved after the deal with Labor added the definition that a systemic weakness is one that “affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person”.
Fair said the idea of a “whole class of technology” is “a nonsense and nobody knows what it refers to”, comments echoed by Stanton.
“Does that mean you can do something to every iPhone because you haven’t also done it to Android phones?” Stanton asks.
Amendments also introduce a new range of safeguards including the requirement that “technical capability notices” require the sign-off of both the attorney general and communications minister.
They can be disputed to a panel consisting of a former judge and technical expert who assess whether a proposed back door is “reasonable and proportionate” or is an impermissible “systemic weakness”.
But while those new safeguards apply to “technical capability notices” they do not apply to “technical assistance notices” which are in many respects as far-reaching.
Law passes in final week shambles
The unsatisfactory destination owes much to the ragged journey of the legislative process.
After the bill was unveiled in August, the parliamentary joint committee on intelligence and security offered careful scrutiny, preparing to improve it.
Dutton then demanded the Labor opposition pass it, accusing them of “ending any claim to bipartisanship on national security” while Morrison claimed the opposition leader Bill Shorten is “a threat to national security”.
The government cited security agencies’ warnings that they urgently need the new powers to fight crime and terrorism.
This pressure produced a bipartisan deal, cobbled together in a last-minute rush in the final two days of parliamentary sittings. Labor produced its own amendments to improve judicial oversight and further clarify the definition of “systemic weakness” but was forced to drop them to pass the law in the last session of 2018 on Thursday.
The result was, as the Law Council of Australia’s president, Morry Bailes, described it “a situation where unprecedented powers to access encrypted communications are now law, even though parliament knows serious problems exist”.
The shadow attorney general, Mark Dreyfus, said Labor “acknowledges that there are legitimate concerns about this legislation”, pointing to a commitment from the government to a further review and consideration of amendments in the new year.
“I hope that any unintended consequences of this legislation can be brought to light over the next few months.”
But the former national security legislation monitor Brett Walker said it was the issue that is urgent, not this particular solution.
On Monday – before the legislation passed – Walker warned that “it is important that a bad bill not be passed and that a bill that is good is passed”.
He said that national security legislation was “not like many laws where we can say we won’t make the perfect the enemy of the good” because they “alter security settings for everyone in the community and once done, it may not be able to be fixed”.
Australia has made itself the guinea pig of the world in testing a regime to circumvent encryption. It’s a highly technical experiment being conducted in real time with a legislative process yet again asked to catch up with the messiness and uncertainty of the world of crime and its concealment.
1 Australia’s War On Encryption: The Sweeping New Powers Rushed Into Law Photos