How the Australian Government plans to breach your online privacy
From as far back as April 2016, the federal government has been talking about the trouble that encryption causes for law enforcement. In June 2017, the then Attorney-General George Brandis started talking about governments globally working to find ways to “break into” encrypted communications by working “with” the companies that provide end-to-end encrypted communications tools such as WhatsApp, Signal, Telegram, Viber, but not by introducing flaws or backdoors into the apps.
Over the last 18 months or so, various comments were made by government representatives around breaking encryption — and fast forward to August 2018, we now have a proposed bill to be introduced into parliament — The Assistance and Access Bill 2018. You can read the bill here.
Sadly, despite more than 12 months during which the government could have consulted with organisations with real experience and understanding of the idea and come up with a balanced and mature proposal, the proposed bill shows that not only did the government not listen to the concerns that were raised when the idea was originally floated, but it has also introduced new concerns which ultimately make the proposed bill completely incapable of achieving either of its stated goals — breaking the encryption of criminals or protecting the rights of law-abiding citizens.
Talk of a government attack on encryption began with George Brandis back in 2016, when he cited legislation in the UK as an example of what was needed. Brandis announced his resignation from politics in December 2017, but the idea of the government breaking encryption persisted. In February 2018, Peter Dutton (Minister for Home Affairs) delivered an address to the National Press Club, again broaching the subject of a change to legislation to allow easier access to encrypted data for law enforcement agencies.
When it was (once again) pointed out by a number of parties (technology groups, privacy groups, even the tech media) that the very nature of end-to-end encryption meant that viewing messages within these apps without flaws or backdoors being introduced was basically mathematically impossible, Prime Minister Malcolm Turnbull (in)famously said, “The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
Corporate organisations such as Facebook and Google, technology organisations such as the ITPA and the Internet Society, and privacy groups such as the Electronic Frontiers Foundation and Privacy International, all criticised the idea as not only being technical infeasible but also “throwing the baby out with the bathwater” — seriously compromising the right to privacy of law-abiding citizens in the hope that it would make it easier for law enforcement agencies to catch ‘the usual suspects’ (paedophiles, terrorists and organised crime syndicates) that are mentioned when government wants to start eroding the privacy of law-abiding citizens.
The bill proposes three levels of assistance to be granted to law enforcement agencies — one is voluntary, two are legally enforceable. Despite claims by politicians that the bill requires Designated Communications Providers to act “without requiring companies to weaken their systems”, the bill clearly states that a Technical Capability Notice requires “a designated communications provider to build a new capability that will enable them to give assistance as specified in the legislation to ASIO and interception agencies”.
Given that the bill expressly excludes a requirement to weaken systems or encryption directly, if the data being sought by an interception agency is encrypted end-to-end with strong ciphers and rigorous coding practices (ie, it’s basically uncrackable except by brute force, which takes significant time), there are only a limited number of ways this can be achieved. Effectively, the data has to be collected before it is encrypted, and then exfiltrated via a back-channel to the provider for the purpose of sharing with authorised interception agencies.
From an oversight perspective, while warrants via the judicial system are still required to obtain data, it is left to the Attorney-General to decide if the method of obtaining the data is appropriate, with review only carried out after the fact — a little late if your private data has just been obtained inappropriately. Before the fact, there is a requirement for 28 days of industry consultation which must be taken into consideration before a notice is enforced. Of course, there is nothing to stop the Attorney-General from ignoring the advice given by industry, as we’ve already seen with the drafting of this bill to start with, not to mention other legislation such as the mandatory metadata retention laws that passed in 2017.
Even if the government did manage to draft a bill that offered more appropriate levels of protection, and had sufficient protections for individual privacy, there are other concerns. There are multiple examples already of retained metadata being inappropriately obtained (warrants not sought or obtained before a metadata request is made and fulfilled) and misused by privileged individuals in law enforcement agencies for their own personal benefit. Once a tool exists to exfiltrate previously secure data, it will almost certainly fall into the wrong hands.
We also know that, quite simply, if the government starts to gain access to existing encryption tools, the real criminals — the smart, dangerous ones — will simply move to using tools that the Australian Government has no control over. This will leave only two groups using the encryption apps that the government (and others) now have the ability to break into — incompetent criminals (who are likely part of the 10% of interceptions that ASIO says are still unencrypted anyway) and law-abiding citizens.
This bill, as it currently stands, and no matter how much better it becomes, is simply doomed to fail in its stated aims — at a massive cost to the privacy of individuals. We’ve already lost metadata; this bill would effectively kill encryption. With comments from government that they need the same capability online as they previously had on traditional media (telephone, television, radio and mail services), one wonders what will come next in the government’s futile attempts to apply outdated thinking to the modern world.
ITPA will be making a formal submission to the government regarding this bill, recommending that it is discarded by the parliament due to both the technical inability for it to achieve its desired aims and the “collateral damage” that it will cause to individual privacy if it is passed. If you support us in this position, and want to see us continue to oppose bad policy and to provide expert guidance to government on technology matters, please consider becoming a financial member of ITPA.
Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.
With a view to improving my 'leanness' and stop myself working so many extra hours, I...
In light of the current situation in Ukraine, the ACSC is urging all Australian organisations to...
Attempting major IT changes late in the day — or week — can be a recipe for disaster.