After being caught up in the broader drama of the last day of Parliament for 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 passed both houses on Thursday, with the support of the Coalition and Labor.
The bill is long and complex, but arguably its most significant new provision is the ability to issue companies or individuals with a “technical capability notice”.
These notices compel companies to modify software and the services they provide to allow access to information that could not otherwise be obtained. There are large financial penalties for companies that do not comply.
A technical capability notice can be issued at the behest of law enforcement bodies, including state, federal, in some circumstances foreign law enforcement bodies (via the federal Attorney-General), and the Australian Security Intelligence Organisation (ASIO).
The capabilities permitted in the bill can only be used by law enforcement when investigating crimes with a maximum penalty of three years’ jail or more. This covers a much broader range of offences than terrorism or the distribution of child abuse material.
Law enforcement bodies must obtain judicial warrants to use the capability.
The bill is very broad in the types of assistance that could be requested. The one attracting most attention is the ability to intercept messages sent using end-to-end encryption used by tools such as WhatsApp, iMessage and Telegram.
Messages in the ‘dark’
It was claimed that without this bill, law enforcement agencies face risks of “going dark” – a term used by the FBI to describe when communications can’t be intercepted.
We’ve heard … that members of the Parliamentary Joint Committee on Intelligence and Security have heard evidence from security, intelligence and law enforcement agencies about the risks of the surveillance environment going dark because of some of this technology where terrorists, paedophiles, organised crime and drug traffickers all utilise encrypted technologies and applications for their communications and their planning.
In practice, the picture for law enforcement is more grey than completely dark.Israeli company NSO group already sells spyware that is reportedly able to gain full access to iPhone and Android smartphones.
It is almost certain that Australian intelligence and some law enforcement bodies have software with similar capabilities.
But this type of spyware relies on accidental security flaws in Android and iOS, which may be fixed by updates from Google or Apple at any time.
Would the new laws be effective?
There has been considerable debate as to how effective the bill will be in enabling access to end-to-end encrypted messaging, were a warrant to be issued.
In my opinion, a law enforcement body could use capabilities gained from issuing technical capability notices to get access to just about anything on a standard smartphone or PC, including end-to-end encrypted messages. This would be the case even if the encrypted messaging system was developed by a foreign company beyond the direct reach of Australian law.
A technical capability notice could be used to compel the supplier of system software for a smartphone or PC (for instance, Google, Apple, Microsoft, a smartphone hardware manufacturer, or even an Australian telecommunications company that distributes custom firmware for the phones it sells) to hide spyware in an update targeted at a specific smartphone or computer user who is the subject of a law enforcement warrant or an ASIO investigation.
The spyware would be able to see everything done on the device. This includes the contents of end-to-end encrypted messages after they are decrypted, or the decrypted contents of a hard disk encrypted using full disk encryption.
But while the act is an extremely powerful tool for law enforcement seeking help to access encrypted information, there will be circumstances where it will not be effective.
Not every system that can be used to run an end-to-end encrypted messaging system has an Australian corporate or individual presence that can be served with a technical capability notice.
So what are the risks?
In theory, only law enforcement and intelligence agencies will be able to gain access to material through the mechanisms detailed in the new law.
The law specifically prohibits the creation of “systemic vulnerabilities”. That includes changes to systems that might allow hackers to gain access to information from other users of the system.
But it is extraordinarily difficult to create mechanisms that allow law enforcement to gain access to information about specific people from specific systems, while posing no risk that anyone else can use the same mechanism to gain unauthorised access to other information. In other words, a “targeted capability” could easily end up becoming a “systemic vulnerability”.
Access tools used by intelligence agencies have been stolen and used in extremely damaging ways in the past. It’s impossible to guarantee that it won’t happen with the access mechanisms created under this law.
What happens now?
One major concern with the bill is its potential effect on parts of the Australian IT industry, as foreign customers may be concerned that their own secrets may not be protected from Australian governments.
This may pose a particular problem for companies selling into the European Union, where a strict data privacy law known as the General Data Protection Regulation applies.
Encryption system provider Senetas was one of the several companies that expressed concern over the bill. It warned of the potential loss of trust in Australian cyber security and products and that could lead to a loss in exports, and jobs and technical expertise relocating overseas.
For regular users of computers and smartphones, in theory, things won’t change much.
If you get caught up in the investigation of a serious crime, or are of interest to intelligence agencies (a group which could easily include journalists receiving leaks of classified material), the new powers will make it much easier for government agencies to gain full access the information, encrypted or not, on your computers and smartphones.
But for the majority of us, life goes on. We can only hope that in the process of trying to fight crime and protect Australia’s national security, that the Australian government doesn’t accidentally facilitate events like the WannaCry ransomware attack.
Authors: Robert Merkel, Lecturer in Software Engineering, Monash University