Daily Bulletin


The Conversation

  • Written by Robert Merkel, Lecturer in Software Engineering, Monash University
The government's encryption laws finally passed despite concerns over security

After being caught up in the broader drama of the last day of Parliament for 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 passed both houses on Thursday, with the support of the Coalition and Labor.

The bill is long and complex, but arguably its most significant new provision is the ability to issue companies or individuals with a “technical capability notice”.

These notices compel companies to modify software and the services they provide to allow access to information that could not otherwise be obtained. There are large financial penalties for companies that do not comply.

Read more: Yes, a WhatsApp message could be subject to FOI – but you'd have to find it first

A technical capability notice can be issued at the behest of law enforcement bodies, including state, federal, in some circumstances foreign law enforcement bodies (via the federal Attorney-General), and the Australian Security Intelligence Organisation (ASIO).

The capabilities permitted in the bill can only be used by law enforcement when investigating crimes with a maximum penalty of three years’ jail or more. This covers a much broader range of offences than terrorism or the distribution of child abuse material.

Law enforcement bodies must obtain judicial warrants to use the capability.

The bill is very broad in the types of assistance that could be requested. The one attracting most attention is the ability to intercept messages sent using end-to-end encryption used by tools such as WhatsApp, iMessage and Telegram.

Messages in the ‘dark’

It was claimed that without this bill, law enforcement agencies face risks of “going dark” – a term used by the FBI to describe when communications can’t be intercepted.

Labor MP Peter Khalil told Parliament:

We’ve heard … that members of the Parliamentary Joint Committee on Intelligence and Security have heard evidence from security, intelligence and law enforcement agencies about the risks of the surveillance environment going dark because of some of this technology where terrorists, paedophiles, organised crime and drug traffickers all utilise encrypted technologies and applications for their communications and their planning.

In practice, the picture for law enforcement is more grey than completely dark.Israeli company NSO group already sells spyware that is reportedly able to gain full access to iPhone and Android smartphones.

It is almost certain that Australian intelligence and some law enforcement bodies have software with similar capabilities.

But this type of spyware relies on accidental security flaws in Android and iOS, which may be fixed by updates from Google or Apple at any time.

Would the new laws be effective?

There has been considerable debate as to how effective the bill will be in enabling access to end-to-end encrypted messaging, were a warrant to be issued.

In my opinion, a law enforcement body could use capabilities gained from issuing technical capability notices to get access to just about anything on a standard smartphone or PC, including end-to-end encrypted messages. This would be the case even if the encrypted messaging system was developed by a foreign company beyond the direct reach of Australian law.

A technical capability notice could be used to compel the supplier of system software for a smartphone or PC (for instance, Google, Apple, Microsoft, a smartphone hardware manufacturer, or even an Australian telecommunications company that distributes custom firmware for the phones it sells) to hide spyware in an update targeted at a specific smartphone or computer user who is the subject of a law enforcement warrant or an ASIO investigation.

The spyware would be able to see everything done on the device. This includes the contents of end-to-end encrypted messages after they are decrypted, or the decrypted contents of a hard disk encrypted using full disk encryption.

But while the act is an extremely powerful tool for law enforcement seeking help to access encrypted information, there will be circumstances where it will not be effective.

Not every system that can be used to run an end-to-end encrypted messaging system has an Australian corporate or individual presence that can be served with a technical capability notice.

So what are the risks?

In theory, only law enforcement and intelligence agencies will be able to gain access to material through the mechanisms detailed in the new law.

The law specifically prohibits the creation of “systemic vulnerabilities”. That includes changes to systems that might allow hackers to gain access to information from other users of the system.

But it is extraordinarily difficult to create mechanisms that allow law enforcement to gain access to information about specific people from specific systems, while posing no risk that anyone else can use the same mechanism to gain unauthorised access to other information. In other words, a “targeted capability” could easily end up becoming a “systemic vulnerability”.

Access tools used by intelligence agencies have been stolen and used in extremely damaging ways in the past. It’s impossible to guarantee that it won’t happen with the access mechanisms created under this law.

What happens now?

One major concern with the bill is its potential effect on parts of the Australian IT industry, as foreign customers may be concerned that their own secrets may not be protected from Australian governments.

This may pose a particular problem for companies selling into the European Union, where a strict data privacy law known as the General Data Protection Regulation applies.

Encryption system provider Senetas was one of the several companies that expressed concern over the bill. It warned of the potential loss of trust in Australian cyber security and products and that could lead to a loss in exports, and jobs and technical expertise relocating overseas.

Read more: Protecting our digital heritage in the age of cyber threats

For regular users of computers and smartphones, in theory, things won’t change much.

If you get caught up in the investigation of a serious crime, or are of interest to intelligence agencies (a group which could easily include journalists receiving leaks of classified material), the new powers will make it much easier for government agencies to gain full access the information, encrypted or not, on your computers and smartphones.

But for the majority of us, life goes on. We can only hope that in the process of trying to fight crime and protect Australia’s national security, that the Australian government doesn’t accidentally facilitate events like the WannaCry ransomware attack.

Authors: Robert Merkel, Lecturer in Software Engineering, Monash University

Read more http://theconversation.com/the-governments-encryption-laws-finally-passed-despite-concerns-over-security-108409

Writers Wanted

Matt Canavan suggested the cold snap means global warming isn't real. We bust this and 2 other climate myths

arrow_forward

Do I Need a Financial Planner or Should I Just Do It Myself?

arrow_forward

The Conversation
INTERWEBS DIGITAL AGENCY

Politics

Prime Minister interview with Karl Stefanovic and Allison Langdon

Karl Stefanovic: PM, good morning to you. Do you have blood on your hands?   PRIME MINISTER: No, it's obviously absurd. What we're doing here is we've got a temporary pause in place because we'v...

Karl Stefanovic and Allison Langdon - avatar Karl Stefanovic and Allison Langdon

Prime Minister Scott Morrison delivered Keynote Address at AFR Business Summit

Well, thank you all for the opportunity to come and be with you here today. Can I also acknowledge the Gadigal people, the Eora Nation, the elders past and present and future. Can I also acknowled...

Scott Morrison - avatar Scott Morrison

Morrison Government commits record $9B to social security safety net

The Morrison Government is enhancing our social security safety net by increasing support for unemployed Australians while strengthening their obligations to search for work.   From March the ...

Scott Morrison - avatar Scott Morrison

Business News

Where Does Australia Stand in the Global Green Energy Transition?

Renewable energy sources seem to be the solution for a less polluted environment, but the transition from fossil fuel is not that easy to make. After all, we still have entire industries that base...

NewsServices.com - avatar NewsServices.com

Elegant Media honoured as a Deloitte APAC Technology Fast 500 Winner

Elegant Media has been awarded a place in the prized 2021 Deloitte APAC Technology Fast 500TM. This recognition stands as a testament to Elegant Media’s dedication and success in producing outstandi...

Tess Sanders Lazarus - avatar Tess Sanders Lazarus

Seeking Funding for Your Business Development and Growth

When you are looking to fund your business's growth and development, it can be difficult knowing what to ask for and what process to undertake. There are many funding options available to business...

NewsCo - avatar NewsCo