Daily Bulletin

The Conversation

  • Written by Robert Merkel, Lecturer in Software Engineering, Monash University
The government's encryption laws finally passed despite concerns over security

After being caught up in the broader drama of the last day of Parliament for 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 passed both houses on Thursday, with the support of the Coalition and Labor.

The bill is long and complex, but arguably its most significant new provision is the ability to issue companies or individuals with a “technical capability notice”.

These notices compel companies to modify software and the services they provide to allow access to information that could not otherwise be obtained. There are large financial penalties for companies that do not comply.

Read more: Yes, a WhatsApp message could be subject to FOI – but you'd have to find it first

A technical capability notice can be issued at the behest of law enforcement bodies, including state, federal, in some circumstances foreign law enforcement bodies (via the federal Attorney-General), and the Australian Security Intelligence Organisation (ASIO).

The capabilities permitted in the bill can only be used by law enforcement when investigating crimes with a maximum penalty of three years’ jail or more. This covers a much broader range of offences than terrorism or the distribution of child abuse material.

Law enforcement bodies must obtain judicial warrants to use the capability.

The bill is very broad in the types of assistance that could be requested. The one attracting most attention is the ability to intercept messages sent using end-to-end encryption used by tools such as WhatsApp, iMessage and Telegram.

Messages in the ‘dark’

It was claimed that without this bill, law enforcement agencies face risks of “going dark” – a term used by the FBI to describe when communications can’t be intercepted.

Labor MP Peter Khalil told Parliament:

We’ve heard … that members of the Parliamentary Joint Committee on Intelligence and Security have heard evidence from security, intelligence and law enforcement agencies about the risks of the surveillance environment going dark because of some of this technology where terrorists, paedophiles, organised crime and drug traffickers all utilise encrypted technologies and applications for their communications and their planning.

In practice, the picture for law enforcement is more grey than completely dark.Israeli company NSO group already sells spyware that is reportedly able to gain full access to iPhone and Android smartphones.

It is almost certain that Australian intelligence and some law enforcement bodies have software with similar capabilities.

But this type of spyware relies on accidental security flaws in Android and iOS, which may be fixed by updates from Google or Apple at any time.

Would the new laws be effective?

There has been considerable debate as to how effective the bill will be in enabling access to end-to-end encrypted messaging, were a warrant to be issued.

In my opinion, a law enforcement body could use capabilities gained from issuing technical capability notices to get access to just about anything on a standard smartphone or PC, including end-to-end encrypted messages. This would be the case even if the encrypted messaging system was developed by a foreign company beyond the direct reach of Australian law.

A technical capability notice could be used to compel the supplier of system software for a smartphone or PC (for instance, Google, Apple, Microsoft, a smartphone hardware manufacturer, or even an Australian telecommunications company that distributes custom firmware for the phones it sells) to hide spyware in an update targeted at a specific smartphone or computer user who is the subject of a law enforcement warrant or an ASIO investigation.

The spyware would be able to see everything done on the device. This includes the contents of end-to-end encrypted messages after they are decrypted, or the decrypted contents of a hard disk encrypted using full disk encryption.

But while the act is an extremely powerful tool for law enforcement seeking help to access encrypted information, there will be circumstances where it will not be effective.

Not every system that can be used to run an end-to-end encrypted messaging system has an Australian corporate or individual presence that can be served with a technical capability notice.

So what are the risks?

In theory, only law enforcement and intelligence agencies will be able to gain access to material through the mechanisms detailed in the new law.

The law specifically prohibits the creation of “systemic vulnerabilities”. That includes changes to systems that might allow hackers to gain access to information from other users of the system.

But it is extraordinarily difficult to create mechanisms that allow law enforcement to gain access to information about specific people from specific systems, while posing no risk that anyone else can use the same mechanism to gain unauthorised access to other information. In other words, a “targeted capability” could easily end up becoming a “systemic vulnerability”.

Access tools used by intelligence agencies have been stolen and used in extremely damaging ways in the past. It’s impossible to guarantee that it won’t happen with the access mechanisms created under this law.

What happens now?

One major concern with the bill is its potential effect on parts of the Australian IT industry, as foreign customers may be concerned that their own secrets may not be protected from Australian governments.

This may pose a particular problem for companies selling into the European Union, where a strict data privacy law known as the General Data Protection Regulation applies.

Encryption system provider Senetas was one of the several companies that expressed concern over the bill. It warned of the potential loss of trust in Australian cyber security and products and that could lead to a loss in exports, and jobs and technical expertise relocating overseas.

Read more: Protecting our digital heritage in the age of cyber threats

For regular users of computers and smartphones, in theory, things won’t change much.

If you get caught up in the investigation of a serious crime, or are of interest to intelligence agencies (a group which could easily include journalists receiving leaks of classified material), the new powers will make it much easier for government agencies to gain full access the information, encrypted or not, on your computers and smartphones.

But for the majority of us, life goes on. We can only hope that in the process of trying to fight crime and protect Australia’s national security, that the Australian government doesn’t accidentally facilitate events like the WannaCry ransomware attack.

Authors: Robert Merkel, Lecturer in Software Engineering, Monash University

Read more http://theconversation.com/the-governments-encryption-laws-finally-passed-despite-concerns-over-security-108409

Writers Wanted

Drones, detection dogs, poo spotting: what’s the best way to conduct Australia’s Great Koala Count?


The Conversation


Prime Minister Interview with Ben Fordham, 2GB

BEN FORDHAM: Scott Morrison, good morning to you.    PRIME MINISTER: Good morning, Ben. How are you?    FORDHAM: Good. How many days have you got to go?   PRIME MINISTER: I've got another we...

Scott Morrison - avatar Scott Morrison

Prime Minister Interview with Kieran Gilbert, Sky News

KIERAN GILBERT: Kieran Gilbert here with you and the Prime Minister joins me. Prime Minister, thanks so much for your time.  PRIME MINISTER: G'day Kieran.  GILBERT: An assumption a vaccine is ...

Daily Bulletin - avatar Daily Bulletin

Did BLM Really Change the US Police Work?

The Black Lives Matter (BLM) movement has proven that the power of the state rests in the hands of the people it governs. Following the death of 46-year-old black American George Floyd in a case of ...

a Guest Writer - avatar a Guest Writer

Business News

Nisbets’ Collab with The Lobby is Showing the Sexy Side of Hospitality Supply

Hospitality supply services might not immediately make you think ‘sexy’. But when a barkeep in a moodily lit bar holds up the perfectly formed juniper gin balloon or catches the light in the edg...

The Atticism - avatar The Atticism

Buy Instagram Followers And Likes Now

Do you like to buy followers on Instagram? Just give a simple Google search on the internet, and there will be an abounding of seeking outcomes full of businesses offering such services. But, th...

News Co - avatar News Co

Cybersecurity data means nothing to business leaders without context

Top business leaders are starting to realise the widespread impact a cyberattack can have on a business. Unfortunately, according to a study by Forrester Consulting commissioned by Tenable, some...

Scott McKinnel, ANZ Country Manager, Tenable - avatar Scott McKinnel, ANZ Country Manager, Tenable

News Co Media Group

Content & Technology Connecting Global Audiences

More Information - Less Opinion