In brief
The Australian Government continues to stoke controversy with its mooted reforms to encryption laws, which would seek to provide law enforcement agencies with access to encrypted communications and information. While little detail as to the shape that the reforms will ultimately take has been provided, there are concerns that the Government's proposal may undermine commercial data security and personal privacy. Similar controversy has surrounded recent reforms in the United Kingdom and New Zealand, and comments by senior United States Government officials.
How does encryption work?
Encryption involves the use of complex mathematical algorithms to encode communications or other data so that they can only be read by the intended recipient. In the public-key form described here, a 'public key' is used to encode the communication, which is then unlocked by a corresponding 'private key' at the other end. Encryption is so secure because the private key necessary to decode it is held only by the recipient.
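The mechanism described above, as an added illustration that is not part of the original article: a Go program (using only the standard library's RSA-OAEP) in which the sender encrypts under the recipient's public key, the carrier relaying the message sees only ciphertext, and only the holder of the matching private key can recover the text. The names `Recipient`, `Deliver` and `WrongKeyFails` and the sample message are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Recipient holds an RSA key pair (hypothetical type for this example).
// The private half never leaves this struct; only the public half is handed
// out, which is what makes a message readable by the intended recipient alone.
type Recipient struct {
	priv *rsa.PrivateKey
}

// NewRecipient generates a fresh 2048-bit key pair.
func NewRecipient() (*Recipient, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Recipient{priv: priv}, nil
}

// PublicKey is the only key material a sender or carrier is ever given.
func (r *Recipient) PublicKey() *rsa.PublicKey {
	return &r.priv.PublicKey
}

// Encrypt encodes a message under the recipient's public key using RSA-OAEP.
// Anyone holding the public key can do this; nobody holding only the public
// key can reverse it.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt reverses Encrypt using the private key this recipient holds.
func (r *Recipient) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, ciphertext, nil)
}

// Deliver models the end-to-end flow: the sender encrypts for the recipient,
// the carrier relays the bytes, the recipient decrypts. It returns the text
// the recipient recovered and the bytes the carrier saw in transit.
func Deliver(to *Recipient, msg string) (recovered string, carrierView []byte, err error) {
	ct, err := Encrypt(to.PublicKey(), []byte(msg))
	if err != nil {
		return "", nil, err
	}
	// The carrier stores and forwards only the ciphertext.
	carrierView = append([]byte(nil), ct...)
	pt, err := to.Decrypt(ct)
	if err != nil {
		return "", carrierView, err
	}
	return string(pt), carrierView, nil
}

// WrongKeyFails reports whether a party holding a different private key
// (a carrier or eavesdropper with its own key pair) fails to decrypt the
// message. With OAEP padding, decryption under the wrong key returns an error.
func WrongKeyFails(ciphertext []byte, other *Recipient) bool {
	_, err := other.Decrypt(ciphertext)
	return err != nil
}

func main() {
	alice, err := NewRecipient()
	if err != nil {
		panic(err)
	}
	carrier, err := NewRecipient()
	if err != nil {
		panic(err)
	}
	msg := "meeting at 10, bring the signed contract" // constructed sample message
	recovered, seen, err := Deliver(alice, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient read: %q\n", recovered)
	fmt.Printf("carrier saw %d bytes of ciphertext, first 16: %x\n", len(seen), seen[:16])
	fmt.Printf("carrier's own private key can decrypt it: %v\n", !WrongKeyFails(seen, carrier))
}
```

The point the program makes concrete is the one the article's later sections turn on: because the carrier holds no private key, a lawful-access scheme that relies on the carrier decrypting messages has nothing to work with unless the design is changed to give someone other than the recipient a key.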
Why the controversy?
While encryption may have its origins in the encoding of government communiques, it is now widely used by private individuals (eg through the use of the popular WhatsApp messaging service) and commercial entities (eg to protect online credit card transactions). Accordingly, encryption provides near-unbreakable security not simply for state secrets and risk-averse technophiles, but for millions of people and businesses worldwide. Proponents also argue that it serves an important function in protecting political dissidents from oppressive regimes.[1]
Some regulations mandate, or at least encourage, the use of encryption in relation to certain communications and data. For example, the EU General Data Protection Regulation, which takes effect on 25 May 2018, provides that controllers of personal data are exempt from notifying data subjects in the event of a data breach where the controller has implemented appropriate technological protection measures, such as encryption.[2] The French Government is even building its own encrypted messenger service for use by ministers and other top officials, given concerns over the security of conventional encryption services that may be subject to the laws of other countries.
However, encryption also has the effect of inhibiting the ability of law enforcement and intelligence agencies to access communications and devices in the course of criminal investigations and counter-terrorism operations. This challenge, described as 'going dark', has prompted governments across the world, particularly the Five Eyes intelligence partnership, to consider legislative means of regulating and accessing encrypted services.[3]
Tech experts and human rights groups have reacted strongly to efforts to force providers of encrypted services and devices to build a 'back door' into those products, which would enable government agencies to decode and monitor encrypted data. In February 2016, Apple went so far as to publish an open letter to the US Government detailing how the creation of a back door into encrypted communication services and devices would undermine fundamental freedoms while providing little assistance to law enforcement, given criminal organisations would continue to use unregulated encryption.
The debate has now reached Australia.
Debate in Australia
As recently as 16 April 2018, Communications Minister Mitch Fifield confirmed that the Australian Government intends to introduce legislation giving law enforcement agencies greater powers to access encrypted communications and devices.[4]
This follows similar comments by the Home Affairs Minister, Peter Dutton, in February 2018 and the initial announcement in July 2017 by the Australian Prime Minister, Malcolm Turnbull, and then the Attorney-General, George Brandis, that the Government would develop legislation to overcome the challenges posed to law enforcement by criminal groups using end-to-end encryption services, such as WhatsApp.[5] Responsibility for the development of the new legislation now rests with the newly created Department of Home Affairs.
While the Government has not clarified what the new laws will entail, the general understanding is that they would compel companies to cooperate with law enforcement agencies seeking to obtain access to encrypted communications as part of criminal investigations. Minister Dutton also recently indicated that such access will be subject to a judicial warrant, as is currently the case in relation to wiretaps and other intercepted communications.
However, this presents challenges, in that encryption is generally designed to be unbreakable by both third parties and the communication carrier.
The Government has denied its goal would be achieved by forcing tech companies to create a so-called 'back door' in encrypted communication services, through which government agencies would be able to monitor encrypted communications (with or without judicial authorisation). But cyber experts have also expressed doubt that access can be achieved without such a back door, prompting Turnbull to declare 'The laws of Australia prevail in Australia'; ie over the laws of mathematics.[6]
The concern with a 'back door' approach is that it potentially undermines the security of end-to-end encryption services more broadly, by also providing criminal hackers with a means of access. Encryption, which is often built in at both the hardware and software levels, is widely used by a range of government, commercial and private actors. Mandating law enforcement access to encrypted information would therefore have ramifications for a large range of encryption users, both individuals and companies, including banks and cloud service providers.
Human rights groups have also criticised giving government agencies access to encrypted communications, arguing that this would undermine civil liberties and raises significant privacy concerns.
Overseas experiences
United Kingdom
The debate in Australia follows the 2016 enactment of the UK's Investigatory Powers Act, which, as well as granting wide-ranging surveillance powers, authorises the UK Government to compel communications providers to remove 'electronic protection' applied to communications or data in its control. In requiring a person to remove such electronic protection, which would include encryption, the Government 'must in particular take into account the technical feasibility, and likely cost, of complying with those obligations'.
New Zealand
In NZ, the Telecommunications (Interception Capability and Security) Act was introduced in 2013. It provides for the issuing to NZ surveillance agencies of warrants, under which they may require a telecommunications service to decrypt a telecommunication on its service if it has provided the encryption.
United States
In the US, the Trump administration and FBI officials have also publicly canvassed the possibility of cracking down on the use of encryption technology. This follows the 2016 legal battle between the Obama administration and tech giant Apple over whether Apple should be compelled to develop software allowing it to break into its own iPhone devices, in response to a terrorist attack in California.[7] Ultimately, the FBI withdrew its request the day before the hearing of this dispute, claiming it had found a third party who was able to assist in unlocking the iPhone.
Similarly to the situation in Australia, concerns in the US revolve around the inability to guarantee the security of decryption keys stored in a central location. This is why providers of encrypted communication services generally do not hold keys themselves. It is also unclear how the UK and NZ laws will work in such circumstances, where service providers are unable to decrypt, or have great difficulty in decrypting, communications.
Forced decryption in Australia?
Even if the new laws give agencies the authority to require service providers to assist them in decrypting communications, as with similar legislative reforms in the UK and NZ, it is not clear what this will mean in practice. The Australian Government has not confirmed whether the legislation will include a mere obligation to cooperate, or whether it will dictate a particular technical approach to decryption.
No doubt, both users and providers of encryption services will be anxious to see the form of any legislative change – watch this space.
Footnotes
1. Andy Yen, 'Why we should all care about encryption. Really', TED, 12 March 2015; Human Rights Watch, 'Perils of Back Door Encryption Mandates: Five Eyes Nations Should Support, Not Threaten, Digital Security', 26 June 2017.
2. General Data Protection Regulation, article 34.
3. Paul Farrell, 'Australian push to make decryption easier "could threaten global internet security"', The Guardian, 16 June 2017.
4. George Nott, 'Govt encryption crackdown "crazy idea", Apple "toey"', CIO, 17 April 2018.
5. Nick Evershed, 'Australia's plan to force tech giants to give up encrypted messages may not add up', The Guardian, 14 July 2017.
6. Chris Duckett and Asha McLean, 'The laws of Australia will trump the laws of mathematics: Turnbull', ZDNet, 14 July 2017.
7. Michael D Shear, 'In Nod to Law Enforcement in Apple Case, Obama Ends Attempt to Straddle Privacy Divide', New York Times, 19 February 2016.