Like the FBI, Australia has been finding ways to get past encryption, with big tech companies famously not making it easy for authorities.
In response, Australia’s government unveiled draft plans on Tuesday to make companies help intelligence and law enforcement agencies with access to encrypted messages and devices — but without building a backdoor.
In a new bill, the government argued encrypted messaging services and devices are being increasingly used by criminals to carry out activities like terrorism and drug trafficking.
“95 percent of the Australian Security Intelligence Organisation’s (ASIO) most dangerous counter-terrorism targets actively use encrypted messages to conceal their communications,” the government said.
The proposed laws target companies which provide any communications services in Australia, ranging from device manufacturers, messaging services like WhatsApp, to mobile carriers.
How the government plans to get access
The Assistance and Access Bill gives Australian law enforcement and intelligence agencies three new powers.
These powers will allow authorities to ask, or try to make, providers cooperate by allowing access to devices or services, or by removing security protection, where the provider is able to do so. Authorities will need a warrant or authorisation to use these powers.
The first, dubbed a Technical Assistance Request (TAR), allows agencies to ask providers for help, which providers can voluntarily choose to give or not.
If the provider has the ability to provide assistance, but chooses not to, they can be issued with a Technical Assistance Notice (TAN). This is a compulsory order, meaning that providers need to assist or be fined up to A$10 million (USD$7.2 million), or A$50,000 (USD$36,000) for an individual.
The third power is the Technical Capability Notice (TCN). This means tech giants like Facebook and Apple could be asked to build tools which would allow law enforcement access to encrypted communications.
The TCN is issued by the Attorney-General, and providers have 28 days to explain whether the proposal is feasible or not.
Despite this, the government has repeatedly stated it won’t make providers build a backdoor into their products, saying it has “no interest in undermining systems” designed to protect users.
“The new powers will have no effect to the extent that requirements would reasonably make electronic services, devices or software vulnerable to interference by malicious actors,” the bill reads.
If issued with a request or notice, a provider is also legally required to keep those details secret, so as not to jeopardise an investigation.
The bill also introduces a revised “computer access warrant,” which allows ASIO to covertly access information on a computer.
Leveling the playing field
Matthew Warren, a cybersecurity professor at Deakin University, said it was an attempt by the government to “try and level the playing field” with tech companies.
“What it highlights is the government realises they’re in a situation where they can’t intercept data,” he told Mashable.
“The government is realising from a law enforcement/intelligence perspective, is that even if they can get access to data, they can’t actually use that data in a meaningful situation.”
Authorities could use these powers against tech companies like Facebook which have a presence in Australia — Facebook received more than 1,400 government requests in 2017. But Warren questions whether the government could do the same to a provider with no presence in the country.
“A lot of those messaging apps, those app developers won’t give backdoor access to Australian government because they’re based in China. Why would they give access?” he said.
Australian Greens Senator Jordon Steele-John said the proposed law “undermines the very principle of end-to-end-encryption,” and that it constitutes overreach by the government.
“Installing malware on people’s devices to read encrypted data is not a solution to catching criminals but it is weakening the defences of every single device that receives encrypted messages, therefore making it easier for criminals who want to steal data,” he said in a statement.
The Australian government has opened the bill to public feedback. Submit any comments by Sept. 10. We expect there’ll be a few.