The Parliament of Australia has passed a bill that obliges technology businesses to weaken the encryption in their products and services. The legislation, which its critics have branded the “Anti-Crypto bill”, compels companies to provide law enforcement with access to encrypted user data, even where doing so requires introducing vulnerabilities into the system. The bill is the latest development in the global conflict over the regulation of encryption.
In today’s blog post, we examine some of the most controversial aspects of the new legislation, known as the Assistance and Access Act.
The most recent chapter in the crypto wars
Ever since Edward Snowden’s revelations about the mass surveillance programs conducted by several governments, there has been a remarkable increase in the deployment of encryption in digital systems. Encryption protects the confidentiality and integrity of information. It underpins a wide range of products and services: e-commerce, financial transactions and communication platforms such as WhatsApp and Skype, for instance. It is a fundamental tool for ensuring privacy and safety in the digital age.
But while it is undisputed that encryption is an indispensable protection in the information society, law enforcement institutions around the world have argued that the technology has become an obstacle to their work. Encryption, according to these institutions, leaves the police unable to access information needed to carry out criminal investigations.
In this narrative, encrypted applications create “digital havens” in which crime can occur unobstructed. The proposed solution is to oblige companies to insert vulnerabilities into their applications so as to grant law enforcement exceptional access to protected content for investigative purposes. Several conflicts arise from this, because inserting such vulnerabilities reduces the security of the entire system: it leaves users more exposed both to digital criminals and to repressive state surveillance.
In the U.S., a noteworthy case was the 2016 dispute between Apple and the FBI over unlocking the iPhone of one of the San Bernardino shooters. In Brazil, these debates were the central theme of the public hearing held by the Supreme Court on the blocking of WhatsApp. In April 2018, Russia’s blocking of Telegram drew much attention from the technology community. Another 2018 milestone was a statement from the Five Eyes intelligence alliance (Australia, USA, Canada, UK and New Zealand) in which the countries reaffirmed their demand for exceptional access to cryptographic systems for law enforcement purposes.
With the new legislation, Australia has written the latest chapter in these conflicts, known as the crypto wars.
Legislation that passed in haste
The first noteworthy aspect of the Anti-Crypto bill is the remarkable speed of its legislative process.
First introduced in August, the bill took no more than a few months from proposal to passage. This raises concerns about the depth of the debate and analysis performed by policymakers before the legal text was finalised.
Notably, the bill passed without the 173 amendments proposed by the Labor Party, the current opposition, even being debated. Labor agreed to withdraw all of its proposals so that the bill could pass before the end of the year, on the grounds of keeping the Australian population protected over the holiday period, the time of year when terrorist attacks are allegedly most likely to occur.
In exchange for the withdrawal of these amendments, the Australian government committed itself to passing Labor’s proposals next year. Recent statements by Peter Dutton, the Minister for Home Affairs, however, cast doubt on that commitment.
What does the act say, specifically?
Schedule 1 of the legislation, the focus of this post, amends several Australian laws already in effect, such as the Criminal Code Act, the Telecommunications Act and the Telecommunications (Interception and Access) Act, among others.
The changes to the Telecommunications Act are the most striking. They add an entirely new part to the law, Part 15, which provides the legal basis for requesting (or compelling, depending on the case) assistance from “designated communications providers”.
The Act provides three forms of assistance:
- Technical Assistance Requests (TAR): voluntary requests for a designated communications provider to assist the competent authorities in safeguarding the interests of Australia’s national security, foreign relations and economic well-being, and the integrity of data that is stored, processed or communicated, among others.
Can be issued by: the Director-General of Security, the Director-General of the Australian Secret Intelligence Service, the Director-General of the Australian Signals Directorate and the chief officers of interception agencies.
- Technical Assistance Notices (TAN): mandatory notices requiring a designated communications provider to use a capability it already has to assist the competent authorities in enforcing Australian criminal law. This covers, for instance, a provider of an encrypted application that already maintains a vulnerability that makes exceptional access possible. A TAN can be issued in cases of serious offences under national legislation.
Can be issued by: the Director-General of Security or the chief officers of interception agencies.
- Technical Capability Notices (TCN): mandatory notices requiring a designated communications provider to assist the competent authorities in enforcing criminal law by means that include building a new capability it does not yet have. This includes compelling the provider of an application that deploys encryption to insert a vulnerability that makes exceptional access possible.
Can be issued by: the Attorney-General.
The interception agencies referred to are those that the Telecommunications (Interception and Access) Act makes competent to intercept communications or to obtain access to stored communications: the Australian Federal Police, the Australian Commission for Law Enforcement Integrity, the Australian Criminal Intelligence Commission, state and territory police forces, and anti-corruption commissions.
Non-compliance with a mandatory notice triggers the Act’s enforcement measures, which include civil penalties, injunctions and enforceable undertakings.
Types of assistance actions that can be demanded
The new legislation sets out the assistance actions that can be demanded. The main ones, according to the bill’s explanatory memorandum, are:
- Removing a form of electronic protection applied by the provider, including encryption and other authentication mechanisms.
- Providing technical information like the design specifications of a device or the characteristics of a service.
- Installing, maintaining, testing or using software or equipment given to a provider by an agency.
- Formatting information obtained under a warrant.
- Facilitating access to devices or services.
- Helping agencies test or develop their own systems and capabilities.
- Notifying agencies of major changes to their systems, products or services that are relevant to the effective execution of a warrant or authorisation.
- Modifying or substituting a target service.
- Concealing the fact that agencies have undertaken a covert operation.
The excessive breadth of the concept of “designated communications provider”
Potential designated communications providers from which such assistance may be demanded are listed in an extensive set. In summary, they include foreign and domestic communications providers, device manufacturers, component manufacturers, application providers, and traditional carriers and carriage service providers, among others.
It is a sizable list that can even include an individual, for instance if “the person develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end-users in Australia” (section 317C).
This is one of the main concerns about the legislation. The generality of the concept allows both a legal and a natural person to be included, which creates considerable uncertainty about how it will be applied. It is unclear, for instance, what the effects are of a notice directed at a company employee individually, demanding assistance through the activities that he or she carries out as the company’s employee.
A related concern is that an employee could be coerced into acting against the interests of his or her own company, which could generate a series of legal conflicts. Beyond the legal aspect, complying with such a notice could be technically unfeasible: the version control systems commonly used in software development would reveal any change made by the employee.
Limits on demands and their lack of scientific grounding
Division 7 of the legislation sets limits on what can be demanded through notices and requests. The main limitation is that they must not have the effect of producing a “systemic vulnerability” or “systemic weakness” in a form of electronic protection.
The bill’s text defines these terms, respectively, as a vulnerability or a weakness that affects a “whole class of technology”. The legislation does not define what a “whole class of technology” is, but it contrasts systemic vulnerabilities and weaknesses with those “introduced to one or more target technologies that are connected with a particular person” (section 317B).
The problem is that neither of these concepts has any scientific foundation in the field of information security. Even if legally applied only to a specific user, a vulnerability developed and deployed to bypass a system’s security can, once it exists, be used against any user.
This is because, even if kept secret, a mechanism developed to comply with a notice or request could still be obtained by malicious actors. This is what happened with the WannaCry ransomware in 2017, which was built on a Windows vulnerability that the U.S. National Security Agency had kept secret for surveillance purposes (the EternalBlue exploit, published by the Shadow Brokers group). WannaCry spread globally and put countless systems at risk in both the public and the private sectors.
For that reason, from a security standpoint, the distinction the Australian bill draws between a “vulnerability inserted in a specific device” and a “systemic vulnerability” that disables encryption for every user of an application is seriously dubious. Once a security vulnerability exists and can be applied to any user, it becomes exploitable by malicious adversaries against any user.
Opacity about the content of notices and requests
The bill requires (section 317ZS) annual reports stating the number of each type of notice and request issued that year, as well as the number of TCNs directed at ensuring that designated communications providers can assist interception agencies. The only information required about the content of the notices and requests is whether any of them relates to the enforcement of criminal law in cases involving serious offences.
The absence of information requirements about the content of the demands may result in a very low level of institutional transparency and accountability. From this perspective, it is worth recalling what led to the popularisation of encryption over the last five years: the revelations of mass surveillance programs carried out opaquely by government agencies with the cooperation of technology companies. There is, in consequence, a present and empirically grounded concern about the lack of transparency from institutions.
It is clear that the Assistance and Access Bill has taken shape as legislation full of dubious definitions and overly generic provisions. Even before the bill passed, representatives of several sectors of society expressed their opposition to its provisions. According to them, it is a legal mechanism that puts every internet user at risk. In October, Apple submitted a letter to the Australian parliament opposing the new legislation and defending encryption.
In the Five Eyes statement mentioned above, the signatory countries are clear in claiming that privacy, while important, is not absolute. This is one of the main arguments used to justify the bill analysed here: that the debate is a confrontation between “privacy” and “security”, and that in the cases described, security is the interest that should prevail.
It is important to remember, however, that encryption does more than safeguard the privacy of internet users: it is a means of protecting their very safety. In the widely connected world we inhabit, weakening the protection of digitally stored information poses a real danger to the well-being of each of us.
What is at stake, therefore, is not a balance between “privacy” and “security”, but between “security” and “security” itself. In other words, the bill grounds itself in an alleged notion of national security to the detriment of the individual and collective security of each and every internet user, which justifies the many criticisms directed at the Assistance and Access Bill in recent days.
Are you interested in encryption and digital security? Click here to find more IRIS content on the subject!