The industry has responded with cautious optimism in the wake of the federal government’s long-awaited publication of its plan to enable law-enforcement agencies to intercept the encrypted communications of the people they are investigating.
A newly-released exposure draft of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 – also called the ‘Encryption Bill’ – confirmed that the government would not, as some had feared, require software developers to build their products with back-door access to render built-in encryption useless.
Rather, the legislation is designed to force such developers to build mechanisms to allow access to communications either before they are encrypted, or after.
The approach is “comforting” compared to a policy built around brute-forcing encrypted communications, McAfee APAC chief technology officer Ian Yip said in a statement.
“While it does provide the government with easier access to what could be thought of as personal data and thus have some privacy implications, the fact that there will be no vulnerabilities or backdoors required to be built into encryption frameworks is comforting, thus addressing much of the initial concerns raised.”
“The key is to ensure the right checks and balances are put in place, that the right legal procedures are followed, that the justification for access holds up to scrutiny, and that the privacy implications are always factored into any actions that may impinge on the right to anonymity for innocent parties.”
Minister for Law Enforcement and Cyber Security Angus Taylor recently told an audience at ASIAL’s Security conference that industry had so far provided “a high level of cooperation” to overtures from the government.
An explanatory document accompanying the draft legislation noted that increasing use of encryption “is a great outcome for cyber security. However, encrypted devices and applications are eroding the ability of our law enforcement and security agencies to access the intelligible data necessary to conduct investigations and gather evidence.”
Fully 95 percent of ASIO’s “most dangerous counter-terrorism targets” are actively using encryption to communicate in secret, the document notes. “The purpose of the Bill is to allow agencies to seek help from providers, both domestic and offshore, in the execution of their functions.”
Just how much help can be requested, and what kind, is still up in the air. Previous criticism has pointed to a similar UK law that has yet to produce a working model for law-enforcement intervention. Facebook and Apple are on the record arguing against intervention that would compromise a right to privacy that has been vociferously supported by a broad range of tech companies, including prime minister Malcolm Turnbull’s onetime favourite secure-messaging app, Wickr.
Regardless of the longtime opposition from many, the government’s proposed legislation will pursue three key reforms, including a new framework for industry assistance. Under that framework, ‘designated communications providers’ may provide voluntary assistance under a ‘technical assistance request’ (TAR); may be required to provide technical assistance they are already capable of providing under a ‘technical assistance notice’ (TAN); or may be issued a ‘technical capability notice’ (TCN) that requires them to build a new capability to meet ASIO and interception agencies’ requirements.
The legislation indemnifies providers against civil consequences if they render assistance to government bodies, while other clauses allow enforcement action for non-compliance, including civil penalties, injunctions, or enforceable undertakings.
Significantly, the legislation won’t prevent software providers from updating their software even to fix vulnerabilities that are being actively exploited by investigators. TAN or TCN notifications must be revoked “if satisfied that any ongoing requirements are no longer reasonable, proportionate, practical or technically feasible”. The scope of assistance is limited to core functions, and the Bill includes a list of the types of things that a provider may be required to do under a TAN.
Industry group the Communications Alliance is among those reviewing the legislation, and CEO John Stanton said in a statement that the group “naturally takes a strong interest in the Bill [and is] working through the details of what is a very complex piece of legislation.”
“It will take some time to get a clear picture as to what is being proposed and whether the draft legislation is practical and provides sufficient clarity to allow our industry to implement the new regime in the relevant timeframes envisaged by the law.”