Responding to the encryption challenge
4.1
As discussed in Chapter 1, the increasing prevalence of encrypted data
and communications represents a significant challenge to current investigative
and interception capabilities in law enforcement. As the Australian Securities
and Investments Commission (ASIC) stated:
While encryption has clear benefits in safeguarding the
privacy and security of sensitive data, it poses challenges for law enforcement
agencies in obtaining access, in appropriate cases, to the encrypted content
and devices.[1]
4.2
The Australian Criminal Intelligence Commission (ACIC) and Australian
Institute of Criminology (AIC) emphasised the increasing role of encrypted
communication devices and applications in criminal activities:
Increasingly, criminal activities are committed with the
assistance of technology either via the online environment or through advances
in technological capabilities, such as secure communications which include but
are not limited to communication devices with military grade encryption, remote
wipe capabilities, duress passwords and secure cloud-based services...The online
environment enables crime to be committed with relative anonymity, a
characteristic that is attractive to serious and organised crime groups and
other motivated individuals, making the identification and prosecution of
offenders more difficult.[2]
4.3
Similarly, ISACA noted that nations across the world have been grappling
with the encryption challenge for several years, and submitted that the most
effective way to address this challenge is to focus law-enforcement efforts on
research and development.[3]
4.4
Drs Monique Mann, Adam Molnar, Ian Warren and Angela Daly, Australian
Privacy Foundation, Digital Rights Watch Australia, Electronic Frontiers
Australia and Future Wise noted that governments continue to argue for greater
powers to address the encryption challenge:
The rationale behind this argument is that encrypted
messaging apps are having detrimental impacts on their ability to prevent,
detect and investigate serious crimes such as terrorism and the distribution of
child exploitation material. Accordingly, these agencies insist that further
powers are needed to enable access to encrypted communications.[4]
4.5
Dr Mann et al rejected this claim, instead arguing that:
In spite of any claims that end-to-end encryption tools
introduce insurmountable obstacles for intelligence gathering and criminal
investigation, we insist that our present digital age offers an unparalleled
opportunity for intelligence gathering and criminal investigation compared with
any previous point in history. Australian authorities already have extensive
technical and legal capabilities at their disposal to gather, store, and
analyse social and geolocational data to facilitate operations.[5]
Five Eyes Alliance Statement of Principles
4.6
As outlined in Chapter 2, the Five Eyes Alliance is an intelligence
alliance formed in 1946 and now comprising the United Kingdom (UK), United
States (US), Canada, Australia and New Zealand (NZ).
4.7
On 26 June 2017, the Five Country Ministerial Meeting of the Five Eyes
Alliance partners discussed the shared challenge of encryption, noting that it
can severely undermine public safety efforts by 'impeding lawful access to the
content of communications during investigations into serious crimes'. In
response, the partners committed to engaging with communications and technology
companies to explore shared solutions which 'proportionately balance the
cybersecurity and the rights and freedoms of individuals'.[6]
4.8
On 29 August 2018, a joint meeting was held between the
Attorneys-General and Interior Ministers from the Five Eyes nations to further discuss
encryption and the problem of 'going dark'. This meeting resulted in the
development of a framework for discussion with industry to resolve the
challenge of encryption 'while respecting human rights and fundamental freedoms'.[7]
4.9
The agreement was set out in the Five Eyes Alliance Statement of
Principles on Access to Evidence and Encryption (Statement of Principles),
affirming:
-
a mutual public safety responsibility between governments and technology
providers that obliges assistance, while recognising the need to 'ensure the
ability of citizens to protect their sensitive data';
-
the primacy of the rule of law and due process protections to ensure
that 'lawful access should always be subject to oversight by independent
authorities and/or subject to judicial review'; and
-
'[f]reedom of choice for lawful access solutions' so that technology
providers can 'voluntarily establish...customised solutions, tailored to their
individual system architectures that are capable of meeting lawful access
requirements'.[8]
4.10
The Statement of Principles explain that 'appropriate government
authorities should be able to seek access to otherwise private information when
a court or independent authority has authorised such access based on
established legal standards', similar to the principle that allows government
authorities to search homes, vehicles, and personal effects with valid legal
authority.[9]
4.11
The Statement of Principles notes the 'increasing gap between the
ability of law enforcement to lawfully access data and their ability to acquire
and use the content of that data'. It indicates that each of the Five Eyes
jurisdictions will consider how best to implement the principles, including
with the voluntary cooperation of industry partners.[10]
Five Eyes encryption laws
4.12
Of the Five Eyes partners, the UK and New Zealand have existing laws obliging
industry to assist with access to encrypted communications, whereas the US and
Canada have not as yet amended existing provisions to impose comparable
requirements on technology providers.[11]
4.13
The Investigatory Powers Act 2016 (UK) extends the Secretary of
State's power to issue 'technical capability notices to require
telecommunications operators to maintain the capability to provide data in an
intelligible format where it is proportionate, technically feasible and
reasonably practicable to do so'.[12]
4.14
New Zealand's powers are broadly analogous to technical capability
notices under the UK's legislation, whereby the New Zealand government can
'compel assistance from service providers to decrypt information in response to
a warning provided by a "surveillance agency"'.[13]
Australia's new encryption laws
4.15
Australia was the first of the Five Eyes Alliance to introduce
encryption legislation since the release of the Statement of Principles.
4.16
The Minister for Home Affairs, the Hon Peter Dutton MP, introduced the Telecommunications
and Other Legislation Amendment (Assistance and Access) Bill 2018 on 20
September 2018. The Explanatory Memorandum outlined the purpose of the legislation
as follows:
National security and law enforcement agencies already work
cooperatively with industry and other partners in relation to a range of
telecommunications interception matters. The Bill will enhance cooperation by
introducing a new framework for industry assistance, including new powers to
secure assistance from key companies in the communications supply chain both
within and outside Australia (Schedule 1). It will also strengthen agencies'
ability to adapt to a digital environment characterised by encryption by
enhancing agencies' collection capabilities such as computer access (Schedules
2, 3, 4 and 5).
The computer access powers in Schedules 2 to 5 will enable
domestic law enforcement agencies to better assist international law
enforcement partners by undertaking these powers on behalf of those partners
where approved through Australia's mutual assistance framework. These powers
recognise the fact that computers, communications and encryption are now global
and perpetrators of crimes and terrorist acts have a global reach through these
mediums. This will be based on the principle of reciprocity—that Australia will work
with those who work with Australia—and
any other conditions the Attorney-General deems appropriate.[14]
4.17
The Attorney-General, the Hon Christian Porter MP, referred the Bill to
the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for
consideration.
4.18
Following a government request to expedite the inquiry, the Chair and
Deputy Chair of the PJCIS issued a statement pointing to the committee's
reviews of previous national security laws, stating that its reports had 'been
carefully developed to ensure that new powers are proportionate and
appropriately balanced with human rights and privacy, and that commensurate
oversight and accountability is provided'.[15]
4.19
On 22 November 2018, the committee received advice from the Minister for
Home Affairs that 'there was an immediate need to provide agencies with
additional powers and to pass the Bill in the last sitting week of 2018'.[16]
4.20
The Minister explained that the request for acceleration of the
committee's consideration of the Bill was made 'in light of the recent fatal
terrorist attack in Melbourne and the subsequent disruption of alleged planning
for a mass casualty attack by three individuals', and concern that Australia's
agencies could not rule out the possibility that others may have been inspired
to plan and execute terrorist attacks in the forthcoming Christmas-New Year
period.[17]
The committee stated in its Advisory Report that it accepted:
...that there is a genuine and immediate need for agencies to
have tools to respond to the challenges of encrypted communications. The
absence of these tools results in an escalation of risk and has been hampering
agency investigations over several years. As the uptake of encrypted messaging
applications increases, it is increasingly putting the community at risk from
perpetrators of serious crimes who are able to evade detection.[18]
4.21
The committee recommended that the Parliament immediately pass the Bill,
following inclusion of amendments recommended by the committee in its Advisory
Report. The committee also recommended that, once the Bill (as amended) was
passed by the Parliament, the committee undertakes a review of the new
legislation to be completed by 3 April 2019.[19]
The Bill, with amendments, passed both Houses on 6 December 2018.
4.22
On 6 December 2018, the Senate referred the Telecommunications and
Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act) to
the PJCIS for review and report by 3 April 2019.[20]
Balancing privacy and risk
4.23
The provisions of the new legislation attracted debate in Australia and
overseas. Some technology experts warned, for example, that despite the
last-minute amendments, the legislation has the potential to damage the
credibility of the ICT industry as a result of its provision for voluntary and
mandatory industry assistance to help government access the content of
encrypted communications.[21]
4.24
The credit ratings group Fitch observed that the new encryption laws
would weaken the security of messages, and could harm Australia's flourishing
tech sector as well as global operations of tech giants such as Google,
Facebook and Apple.[22]
4.25
The Inspector-General of Intelligence and Security (IGIS) submitted to
the PJCIS review of the TOLA Act that she had a number of outstanding concerns
relating to the scope of IGIS oversight of the new and expanded powers
contained in Schedules 2 and 5 to the Act.[23]
4.26
However, Mr Mike Burgess, Director-General of the Australian Signals
Directorate (ASD), argued that the new legislation provided 'significant checks
and balances' on law enforcement agencies, and was designed to target
terrorists, paedophiles and criminals, not law-abiding Australians.[24]
4.27
The Department of Home Affairs (DHA), Attorney-General's Department
(AGD) and Australian Border Force (ABF) also pointed out—in their submission to
this inquiry—that domestic carriers are already required under the Telecommunications
Act 1997 to provide 'reasonable assistance' to agencies seeking to
implement warrants and enforce the law, and noted that the Australian
government has stated that companies would not be required to build so-called
'backdoors'. In other words, encryption would continue to secure the private
and sensitive information of businesses, governments and individuals.[25]
4.28
Several submitters and witnesses outlined what they saw as potential implications
of the new encryption laws. Some raised broader concerns about 'bans',
'backdoors' or other 'weakening' of encryption technologies, and whether it was
feasible to facilitate decryption by law enforcement agencies without also
making it easier for criminals and foreign spy agencies to access the data.[26]
4.29
Others argued that weakening encryption tools will weaken security of
digital communications generally, 'criminalising activities that are important
for maintaining public safety, cyber security and digital innovation', as well
as having a negative impact on individual privacy and freedom of expression.[27]
4.30
Drs Mann, Molnar, Warren and Daly stated that:
While it might be the case that such proposals may facilitate
law enforcement access to communications at a network-level scale, they will
similarly do so for criminal hackers, organised criminals, or foreign state
actors who acquire access. Computer scientists have noted that any introduction
of a 'backdoor' vulnerability for law enforcement and security intelligence
will similarly do so for malicious actors.[28]
4.31
They noted that Australian officials already have a range of selective
and targeted technical and legal powers to address the issue of 'going dark'.
These include existing powers, via amendments to the Cybercrime Act 2001
(Cth) that introduced a new section 3LA under the Crimes Act 1914 (Cth)
to provide for lawful authorities to compel passwords, as well as existing powers
to facilitate targeting hacking of end-point devices.[29]
4.32
Mr Nathan White, Senior Legislative Manager, Access Now warned that
enabling law enforcement agencies to bypass encryption poses security threats
and is unlikely to solve law enforcement's problems, and advocated other means
to assist law enforcement in dealing with cybercrime:[30]
...undermining encryption hurts security. Every proposal for a
mechanism to allow law enforcement to bypass encryption has been found to have
security flaws that could, if deployed, cause great damage to people,
governments and infrastructure. It could also have knock-on effects that we cannot
anticipate today...undermining encryption will not solve law enforcement's
problems. Principles of sovereignty and criminal incentives will likely drive
law enforcement targets toward tools and technologies that are beyond the reach
of any mandated access mechanism, leaving those who are less technically
sophisticated or financially privileged to bear the brunt of any insecurity
caused by the mandate.[31]
4.33
Dr John Coyne similarly argued that:
...the idea that you can legislate your way out of the
encryption challenge is deeply flawed....The bigger debate on this—and the public
needs to know this—is that by wiring in back doors and by doing those sorts of
approaches, we weaken and undermine all the benefits that come from encryption.
It's part of our everyday life. It's what facilitates ease.[32]
4.34
The Law Council of Australia expressed concern that proposed powers
contained in the Australian government's new encryption laws could have
unintended consequences for the 'privacy and cybersecurity of individuals and
regulation of the telecommunications sector'.[33]
The Law Council considered that:
...any restrictions on encryption and online anonymity must be
provided for by law and are precise, public and transparent, must only be
imposed for legitimate grounds under Article 19(3) of the ICCPR, and must
conform to the strict tests of necessity and proportionality. This includes
consideration of the possibility that encroachments on encryption and anonymity
may be exploited by the same criminal and terrorist networks that the limitations
deter.[34]
4.35
Dr Vanessa Teague, Melbourne School of Engineering, The University of
Melbourne, stated that compliance to the new laws will only apply to encryption
implemented by the company that owns the system, and that it is possible for a
user to install some encryption software from elsewhere and use it to encrypt
files on that company's system.[35]
4.36
In response to the question as to whether it is possible to 'facilitate
decryption by legitimate law enforcement, without also making it easier for bad
actors such as criminals and foreign spy agencies to access the data too', Dr
Teague responded 'No':
The reason is simply that the legitimate law enforcement
operatives are doing (for good reasons) exactly what criminals and other bad
actors do: exposing someone else's data without their consent. Any change that
makes this easier is likely, unfortunately, to make malicious hacking easier
too. There are numerous examples of tools or weaknesses that were employed
first for legitimate law enforcement and intelligence purposes, but were later
shown to be exploitable by everyone (FREAK/Logjam, Dual-EC-DRBG, Wannacry).[36]
4.37
Ms Lizzie O'Shea and Ms Elise Thomas noted that overseas governments
have had little success in regulating encryption, most recently in the UK where
the Investigatory Powers Act 2016 (UK) required technology
companies to assist the government to decrypt messages where 'technically
feasible':
Approaches proposed or used in other countries include
outright prohibitions on encryption, escrow of encryption keys, or limitations
on the strength of encryption. Each of these has been demonstrated to have
serious risks...Built-in weaknesses in encryption systems are not features that
can be exploited only by the government; they can also be used by criminals and
foreign enemies. Information about any backdoor will be highly valuable, and a
honeypot for hackers, making it hard to keep safe.[37]
4.38
The Digital Industry Group Incorporated (DIGI) argued that great care
must be taken in developing government policy around investigatory powers to
ensure that the effectiveness of encryption technology is not comprised, stating
that other countries have chosen alternative approaches to legislated
intervention:
A number of governments around the world have rejected such legal
and market interventions in favour of a broader policy response which embraces
international engagement, technical training for agencies, investment in new
investigatory techniques and enhanced company engagement.[38]
4.39
The Law Council also noted that regulation of encryption by other
nations has not been shown to be necessary when considering 'the breadth and
depth of other tools, such as traditional policing and intelligence and
transnational cooperation, that may already provide substantial information for
specific law enforcement or other legitimate purposes'.[39]
4.40
DHA, AGD and ABF stated that legal frameworks need to be monitored
regularly in order to keep pace with community expectations in this rapidly
changing environment. Legal frameworks must 'balance the legitimate needs of
law enforcement with the privacy, rights and freedoms of individuals'.[40]
4.41
DHA, AGD and ABF also noted that the legislative response will only ever
address some of the law enforcement issues posed by encryption, and predicted
that the continuing challenges posed by end-to-end encrypted communications
mean that agency powers will need to be continually reviewed:[41]
In this environment, it will be increasingly important for
law enforcement agencies to utilise alternative methods to investigate serious
crimes and combat threats to public safety and national security. For this
purpose, the range of powers available to agencies must continually be
examined.[42]
Committee view
4.42
Over recent years, the Australian government has introduced a series of
legislative reforms with the aim of supporting law enforcement in their ability
to respond to the threats posed by new and emerging ICTs.
4.43
The government's response to the challenges arising from new and
emerging ICTs must balance the needs of law enforcement with the civil rights
and liberties of Australians. The committee acknowledges there is an inherent
tension between these and those engaged in this debate have, at times, strongly
held and opposing views. It is for this reason that where the appropriate
balance lies between law enforcement needs and civil rights and liberties must
be resolved by the Australian government together with the Australian public,
and not just by one or the other.
4.44
The committee accepts that there are cogent arguments put by government
and law enforcement agencies for legislative reform to occur expeditiously.
However, that need for swift enactment of law enforcement powers should not
come at the expense of public engagement and debate on these issues.
4.45
The committee is aware that the UK government ran a seven week formal
consultation process on its proposed amendments to the Investigatory Powers Act
and the associated draft communications data code of practice, which
provided 'more detail on how the new regime will work in practice'. The UK
government stated that it 'does not normally consult on such regulations' but
'given the ongoing public interest in investigatory powers we consider it
important to consult on potential changes to the legislative regime in order to
inform the legislative response and subsequent Parliamentary debate'.[43]
4.46
The UK process was not without criticism, but the committee acknowledges
the UK government's efforts to engage the public in the debate about the extent
and appropriateness of certain investigatory powers for law enforcement in the
cyber environment. The committee urges the Australian government to ensure that
public consultation is undertaken when investigatory powers to tackle cybercrime
are similarly amended or introduced in this country.
4.47
The committee acknowledges the public debate that has occurred in
relation to the TOLA Act, and the range of different views amongst
policymakers, law enforcement agencies, legal and technology experts, and users
of ICTs, as to the most appropriate balance between law enforcement powers and
human rights. The committee expects that the Australian government will
carefully consider the views put and these will be appropriately reflected in
the legislation.
4.48
The committee recognises that Australia's new encryption laws represent
the first legislation to be introduced by a Five Eyes Alliance member since the
release of the Alliance's Statement of Principles, and that the new legislation
is entering new territory in extending law enforcement powers to access
otherwise private information. The committee reiterates the view expressed by
the DHA, AGD and ABF that the relevant legislative and regulatory regimes need to
be continuously monitored and reviewed in order to identify, in a timely
manner, gaps and constraints that may be limiting the ability of Australian law
enforcement agencies to respond to the challenges of new and emerging ICTs.
4.49
The committee also considers that the powers given to law enforcement agencies
must be subject to regular monitoring to ensure that the legislative and
regulatory framework is keeping pace with new and emerging ICTs while
respecting the human rights and fundamental freedoms of Australians.
4.50
To this end, the committee suggests that a task force would be an
effective and flexible mechanism for monitoring the development of new and
emerging ICTs and identifying gaps and vulnerabilities in Australia's law
enforcement legislative and regulatory framework, as well as consulting and
advising on the balance between investigatory powers and civil rights and
liberties.
4.51
The committee envisages that such a task force would comprise ICT,
legal, law enforcement and security experts (including academia), and be
responsible for reporting to the Australian government at regular intervals on
aspects of the legislative and regulatory framework that may require amendment
in order for law enforcement to keep pace with this rapidly changing
environment.
Recommendation 2
4.52
The committee recommends that the Australian government considers
establishing a task force comprising information and communications technology
(ICT), legal, law enforcement and security experts, including from academia,
to:
-
monitor the development, and examine and advise on the impact of
new and emerging ICTs on Australian law enforcement;
-
identify specific gaps and vulnerabilities in the current
legislative and regulatory frameworks that may be limiting the ability of
Australian law enforcement agencies to investigate, disrupt or otherwise deal
with cybercrime, including encryption services and encrypted devices;
-
consult and advise on the balance between investigatory powers to
tackle cybercrime and their impact on civil rights and liberties;
-
report to the Australian government at regular intervals on the appropriateness
of current legislative and regulatory frameworks; and
-
recommend any changes that may be necessary to ensure that law
enforcement agencies are keeping pace with and capable of tackling new cyber challenges
as they arise.
Navigation: Previous Page | Contents | Next Page