This article was written by Michael Swinson and Louise Yun.
On July 14, the Australian Government announced plans to introduce new legislation to force global tech companies to unlock and provide encrypted information to authorities for law enforcement purposes.
Under the proposed reforms, authorities would be allowed to obtain a warrant to compel tech companies to provide requested information, such as encrypted communications, or otherwise cooperate with investigations into paedophile networks, major organised crime and terrorism. It has also been suggested that the new laws would give the Australian Federal Police the ability to remotely monitor computer networks and devices. This could potentially require tech companies to weaken their encryption technology in order to allow authorities to gain access to the content of communications carried on their services.
Surge in encrypted communications in criminal investigations
The flagged changes are in response to a surge in the use of encrypted communications. Encryption protects communications as they move between devices, preventing third parties from accessing the information, and is a feature of many websites and common messaging applications such as WhatsApp, Facebook Messenger and iMessage. End-to-end encryption technologies used by these service providers provide full security from sender to recipient, so that not even the service provider itself can access the content of the encrypted message.
However, increased use of encrypted communications by terrorists, paedophiles, and organised crime rings has created concerns about the potential impact on intelligence and law enforcement capabilities. Data from the Government indicates that the proportion of communication traffic monitored by police that is encrypted has grown rapidly from 3% to 55% over the last few years. Reports have suggested that difficulty accessing encrypted communications affected around 60% of terrorism and organised crime operations in June 2017. Evidently, such technology raises increased concerns for the effectiveness of police operations.
Alignment with international regimes
The proposed laws would sit alongside a raft of recent legislative changes as international governments seek powers to compel access to information to address global threats in sectors such as cybersecurity, as well as in criminal investigations. Singapore’s new Cybersecurity Bill provides regulators with sweeping powers to investigate cybersecurity threats, and China’s Cybersecurity Law imposes obligations on network operators to cooperate with law enforcement bodies and fulfil other security requirements. New Zealand also enacted similar legislation in 2013 to compel tech companies to cooperate with law enforcement in investigations.
Government announcements indicate that the Australian reforms will be modelled on Britain’s Investigatory Powers Act 2016, which imposes obligations on communications service providers to cooperate with investigators by assisting with targeted interception of communications and removing encryption. In addition, the changes are set to be discussed with Australia’s ‘Five Eyes’ intelligence partners, the United States, Britain, Canada and New Zealand, in order to advance a common approach.
Alignment with other sectors
If successfully enacted, the reforms will sit alongside telecommunications-focussed mandatory data retention laws enacted in 2015, as well as the Telecommunications Sector Security Reforms (TSSR) currently under consideration by Parliament, as examples of recent legislative changes designed to boost the investigatory powers of law enforcement authorities to deal with criminal activity.
The mandatory data retention regime requires telecommunication and internet providers to retain certain communications metadata for all customers for a period of two years. Law enforcement agencies are able to gain access to the retained metadata without necessarily obtaining a warrant, provided it is reasonably necessary for their law enforcement activities. With the new reforms purporting to grant Government access to online communications as well, individuals may find it harder to use the internet to hide their communication activity from authorities.
Furthermore, the proposed TSSR legislation would strengthen the Government’s ability to manage national security risks affecting telecommunications networks and facilities. This proposed legislation seeks to impose new obligations on carriers and carriage service providers to protect the integrity of their communications networks, and give the Attorney-General greater powers to require companies to take specific actions in order to meet these obligations and require disclosure of information required to assess their compliance.
Potential consequences of the reforms
Privacy and security concerns
A major concern raised by both internet companies and privacy advocates is that the proposed security measures could not only undermine privacy, but also compromise security for all users of a messaging service. Security experts and tech companies have repeatedly flagged that any weaknesses built into the encryption processes for law enforcement to access communications would also make the encryption vulnerable to hackers, creating a risk for the wider public. In particular, they have raised concerns that service providers would need to build a ‘backdoor’ into their service, in order to enable enforcement agencies to access messages carried on the service. Any such backdoor could potentially be exploited by wrongdoers as well as law enforcement bodies. The Government has indicated that this is not its intention. However, it is hard to reconcile the Government’s stated purpose with the practical reality that any weakening of encryption technology, whether by the introduction of a backdoor or otherwise, will present new security risks.
Difficulties in enforcing compliance
The Government has not revealed its plans for how its proposed reforms should be implemented in practice by tech companies. However, it is clear that there will be a few roadblocks in doing so. Practically, there are significant technical and jurisdictional challenges. As flagged above, with the widespread use of end-to-end encryption, whereby only the communicating users can read messages, tech companies typically do not have access to encrypted messages themselves. In addition, the majority of these tech companies are based overseas, with limited or no actual presence in Australia, making it potentially difficult to enforce Australian laws against them if they fail to comply.
Unsurprisingly, the proposals were poorly received by tech companies, many of which have robustly defended the security of their services from what they see as dangerous government interference. Facebook has declared that it will resist these reforms, arguing that its existing protocols for responding to government requests for information are sufficient. Apple has also historically refused to comply with government requests that might weaken the security applied to its devices, as is evident from its 2015-2016 challenges against FBI requests to assist in unlocking iPhones so that authorities could access cryptographically protected data. It remains to be seen whether global reform in such laws will change these companies’ stance on government cooperation. Given they use the same technology around the world, it is unlikely that these companies will technically be able to create exceptions only for Australian customers or use cases.
In light of these proposals, there are a few major takeaways for both tech companies and internet users:
The Government has flagged its intention to introduce legislation to give effect to its proposals by November 2017. This ambitious timeline suggests that companies should remain vigilant as further details of the reforms become available.
The Government’s approach will likely be developed in the context of a coherent global framework, so Australia’s interactions with the ‘Five Eyes’ intelligence sharing allies, along with the cyber investigative laws of each ally, may give good indications of what the proposed Australian laws will entail.
If the reforms are successfully passed, tech companies will potentially need to make technical changes to their services in order to ensure that they are able to comply (or else, in a worst case, consider withdrawing from the Australian market). In addition, in this case, users will need to keep in mind that communications through online messaging platforms can be accessed by authorities in particular circumstances.