Encryption legislation is "fatally flawed" 
Wednesday, October 31, 2018
Justinian in Comment, Legislation, National security

The government's proposed law to unscramble encrypted communications ... Threats to citizens and journalists in particular ... Confidential sources placed at greater risk of exposure ... A new invasion of privacy amid an abundance of government intrusions ... Cybersecurity threatened ... Criticism from UN privacy rapporteur ... Nick Bonyhady reports 

The United Nations Special Rapporteur for Privacy, Professor Joseph Cannataci, has criticised the Morrison government’s planned anti-encryption legislation, describing it as “fatally flawed”. 

The Assistance and Access Bill 2018, gives law enforcement agencies broad powers to access online communications.

While warrants are still required, the method by which information is accessed has alarmed Professor Cannataci:

“The Bill is… a poorly conceived national security measure equally as likely to endanger security as not; it is technologically questionable if it can achieve its aims and avoid introducing vulnerabilities to the cybersecurity of all devices.”  

Encryption protects online communications by scrambling the contents of a transmission – which could be anything from a text message, to stock market data, to self-driving instructions – using a randomised key.

When the transmission arrives at the correct device it is unscrambled using the proper key, which is determined through an exceptionally complex mathematical process.

This prevents third parties by intercepting and reading the contents without the key. With encryption, companies can trust critical online services with market-sensitive information and information about individuals’ political preferences, sexuality and personal lives would less likely be accessible online to bad actors.

recent United States Supreme Court case on a similar issue illustrates the potential for overreach using digital surveillance.

In that case, US authorities tracked suspected thieves using the locations of their mobile phones. It showed which church one target attended, where his family was located, and also that he was having an affair.

According to the Department of Home Affairs fact sheets, the government is alive to this issue. 

“Systemic weakness, so-called ‘backdoors’, weaken the digital security of Australians and others,” according to this report on the Department of Home Affairs website.

The legislation purports to only target specific devices used by criminals rather than authorising wholesale weakening of encryption.

ASIO has defended the new legislation, pointing out that without it future surveillance of terror plots may be made difficult by encryption.

Yet any method employed by the government to access encrypted data – such as installing secret monitoring apps on targets’ smartphones – could conceivably be used by Australia’s enemies, whether criminals or states.

With concerns about Russian interference in the United States election and Chinese government theft of intellectual property, this is not an idle consideration. 

“At a practical level, it is difficult to see how the Australian government can achieve its aims without weakening encryption and thereby Australia’s cybersecurity”, Professor Cannataci concludes.

Cannataci: the legislation will weaken cybersecurity In a previous era of communications surveillance, police could tap suspects’ phones, revealing only what was spoken by a suspect.

The new bill goes much further. It permits authorities to demand technology companies give them access to almost any device or service that transmits information over the internet, so long as it is for a purpose connected to the enforcement of the criminal law or a law with a pecuniary penalty.

That could include accessing smart home speakers and cameras and continuously recording everyone in a private residence, including children.

Agencies do not even have to be seeking to enforce an Australian law; foreign laws are included too.

And Dr Chris Culnane, a lecturer in IT at the University of Melbourne, also notes that the oversight mechanisms in the legislation are weak.

Technology companies can only reveal how many demands for access they have received from the government every six months, and cannot reveal any information about those demands.

Where the government issues a voluntary request for help – which is secret – technology companies are not to release any information.

Culnane says that companies have strong incentives to comply with these voluntary requests.

“The government wields enormous amounts of soft power, [so] the suggestion that companies, whose revenue could be impacted by the exercising of that soft power, are going to sacrifice profit for their users is fanciful.”

Users trying to work around the legislation are at risk as well. The Bill makes it an offence to “aid, abet, counsel or procure a contravention of” a government demand for access to an online communication.

It is clearly reasonable that a criminal or foreign actor ought to be prohibited from protecting their own communications, but the language of the legislation is broad. It suggests that a journalist who writes a guide to the use of a new secure messaging service so that confidential whistleblowers can get in touch may have procured a contravention of the legislation and opened themselves to prosecution.

In its submission to the Joint Committee on Law Enforcement, which is considering the bill, the Law Council of Australia draws on the work of David Kaye, the UN special rapporteur on the promotion and protection of the right to freedom of opinion and expression. The Law Council notes:

“The regulation of encryption by other nations has not been shown to be necessary to meet a legitimate interest, when considering ‘the breadth and depth of other tools, such as traditional policing and intelligence and transnational cooperation, that may already provide substantial information for specific law enforcement or other legitimate purposes’.”

In a 2015 report, Kaye points out that the European Union Court of Human Rights has held that encryption is a means by which freedom of expression can be exercised.

The technical complexity of encryption and the vague drafting of the legislation has not produced any significant public response. It is hoped that great attention will be paid to the problems inherent in this proposed law – for citizens generally and journalists in particular.

Article originally appeared on Justinian: Australian legal magazine. News on lawyers and the law (http://justinian.com.au/).
See website for complete article licensing information.