Attorney General's new war on encrypted web services

Powered by SC Magazine
 

How you might be forced to unlock seized packets.

Australia's Attorney-General's department wants new laws to force users and providers of encrypted internet communications services to decode any data intercepted by authorities.

The proposal is buried in a submission (pdf) by the department to a Senate inquiry on revision of the Telecommunications Interception Act.

The Attorney General's submission makes it clear that its proposal is a "preliminary view" that may not align with that of the broader Australian Government, which it says has made "no decision" on any TIA-related revision.

The department argues the rise of over-the-top communications (OTT) makes it more difficult to guarantee that intercepted communications will be in an "intelligible" format. The rising adoption of encryption to thwart mass surveillance attempts is irking authorities.

"Sophisticated criminals and terrorists are exploiting encryption and related counter-interception techniques to frustrate law enforcement and security investigations, either by taking advantage of default-encrypted communications services or by adopting advanced encryption solutions," the submission noted.

Though it does not name its key targets, Yahoo!, Google and Microsoft already enable encryption by default for their respective web-based email services. BlackBerry's messaging encryption has also previously been raised as a law enforcement issue.

Under the department's plan, "law enforcement, anti-corruption and national security agencies … [would be able] to apply to an independent issuing authority for a warrant authorising the agency to issue 'intelligibility assistance notices' to service providers and other persons".

The department argues the obligation on service providers would merely "formalise" existing arrangements. However, forcing individual suspects to unlock encrypted messages would be a new power for authorities.

The department sees the scheme acting in a similar way to section 3LA of the Crimes Act, under which authorities can get a warrant that compels an individual to turn over passwords to seized hard drives.

Under 3LA, the individual is compelled to "'provide any information or assistance that is reasonable and necessary’ to allow information held on the device to be converted into an intelligible form", the department said.

The department isn't specific about what it believes individual users could provide authorities that would aid in making sense of encrypted data from internet communication services.

It appeared to acknowledge that it could not "compel a person to do something which they are not reasonably capable of doing". Users would also not simply be told to turn over unencrypted content to authorities.

However, the department wants failure to comply with a notice to "constitute a criminal offence, consistent with the Crimes Act." It does not suggest what types of penalties it would seek if users did not help unlock their encrypted communications.

Encryption has been high on the agenda since revelations that the US National Security Agency (NSA) and its British counterparts were surreptitiously targeting encrypted communications on the internet.

Even before those revelations, agencies were known to be hitting up providers of web services to obtain master encryption keys in order to aid interception.

Copyright © iTnews.com.au . All rights reserved.


Attorney General's new war on encrypted web services
 
 
 
Top Stories
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
 
A call for timely reporting
[Blog post] Businesses need incentives to keep customer data secure.
 
Doubts cast on Queensland's ICT Dashboard
Opposition, former Govt CIO say it can't be trusted.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  25%
 
Application integration concerns
  3%
 
Security and compliance concerns
  29%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  22%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  5%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 819

Vote