Suspects in criminal cases are turning over cloud service and device passwords more easily in the wake of beefed-up penalties for non-cooperation, the Australian Federal Police says.
The new penalties form part of a package of laws known as the Assistance and Access bill, more commonly known as anti-encryption laws.
Most attention around this package of laws focuses on what is known as ‘Schedule One’, under which federal and state agencies can force technology companies to create - and then seed - a vulnerability on “one or more target technologies”.
The Department of Home Affairs said last week that the “powers in the Act” were already in use.
It’s now clear that some of those powers aren’t the encryption-breaking mechanisms per se, but rather others designed to avoid police having to jailbreak or compromise devices or services to gain entry.
The Australian Federal Police (AFP) cited two recent investigations where suspects had handed over passwords more easily under threat of lengthy jail time.
‘Schedule Three’ of the Assistance and Access bill significantly beefed up punishments for not giving passwords when asked.
This falls under Section 3LA of the Crimes Act, which was introduced back in 2001 to force the disclosure of PINs, passwords, encryption keys and other personal data protection and access mechanisms.
When the laws were first introduced, the punishment for non-compliance was up to six months in jail. It was later raised to a maximum two years, but under the changes passed at the end of last year, is now five years (or 10 years for a more serious offence, such as terrorism).
The AFP said the heavier penalties meant more passwords were being turned over.
It cited one case of “suspected procurement and importation of illegal drugs with cryptocurrency via a dark web marketplace” in which a 3LA order was issued to the suspect.
“Following consideration of the order and being advised of the new penalties, the accused advised the AFP of the passwords to a number of devices as well as a number of cloud hosted accounts in which he had facilitated the importation,” police said.
“Through the provision of this assistance, the AFP was able to successfully access, identify and collect otherwise secure and encrypted communications and digital records as evidence of the alleged offending.”
In another case involving child exploitation material, the AFP said it identified “several devices” of interest but couldn’t gain access to them “due to the application of encryption and electronic protections”.
“The accused was issued a section 3LA order. Following being advised of the conditions of the order and the penalties that can apply for non-compliance, the accused provided information to enable access to the contents of the locked devices, which identified further evidence,” the AFP said.
Technical feasibility explored
Federal police also confirmed they had used the ‘Schedule One’ powers designed to force technology companies to weaken security protections.
Exactly how they have used the powers is unclear since the laws contain extensive secrecy provisions that will mean any compromises remain unknown to the public.
“Schedule One has provided significant operational benefit to address a number of emerging and urgent operational issues,” the AFP said.
The federal police said it had also “provided industry with the legal confidence to productively engage on potential technical options” and had “accelerated collaboration previously being experienced”.
“The AFP is in the advanced stages of negotiation in relation to forms of assistance that will be provided pursuant to the issuing of multiple TARs [technical assistance requests],” it said.
“This has involved engagement and collaboration between the AFP and designated communications providers to ensure that the forms of assistance are proportionate and technically feasible.
“These TARs are being sought in support of active AFP investigations into serious Commonwealth crime.”