The government has raised the prospect of using so-called decryption laws to simply get a provider to turn over a user’s PIN or password to get access to a target’s encrypted communications.
While much of the debate on the Assistance and Access Bill so far has concentrated on the prospect of encryption being weakened, the Department of Home Affairs indicated today encryption may not even be its primary target.
At a joint parliamentary committee hearing, shadow Attorney-General Mark Dreyfus QC noted the bill contained just one reference to encryption in its 171 pages, preferring instead to use an umbrella term “electronic protection”.
“We’ve purposely not used [the term] encryption in the bill because it’s about the framework and access to the issues that encryption causes,” Home Affairs National Security & Law Enforcement Policy Division first assistant secretary Hamish Hansford said.
“The term is much broader than the narrow encryption. It includes things like passwords which get you through an electronic protection to a level of encryption.”
Hansford was supported by Australia's chief domestic spy, ASIO’s director-general Duncan Lewis.
“One of the big distinctions between electronic protection and encryption is that electronic protection is inclusive of things such as a PIN or password,” Lewis said.
This morning’s hearing featured representations from a large cross-section of federal law enforcement agencies and policymakers.
Dreyfus also took the government to task over the lack of definition of what constitutes a “systemic weakness or vulnerability” for the purpose of the legislation.
The bill expressly prohibits a “systemic weakness or vulnerability” from being created to satisfy a law enforcement request or technical notice, but never says exactly what that would be.
It appears the government has no intention of defining it for the purposes of the bill, and representatives offered varying takes on what it might mean.
Department of Home Affairs chief Michael Pezzullo said that “no one’s requiring at the enterprise level when you manufacture a device or when you set up a network, that there’s a general and universal way of flicking a switch and all of a sudden rendering encrypted communications clear.”
ASD’s director-general Mike Burgess defined a systemic weakness as “one which would be available to everyone.”
“It’d be one thing to ask for assistance to get access to something but [another for] the action undertaken to provide that in that targeted case [to] jeopardise the information of other people as a result of that action taken,” he sad. “That’s not being asked.”
Home Affairs’ Hamish Hansford said that the systemic weakness provision was added “due to industry concern” and claimed it had been purposely left undefined.
“The industry we’re talking about is broad so to try and define what a systemic weakness is for every individual company relies on an understanding of what their business structures are,” Hansford said.
“What a systemic weakness might be for Apple or Google might not be for Microsoft.”
Pressed by Dreyfus for clarity, Hansford then confirmed that “systemic weakness or vulnerability” had its “ordinary meaning in English”.
“It’s the ordinary meaning,” he said.
“Is it defined very discreetly in the bill? No, because systemic weakness means very many different things to different companies, and companies wanted in the legislation the express provision about systemic weakness.”
Dreyfus quizzed Home Affairs on examples raised by Apple and Cisco of actions they believe could be permissible through the legislation, such as implanting an eavesdropping capability in a target’s smart home speakers.
The panel of agencies largely declined to rule use cases for the law in or out; Hansford noted he would “have to explore” them more to make a determination.
“The answer depends on the company, how they’re structured and how they use their technology,” he said.
The government has copped considerable criticism in recent weeks over the lack of judicial oversight of assistance requests and notices that can be served on technology companies under the bill.
But law enforcement agencies returned fire today, saying they intended to use the new powers to get access to information they already had a warrant for.
“The power and authority has already been vested in the agency to [access the information], but the fact is we can’t exercise that power because of technical blockers,” AFP commissioner Andrew Colvin said.
“If we get a search warrant... I don’t then have to get another warrant once I get to the front door before I open the door.
“At the moment, what some submissions suggest is that’s what we should do, whereas I’m saying we’ve already reached a threshold where a federal court judge or member of the AAT [Administrative Appeals Tribunal] has said that is content that you are authorised to get. This is about how we get to it.”
Home Affairs chief Michael Pezzullo said the decryption bill offered more protections than the physical world.
He said that police with lawful authority to enter a premises could simply “ring an accredited locksmith” to get past any security locks on a door.
“What we’re saying with this legislation is not only do you need the warrant, but you need a notice [to get access to encrypted data],” Pezzullo said.
“It’s a double level of authority. The protections provided in this bill are actually greater than what presently exists in the physical world.”