The Department of Defence quietly stopped renewals of unrestricted communication exemptions for cyber security and cryptography researchers subject to export control laws at the end of 2018, a move that came without warning to the research community.
Earlier this week, iTnews reported the apparent change to policy around permits allowing researchers to communicate about cryptography with any non-sanctioned country.
The general permission was introduced on a trial basis in 2017 to bypass the Defence Trade Controls (DTC) Act 2012, which regulates the supply of military and so-called ‘dual-use’ technologies overseas.
This was done to “achieve a balance between the need for free flow of information for research purposes in the initial stages of a research project and national security interests”, following feedback from the implementation of the legislation.
Cryptographic researcher and associate professor at the University of Melbourne’s School of Computing and Information Systems, Dr Vanessa Teague, was one of those affected by the change.
She told iTnews that, without any warning or explanation, Defence’s export controls (DEC) arm had not renewed the university’s general permission to communicate about cryptography to researchers in all non-sanctioned countries.
This has limited her work to just three countries: Canada, the UK and Belgium, which she just happened to have been working with at the time of the permit's renewal.
But a Defence spokesperson told iTnews that the department had not cancelled any export permits for universities.
“When a permit expires, Defence asks the applicant to specify the countries they will be collaborating with so that the risks of the collaboration can be assessed before a new permit is issued,” the spokesperson said.
However, the department appears to have ended the trial of the general permit to communicate with researchers in any non-sanctioned country without notifying the research community.
“Defence has previously trialled two-step cryptography research permits that expired in December 2018,” the spokesperson said, adding that it would work with stakeholders to “consider whether this approach should be implemented on an ongoing basis”.
Defence declined to say why this was or if the research community had been consulted about the latest sudden change. Clarification has been requested by iTnews.
The ability to communicate with research peers is a pivotal point in terms of funding certainty for many researchers, academics and industry participants.
Without the general permission to communicate, researchers will be required to ask DEC each time they want to communicate with a researcher from a non-sanctioned country outside their pre-approved list.
Teague has described this approach, which could delay research by months at a time, as “unworkable in the context of an international, competitive scientific community”.
Changes to exemptions for researchers in the field of information security and cryptography come ahead of the publication of the independent review of the DTC Act, which is being headed by former Inspector General of Intelligence and Security Vivienne Thom.
The Thom review is looking at whether the DTC Act still “adequately safeguards national defence capability and prevents trade and collaboration that could unwittingly advance the military capabilities of potential adversaries”.
iTnews understands the review was completed last October and is waiting to be tabled when Parliament returns later this month.
In its submission to the review, Defence launched an unprecedented bid to be able to retrospectively re-classify research as dual use or security sensitive, which provoked an unprecedented backlash from Australia’s top universities.
The release date of the Thom review is still unknown. The Defence spokesperson said the government was considering the recommendations of the Thom review’s report.