Govt finally reveals how it plans to target encryption

The government will target encrypted communications with a wide range of methods that could require service providers to build new tools, run government-built software, or facilitate access to targeted devices.

An exposure draft of the legislation, published today [pdf], explicitly bans the use of “backdoors” or “systemic weaknesses or vulnerabilities” to access encrypted communications.

“The Australian government has no interest in undermining systems that protect the
fundamental security of communications,” it said.

However, the government plans to compel a range of companies that make up end-to-end communications services "to enable access to a particular service, particular device or particular item of software".

The targeted provider must come up with a method "which would not systemically weaken these products across the market."

The government acknowledged the legislation would involve weakening the security of services. What is and isn't permissible would be left to government officials and industry to privately negotiate.

"The mere fact that a capability to selectively assist agencies with access to a target device exists will not necessarily mean that a systemic weakness has been built," the government argued [pdf].

"The nature and scope of any weaknesses and vulnerabilities will turn on the circumstances in question and the degree to which malicious actors are able to exploit the changes required.

"Likewise, a notice may require a provider to facilitate access to information prior to or after an encryption method is employed, as this does not weaken the encryption itself.

"A requirement to disclose an existing vulnerability is also not prohibited."

The government said it would not try to stop providers from patching vulnerabilities that its agencies could otherwise exploit.

“Agencies cannot prevent providers from fixing existing systemic weaknesses,” it said.

“Notices cannot prevent a provider from fixing a security flaw in their products and services that may be being exploited by law enforcement and security agencies.

“Providers can, and should, continue to update their products to ensure customers enjoy the most secure services available.”

Greens Senator Jordon Steele-John said that the government's plan would "completely undermine the point of end-to-end encryption" and the privacy of all Australians.

“Regardless of what Minister [for Law Enforcement and Cybersecurity Angus] Taylor claims, installing software or legislating some other means to capture data as it is unencrypted on the receiving device undermines the very principle of end-to-end-encryption," he said in a statement.

“Installing malware on people’s devices to read encrypted data is not a solution to catching criminals but it is weakening the defences of every single device that receives encrypted messages, therefore making it easier for criminals who want to steal data".

Three forms of notices

Providers can either be asked or compelled to perform a wide range of tasks at the behest of the government or federal law enforcement.

This would take the form of a new Part 15 to the Telecommunications Act.

Select agencies would be able to issue a “technical assistance request” for voluntary assistance from the service provider.

"A technical assistance request can ask a provider do a thing currently within their capacity or request that they build a new capability to assist agencies," the government said.

Where the provider has “existing means to decrypt” communications, however, they are likely to receive a “technical assistance notice”.

“This may be the case where a provider holds the encryption key to communications themselves (i.e. where communications are not end-to-end encrypted),” the government said.

These could be requested by the “head of ASIO or an interception agency, or a senior official in their organisation delegated by them.”

A third type of notice, called a “technical capability notice”, would compel the provider “to build a new capability that will enable them to give assistance” to law enforcement or the government.

“The power to issue technical capability notices is reserved for the Attorney-General,” the government said.

Providers would be given 28 days to outline to the Attorney-General whether what was requested to be built was actually technically feasible.

Importantly, this notice can be served not just in criminal or "national security" matters, but also for matters related to "protecting the public revenue".

In all cases, investigators would still need an “underlying warrant or authorisation” to access the content of the encrypted communications (or to force a provider to hand it over).

According to a flowchart, the different types of notices act as a gradient response, depending on the provider’s willingness to cooperate and then its technical capability.

For example, if it is unwilling to voluntarily cooperate, it would face being served with a notice to either use an encryption key it holds or to build something to help law enforcement out.

The requesting agency and provider would “negotiate terms, conditions and any costs”. The government said providers would not need to absorb costs incurred.

Section 317E

The important section of the new Part 15 is called 'Section 317E' and describes - though inexhaustively, according to explanatory notes - the kinds of assistance expected from providers that don't offer to help voluntarily.

This includes:

• Removing one or more forms of electronic protection that are, or were applied by, or on behalf of, the provider
• Providing technical information
• Installing, maintaining, testing or using software or equipment
• Ensuring that information obtained in connection with the execution of a warrant or authorisation is given in a particular format
• Facilitating or assisting access to whatever law enforcement wants: a facility, device, service and any software used in conjunction with those things
• Assisting with the testing, modification, development or maintenance of a technology or capability
• Notifying particular kinds of changes to, or developments affecting, eligible activities of the provider
• Modifying, or facilitating the modification of, any of the characteristics of a service provided by the provider
• Substituting, or facilitating the substitution of, a service

Broad brush use

The proposed legislation offers a wide definition of just which "providers" can be targeted for assistance.

It appears to have the effect that anyone responsible for any part of an end-to-end service can be targeted.

This "includes the full range of participants in the global communications supply chain, from carriers to over-the-top messaging service providers", the government said.

"This reflects the multi-layered nature of the communications environment and the types of entities that could meaningfully assist law enforcement and national security agencies," it noted.

Section 317C of the new Part 5 lists what kind of companies these might be.

In addition to those directly in the telco industry, the laws net a broad range of companies in the ecosystem.

This includes any software providers to the telco, no matter how small a part their code plays in the overall telecommunications service.

It also includes facility builders and operators, with a clause that covers those that "manufacture, supply, install, maintain or operates a facility"; parties that build any components for those facilities; and any interconnections to telecommunications networks, which could net data centres that house points of presence (PoPs).

It also covers any person or company that makes customer premises equipment (CPE) or "data processing devices", the software that runs on that equipment, and anyone that installs or maintains it.

New computer access warrants

A separate new power is to be inserted in the Surveillance Devices Act 2004 to give federal, state and territory agencies an ability to “search electronic devices and access content on those devices.”

“These warrants are distinct from surveillance device warrants, which enable agencies to use software to monitor inputs and outputs from computers and other devices,” the government said.

Investigators would be able to enter a premises, access devices, copy data (or take the device themselves) and conceal their tracks.

The warrants can be issued by either a judge or “AAT [Administrative Appeals Tribunal] members”.

The government noted that a warrant did not afford powers to add, delete or alter data “or the doing of anything that is likely to materially interfere with, interrupt or obstruct a communication in transit or the lawful use by other persons of a computer.”