Home Affairs says crypto-busting preferable to buying greyhat cracks

The department of Home Affairs is pursuing decryption laws in part to avoid paying “greyhat” companies to access tools that use unpublished exploits to break into devices and messaging services.

The new justification for the proposed laws is contained in a parliamentary submission [pdf] that also rules out handing law enforcement access to encryption keys (though it is not clear if this will now be reflected in the bill before parliament).

The submission to the Parliamentary Joint Committee on Intelligence and Security contains other material not previously raised in explanatory memorandums for the proposed law, including why the government wants to limit judicial review of the notice regime.

Greyhat services

Home Affairs said it wants a regime that asks - or forces - service providers and device makers to cooperate and come up with ways to circumvent security, rather than going to the grey market for jailbreaks or exploits.

“In the absence of active cooperation from primary vendors, the services are of ‘grey hats’ vendors can become the only viable technical solution,” Home Affairs said.

“This is a less than ideal situation, as it assists in perpetuating a cottage industry that includes vendors willing to provide capabilities to any nation state or other actor regardless of intended use.”

Home Affairs said it wanted to “reduce the reliance on a grey hat community”, in part over ethics but also over cost.

“Engaging these third party vendors attracts premium costs, particularly as agencies are competing for their services with malicious actors and manufacturers providing rewards,” Home Affairs said.

Such costs are likely to prohibitive for all but the most critical of cases.

The FBI’s unlocking of an iPhone allegedly belonging to one of the San Bernardino shooters reportedly cost between US$900,000 and US$1 million.

NSO Group’s “powerful iPhone malware” is also described as expensive.

There has been considerable concern raised through the consultation process that law enforcement agencies could bombard communications providers with voluntary and compulsory requests to decrypt data.

Though it is intended that the government pay the costs of these decryption methods being implemented, the cost price is likely to be substantially less than the charges imposed by greyhat vendors - lowering the barriers of use substantially for agencies.

Home Affairs said it “is not seeking for primary manufacturers and industry to provide the functionality of the grey hat community, but rather that industry proactively identifies opportunities to address current content loss through encryption.”

Encryption keys

Home Affairs also used its submission to rule out seeking certain types of “exceptional access” to encrypted services.

By this, it listed four potential scenarios involving encryption keys which it suggested would not seek under the proposed laws.

The department said it still wanted “exceptional access” to services and devices “where possible” but the exact nature would need to be negotiated. It was unclear what form this would take.

Judicial review

The Law Council of Australia has been particularly vocal about the lack of judicial oversight of the processes laid out in the bill.

Home Affairs’ submission provides, for the first time, details of how and when it believes judicial review could be called upon.

The department confirms that a provider that believes a technical assistance or technical capability notice they received would introduce a systemic weakness or vulnerability “has a firm basis for not complying with the requirements of a notice and could seek judicial review for the administrative decision.”

“The presence of any systemic weakness or vulnerability could then be assessed by a court with the aid of expert testimony,” Home Affairs said.

The Law Council had raised concerns that providers could be forced to implement changes that would be later deemed unlawful and be overturned by a court.

Home Affairs appears to suggest that filing a court case could halt requirements for compliance.

However, it also notes elsewhere that providers that “cannot agree on the terms of conditions for compliance with a notice” would be put before “an independent arbitrator appointed by the Australian Communications Media Authority or the Attorney-General”, and it is unclear which would take precedence.

Home Affairs also ruled out a default process whereby law enforcement requests or notices required judicial oversight in the first instance - putting the onus on providers to mount a challenge.

“Security and law enforcement agencies may require a technical assistance notice (TAN) in order to access appropriate electronic evidence for an investigation that is underway and evolving,” the department said.

“It is imperative that a TAN can be issued and used quickly. It would not be appropriate for a decision to issue a TAN to be subject to judicial review ... or merits review as review could adversely impact the effectiveness and outcomes of an investigation.

“Decisions by the Attorney-General to issue a TCN [technical capability notice] are particularly unsuitable for review as they are ministerial decisions to develop law enforcement and national security capabilities.”