ASIO chief says encryption-busting scheme would not involve persistent monitoring

Head of ASIO Duncan Lewis has said there is a time limit to any assistance rendered under the Assistance and Access Bill.

duncanlewis.jpg
(Image: ParlView screenshot by Josh Taylor/ZDNet)

The Director-General of Security at the Australian Security Intelligence Organisation (ASIO) Duncan Lewis told Senate Estimates on Monday that a persistent encryption workaround would not fall under the auspices of the proposed Assistance and Access Bill, which would allow the nation's interception agencies to request or demand access to encrypted content.

"In order to enable us to get through the encryption and understand what the content is behind the communication, it is very important we have the assistance of the company -- nobody would be better informed as to how the system operates than the company themselves -- but importantly it is not systemic, it doesn't have an enduring time, it doesn't have a breadth of -- it's not going to be ubiquitous across the community, it's quite specific," Lewis said.

Under the proposed law, Australian government agencies would be able to issue three kinds of notices:

  • Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
  • Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
  • Technical Assistance Requests (TAR), which have been described by experts as the most dangerous of all.

Lewis struck out at claims, some of which were raised in the Parliamentary Joint Committee on Intelligence and Security hearing on Friday, that the legislation could force a smart speaker vendor to install an always-on listening feature.

Must read: Why Australia is quickly developing a technology-based human rights problem (TechRepublic)

"The notion of persistent monitoring could be put into a device into somebody's house, or into all devices ... into all devices of a particular type would have some sort of implant put in them, is completely beyond the scope and the intent of the legislation, and it is quite specific, the draft is quite specific about that," the ASIO chief said.

"That there can be no systemic weakness -- it's very important, that bit is repeated as I recall at a number of places in the draft legislation -- but that there is no systemic weakness in the encryption processes or in the encryption technology that's on board the device."

Stating that a request from interception access would introduce a systemic weakness is one of the few avenues that would allow service providers to push back and deny government demands to access encrypted content.

For his part, Lewis said the definition of systemic implies a time component, in that it couldn't exist in perpetuity, and a breadth component that would mean a request would impact all users of a product. Lewis also rebutted allegations that the Bill would result in mass surveillance of Australians.

"The notion of mass surveillance, which seems to be the recurring issue in the public dialogue about this, is just not true. We would not be in a position physically to do it, we are not covered legally to do it, and we not interested in doing it," he said.

"If you have a look at the number of ASIO investigations versus the number of communications made in Australia -- I don't know, I'd hate to do the figures -- but if you have a look at the number of communications made in Australia on any one day, and the numbers that might be of interest to ASIO, or indeed to our police colleagues, it would be minuscule."

In consultation on the Bill, a number of submissions have called for increased judicial oversight and for protections existing for the issuing of TCNs to be extended to TANs and TARs.

The Office of the Australian Information Commissioner (OAIC) specifically asked for the judicial oversight and disallowing of systemic weaknesses to be extended to voluntary requests for assistance, particularly in the case of small providers that may not have the resources available to determine whether complying to a TAR would introduce a systemic weakness.

"If passed, the Bill would invoke exceptions to the Australia Privacy Principles," the OAIC said.

The ASIO chief said that although he can issue a TAN, and would only need the approval of the attorney-general for a TCN, often a warrant would already be in place.

"The only time the attorney-general [would] be invoked in any way in that equation [in issuing a TAN] would be if request for assistance involved us then looking for content," he said. "But to tell you the truth, it normally happens the other way around: We would get the warrant for the content, and then discover that we had to approach the company to access that content."

On Friday, Lewis said the Bill is proposing to take existing powers from the real world into the cyber realm.

"To put it simply, I'll describe it as similar to using a pair of precision tweezers to extract a needle from a communication haystack. We're looking to communication providers to help us pick that needle out of the haystack by informing them of exactly what that needle is, which needle are we after," Lewis said.

"Far from being a backdoor, we are knocking on right on their front door, this is not backdoor stuff.

Stating that the proposed laws do not remove the need for a warrant to access content, Secretary of the Department of Home Affairs Michael Pezzullo picked up on the door analogy.

"We've got the warrant, we've arrived at the house, but it is very securely locked, we need a locksmith," Pezzullo said. "So the warranted authority for the activity already has to pre-exist.

"That authority has to exist at all times, this is not extraneous to that regime."

In another submission made to the Parliamentary Joint Committee on Intelligence and Security -- which is currently reviewing the legislation as the government attempts to ram it through Parliament -- Cisco said the Bill would create backdoors.

We have defined a 'backdoor' to include any surveillance capability that is intentionally created and yet not transparently disclosed," Cisco said.

"To the extent that the Bill would require via a TCN the creation of a capability while simultaneously preventing the [communication providers] from documenting the existence of that capability, the law would result in the creation of backdoors."

Lewis predicted again on Monday that by 2020, all ASIO targets would be using encrypted communications.

Related Coverage