Australian decryption legislation will not undermine 'legitimate encryption': Home Affairs

Calling government proposals to seek decryption of communications a "backdoor" is a cartoon-like assumption, according to Secretary of the Department of Home Affairs Michael Pezzullo.
Written by Chris Duckett, Contributor

Australia's push for a decryption magic bullet will not undermine "legitimate encryption", and may not need legislation at all, according to Department of Home Affairs secretary Michael Pezzullo.

Pezzullo told Senate Estimates on Monday morning that the preference remains dialogue and consultation with industry, and if newly-minted Minister for Home Affairs Peter Dutton deemed it was necessary, then legislation would be introduced.

Although pushed for specifics by Australian Greens Senator Jordon Steele-John, Pezzullo said the legislation would not "undermine legitimate encryption" and would balance societal needs for encryption.

"The challenge for governments and parliaments all around the world is how do you ensure that encryption is used for legitimate societal purposes, and not misused by -- in the same way the internet is misused through the dark web -- that encryption is available to those who use it for legitimate purposes and not otherwise," he said.

The secretary for Home Affairs struck out at descriptions of the decryption proposal as a "backdoor".

"That's the shorthand, colloquial, and in many respects, highly ill-informed shorthand that is sometimes used in this field," Pezzullo said.

"You assume that a backdoor has to be created, I'm just saying that that is a cartoon-like assumption -- not that you are making -- but you've seen the literature."

Law enforcement warn of impact of 5G, mesh networking, IPv6

In submissions to the Joint Committee on Law Enforcement's inquiry into Impact of new and emerging information and communications technology, the Department of Home Affairs and Australian Criminal Intelligence Commission (ACIC) warned that law enforcement would be degraded by a number of new technologies.

The agencies said the arrival of 5G, IPv6, and mesh networking would make interception of communications through existing legislation harder. In particular, the use of 5G in concert with other access modes across the same session would hinder surveillance.

"A key issue with the introduction of 5G technology is that to provide lawful access, communications providers will need to assist law enforcement agencies to reconstruct data sessions from multiple sources to allow access to a single communication event," ACIC wrote. "Whereas this is an occasional (but increasing) requirement for current 4G communications, this will almost certainly become the new normal for all data intercepted through 5G.

"Given 5G is slated to carry exponential increases in data, at far higher speeds, with far greater security than ever before, the impost and burden on both communications providers and law enforcement agencies to achieve lawful interception will be unprecedented."

Home Affairs said the prospect of mesh networking made it "imperative" for law enforcement to be able to tap more than just carrier networks, and the native inclusion of IPsec in IPv6 would make encryption much more prevalent.

"The implementation of IPv6 will make these encryption services easily accessible and transparent to consumers, and significantly increases the amount of encrypted content over internet services," Home Affairs said.

With the number of IP addresses set to significantly increase with IPv6, the department said the easy ability of users to have more than one IP address would make tracking harder.

"A single user may have numerous IP addresses when operating online. This will degrade law enforcement's ability to attribute information to a particular person," it said. "For example, a person communicating on one social media platform may not necessarily use the same IPv6 address when browsing the internet, or when communicating on another social media platform."

Home Affairs also said that even if the government introduces its decryption legislation, it will not be enough.

"While a legislative response can address some of the challenges posed by encryption, it is likely that agencies will continue to face challenges accessing end-to-end encrypted communications," the department wrote.

"In this environment, it will be increasingly important for law enforcement agencies to utilise alternative methods to investigate serious crimes and combat threats to public safety and national security. For this purpose, the range of powers available to agencies must continually be examined."

It also reiterated previous claims that over 65 percent of data lawfully intercepted by the Australian Federal Police is encrypted, 9 of 10 ASIO priority cases are impacted by encryption, and it is estimated all electronic communication will be encrypted by 2020.

Home Affairs -- a new portfolio which now covers Immigration, the Australian Security Intelligence Organisation (ASIO), Australian Federal Police, Border Force, Australian Criminal Intelligence Commission, Australian Transaction Reports and Analysis Centre, and the office of transport security -- said it would turn to new technologies, such as blockchain and artificial intelligence, to get more value out of its information.

"Home Affairs will adopt leading-edge operational technology to drive innovation in surveillance, examination, inspection and detection," it said.

An Audit Office report from last year found that the then-Department of Immigration and Border Protection (DIBP) had insufficient protection against external threats, and was under the belief it was doing better than it was.

"In comparing DIBP with the agencies subjected to this audit, it is important to recognise the relevant position of each agency on the ICT investment curve," DIBP said in its defence at the time. "This in turn has a direct implication and relationship to the maturity of their respective cybersecurity initiatives."

The Australian National Audit Office, though, disregarded DIBP's excuses.

"Since the first audit in 2014, all three entities have undergone strategic business changes, such as machinery of government changes or upgrading and transforming core ICT systems that support government service delivery," it said.

"These changes are common in the public sector landscape and entities must maintain business continuity, including ensuring the integrity and availability of their systems, data, and information."
