The greatest threat posed by Australia's planned new anti-encryption laws comes from the voluntary requests made to communication providers, not the compulsory notices to give technical assistance, according Dr Chris Culnane, because they have greater scope and less oversight.
"At a very high level, the legislation introduces two compulsory notices, and one voluntary request. Whilst the compulsory notices have gained the most attention, it is my view that the voluntary assistance requests are where the greatest danger exists," Culnane wrote in a detailed blog post last week.
"The assistance requests are not constrained by the same limitations as the notices in what they [government agencies] can ask for, neither are they part of the annual reporting."
Culnane is a lecturer at the School of Computing and Information Systems at the University of Melbourne.
"My analysis is based on viewing the legislation as a technical document, looking for gaps and inconsistencies, since that is so often where the greatest threat lies," he wrote.
The legislation in question is the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018. An exposure draft [PDF] was released last month, along with an explanatory document [PDF]. It's intended to address the "challenges" that encryption creates when it comes to intercepting communications.
Under the new law, Australian government agencies would be able to issue three kinds of notices:
- Technical Assistance Notices, which are compulsory notices for a communication provider to use an interception capability they already have;
- Technical Capability Notices, which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
- Technical Assistance Requests, which Culnane said are described as voluntary requests. "There is no criminal or civil penalty for not complying with them, although they are covered by the same secrecy provisions," he wrote.
"It is my view that these [Technical Assistance Requests] are the real objective of the legislation, not the compulsory notices. The requests are defined differently to both of the notices, and have few, if any, limitations on what they can request," Culnane wrote.
"Furthermore, they are excluded from essential oversight, by virtue of not being included in the annual report issued by the minister (see 317ZS)."
The laws of mathematics do apply in Australia
The government says the legislation won't create backdoors in encryption. But it is intended to create a framework for providing access to endpoint devices, amongst many other things.
"The issue of System Weaknesses is made a big deal of in the legislation and explanatory note. It seems like it is an attempt to comply with the claim of not mandating backdoors. However, the term isn't defined anywhere," Culnane wrote.
"Furthermore, what is described remains a backdoor, albeit a keyed backdoor. There is no requirement for backdoors to be universally exploitable to be considered a backdoor, it merely needs to provide an alternative entry point into the target system or protocol."
Culnane noted that the description of a Systemic Weakness "seems somewhat contradictory", and offered some technical details of how keyed backdoors might work, before providing his conclusion.
"The only compromise appears to be that they have realised that in fact the laws of mathematics do apply in Australia and that the backdoor needs to be relocated somewhere else. That isn't really an improvement, it is just a technicality," he wrote.
Culnane believes that the legislation does allow for the creation of backdoors, however. The constraints on the the two kinds of Notices, which are defined in division 7 of the Bill, do not apply to Technical Assistance Requests.
"There is no restriction on a Technical Assistance Request asking for the implementation of a Systemic Weakness. Likewise, unlike Technical Capability Notices, there is no restriction on requesting the development of new capabilities to remove electronic protection (317E(1)(a))," he wrote.
Culnane's blog posts also covered issues such as the secrecy provisions, ways in which the legislation could be used more broadly than indicated in the explanatory document, and his concerns about the broad definition of a "communications provider".
"For example, it covers a person that '... provides an electronic service that has one or more end users in Australia', which appears to cover every website that is accessible from Australia," he wrote.
"Furthermore, the legislation also covers an individual if '... the person develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end users in Australia', which appears to cover every piece of software, or mobile app, that connects to internet or produces content that is going to be used on the internet.
"That is an incredibly broad category, the justification for which is not clear."
In its current form, as an exposure draft, the Bill still has to face public consultation before it's tabled in parliament. The government appears to be in a hurry, however, in part because the proposed laws would be part of its contribution to the Five Eyes nation's tougher new stance against encryption.
The deadline for public comments on the exposure draft is this Monday, 10 September 2018.