Australia's semantic sleight of hand on encrypted messaging revealed

Newly-released documents confirm that the Australian government's commitment to 'no backdoors' to weaken encryption algorithms doesn't preclude backdoors elsewhere in the secure messaging pipeline.
Written by Stilgherrian , Contributor

"The government will not mandate backdoors. That is, the government will not require that inherent weaknesses be built into encryption," said a briefing note prepared for Australia's then-favourite attorney-general, Senator George Brandis QC, on August 4, 2017.

The note is one of ten redacted documents released by the Attorney-General's Department (AGD) on Tuesday under Freedom of Information provisions. It was prepared in the wake of the July 14, 2017, press conference held jointly by Brandis with the prime minister and the acting commissioner of the Australian Federal Police, which foreshadowed legislation to tackle end-to-end encrypted messaging, and the 2017 meeting of the G20 nations where Australia took the lead in that battle.

"The Australian government will not legislate to weaken the security of devices or communications. The Australian government will address this problem by working and collaborating with international partners, particularly the Five Eyes intelligence partners and with the broader global community," the note said.

It stressed that law enforcement and intelligence agencies being able to access people's communications with appropriate authority is a "well-established principle", and that the government is merely "bringing existing legal obligations up to date".

"The government plans to extend the reasonable assistance obligation that currently applies to domestic carriers and carriage service providers to all companies providing communications services and devices in Australia," the note said.

"That assistance would extend to removing forms of electronic protection where reasonable, practicable and proportionate. For example, in some cases, providers may be able to develop technical solutions that permit law enforcement agencies to lawfully obtain critical, yet encrypted information, or provide information to assist agencies to find those technical solutions themselves."

The note reveals that the government is concerned about that loaded word "backdoor".

"Much of the media speculation has centred on whether the government is planning to mandate backdoors," it said.

"[A] 14 July 2017 Fairfax article reported Facebook as saying that 'weakening encrypted systems for them would mean weakening it for everyone.' Media reporting has also been focused on the meaning of what constitutes a 'backdoor', particularly in smaller technology publications."

Your writer is one of those who's been focused on the meaning of what constitutes a backdoor, and for mine the meaning is clear. It's a method, created deliberately, for someone to access data that would otherwise be protected. In the case of a communication, that means access by someone other than the sender or the recipient.

It's therefore important to note that in the released document from 2017, and in cybersecurity minister Angus Taylor's speech last week, the government's "no backdoors" commitment is in the context of "access to a decryption key" or "weaken[ing] encryption" or "building weaknesses into encryption products".

Indeed, the briefing note quoted earlier stated that the proposed legislation would "ensure companies that provide communications services and devices in Australia have an obligation to assist agencies, including with decryption", and would "allow agencies to use alternative capabilities, like surveillance devices and computer network exploitation".

There's also that curious phrase "removing forms of electronic protection".

This would seem to support my speculation from a year ago that the existing lawful intercept requirements in the Telecommunications (Interception and Access) Act 1979, which required the manufacturers of telco exchanges and switches to include intercept capabilities -- "wiretaps" in American English -- is to be extended to end-user devices.

It's not so much a "war on maths" as a battle against the structure of the messaging industry, or aspects thereof. You don't need to attack encryption if you can access the plaintext message by, say, accessing the sender's raw keystrokes through the device's operating system, or looking at the screen as the message is decrypted on the recipient's device.

Why the delay?

The earliest document released on Tuesday is an email dated November 27, 2015, from Katherine Jones, deputy secretary of what was then called the National Security and Criminal Justice Group at AGD.

The email is classified "PROTECTED Sensitive: Cabinet". Key details are redacted, such as the recipients, and the agencies being brought into loop. But it shows that none of this discussion is new, with AGD being aware that "both the technology and broader environment has [sic] changed significantly".

"We have undertaken some preliminary thinking about the new challenges in the context of broader plans to improve the Telecommunications (Interception and Access) Act 1979," the email said.

"In addition, I am mindful that recent developments in the UK and US indicate that those jurisdictions have moved away from the idea of backdoor 'skeleton keys' as a solution."

So if all this was known and discussed in 2015, why have we still not seen any draft legislation? And why has the government been so cagey about what it plans to do?

Perhaps it's because the government has been distracted by the massive restructure into what is now the Department of Home Affairs and, from July 1 this year, the Australian Signals Directorate as an independent statutory authority.

Perhaps it's because the handover from Brandis, now Australia's High Commissioner in London, to Australia's new favourite attorney-general Christian Porter, delayed work.

Perhaps it's because discussions between the government and its international partners, and with the tech industry, are moving more slowly than hoped.

Or perhaps it's just because it's difficult to draft legislation which can make it all work.

According to Taylor, the consultation on that legislation will start "in the coming weeks".

Related Coverage

FBI inflated encrypted device figures, misleading public

Encrypted cell phones were a major obstacle to criminal investigation. The FBI now admits the problem was much smaller than they'd originally reported.

Tech giants hit by NSA spying slam encryption backdoors

The tech coalition includes Apple, Facebook, Google, Microsoft, and Verizon and Yahoo's parent company Oath - all of which were hit by claims of complicity with US government's surveillance.

Experts rip Ray Ozzie's plan for unlocking encrypted phones

The former Microsoft executive's idea collapsed in the face of expert scrutiny.

Russia moves to block Telegram after encryption key denial

Telegram's lawyer told ZDNet that Russia's demand for the app's encryption keys is "unconstitutional."

Pixel 2 encryption is so good it can even fend off insider attacks, Google says (TechRepublic)

New Android security features for the Pixel 2 prevent attackers from installing malicious firmware on the security module in a lost or stolen device.

Microsoft's BitLocker encryption program: A cheat sheet (TechRepublic)

BitLocker, an encryption program from Microsoft, offers data protection for the whole disk in an efficient method that is easy to implement, seamless to the user, and can be managed by systems admins.

Editorial standards