No backdoors for Australian encryption, just a riddling of ratholes

Draft legislation intended to give cops and spooks access to encrypted communications should keep encryption strong. But the powers it proposes aren't just about fighting paedophiles, terrorists, and organised criminals.

When Australia's former favourite Attorney-General Senator George Brandis QC said in mid-2017 that encrypted messaging was "impeding lawful access to the content of communications", fears of a government-mandated backdoor in encryption systems soon erupted.

But the government listened to those concerns. As your writer predicted last year, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 [PDF], which was released on Tuesday, contains no weakening of encryption, and certainly no "war on mathematics".

The Bill makes it clear that there are to be no backdoors, or at least that's the intent. It defines "designated communications providers" to include foreign and domestic communications providers, device manufacturers, component manufacturers, application providers, and traditional telecommunications carriers and carriage service providers.

Providers must not be required to "implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or prevent a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection".

What the Bill does create, amongst many other things, is a framework for providing access to endpoint devices. That's where messages can be intercepted before they're encrypted and sent, or after they've been received and decrypted.

As the explanatory document [PDF] sets out, providers can be required to install, maintain, test, or use software that a law-enforcement or intelligence agency has given them. Clearly, this would include installing government spyware on specific target devices.

Providers can also be made to substitute a service they provide with a different service, either one of their own or another provider's. That could well include redirecting target devices to a different update server, so they receive the spyware as a legitimate vendor update.

They're just examples. I'm sure you can think of more. But wouldn't such legislative and technical processes for installing unwanted software on selected target devices be a "systemic weakness"?

Or is it OK because it isn't breaking "a form of electronic protection"? Nothing is being broken. Aren't these software installation pathways, tunnels, and hidden ratholes already part of the infrastructure?

These questions are left as an exercise for the reader.

The Bill weighs in at 176 pages, plus 110 pages in the explanatory document. It'll take a while to analyse the proposed policy, and check whether the wording of the Bill actually matches the intention. But a few weirdnesses have already been spotted.

The demands made of providers are expected to be "reasonable, proportionate, practicable, and technically feasible".

The decision maker must consider the interests of the agency as well as the provider. That includes the availability of other means to reach their objectives, the likely benefits to an investigation, and the likely business impact on the provider. They must also consider wider public interests, such as any impact on privacy, cybersecurity, and innocent third parties.

But the decision maker is, essentially, the agency making the request. That's hardly a neutral party.

Section 317S of the Bill is cute. It says the attorney-general can create "procedures and arrangements" to be followed when requesting technical capability notices. They're the documents requiring a provider to build a new capability, so they can give assistance as required. But failing to comply with those procedures doesn't invalidate the notice.

Finally, there's the government's framing of the legislation as part of the fight against paedophiles, terrorists, and organised criminals. Of course, nearly every new law-enforcement power is sold that way.

But the new powers could actually be used for "enforcing the criminal law and laws imposing pecuniary penalties; or assisting the enforcement of the criminal laws in force in a foreign country; or protecting the public revenue; or the interests of Australia's national security, the interests of Australia's foreign relations, or the interests of Australia's national economic well-being".

Misrepresentation, much?

There's still plenty to consider in this Bill, but the deadline for public comments is just four weeks away, on September 10.
