Facebook, Google, WhatsApp in the firing line as Australia reveals encryption laws
The Australian government is proposing new laws that would require international tech giants like Facebook, Google and Apple to provide access to encrypted communications to law enforcement for policing crime.
The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 is still in draft stages, but would allow heads of Australian law enforcement to issue tech companies with notices requiring them to decrypt communications, including
The government is proposing three levels of “assistance” notices that could be delivered to tech companies: a request for voluntary assistance, a notice requiring tech companies to decrypt communications where they have the capability to do so, and a third level requiring companies to build the capability to decrypt if they don’t have the technical means already established.
Importantly, the laws wouldn’t stop at Australia’s borders and the country’s telecommunications providers. The government is casting a wide net, defining “designated communications provider” under the laws as any “foreign and domestic communications providers, device manufacturers, component manufacturers, application providers, and traditional carriers and carriage service providers.”
That means everything from encrypted messaging apps and email accounts to physical device storage is on the table for decryption.
In the explanatory document accompanying the legislation, Australia’s Department of Home Affairs catalogues a laundry list of companies that could be called on to provide access to account information, including Facebook, Instagram, Reddit, Twitter, WhatsApp, Signal, Telegram and even log-ins for comment sections on news websites.
Three levels of ‘assistance’
The laws’ three levels of “assistance”, which Australia’s security and law enforcement agencies would be able to request of tech companies, are:
- Technical assistance request: A notice to provide “voluntary assistance” to law enforcement for “safeguarding of national security and the enforcement of the law.”
- Technical assistance notice: A notice requiring tech companies to offer decryption “they are already capable of providing that is reasonable, proportionate, practicable and technically feasible” where the company already has the “existing means” to decrypt communications (e.g. where messages aren’t end-to-end encrypted).
- Technical capability notice: A notice issued by the attorney general, requiring tech companies to “build a new capability” to decrypt communications for law enforcement. The bill stipulates this cannot include capabilities that “remove electronic protection, such as encryption.”
Each level of notice requires a higher level of oversight and clearance, and the government has reiterated that law enforcement agencies would “still need an underlying warrant or authorisation.”
“We must ensure our laws reflect the rapid take-up of secure online communications by those who seek to do us harm,” he said.
“These reforms will allow law enforcement and interception agencies to access specific communications without compromising the security of a network. The measures expressly prevent the weakening of encryption or the introduction of so-called backdoors.”
While Taylor was keen to avoid talk of backdoors to encryption, the laws allow the country’s top law officer to require companies to build capabilities into their systems where they don’t already exist in order to provide access for law enforcement.
Speaking on the Australian Broadcasting Corporation (ABC) on Tuesday morning, Taylor was pressed on this issue, but reiterated that tech companies would be able to provide access to law enforcement without weakening their security.
“[We are] ensuring we don’t break the encryption systems of the company,” he said. “So we are only asking them to do what they are capable of doing. We are not asking them to create vulnerabilities in their systems that will reduce the security because we know we need high levels of security in our communications… The [law enforcement] agencies are convinced we can get the balance right here without breaking the encryption systems of the technology companies.”
The tech world responds
CNET contacted Apple, Facebook and Google for comment on the news. Facebook and Google pointed to a statement from the industry body Digital Industry Group:
“As an industry, we work every day to help protect the privacy of people who use our services and strongly support the economic and social benefits of encryption technology,” it said in a statement. “At the same time, we appreciate the hard work governments do to keep us safe, which is why we work with law enforcement to respond to requests for data in accordance with applicable law and respective terms of service.
“The industry has also developed a set of global principles that call on governments around the world — including Australia — to adopt surveillance laws and practices that are consistent with established norms of privacy, free expression, and the rule of law. We hope that there is a constructive and public dialogue with the government around these principles as the bill continues its progress through parliament.”
Apple did not immediately respond when asked for comment.
While the tech companies have been cautious in their response to the draft legislation, they have previously fought hard on the issue of security and any attempt from governments to weaken encryption.
in the US in 2016, holding firm against law enforcement attempts to gain backdoor access to the iPhone of the terrorist responsible for the San Bernardino attack. Apple was eventually ordered to unlock the phone, but Apple claimed the episode for security worldwide.
The question of allowing decryption for law enforcement without weakening security or exposing devices and apps to bad actors is still central to the encryption debate, two years on.
Australian Prime Minister Malcolm Turnbull has previously made his position on encryption clear, weighing into the debate in 2017. “The laws of mathematics are very commendable,” he said, “but the only law that applies in Australia is the law of Australia.”
But speaking with Australia’s Radio National in June, Google’s SVP and Chief Legal Officer Kent Walker was cautious about Australia’s moves on this front.
“In other countries around the world where similar proposals have been broached, no one has been able to come forward with a good technical solution that avoids the risk of keys being disclosed, data breaches from government agencies and the like,” he said. “So while we’re very open to working constructively with the government on these things, we’ve not seen a workable proposal advanced so far.”
First published Aug. 14, 11:33 a.m. AEST.
Update, 1:13 p.m.: Adds further detail from explanatory documents and comments from Google Chief Legal Officer Kent Walker.