Much of the reaction to Malcolm Turnbull’s press conference last Friday has cast his comments as the latest, and possibly worst example of political technological illiteracy. And just another instance of anti-technology bluster and rhetoric without any firm policy foundation.
Based on the level of detail and technical understanding the Australian Government has revealed so far, this is an understandable assessment. But reading between the (admittedly very blurred) lines, I would suggest that an eventual policy destination is slowly emerging.
Before assessing this policy proposal, there are three broad questions that need to be answered: What problem is the current policy approach not solving? Is what is being suggested feasible? And if so, will it address the problem?
The status quo
Firstly then, why all the rhetoric? Because, despite significant investment and a series of legislative changes, Australian law enforcement agencies are unable to access communications content, and increasingly, communications metadata in a timely manner.
The former challenge, particularly in relation to encryption, is not new. What is new is the combination of ubiquitous end-to-end encryption, and easy to use, free communication apps, that are typically hosted and headquartered outside of the reach of domestic law enforcement agencies.
As Turnbull himself noted prior to the introduction of mandatory metadata retention laws in 2015, using What’sApp or Wickr is enough to ensure that your communications are encrypted, and that the metadata is stored outside of Australia.
For law enforcement, this means that they can no longer rely on access to the ‘low hanging fruit’, those within a conspiracy unable or unwilling to use secure communications methods. Or indeed, quickly conduct network metadata analysis to prioritise investigative leads.
Clearly, there are already ways around these limitations, particularly where an individual or group has been identified as a high priority. Most obviously, given the variety and number of apps most people use, why try to defeat (or indeed ‘backdoor’) a series of encrypted apps if instead, you can get access to the device they’re used on?
The UK’s Investigatory Powers Act spelled out the extent of hacking powers currently available to UK intelligence agencies. And within law enforcement, we’ve learned about hacking in the US, but also by private sector contractors on an international level.
Recent global events might have suggested that hacking is easy; in reality, doing so within a government framework against a handful of individuals requires significant time and resources. And as the big technology companies make welcome progress at fixing vulnerabilities, this is only getting harder.
The policy solution
Up until now, the often baffling language used by government ministers across the Five Eyes alliance has made the feasibility of any potential solution too difficult to assess. But perhaps the clearest indication yet came last week in a revealing interview with Robert Hannigan, a former director of Britain's Government Communications Headquarters (GCHQ) . Hannigan largely echoed the views of the global infosec community - he refused to advocate building backdoors into encryption, which he described as overwhelmingly a good thing, and concluded that weakening security for everybody in order to tackle a minority was 'a bad idea'.
What was largely overlooked however, was Hannigan’s suggestion that authorities should instead 'go after the smartphone or laptops' of people abusing the system. And importantly, do so in cooperation with tech companies.
The specifics of how this cooperation might work remains unclear. But Hannigan’s comments point towards a solution that might satisfy some of the concerns of privacy and cyber security advocates, while also delivering a workable solution that delivers real value for law enforcement agencies - private sector-assisted hacking.
Cooperation would be compelled via a warrant, with all the accompanying oversight that this should imply. Its target would either be an app provider (such as What’s App) or perhaps more realistically, the operating system provider (largely Apple or Google). On receipt of a warrant, the provider could push a unique, tailored ‘update’ to a target’s device, containing device-specific malware that delivered ongoing law enforcement access to the device, and hence, the associated content and metadata.
Will it address the problem?
In a very obvious sense then, this proposal would help deliver access to the intelligence that law enforcement agencies need, increasing the scalability and success of law enforcement hacking operations but reducing their associated resource impact. And unlike an encryption backdoor, it might pass the technological feasibility test. Instead of weakening encryption, it would simply bypass it.
From a cyber security perspective, as Patrick Gray has pointed out, sufficient safeguards could be placed around these ‘updates’ to ensure that they couldn’t be reverse engineered - they wouldn’t need to be a ‘backdoor,’ open to abuse. And by focusing on a device rather than a specific app, the displacement effect, so obvious in focusing government efforts on just What’s App or Telegram, would not apply.
In theory then, this model appears promising. How closely it aligns with the legislation promised by Turnbull and George Brandis last week remains to be seen. But whichever legislative model Australia pursues, its progress will be watched closely by governments across the world. And of course, by a whole host of technology and communications companies.
Recent developments suggest that underneath the techno-babble, political point scoring and counter-terrorism blame game, governments the world over are faced by a very real policy problem. Australia may prove to be the test case for a policy solution that has far reaching consequences for privacy, technological development and the future of law enforcement operations.