Published daily by the Lowy Institute

Exceptional access: Australia’s encryption laws

The search is for a technical solution that reconciles the national security imperative with personal privacy.

Photo: Christiaan Colen/Flickr

The Australian Government will soon unveil contentious national security legislation granting law enforcement exceptional access under warrant to the encrypted data of suspected criminals. Getting the regulatory approach wrong could leave Australians exposed to a greater security risk, or left behind in the digital economy.

The lengthy debate over encryption and exceptional access is at an impasse over “backdoors”. Privacy and security advocates worry that legislation compelling companies to leave a key under the doormat for law enforcement will weaken the digital security of law-abiding citizens.

Law enforcement and the intelligence community argue that encrypted messaging among criminals, paedophiles, and terrorist networks denies them access to much-needed evidence – the “going dark” problem. 

The challenge for the government and private enterprise is to implement a technical solution that reconciles the national security imperative with personal privacy.

For the intelligence community, access to encrypted data is an unambiguous public safety issue. In its submission to the Joint Committee on Law Enforcement’s inquiry into the Impact of New and Emerging Information and Communications Technology, the Department of Home Affairs reports that more than 65% of lawfully intercepted data uses some form of encryption, and that encryption impacts nine out of ten priority cases for the Australian Security Intelligence Organisation.

Australia already has robust national security legislation covering telecommunication interception and surveillance:

  • The Surveillance Devices Act 2004 enables law enforcement agencies to obtain warrants, emergency authorisations, and authorisations to install and use surveillance devices.
  • The Telecommunications (Interception) Act 1979 permits ASIO to intercept telecommunications under warrant for intelligence gathering, including threats of terrorism.
  • The Telecommunications Act 1997 outlines the obligations of service providers on their interception capability.

The new legislation seeks to extend the obligations of service providers to encrypted data. But detail is scant on how this will be achieved or, in the instance of cross-border investigations, implemented across jurisdictions. 

The legislation arrives at an awkward time not only for the companies it seeks to regulate but also the government. Recent data controversies (fake news, electoral interference, and the Cambridge Analytica scandal) have engendered public backlash. This has ruptured the veneer of corporate benevolence from the big five: Apple, Alphabet, Microsoft, Facebook, and Amazon.

Meanwhile, reputational damage lingers from the government’s recent data misadventures (the 2016 Census fail, Centrelink’s robo-debt recovery program, and #CabinetFiles).

It is difficult for the average citizen to know who to trust with their information.

Encryption is the bedrock of a safe and secure internet. It safeguards government services, the global digital economy, and communication over some messaging apps. Default encryption protects a device’s data at rest. End-to-end encryption protects data in transit. Anonymised technologies mask the identity of individuals online. 

Widespread end-to-end encryption hampers Australian law enforcement’s access to information, and these concerns are increasingly public. With much of the encryption debate focused on data storage and algorithm keys, some pundits have dismissed it as a war on mathematics.

At its core, however, the debate pits the radical idealism of the tech industry against the pragmatic realism of the intelligence community.

According to this year’s Lowy Institute Poll, 94% of the population view terrorism as either a critical or important threat. Among those who view terrorism as a threat, almost all (93%) say this is because “terrorists could kill innocent Australian citizens in our cities”. But the public is reticent to share its encrypted data with law enforcement. 

The conflict between privacy and security was highlighted this month by Her Majesty’s Chief Inspector of Constabulary, Sir Thomas Winsor. His annual State of Policing in England and Wales report states:

If, with a lawful search warrant, the police seize a drug dealer’s address book, or a terrorist’s notes on bombmaking, the public are supportive. But they seem less supportive of the police having access to mobile phone records or other forms of personal data, despite their value as evidence in crime and terrorism cases. The police have to understand why the public are reluctant to trust them with their data; the public have to understand why the police need it.

There is no global consensus on how to tackle the going dark problem. At a national level, there are requirements on telecommunication providers for the lawful access of encrypted data. In France, intelligence and security services may obtain authorisation to decrypt intercepted messages from the Prime Minister or delegate. Recipients of such orders must obey within 72 hours. Failure to comply could lead to imprisonment and a fine.

In the UK, the Investigatory Powers Act allows for a technical capability notice to compel “the removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data”. The European Union has not reached a unanimous position.

There are other avenues the government can pursue. These involve collaboration between law enforcement and the tech sector on alternative sources of information to assist organised crime and terrorism investigations.

One useful framework is the Global Internet Forum to Counter Terrorism. Established in 2017, this is a partnership between Facebook, Microsoft, YouTube, and Twitter. It fosters cooperation among tech companies, civil society groups and academics, governments and supranational bodies such as the EU and the United Nations. 

Through artificial intelligence and human moderation, the partnership has developed content detection and classification techniques to identify and remove extremist content and terrorist clusters from its platforms. Similar cooperation could be extended to the platforms’ encrypted products.

The debate surrounding encryption has been slow-burning. Tech companies continue to be unforthcoming in their support (or outright evasive), and the government is weary. The situation evokes the warning to Facebook chief Mark Zuckerberg this year from US Congressman Billy Long, a Republican from Missouri: “Congress is good at two things: doing nothing and overreacting. We’re getting ready to overreact.” 

When the legislation is unveiled, the Australian Government, it is hoped, will take the middle-ground approach. One with appropriate judicial oversight.
