Australia Threatens to Force Companies to Break Encryption

In 2018, Australia passed the Assistance and Access Act, which—among other things—gave the government the power to force companies to break their own encryption.

The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include:

  • Technical Assistance Requests (TARs): TARs are voluntary requests for assistance accessing encrypted data from law enforcement to telco and technology companies. Companies are not legally obligated to comply with a TAR but law enforcement sends requests to solicit cooperation.
  • Technical Assistance Notices (TANs): TANs are compulsory notices (such as computer access warrants) that require companies to assist within their means with decrypting data or providing technical information that a law enforcement agency cannot access independently. Examples include certain source code, encryption, cryptography, and electronic hardware.
  • Technical Capability Notices (TCNs): TCNs are orders that require a company to build new capabilities that assist law enforcement agencies in accessing encrypted data. The Attorney-General must approve a TCN by confirming it is reasonable, proportionate, practical, and technically feasible.

It’s that final one that’s the real problem. The Australian government can force tech companies to build backdoors into their systems.

This is law, but near as anyone can tell the government has never used that third provision.

Now, the director of the Australian Security Intelligence Organisation (ASIO)—that’s basically their FBI or MI5—is threatening to do just that:

ASIO head, Mike Burgess, says he may soon use powers to compel tech companies to cooperate with warrants and unlock encrypted chats to aid in national security investigations.

[…]

But Mr Burgess says lawful access is all about targeted action against individuals under investigation.

“I understand there are people who really need it in some countries, but in this country, we’re subject to the rule of law, and if you’re doing nothing wrong, you’ve got privacy because no one’s looking at it,” Mr Burgess said.

“If there are suspicions, or we’ve got proof that we can justify you’re doing something wrong and you must be investigated, then actually we want lawful access to that data.”

Mr Burgess says tech companies could design apps in a way that allows law enforcement and security agencies access when they request it without compromising the integrity of encryption.

“I don’t accept that actually lawful access is a back door or systemic weakness, because that, in my mind, will be a bad design. I believe you can – these are clever people – design things that are secure, that give secure, lawful access,” he said.

We in the encryption space call that last one “nerd harder.” It, and the rest of his remarks, are the same tired talking points we’ve heard again and again.

It’s going to be an awfully big mess if Australia actually tries to make Apple, or Facebook’s WhatsApp, for that matter, break its own encryption for its “targeted actions” that put every other user at risk.

Posted on September 9, 2024 at 7:03 AM • 25 Comments

Comments

Agammamon September 9, 2024 7:18 AM

. . . but in this country, we’re subject to the rule of law, and if you’re doing nothing wrong, you’ve got privacy because no one’s looking at it,” Mr Burgess said.

Except that ‘this country’ is Australia – not exactly known as a bastion of personal freedom among the Western countries.

And ask people in the US/UK/Canada/France/Germany/Etc how well ‘if you’ve done nothing wrong, you have nothing to worry about’ works.

mw September 9, 2024 8:04 AM

That is exactly the reason why an end-to-end encryption is essential where the private key never leaves the device and is solely in possession of the end users. So a man-in-the-middle, like tech providers, is never able to decrypt any message. In the best case the key is stored on a HSM device, but not on a TPM that isn’t fully under control of the user.

Tim Bradshaw September 9, 2024 8:46 AM

From a historical perspective I think it would be interesting to know how many times we’ve been through the sequence of

  1. government agency announces that they are going to force organisations to backdoor their encryption;
  2. justified articles, like this one, pointing out that would be very bad;
  3. pause (while presumably, behind the scenes, somebody patiently explains to the agency concerned that what they want is not mathematically possible and what they can have is extremely undesirable);
  4. nothing happens;
  5. pause, go to 1.

I wish I had kept a record of them all.

B.J. Herbison September 9, 2024 9:45 AM

Is the third element verbatim? Giving access to “encrypted data” is easy, just give it to them. And it is “reasonable, proportionate, practical, and technically feasible”.

It’s letting them see the unencrypted version of the encrypted data that’s unreasonable, disproportionate, impractical, and technically infeasible (if the system is designed correctly).

Sean September 9, 2024 11:59 AM

Simplest fix is for all those companies to blacklist the entire continent, and any device will authenticate with “due to your government implementing act XXXXX, this will break our product. You can contact your local MP at , email and this address”, an action that likely will mean they will be unable to do anything at all, due to the phone ringing, and email being flooded, and there being crowds at the doors complaining.

Anonymouse September 9, 2024 12:32 PM

If we’ve learned nothing, when encryption keys must be shared, then those extra keys become a liability and will eventually be stolen. Having them all in a centralized, govt, location, will just make it easier and more tempting for theft.

When I think of organizations that actually keep secure things secure, govts are never near the top of the list. There are bright people in govt, but there are also plenty of idiots too. No process or storage method that is convenient enough for govt use will be secure enough to prevent theft or govt abuse.

We’ve also learned that when govt laws mandate certain things that are popular and law-abiding people follow the law, then only criminals will be left ignoring it for their own gains.

A prior NSA Director was demanding encryption from US industry that could be broken when he was in a govt job. Jump forward a few years and he changed his stance completely, saying that strong, safe, encryption was necessary for businesses and personal privacy. The only difference was that he was no longer in govt. https://www.bankinfosecurity.com/interviews/new-view-ex-nsa-chief-argues-against-encryption-backdoor-i-2943

Of course, someone we know and respect coauthored a paper about this:

mandating insecurity by requiring government access to all data and communications

http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf

Victor Serge September 9, 2024 1:52 PM

Every time I read this blog I start bouncing off the walls.

What you are saying again, is that there is truly no security that is not both air-gapped prior to transmission, (along these lines: https://github.com/johnshearing/Airgapped_Encrypted_Messaging), and symmetric.

Or are we all STILL so gullible?

Bcs September 9, 2024 2:38 PM

I suspect that a bunch of providers will respond to the demand that they build the ability to “give us access to any Australian’s data you have whenever we ask for it” by making sure that data can be delivered on a blank piece of paper.

We are not willing to hand over what you want to demand so we will make sure there’s nothing you have the jurisdiction to demand.

Wannabe Techguy September 9, 2024 3:59 PM

Sure even if it was possible, I certainly don’t trust L.E.
If I’m not doing anything wrong(who gets to decide that?) nobody is watching? Yeah ok.

DavidH September 9, 2024 4:09 PM

Now that this is public knowledge, which it always would have become, any half-way sophisticated criminal is going to switch to something less mainstream that the Aus govt doesn’t have leverage over.

Is this 4D chess and they figure the Five Eyes (i.e. mainly the NSA) will have vulnerabilities documented in the alternatives? Or are they depriving themselves of even the minimal (meta)data they could get even with end to end unbroken?

I don’t have the information to say which.

Matt September 9, 2024 10:29 PM

Just a pedantic note: ASIO is not really the equivalent of the CIA – it’s more like the FBI: broadly limited to domestic operations. The overseas operations outfit (or one of them), equivalent to the CIA, is ASIS.

Clive Robinson September 10, 2024 9:41 AM

We knew how to stop this before computers.

Think about pre WWII communications by Morse telegraphy and later telex teletypes.

The Victorians were quite hot on “Commercial Codes” and similar.

The SOE and others during WWII used “One Time Pads” that gave according to Claude Shannon’s criteria “Perfect Secrecy” even over known to be monitored HF radio communications links that in effect “broadcast” to most of Europe.

The problem is that today people are lazy and want “convenience” not “OpSec”. Thus they happily settle for the illusion of security with “systems” that are in no way secure.

What the Australians supposedly want is what Apple had with regards to stopping CSAM. Which was user interface side scanning software, which did a complete “end run” around any and all “on device” supposedly secure Apps.

The only way to stop this is by taking the “security end point” off of the device beyond the “communications end point”.

This requires a way for the First and Second Parties in the communication having a “shared secret” known only to them that never gets put on the communications devices, that enables “Key Management”(KeyMan) of “Key Material”(KeyMat) to be carried out securely.

If people do this correctly then “ASIO head, Mike Burgess” is as they say “Going to be so out of luck”. Because there is nothing the service or equipment suppliers can do to get at the “shared secret”.

The problems are people these days are,

1, Lazy
2, Want instant gratification
3, Not to be bothered with OpSec.
4, Not wanting to carry another device around with them.

In short “If it’s not convenient they do not want to know”. Which is why those phoney secure phones like EncroChat supplied to criminals got so many of them caught,
https://en.wikipedia.org/wiki/EncroChat

Or the Australian AFP and US FBI system,

https://www.crikey.com.au/2024/06/07/dark-wire-joseph-cox-afp-fbi-encrypted-phone-anom-operation-ironside/

Gilbert September 10, 2024 10:24 AM

It is because I do nothing wrong, I am not a criminal and obey laws of my country that NO ONE should look at my data or my communications.

Thank you Australia. But No 🙂

Steve September 10, 2024 12:00 PM

How about asking some quintessential “Project Innocence” clients how doing-nothing-wrong worked out for them?

It looks good when presented on crime shows… “yeah! this allowed us to bring those horrible criminals to justice.” BUT, what happens–especially in this new age of AI–when nearly everyone may be [wrongfully] viewed as a “criminal?”

Victor Serge September 10, 2024 1:10 PM

near as anyone can tell the government has never used [Technical Capability Notices]

But obviously they use a gag order about such a Blatant Invasion, since the outrage would be too inconvenient for political survival: As it is, they have a shiny halo in the eyes of mainstream propaganda consumers.

Historically[1] this is used as often as available expertise, opportunity, and political capital can afford.

“Transparency” is a myth told to school children. If you won’t open your eyes, just use your head.

[1] Dual_EC_DRBG vis BULLRUN and EDGEHILL, and any number of other citations in Ross Anderson work, and that of Edward Snowden, Niels Ferguson et cetera, ad nauseam. Good grief does this all bear repeating to anyone with ten fingers?

Sok Puppette September 10, 2024 3:31 PM

This stuff has been fought off since the 1980s, but the latest (internationally coordinated) round of attacks seem to be breaking through. I think the bad guys are going to win this time, and not just in Australia.

The answer for this isn’t for “companies” to do or not do anything at all. You can’t build a corporate structure that can resist.

People are going to have to switch to fully decentralized systems with no effective pressure points. And no, federation, where in practice you and your ten million closest friends all end up on the same instance, is not decentralized enough. Peer to peer. And as stealthy as possible, with multiple transports.

The set of nonexistent pressure points has to include the software developers. Software has to be implemented, preferably in multiple independent programs, in ways that can trivially be duplicated or forked.

Julian N September 11, 2024 5:33 AM

For anyone who thinks you can trust the UK government (I still think there might be one or two) I would point you towards a brave lady called Pam Warren who was severely injured in a train crash and then became the focal point for rail safety.

She was embarrassing the responsible minister for telling lies – and the response was an edict to “dig the dirt” on her. I am not sure how successful the dirt digging was in this instance, but for sure allowing the government to have the ability to trawl through encrypted correspondence to protect a minister’s reputation, as might have happened here had similar legislation then been in force, is not a good step.

JMM September 12, 2024 6:50 AM

if you’re doing nothing wrong, you’ve got privacy because no one’s looking at it

This guy still closes the bathroom door, though.

Who? September 14, 2024 12:43 PM

@ Tim Bradshaw

I fear you missed point zero:

0. government agencies force organisations to backdoor their encryption;

A lot of times they work in the background with some sort of NSL to achieve their goal of weakening security without asking people for permission. Why should they ask after all? They are working for the very same government responsible for writing the rules, so no need to ask for permission.

Have the NSA asked for permission before running programs like PRISM? Have NSO asked for permission before writing Pegasus? Have the French government asked for permission before arresting Pavel Durov?

JTC September 15, 2024 6:09 PM

“Mr. Burgess says tech companies could design apps in a way that allows law enforcement and security agencies access when they request it without compromising the integrity of encryption.”

That simply is not possible. A backdoor is a backdoor for anyone and everyone to find.

David Robinson September 16, 2024 8:59 PM

Firstly, as an Australian Citizen, I support limited and specialised requests as long as there is due process.
Secondly, why does everyone talk about breaking encryption? The company makes the “App”, and the data is decrypted on the device; just update the App to send a copy of the “chat log” to law enforcement based on a specific device ID. There is no encryption breaking; this is similar to asking Google or Apple to send a copy of someone’s cloud phone backup to law enforcement.

Sure, the data might be encrypted at rest, but when the App is loaded, it’s free to copy. Each country has its own App store. I’m already limited to Apps in my own marketplace, so this highly unusual request for data can be localised to a single country. Australia will not be asking for the encryption keys to the world.

I want my personal data safe from overseas data sellers, and I go to great lengths to keep that safe with encryption on everything I own. I also live in a very lucky and safe country, and to keep living a happy, relaxed life, I agree that there is a very tiny risk my data might get scooped up in a high-security incident. And I’m ok with that.
