Australian Government Agencies Already Flexing Their New Encryption-Breaking Powers
from the sure,-cops-are-right-on-top-of-this-law-and-its-implications dept
Claiming the nation was beset on all sides by national security threats and rampant criminality, the Australian government hustled an encryption-breaking law through Parliament (and past concerned members of the public) at the end of last year. The law compels companies to break encryption at the drop of a court order to give government agencies access to data and communications they otherwise can't access.
Supporters of the law did everything they could to avoid using the term "backdoor," but backdoors are what they're expecting. How this will all work in practice is anyone's guess, as each demand for "exceptional access" will likely collide head-on with quality assurance processes meant to prevent the creation of security flaws in software and hardware. Agencies that want exceptional access will either have to bring a majority of a company's personnel on board (and hope no one leaks anything to the public) or risk having their "not a backdoor" rejected after the code is submitted for approval.
No details have come to light (yet!) about companies being approached to punch holes in their own products, but it appears the Australian government has wasted no time putting its new powers to use.
Federal law enforcement and national security agencies have started using encryption-busting powers passed by parliament in December last year, and state-based police are set to be trained in using the powers this month.
This conclusion comes from the Department of Home Affairs' first report [PDF] on the new compelled access powers. The introduction contains several paragraphs about the new law and the Department's supposed oversight of its rollout. It concludes with this statement:
The Department continues to work closely with law enforcement and national security agencies and industry to facilitate the implementation of the Act. This will support the key measures in the Act, including the industry assistance measures in Schedule 1, so that they are being used consistently and appropriately. The Department has also been advised by Commonwealth law enforcement and national security agencies that the powers in the Act have been used to support their work.
The report also continues the fine Australian government tradition of denying the law has anything to do with encryption backdoors. Here's the latest lingo dodge, which comes from a list of amendments made in response to recommendations from Australia's intelligence committee.
[Introduces] a definition for ‘systemic weakness’ and ‘systemic vulnerability’ to clarify and prohibit those proposed requirements in a request or notice which will lead to unlawful and systemic intrusions into devices and networks. This enhances the operation of existing safeguards that prevents the creation and implementation of ‘backdoors.’
The Department's new definition of these terms appears to limit encryption breaking to single devices/users, rather than entire communications platforms or operating systems.
The selective introduction of a vulnerability or weakness, as it relates to a target technology connected with a particular person is allowable. The definition of target technology further reinforces the specificity and precision through which interaction with electronic protections such as encryption is permissible. This definition takes each likely item of technology, like a carriage service or electronic service, which may be supplied by a designated communications provider, and reinforces that a weakness or vulnerability may only be introduced to the particular technology that is used, or likely to be used by a particular person. For example, a single mobile device operated by a criminal, or likely to be used by a criminal, would be classified as a target technology for the purpose of paragraph (e) of that definition. However, a particular model of mobile devices, or any devices that are not connected with the particular person, would be far too broad to fall within the definition. This ensures that the services and devices enjoyed by innocent parties or persons not of interest to law enforcement and security agencies remain out of scope and unaffected.
This could reduce the scope of what can be targeted with assistance requests, but nothing in the report suggests the government should abandon requests that fall outside of these definitions. If accessing a single target's communications can only be done by introducing a systemic vulnerability, it's safe to say the government will find a way to make the requested assistance adhere to the definitions it's provided -- anything to avoid having to use the phrase "backdoor" anywhere in reports or public statements.
This assurance that the government won't demand full-fledged backdoors isn't very assuring, especially since it appears the government still doesn't know what requests meet the constraints built into the law.
Home Affairs said it was also in the process of sourcing technical and judicial assessors and experts that can be used to determine whether an agency request is permissible or not.
Cool. Some requests have already been issued and Home Affairs hasn't gotten any further than beginning the process of sourcing experts to help decide whether these requests are even lawful.
Filed Under: australia, backdoors, encryption, security
Reader Comments
Crikey! This 'ere's a Snapchat message, the most dyngerous encryption in all the Web!
*manic grin*
I think I'll poke it with a mandatory-backdoor bill!
[ link to this | view in chronology ]
Re:
Gah! Too soon, dood! 😢
[ link to this | view in chronology ]
How does that work when all similar devices on the same service run the same encryption? Does that mean that companies have to be able to control updates and reinstalls at the individual user level?
[ link to this | view in chronology ]
It's what the IETF and others have been saying for years
The way to defeat encryption is to infect the target device and view the content after it's been decrypted.
This is what I have been hoping for all along. This allows targeted surveillance, hopefully approved by a court. It also increases the cost, which is important. We want governments to have to spend money/effort to surveil people so that they have to choose who to expend the effort on.
If this is where the Aus government sees the "scope" and that is what happens, I approve.
It's bullshit like the "ghost" members of encrypted group chats that GCHQ were talking about that should get you worried. Read Bruce Schneier or Matthew Green to get the background on that one.
Backdoors do not work. You cannot control who will use them.
[ link to this | view in chronology ]
Re:
It may mean, rather, that if they do it at that level, their users will be vulnerable. Such designs are common but have long been noted as a security risk. Australia might push us toward more secure designs, e.g. where Windows Update will not install anything whose hash hasn't appeared on a public blockchain (preferably accessed in an anonymous way, or verified through independent sources)—this is basically Certificate Transparency.
[ link to this | view in chronology ]
Maybe a dingo ate your encryption
[ link to this | view in chronology ]
If they tell the maker of a smartphone app to break security for one particular user, how will that work what with the app being distributed through the Android or iPhone app store? Have Google and Apple already put in the capability for an app developer to do that?
[ link to this | view in chronology ]
Re:
Aren't there apps that use screen recording already? The govt just need to lure you into installing some app - I'm surprised they haven't released a free tax app.
[ link to this | view in chronology ]
just proves was urgently needed
if not used, you'd say wasn't necessary
[ link to this | view in chronology ]
"Rampant criminality" ...how apt.
"We have met the enemy, and he is us." (though, of course, they'll never see it)
[ link to this | view in chronology ]
"Federal law enforcement and national security agencies have started using encryption-busting powers passed by parliament in December last year, and state-based police are set to be trained in using the powers this month."
Using their powers to bust encryption. It sounds like their people were bitten by radioactive mathematicians.
[ link to this | view in chronology ]
Re:
I can see it now, dood:
🎶 Crypto-Man! Crypto-man! 🎶 Undoes whatever crypto he can. 🎶 Breaks the Web with his hands, 🎶 catches thieves, we say he can! 🎶 Look out! He's the Crypto-Man!
[ link to this | view in chronology ]
half-baked?
Hmmm. Would that be as versus a half-fledged backdoor? Said door being either open or closed, but this isn't Schrodinger's cat we're talking about here. Either the encryption is intact, or it had been compromised. Completely, not partially.
Like the EU and its never-to-be-sufficiently-damned copyright cartel sponsored triumvirate of leaders, this will do nothing to stop what I view as common behavior (and I make no judgments here), it will only make, automatically, criminals where there were none ere now.
Actually, all encryption can be broken, given enough time. The gist of the law can be restated thusly: since it can be broken, then it must be broken... but instantly - time be damned! Not to mention several and various other Laws Of The Universe.
Wouldn't it be nice if everyone just started using the same encryption schema instead of trying to make up their own? I can picture it now: "Hey there officer, I can't break this, it comes from Company X in [name your favorite country here], and they have laws against giving out keys or "shudder" backdoors. So sorry, have a nice day!".
sumgai
[ link to this | view in chronology ]
everyone here understands what's about to happen..
Let's ask.. HOW the gov. thinks they wish to make this happen.. They are already setting people up to DO this job. HOW? Only 1 corp can make modems for the country? Only 1 corp can set the encoding?? Register each modem TO 1 person, and 1 new code per person/family?(that's fun and who has the book of Who has what code) 1 code to be used for everyone?? F'ing stupid as hell..
And what stops the USER from creating a honey trap, for the gov to look at? so their main computer is never seen from the internet?? It only takes 1 rasp Pi to create it..
Those persons you hired?? I HOPE, you can keep them a long time. As any smart person will figure out HOW this works.. Or copy your access program with all the Backdoors(to sell to the highest bidder and the RIAA/MPAA assoc) AND PAY them very good wages, so they don't use this ability to SPY on your government personnel.. OR are your federal reps, NOT covered by this STUPID IDEA... PS...how about the Corps in your nation.. Do they have to have a backdoor into their system..(I don't think so)
Which makes this law Unfair.
[ link to this | view in chronology ]
Of course they are starting to use this law
One thing about this, just because they are using it doesn't necessarily mean they need to use it or it's being used as a last resort.
Why go through due process with the old methods (warrants, etc) when you can just slap one of these on to someone?
[ link to this | view in chronology ]