A front door, not a back door: Dutton’s decryption laws explained

The government is trying to pass laws that will totally redefine what police and intelligence agencies can do, with a warrant, to get access to private messages

The government could be about to pass sweeping decryption laws which will give intelligence agencies strong new powers to force tech companies to help them crack encrypted devices and messages.

Australia would be a pioneer in the decryption space, as the first country among the Five Eyes intelligence-sharing alliance to attempt large-scale reforms.

The laws were still being debated, in detail, by the cross-party Intelligence committee.

But now, the Morrison government says the agencies need the powers urgently before the Christmas break, and is “insisting” the parliament pass the laws before the end of the fortnight.

The heads of Australia’s intelligence agencies – from ASIO to the secretive Signals Directorate – have been called to Parliament House for urgent hearings, where they will be asked if they believe the laws should be fast-tracked.

The government’s case

Encryption underpins every secure message you send online, from online banking to private messages.

It is the technology that uses complex algorithms to scramble messages into unreadable code as they travel from sender to receiver, so anyone who intercepts a message can’t read it.

Messaging apps all use a form of encryption, but some are more secure than others.

End-to-end encryption offers the highest protection, where not even the company has the key, so it couldn’t crack the message even if it wanted to.

WhatsApp, Telegram, Wickr and Signal are popular examples and are widely used in political, media and security circles.

But the rapid uptake of these tools obviously extends to criminal networks, from human traffickers to terrorists.

“The criminals, the terrorists, the paedophiles are using encrypted messaging apps,” Home Affairs Minister Peter Dutton said, speaking in the wake of police detailing how they had thwarted an alleged terror plot in Melbourne.

The head of Australia’s domestic spy agency, ASIO, says their priority targets are using encryption to evade traditional monitoring techniques.

“Ninety-five per cent of our targets are using encrypted communications,” Duncan Lewis, the agency’s chief, told parliament’s Intelligence committee.

Not a backdoor?

The San Bernardino terror attack in 2016 is often cited as a key example of why the laws are needed.

In that case, Apple refused a request from the FBI to help it crack the dead terrorist’s iPhone, insisting it was not technically possible for it to weaken one iPhone’s encryption without compromising every device.

The FBI took Apple to court, but the case was eventually dropped because the US government found a third-party company that was able to crack the device.

Nonetheless, the case triggered a global debate about the merits of “backdoors” in common encrypted technology that could give law enforcement secret “keys”.

“Apple would not help unlock the iPhone of the dead San Bernardino terrorist,” former PM Malcolm Turnbull said, announcing the laws.

“The privacy of a terrorist can never be more important than public safety. Never.”

But the Australian government took a different approach, in a way.

Rather than building a backdoor, it will seek the power to compel tech companies – from the makers of small electrical components, right up to search and social giants like Google and Facebook – to build them new “capabilities” to get around encryption.

They will need a warrant from a court – similar to the current threshold for a request to tap a suspect’s phone.

“We want to see more encryption in this country, not less,” then-Cybersecurity Minister Angus Taylor said earlier in the year.

Mr Lewis, of ASIO, says they want a “front door”, not a back door.

What does that mean?

Nigel Phair is a former investigator with the Australian Federal Police, who headed its high-tech crime centre.

He explains how the agencies could get tech companies to bypass encrypted communications on the phones of suspects.

“Going through the device would be the easiest thing,” he told SBS News.

“That would be either through a key-stroke logger, maybe an additional secretive app downloaded on to [the device], maybe through an update of the other apps that are on the device.”

In other words, even if you’re using an encrypted app, the agencies could force a tech company to install secret software on your phone that monitors your keyboard strokes, or captures your screen.

SBS News asked Mr Taylor, who drafted the laws, for more examples:

“It may be getting a company to help us locate a criminal, to have a capability to locate criminals through GPS tracking,” the former Cybersecurity Minister said. 

Another option would be forcing a company to build an online cover profile for an agent, Mr Taylor said, so they could chat with a network of criminals.

Labor likely to approve, despite concerns from privacy groups

Labor is working with the government in the cross-party Intelligence committee on potential amendments to the bill, but the government is pushing to pull them out of committee and push them through parliament this year.

There is a long-running tradition of bipartisanship on national security bills. When the two major parties disagree on the details, they try to resolve the differences through the committee.

Tim Singleton Norton, chair of Digital Rights Watch, said there was a risk of government-ordered “capabilities” falling into the wrong hands.

“The problem is that when you break encryption for one, you break it for everyone,” he said.

He said the proposal would effectively allow backdoors.

“We have a massive problem here about the idea of giving police a power that will create backdoors, that will create access for anyone to break encryption protocols.”

Tech companies sound the alarm

In a joint submission to the Home Affairs department, a group representing Amazon, Facebook, Google, Oath and Twitter raised serious concerns with the scope of the bill and a lack of oversight.

The companies argue the laws would “require the provider to identify a weakness in the security of data in their systems or technology and to make that weakness known to those agencies”.

“While [we] appreciate the challenges facing law enforcement, we have concerns with the bill, which, contrary to its stated objective, may serve to actually undermine public safety by making it easier for bad actors to commit crimes against individuals, organisations or communities,” the submission reads.

Cooperating closely with law enforcement to help breach private communications could “erode consumer trust” and potentially “introduce weaknesses that malicious actors could exploit”.

The laws are designed to avoid situations like the San Bernardino terrorism investigation in the United States, where Apple famously resisted pressure from the FBI to break a suspect’s phone.

The submission argues the laws should be limited with more judicial oversight and only used on the worst suspected criminals.

“The bill proposes extraordinary powers of unprecedented scope, and their exercise should be limited to combatting serious crimes that pose a grave threat to human life or safety.”

Published 26 November 2018 at 1:11pm
By James Elton-Pym