This article is part of a series on how law enforcement is fighting crime across digital borders. You can read the rest here.
The Australian government wants new powers to access encrypted communications, but do they need them?
Police and intelligence agencies already have significant abilities to access data about our emails, phone calls and text messages if we’re suspected of committing a crime, although it can be difficult to tell exactly what they’re doing with them.
The government argues existing interception capabilities are inadequate to protect national security. According to Attorney-General George Brandis, backdoor access to encrypted communications would redress the “degradation of our intelligence capability” to prevent terrorism.
Read more: Choose better passwords with the help of science
Many Australians are unaware of current police and intelligence powers when it comes to accessing our data. As the government lobbies for new levels of access, that needs to change.
‘Backdoor’ access
The government’s proposal to compel technology companies to provide access to encrypted messaging services is modelled on laws passed by other members of the Five Eyes surveillance alliance, of which Australia is a member.
Deputy US Attorney-General Rod Rosenstein recently announced the Department of Justice intends to demand interception of encrypted communications. New Zealand already requires technology companies to grant access. In the UK, authorities may force decryption where it is technologically feasible.
As with our allies, it is unclear if Australia’s laws will require so-called “backdoor” vulnerabilities to be built into messaging applications like Facebook Messenger or WhatsApp.
They could compel access via decryption keys or they might enable remote access to devices for interception of communications “at the ends”.
In response, cryptographers argue it is not mathematically possible to access end-to-end encrypted messages via interception without undermining online privacy for everyone.
The current state of telecommunications surveillance
The government already has various powers to access metadata, the contents of digital conversations and computer networks.
The Attorney-General’s Department recently released its annual report on telecommunications surveillance.
Thanks to the Telecommunications (Interception and Access) Act (TIA Act), law enforcement and other agencies can access stored communications with a warrant. This can include “email, SMS or voice messages stored on a carrier’s network”. In other words, the contents of any communication not encoded via encryption.
Agencies may also apply for “preservation notices” to compel telecommunications companies to preserve data.
During the 2015-16 financial year, there were 712 warrants issued for access to stored communications. Data is not available about the types of offences these warrants were used for. It is also not clear how the telecommunications information was used in investigations.
The issue of metadata retention
A controversial 2015 amendment to the TIA Act requires telecommunication service providers to retain metadata for two years.
This allows authorised law enforcement agencies warrantless access to information about digital communications such as the recipient or time sent, but not their content.
However, some agencies that aren’t meant to be able to access metadata are still making requests under different legal regimes, according to the Communications Alliance, and there have already been reported breaches where an Australian Federal Police officer accessed a journalist’s metadata without an appropriate warrant.
The 2015-16 financial year was a grace period for service providers to comply with retention requirements. During this time, there were 332,639 authorisations by criminal law-enforcement agencies.
Authorisations occurred most for drugs or homicide investigations. It’s possible this may indicate police are relying on ready access to metadata rather than pursuing traditional investigatory methods.
Computer network operations
Recent amendments to the TIA Act also allow the Australian Security Intelligence Organisation (ASIO) and authorised law enforcement agencies remote access to entire computer networks.
These agencies may covertly invade a network to intercept communications at the point they are received. This works whether communications are encrypted or not.
These laws have been criticised as too broad, potentially undermining the privacy of Australians, and have dramatically expanded ASIO’s powers.
It is unclear how often these surveillance powers are exercised due to the secrecy provisions surrounding ASIO operations.
The need for additional surveillance capabilities?
It is clear that Australian law enforcement agencies already have extensive surveillance capabilities. And while many of the details remain secret, we do know these powers are frequently used.
It may be that Australia is becoming a test case for the introduction of broad new powers that mandate backdoors in an attempt to undermine encrypted technology more widely. Unlike other Western democracies such as the US or Canada, Australia has no constitutional protection for human or privacy rights.
Read more: End-to-end encryption isn't enough security for 'real people'
In the meantime, Facebook argues that “weakening encrypted systems would mean weakening it for everyone.” We also know Apple has been lobbying the government to drop the proposal.
Technology companies need to fight back against a government that has considerable appetite to intercept private communications, but has not made a convincing case for why they need these new powers.
Read other stories in this series:
- Poisoned water holes: the legal dangers of dark web policing
- It’s too hard to get the data of Australian criminals when it’s stored overseas
- Virtual child p*rnography could both help and hinder law enforcement
