Australia’s Government wants to pass world-first laws that would force technology companies to help police access encrypted messages.
Attorney-General Christian Porter has said a high number of people involved in terrorist plots and serious organised crime use encrypted messaging apps.
But not only does encryption keep text messages secret, it underpins the security of the internet, from email to online banking.
Technology companies, human rights groups, lawyers and others aren’t happy about the law, and — given the bill’s powers will be unprecedented globally — it’s unclear how this will play out.
This is what we know so far about how it will affect you.
Why is this a big deal?
Encryption is the mathematical breakthrough that allows a message to stay secret between the person who wrote it and the person receiving it, no matter who ferries the message between the two.
Not only that, encryption is the foundation of many of the things we take for granted on the internet, including secure stock market trading, health information storage and online voting.
But the Australian Government apparently pays little heed to the limitations of maths.
“The laws of mathematics are very commendable, but the only laws that apply in Australia is the law of Australia,” then-prime minister Malcolm Turnbull said when announcing the new laws in 2017.
But on a serious note, critics are concerned the bill grants our spies and police extensive powers that could undermine internet security, with limited oversight or safeguards.
Can the Government already read my messages?
In some cases, yes, although authorities say they need these new powers to keep up with the criminal threat.
The risk of bad actors “going dark” online is not new, and law enforcement agencies currently have numerous tools they can use to access the data of suspects.
In 2015, for example, the government passed a law requiring telecommunication companies to retain metadata for two years.
Under the ASIO Act and other laws, the top spy agency can obtain remote access to computer networks and their data.
“They already have powers to hack end points where information is not encrypted,” explained Monique Mann, a Queensland University of Technology law and technology researcher.
This power is strengthened by the current bill, which will allow state and federal authorities investigating certain offences to obtain computer access warrants similar to those available to ASIO.
Tell me a secret
In some circumstances, law enforcement can also compel people under threat of jail time to disclose their computer or smartphone passwords — and the current bill steps up these penalties.
In addition, technology giants like Apple and Google voluntarily assist authorities.
During July-December 2017, for instance, Australian police made 120 requests for Apple account details, which could include someone’s iCloud content. Apple provided data in 64 per cent of these cases.
So what extra access will the new laws give?
At almost 200 pages, the encryption bill introduces a raft of new powers, but criticism has focused largely on Schedule 1. It proposes three key powers for law enforcement:
- A technical assistance request (TAR): Police ask a company to “voluntarily” help, such as by giving technical details about the development of a new online service
- A technical assistance notice (TAN): A company is required to give assistance. For example, if it can decrypt a specific communication, it must do so or face fines
- A technical capability notice (TCN): The company must build a new function to help police get at a suspect’s data, or face fines
The things a smartphone manufacturer or even a website owner could be asked to do by authorities are extensive: from installing software and modifying a service on demand, to providing technical information such as its source code.
While a TAR could ask a company to remove “electronic protection”, the Government argues that safeguards in the bill prevent a TAN or TCN being issued that causes “systemic weakness” or breaks encryption.
Technology companies and encryption experts have warned that any tinkering with the security of online systems could have serious consequences.
Francis Galbally, chairman of the encryption provider Senetas, told a Senate committee last week that changing just one part of a telecommunication network could have unforeseen “systemic” effects — exacerbated by the bill’s demand for absolute secrecy.
Dr Mann agreed, arguing that building a new function, such as inserting malicious code into one smartphone’s software update, is a systemic weakness because the technique can be replicated across multiple devices — including by bad actors if they became aware of the capability.
An 11th-hour compromise between the Labor Party — which seems set to support the bill — and the Government promises to define “systemic weakness” and provide additional oversight of TCNs.
But it is not clear exactly what this will mean for technology companies who have to design and develop the functionality.