The Turnbull government has announced plans for legislation to compel tech companies such as Apple, Microsoft, Facebook and Google to unscramble the encrypted communications increasingly used by terrorists and criminals to thwart the efforts of security organisations and the police.
The government’s intention to expand telecommunications security legislation to include ‘over the top’ application and service providers – many of whom are international technology companies – should be welcomed, particularly if the legislation includes the requirement for a warrant to be served prior to encrypted material being decrypted.
Whilst delivering the national security statement on June 13, the Prime Minister highlighted how terrorists and criminals were utilising encrypted electronic communications.
“Encryption for example is a vital piece of security for every user of the Internet, protecting all of us as we go about our lives, from shopping, to banking, to chatting online,” Mr Turnbull said.
“However encrypted messaging applications are also used by criminals and terrorists – at the moment much of this traffic is difficult for our security agencies to decrypt, and indeed for our Five Eyes partners as well.”
The Prime Minister is well known for his use of Wickr and WhatsApp, rather than the unsecure SMS and other electronic text messaging services. He told the ABC in 2015 that “probably the least secure form of messaging is SMS or text messaging because the messages are not encrypted in transit, and they’re not encrypted on the telco’s server.”
“And of course, they [the messages] reside there even after they’ve been deleted for varying periods,” he said.
“I use Wickr as an application. I use a number of others. I use WhatsApp … because they’re superior over-the-top messaging platforms.”
Mr Turnbull is very aware of the need for consumer privacy and electronic security.
But he is equally aware of the need for intelligence and law enforcement agencies to have the tools necessary to carry out their jobs.
Australia’s telecommunication laws were updated earlier this decade (Cybercrime Legislation Amendment Bill 2011) to force carriers and internet service providers (ISPs) to preserve stored communications, when requested by certain domestic authorities (such as the AFP), or when requested by those authorities acting on behalf of nominated foreign countries.
This means a warrant is needed before the police or security agencies can force carriers or ISPs to monitor, capture and store website use, data transmissions, voice and multimedia calls, and all other forms of communication over the digital network.
However, there remained concern that the changes made to the Telecommunications Act 1997 and Telecommunications (Interception and Access) Act 1979 did not adequately address services and applications provided by “over the top” service providers, like Apple, Microsoft, Facebook and Google.
The government’s track record on telecommunications reform has had its ups and downs recently. The bungled Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 outraged privacy advocates because it gave access to stored metadata, without a court order, to more government departments and agencies than is reasonable. And ultimately it is questionable whether personal information is protected from being discovered when metadata is released.
Another recent telecommunications reform bill that continues to attract strong criticism is the Copyright Amendment (Online Infringement) Bill 2015, which “amends the Copyright Act 1968 to enable copyright owners to apply to the Federal Court of Australia for an order requiring a carriage service provider to block access to an online location operated outside Australia that has the primary purpose of infringing copyright or facilitating the infringement of copyright.”
A key reason why the government’s telecommunications reform agenda has been supported in some instances and strongly criticized in others has been its failure to adequately separate national security and serious crime-related legislation from that dealing with other matters, including trade, commerce and consumer law, as well as copyright and intellectual property protection.
Speaking at a press conference on July 14, the Prime Minister said that “internet companies, like the telcos at the moment, will have the obligation to assist the police with getting access to communications and information data that they are lawfully entitled to, in accordance with an appropriate warrant or court order.”
Attorney General George Brandis said that “what we are doing – and I want to emphasise this – is not changing any existing legal principle.”
“It has always been accepted that in appropriate cases, under warrant, there can be lawful surveillance of private communications,” Senator Brandis said.
“What we are doing, is bringing those existing legal obligations up to date.”
Australia is not alone in its efforts to ensure that legislation keeps pace with technology. The legislation follows in the footsteps of the United Kingdom’s Investigatory Powers Act 2016 and New Zealand’s Telecommunications (Interception Capability and Security) Act that was passed in 2013.
The complexity of what the government seeks to achieve should not be underestimated.
There are a large number of ‘over the top’ apps and service providers that operate from jurisdictions that are not likely to support the new security legislation. Does this mean that the government might look to block these ‘over the top’ services that repeatedly fail to unscramble encrypted electronic communications when ordered by a court?
There is also the issue of encrypted virtual private network (VPN) connections, which might be argued are different to messaging and other electronic communications applications.
The new security legislation should be clearly written and targeted to provide security organisations and the AFP with a vital tool in their fight against threats to the nation and serious crime.
It is equally important that the new security legislation does not provide unwarranted and unacceptable outcomes including the opportunity for big corporations, multi-nationals and the myriad of local, state and federal government departments and agencies to gain access to private encrypted communications in circumstances other than that provided for by existing legislation.