The federal government has recommitted to introducing legislation that would force tech companies to work with law enforcement to decrypt communications – but it still has not detailed how this would work practically.
At Senate Estimates on Monday, it was confirmed that the legislation is being transitioned from the Attorney-General’s office to the new Home Affairs department, which is expected to put a bill forward in the coming months.
Speaking at the Press Club last week, new home affairs minister Peter Dutton confirmed that government would pursue the legislation, which was first announced by former Attorney-General George Brandis last July.
“The government is willing to work with these firms. But we will also introduce legislation to ensure companies providing communications services and devices in Australia have an obligation to assist agencies with decryption,” Mr Dutton said.
“And as a society we should hold these companies responsible when their service is used to plan or facilitate unlawful activity. So we must continue to review and refine our laws to ensure they are fit for purpose.”
Mr Dutton said ubiquitous encryption is a “vital tool” for banking and communications, but could be a “significant obstacle” for criminal investigations.
“We know that more than 90 per cent of counter-terrorism targets are using it for communications, including for attack planning here. Decryption takes time, a precious commodity when threats may materialise in a matter of days or even hours,” he said.
“Law enforcement access to encrypted communications should be on the same basis on telephone and other intercepts, in which companies provide vital and willing assistance in response to court orders.”
Home Affairs secretary Michael Pezzullo confirmed during Estimates that the development of the legislation would move from the Attorney-General’s office to the new Home Affairs department, which is expected to put a bill forward in the coming months.
“Administratively, the work is being done by my colleague the secretary of the Attorney-General’s department, and within that department, but they will be handing it across soon,” Mr Pezzullo said.
Under the administrative arrangements, Mr Dutton will take carriage of the legislation.
“We have not provided him with draft legislation or with advice.”
“It is really a matter for the government and the Cabinet at large as to what it decides about both the form of the legislation, when to put it forward and when to put it to the parliament,” Mr Pezzullo said.
“Then we will obviously operate under the government’s direction.”
Concerns have been raised that the legislation would undermine the effectiveness of all encryption services by obligating companies to create a back door key to decryption.
Various politicians, including the Prime Minister, have repeatedly denied this is the intention, but have been unable to explain how this is so, and what the legislation would actually require.
When questioned by Greens Senator Jordon Steele-John, Mr Pezzullo said the argument that the government is asking for the creation of a back door mechanism is a “cartoon-like assumption”.
“The specifics of any scheme that may or may not be legislated in due course would have regard to those societal balances. You assume that a back door has to be created,” Mr Pezzullo said.
“The challenge for governments and parliaments all around the world is how to ensure that encryption used for legitimate societal purposes are not misused, in the same way the internet is misused through the dark web – that encryption is available to those who use it for legitimate purposes and not otherwise,” he said.
Mr Dutton also denied that government is looking for a back door to bypass encryption.
“The question now is that when you send a message, not by conventional text message, but by an encrypted message app, we can’t get access to that information and that’s the difficulty,” he said.
“I don’t think the legislation has caught up with the current technology. It’s not about hacking into peoples’ services. We’re still talking about a warrant issue.”
“There’s a proposal around where there would be a warrant taken to a separate court that would allow access to be granted to that device or to that app but when we’ve moved away and the criminals are much ahead of this than we are, as lay citizens, they have moved their communications into that area and it’s very hard for agencies to discover that information.”
Senator Steele-John said the decryption bill would set a “dangerous precedent for cyber security”, and the government’s lack of understanding of it is “frightening”.
“[Mr] Pezzullo’s claim that decryption will not undermine end-to-end encryption is complete and utter nonsense,” Senator Steele-John said.
“It’s a pretty simple concept; either both Mr Pezzullo and his department have no understanding of how encryption works, or they assume that nobody else does and have insulted the intelligence of me and my staff in the process,” he said.
“Quite simply the development and implementation of decryption technologies will decrease the security of end-to-end encryption; it is either 100 percent secure or not at all.
“Obligating Australian companies providing telecommunications services and devices to assist government agencies with decryption will fundamentally mean that the data of everyday Australians will no longer be secure.”
Digital rights group Electronic Frontiers Australia is now calling on the government to release the draft legislation for community consultation before it moves any further forward.
“Encryption is a vital technology for all citizens to keep their information safe and secure, so if there is a risk to our collective safety, we should be permitted to have some input into these decisions,” EFA board member Justin Warren told InnovationAus.com.
“Powerful entities coming to agreements behind closed doors is not how these decisions should be made. If the government has nothing to hide then they have nothing to fear from this debate,” he said.
Mr Warren said the government can still not explain how the legislation would work.
“World-renowned cryptography experts have consistently said that it is not possible to provide access to encrypted communications in such a way that only law enforcement can access it without it also becoming vulnerable to cyber criminals.
“Instead, those who ask perfectly reasonable questions about how the government believes it can access encrypted communications without some kind of back door are mocked by those in power,” he said.
The proposed legislation would undermine the Australian government’s focus on cyber security and the digital economy, EFA board member Peter Tonoli said.
“The proposed legislation goes against any semblance of supporting a digital economy,” Mr Tonoli told InnovationAus.com.
“Australian software publishers and hardware manufacturers would be significantly hamstrung, producing devices and software that international purchasers would view as tainted, with embedded technologies that compromise their security and privacy at the behest of the Australian government,” he said.
“A chain is only as strong as its weakest link. If the weakest link is created through political means, or through a back door, then Australia is undermining the security we rely on daily, which is afforded by strong encryption, whether it is in banking, work-related email or speaking with our friends and loved ones.”