The Turnbull government has pinpointed specific methods by which tech companies would be expected to reveal encrypted messages despite claiming firms would be left to find solutions, a freedom of information request has revealed.
Responding to an FOI request submitted by Crikey in July, the Attorney-General’s Department identified documents outlining “specific methods and capabilities” firms would be obliged to use to turn over the contents of encrypted communications to law enforcement.
However, the department refused to release the documents, even in redacted form, citing exemptions for national security, cabinet papers and deliberations between agencies.
“While I consider disclosure of this material would serve a general public interest in matters relating to telecommunications security and encryption, my opinion is that the public interest against disclosure outweighs the public interest for disclosure,” AGD assistant secretary Daniel Abraham said.
The response appears to be at odds with Prime Minister Malcolm Turnbull’s insistence that the government would leave it to services such as WhatsApp and Signal to work out exactly how to co-operate with authorities investigating suspected terrorism and other criminality.
Speaking in London in July, the prime minister said that messaging services “must ensure that these dark places can be illuminated by the law so that the freedoms you hold dear will not be stripped away by criminals your technologies have made undetectable”.
But when it came to exactly how they would do so, he added, “the ball is in your court”.
According to the government, about 90% of ASIO’s highest-priority cases are now affected by encryption in some way.
The FOI response to Crikey, however, reignites questions about how exactly the government could go about accessing communications that providers in Silicon Valley and elsewhere insist they can’t view themselves.
“The simple mechanics of this style of encryption means that they literally can’t compel the likes of WhatsApp or Apple to disclose what those messages are,” cybersecurity expert Troy Hunt told Crikey. “They just do not have access to them.”
The government has repeatedly insisted it is not demanding a so-called “backdoor” into encrypted messaging services that could be exploited by hackers and governments alike. But this attempt at clarification has done little to resolve confusion about what the government actually is planning, or the perception that it’s not actually sure itself.
Hunt said it was possible the government was trying to distinguish between inserting vulnerabilities into popular services, and demanding that providers retake possession of messages sent by their customers — which would be the effective end of end-to-end encryption.
“Because that’s really the only way it happens and whether you call it a backdoor or not is almost semantic,” he said.
Hunt added that the most feasible of the options possibly under consideration by the government would not actually touch on messaging services, but the devices on which they were used. By secretly accessing smartphones and computers, a capability already available to law enforcement, authorities would bypass the technical challenges of trying to beat encryption, along with the resistance of messaging services.
“So maybe it then becomes more of a discussion with Apple, Google, Samsung about how do we access messages on devices,” Hunt said, “as opposed to how do we try to get them while they are flying across the air.”
So they should, especially in this climate. If you have nothing to hide, it won’t hurt, will it?
Until a government or tyrant decides that things you do or say now are no longer compatible with a future outlook. It only takes a minor crisis to necessitate major legislative change. Unless you’re publicly stating that opinion intentionally, in which case, bravo.
A tonne of privacy for, possibly, kinda-sorta, with luck a gram of security.
I’m convinced of the essentially benign good intentions of this & future governments.
Aren’t you?
Watch for a raft of encryption appearing as freeware and no “firm” attached or liable. Governments are so desperate to control their own citizens. In any case it looks more likely that mega-corporations will be the ultimate rulers over Government. United Corporations of America anyone?
The government’s plan is obvious. They aren’t demanding a “back door,” simply specifying that suppliers of encryption services create a way to decode messages on request. In other words they plan to force these services to create a back door that the service will need to use themselves on demand of the government.