The government this morning unveiled an exposure draft of its much-anticipated legislative response to the increased use of encrypted communications services.
The bill "will allow law enforcement and interception agencies to access specific communications without compromising the security of a network," said law enforcement and cyber security minister Angus Taylor.
The measures in the bill "expressly prevent the weakening of encryption or the introduction of so-called backdoors," the minister said.
Since the government in July last year first committed to legislation to tackle law enforcement agency access to encrypted communications services, it has repeatedly claimed that any new law would not compel a communications provider to create "backdoors".
The draft bill, unveiled this morning, outlines three types of assistance that may be sought by law enforcement and intelligence agencies. The first is essentially a request for voluntary cooperation on a range of technical measures (which could, for example, include handing over certain types of information or be as simple as an explanation of how a particular service works or the format of certain data).
A second level – "technical assistance notices" – would compel the subject of a notice to assist an agency using already existing capabilities; for example, if a service provider had access to the relevant encryption key, then they could be forced to use it to decrypt a user's data.
The third level of assistance – "technical capability notices" – would force a company to build a whole new technical capability or capabilities to assist agencies. The power is subject to sign-off by the attorney-general.
The list of types of assistance that an agency can seek with either a technical assistance or a capability notice is extensive. A non-exhaustive list includes removing "one or more forms of electronic protection" – i.e. encryption – "that are or were applied by, or on behalf of, the provider"; installing, maintaining or testing software or hardware; facilitating access to a facility, customer equipment, a device, a service or software; assisting with the "testing, modification, development or maintenance of a technology or capability"; and "substituting, or facilitating the substitution of, a service" (i.e. some form of spoofing).
An explanatory document accompanying the government's draft bill states that technical assistance notices and technical capability notices cannot require a service provider "to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection", which includes "forms of encryption or passcode authentication, such as rate limits on a device".
The document adds: "providers cannot be asked to implement or build so-called 'backdoors' into their products or services" [emphasis in original].
That prohibition presumably means that ASIO can't request that WhatsApp build some master key system that allows it to just snoop on anyone's conversations.
The relevant section of the act – 317ZG – is reasonably short. A technical assistance or capability notice must not have the effect of "requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection" or preventing them from fixing a systemic weakness or vulnerability.
In an attempt to assuage concerns, the draft bill goes on to explicitly state that the prohibition covers any requirement to "implement or build a new decryption capability in relation to a form of electronic protection" or to actions that would "render systemic methods of authentication or encryption less effective".
The explanatory document says that "the term systemic refers to actions that impact a broader range of devices and service utilised by third-parties with no connection to an investigation and for whom law enforcement have no underlying lawful authority by which to access their personal data."
"The prohibition clearly limits the ability of a notice to compel a provider to re-design services that feature end-to-end encryption," the document states.
"If a proposed re-design had the effect of removing the default protection that all users of end-to-end encrypted services benefit from and, consequently, made their communications less secure, it would be categorised as requiring a provider to build a systemic weakness or vulnerability into a form of electronic protection."
This is at the heart of the government's claim that the legislation will not introduce backdoors. The draft bill appears to prohibit measures that would, for example, force a service provider to remove end-to-end encryption across the entirety of a service or to operate some kind of key escrow system for law enforcement agencies.
However, the explanatory document notes, a notice "may still require a provider to enable access to a particular service, particular device or particular item of software, which would not systemically weaken these products across the market".
"For example, if an agency were undertaking an investigation into an act of terrorism and a provider was capable of removing encryption from the device of a terrorism suspect without weakening other devices in the market then the provider could be compelled under a technical assistance notice to provide help to the agency by removing the electronic protection," the document states.
"The mere fact that a capability to selectively assist agencies with access to a target device exists will not necessarily mean that a systemic weakness has been built. The nature and scope of any weaknesses and vulnerabilities will turn on the circumstances in question and the degree to which malicious actors are able to exploit the changes required."
"Likewise," it adds, "a notice may require a provider to facilitate access to information prior to or after an encryption method is employed, as this does not weaken the encryption itself".
Essentially the "systemic" backdoor prohibition does not prevent the introduction of backdoor-type features targeting a particular device or user (or particular devices or users).
The big question is how this would unfold in the real world, and the potential unintended consequences for users that aren't the subject of a legitimate investigation – particularly when there will be no transparency about precisely what is happening to the services that many of us rely on.
It is one thing to formally ban actions that would weaken the security of a service, but securely introducing mechanisms to target a particular device or group of devices is a non-trivial task.