In the hit US TV series The Wire, police are initially baffled when the criminal suspects they are investigating begin to communicate through photographic messages of clockfaces.
After several seasons of plots driven by the legalities and logistics of setting up telephone intercepts on suspected drug dealers, the police cannot keep up when overheard conversations are replaced by an inscrutable form of pictorial code.
The Wire cops eventually break the clockface code, but they would have a great deal more difficulty in the present if they were chasing criminals using WhatsApp, Wickr, iMessage or other encrypted communications.
Illustration: Mountain People
End-to-end encryption is a code so strong that only the communicating users can read the messages.
As a result, law enforcement agencies the world over are struggling with a wicked problem: what can they do when the suspect or target of investigation “goes dark?”
In Australia, the government claims to have found the solution to that problem in the form of a new law not necessarily to break encryption itself — as equivalent UK legislation allows — but to co-opt technology companies, device manufacturers and service providers into building the functionality needed for police to do their spying.
The mind-bogglingly complex law, more than a year in the making, passed the Australian parliament on Thursday last week.
The opposition Australian Labor Party shelved its plans to improve the scheme and waved it through in response to overwhelming pressure from the Liberal-National Coalition government, desperate to see it made law before Christmas.
However, with digital rights and technology experts warning that government amendments are confusing or counterproductive, it is questionable whether Australia has finally unscrambled the encryption omelet or set its law enforcement agencies and information technology industry up to fail.
The Telecommunications (Assistance and Access) Act starts with a golden rule about what law enforcement agencies cannot do: they cannot require technology companies to build a “systemic weakness,” or back door, into their products.
Instead, agencies gain new powers to issue notices for companies to render assistance, or build a new capability, to help them snoop on criminal suspects.
Communications Alliance chief executive John Stanton said that his group was concerned about “the breadth and range of activities” law enforcement agencies could require companies to do.
The list of acts or things is long and includes removing one or more forms of electronic protection; providing technical information; facilitating access to services and equipment; installing software; modifying technology; and concealing that the company has done any of the above.
With these compulsory notices subject to varying levels of safeguards police could, for example, send a suspect a notification to update software such as Facebook Messenger that in fact allows police access to their messages.
Agencies might not be able to directly decrypt messages, especially if they are located overseas, such as in the case of Russian app Telegram, a key weakness of the UK security architecture.
However, using these notices, Australian agencies could install keylogger software to enable them to see, keystroke by keystroke, what users type into a message.
Similarly, software could take repeated screenshots that do not break encryption, but photograph everything going in and out of the communications app.
Other examples include modifying a device such as an Apple Home or Amazon Alexa to record audio continuously; requiring a service provider to generate a false Web site that appears to be protected, but is not, similar to a phishing e-mail; or requiring companies to hand over more accurate smartphone geolocation data.
Australian Prime Minister Scott Morrison and Minister for Home Affairs Peter Dutton have characterized the targets of the new law as terrorists, pedophiles and organized criminals.
Numerous parties to a parliamentary committee inquiry, including the Australian Human Rights Commission and the Law Council of Australia, argued that the powers should be limited to the “most serious” criminal and national security offenses.
In a deal with Labor, the government agreed to limit the powers to investigation of terrorism, child sexual offenses or other offenses punishable by a term of three years or more in prison.
That opens the laws up to use on investigations of a very wide range of offenses, including using a telecommunications service to menace, improper use of an emergency call service, possession of equipment used to make identification documentation, interference with political rights and duties and importation of a thing with intent to dishonestly obtain or deal in personal financial information.
Australian Human Rights Commissioner Edward Santow said that Australia had “passed more counterterrorism and national security legislation than any other liberal democracy since 2001.”
One of those bills — the Espionage and Foreign Interference Act passed this year — makes it unlawful for a current or former public servant to communicate information that “is likely to cause harm to Australia’s interests” — including its foreign or economic relations. The offense can be punished by seven years in prison.
That act also contains an offense of “communicating and dealing with information by non-commonwealth officers” with a five-year prison sentence.
So it could be journalists and whistle-blowers, not just pedophiles, in the frame.
Technical assistance requests could be issued to protect “Australia’s national economic well-being,” Santow said.
“It’s really worrying, that’s an incredibly broad concept that goes well beyond the protection of national security,” he said.
The threshold for “serious offense” meant that a person who failed to comply with a notice — for example by refusing to unlock their smartphone — could be jailed for 10 years, “a longer sentence than for the underlying offense” under investigation, Santow said.
“That seems to be a disproportionate impact on human rights,” he said.
Santow suggested that if the public became aware that law enforcement agencies could push an update of WhatsApp, for example, at one targeted user, “it might discourage people from downloading security updates.”
“That could effectively weaken those communications platforms — we are worried about that phenomenon,” he added.
While a law enforcement agency might only be targeting one criminal suspect, that does not mean a technological trap would not harm others.
Patrick Fair, a partner at law firm Baker and McKenzie who represents telecommunications providers, said that “the fear is that an agency will actually build a virus based on information you give them that will be used by bad actors as well if it gets out in the public domain.”
Fair has argued that compromising a messaging system, Web site or cloud-storage system to get at one user might affect others.
“Web services include many things that are shared — they could take down a Web mail system that a whole lot of people use, or create a major vulnerability as they are going after a particular unnamed person,” he said.
Stanton highlighted the example of Wannacry, in which “the biggest ransomware attack the world has ever seen originated with code written by the [US National Security Agency (NSA)].”
“If the NSA — one of the world’s most capable agencies — can lose something that causes damage like that, who’s to say that Australian state police agencies are going to be any less likely to unleash unintended consequences?” he asked.
The Communications Alliance — the lobby group for Australia’s communications industry — was one of the bodies calling for a rethink on the laws, joining an unprecedented campaign that included Digital Industry Group, an industry body representing Google, Facebook, Twitter and Amazon.com.
As the new law includes secrecy provisions, Stanton said that companies would be unwittingly operating networks and devices with security flaws.
“A device manufacturer could be told to make a modification that gets passed on via a service provider who doesn’t know it’s compromised, it’s then very hard to guard against what might flow from that, because they don’t know they’re offering a compromised service,” he said.
Fair has said that law enforcement agencies “ought to go talk to the parties they need information from and let them decide how to get it rather than undermine the system.”
One of the biggest concerns to emerge from inquiry hearings was the risk to Australia’s A$3.2 billion (US$2.31 billion) information technology export sector.
In August, Australia banned Huawei Technologies Co from building its 5G network owing to concerns of potential Chinese government interference, and the access and assistance act could lead to the same distrust of Australian technology abroad.
The precise bounds of the acts or things that companies can be required to do are still untested, but there are fears the access and assistance act will extend the reach of Australia’s controversial metadata retention law — which was passed in 2015.
Loopholes in that law have already allowed 80 agencies to request access to Australians’ metadata when the list was supposed to be limited to just 21.
Communications Alliance program management director Christiane Gillespie-Jones told the inquiry that the new law appears to give agencies the power to use “technical assistance notices” to require tech giants like Facebook and Google’s Gmail to retain users’ metadata, including browsing histories.
When former Australian attorney general George Brandis was selling the coalition’s metadata policy, he famously claimed access to metadata was like capturing “the name and address on the envelope, not the content of the letter.”
The fear is that if technical assistance notices can be used to retain browsing histories, authorities are creeping closer to the content of the letter and not just the envelope.
One of the ironies of the unfolding suite of objections about the bill has been that its greatest safeguard has proved to be its greatest flaw. The original bill failed to define what a “systemic weakness” is, so it was very hard to say what limit was placed on law enforcement agencies’ power to ask tech companies to build a new capability for them.
Government amendments included after the deal with Labor added the definition that a systemic weakness is one that “affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person.”
Fair said the idea of a “whole class of technology” is “nonsense and nobody knows what it refers to,” comments echoed by Stanton.
“Does that mean you can do something to every iPhone because you haven’t also done it to Android phones?” Stanton asked.
Amendments also introduce a new range of safeguards, including the requirement that “technical capability notices” require the sign-off of both the attorney general and communications minister.
They can be disputed to a panel consisting of a former judge and technical expert who assess whether a proposed back door is “reasonable and proportionate” or is an impermissible “systemic weakness.”
However, while those new safeguards apply to “technical capability notices,” they do not apply to “technical assistance notices,” which are in many respects as far-reaching.
The unsatisfactory destination owes much to the ragged journey of the legislative process.
After the bill was unveiled in August, the Parliamentary Joint Committee On Intelligence and Security offered careful scrutiny, preparing to improve it.
Dutton then demanded that Labor pass it, accusing them of “ending any claim to bipartisanship on national security” while Morrison claimed that Labor leader Bill Shorten was “a threat to national security.”
The government cited security agencies’ warnings that they urgently needed the new powers to fight crime and terrorism.
This pressure produced a bipartisan deal, cobbled together in a last-minute rush in the final two days of parliamentary sittings.
Labor produced its own amendments to improve judicial oversight and further clarify the definition of “systemic weakness,” but was forced to drop them to pass the law in the last session on Thursday.
The result was, as Law Council of Australia president Morry Bailes described it: “A situation where unprecedented powers to access encrypted communications are now law, even though parliament knows serious problems exist.”
Former Australian attorney general Mark Dreyfus said Labor “acknowledges that there are legitimate concerns about this legislation,” pointing to a commitment from the government to a further review and consideration of amendments next year.
“I hope that any unintended consequences of this legislation can be brought to light over the next few months,” Dreyfus said.
However, former Australian independent national security legislation monitor Brett Walker said that it was the issue that is urgent, not this particular solution.
On Monday last week, Walker said that “it is important that a bad bill not be passed and that a bill that is good is passed.”
National security legislation was “not like many laws where we can say we won’t make the perfect enemy of the good,” because they “alter security settings for everyone in the community and once done, it may not be able to be fixed,” he said.
Australia has made itself the guinea pig of the world in testing a regime to circumvent encryption. It is a highly technical experiment being conducted in real time with a legislative process yet again asked to catch up with the messiness and uncertainty of the world of crime and its concealment.