In the hit US TV series The Wire, police are initially baffled when the criminal suspects they are investigating begin to communicate through photographic messages of clockfaces.
After several seasons of plots driven by the legalities and logistics of setting up telephone intercepts on suspected drug dealers, the police cannot keep up when overheard conversations are replaced by an inscrutable form of pictorial code.
The Wire cops eventually break the clockface code, but they would have a great deal more difficulty in the present if they were chasing criminals using WhatsApp, Wicker, iMessage or other encrypted communications.
Illustration: Mountain People
End-to-end encryption is a code so strong that only the communicating users can read the messages.
As a result, law enforcement agencies the world over are struggling with a wicked problem: what can they do when the suspect or target of investigation “goes dark?”
In Australia, the government claims to have found the solution to that problem in the form of a new law not necessarily to break encryption itself — as an equivalent UK legislation allows — but to co-opt technology companies, device manufacturers and service providers into building the functionality needed for police to do their spying.
The mind-bogglingly complex law, more than a year in the making, passed the Australian parliament on Thursday last week.
The opposition Australian Labor Party shelved its plans to improve the scheme and waved it through in response to overwhelming pressure from the Liberal-National Coalition government, desperate to see it made law before Christmas.
However, with digital rights and technology experts warning that government amendments are confusing or counterproductive, it is questionable whether Australia has finally unscrambled the encryption omelet or set its law enforcement agencies and information technology industry up to fail.
The Telecommunications (Assistance and Access) Act starts with a golden rule about what law enforcement agencies cannot do: they cannot require technology companies to build a “systemic weakness,” or back door, into their products.
Instead, agencies gain new powers to issue notices for companies to render assistance, or build a new capability, to help them snoop on criminal suspects.
Communications Alliance chief executive John Stanton said that his group was concerned about “the breadth and range of activities” law enforcement agencies could require companies to do.
The list of acts or things is long and includes removing one or more forms of electronic protection; providing technical information; facilitating access to services and equipment; installing software; modifying technology; and concealing that the company has done any of the above.
With these compulsory notices subject to varying levels of safeguards police could, for example, send a suspect a notification to update software such as Facebook Messenger that in fact allows police access to their messages.
Agencies might not be able to directly decrypt messages, especially if they are located overseas, such as in the case of Russian app Telegram, a key weakness of the UK security architecture.
However, using these notices, Australian agencies could install keylogger software to enable them to see, keystroke by keystroke, what users type into a message.
Similarly, software could take repeated screenshots that do not break encryption, but photograph everything going in and out of the communications app.
Other examples include modifying a device such as an Apple Home or Amazon Alexa to record audio continuously; requiring a service provider to generate a false Web site that appears to be protected, but is not, similar to a phishing e-mail; or requiring companies to hand over more accurate smartphone geolocation data.
Australian Prime Minister Scott Morrison and Minister for Home Affairs Peter Dutton have characterized the targets of the new law as terrorists, pedophiles and organized criminals.
Numerous parties to a parliamentary committee inquiry, including the Australian Human Rights Commission and the Law Council of Australia, argued that the powers should be limited to the “most serious” criminal and national security offenses.
In a deal with Labor, the government agreed to limit the powers to investigation of terrorism, child sexual offenses or other offenses punishable by a term of three years or more in prison.
That opens the laws up to use on investigations of a very wide range of offenses, including using a telecommunications service to menace, improper use of an emergency call service, possession of equipment used to make identification documentation, interference with political rights and duties and importation of a thing with intent to dishonestly obtain or deal in personal financial information.
Australian Human Rights Commissioner Edward Santow said that Australia had “passed more counterterrorism and national security legislation than any other liberal democracy since 2001.”
One of those bills — the Espionage and Foreign Interference Act passed this year — makes it unlawful for a current or former public servant to communicate information that “is likely to cause harm to Australia’s interests” — including its foreign or economic relations. The offense can be punished by seven years in prison.
That act also contains an offense of “communicating and dealing with information by non-commonwealth officers” with a five-year prison sentence.
So it could be journalists and whistle-blowers, not just pedophiles, in the frame.
Technical assistance requests could be issued to protect “Australia’s national economic well-being,” Santow said.
“It’s really worrying, that’s an incredibly broad concept that goes well beyond the protection of national security,” he said.
The threshold for “serious offense” meant that a person who failed to comply with a notice — for example by refusing to unlock their smartphone — could be jailed for 10 years, “a longer sentence than for the underlying offense” under investigation, Santow said.
“That seems to be a disproportionate impact on human rights,” he said.
Santow suggested that if the public became aware that law enforcement agencies could push an update of WhatsApp, for example, at one targeted user, “it might discourage people from downloading security updates.”
“That could effectively weaken those communications platforms — we are worried about that phenomenon,” he added.
While a law enforcement agency might only be targeting one criminal suspect, that does not mean a technological trap would not harm others.
Patrick Fair, a partner at law firm Baker and McKenzie who represents telecommunications providers, said that “the fear is that an agency will actually build a virus based on information you give them that will be used by bad actors as well if it gets out in the public domain.”
Fair has argued that compromising a messaging system, Web site or cloud-storage system to get at one user might affect others.
“Web services include many things that are shared — they could take down a Web mail system that a whole lot of people use, or create a major vulnerability as they are going after a particular unnamed person,” he said.
Stanton highlighted the example of Wannacry, in which “the biggest ransomware attack the world has ever seen originated with code written by the [US National Security Agency (NSA)].”
“If the NSA — one of the world’s most capable agencies — can lose something that causes damage like that, who’s to say that Australian state police agencies are going to be any less likely to unleash unintended consequences?” he asked.
The Communications Alliance — the lobby group for Australia’s communications industry — was one of the bodies calling for a rethink on the laws, joining an unprecedented campaign that included Digital Industry Group, an industry body representing Google, Facebook, Twitter and Amazon.com.
As the new law includes secrecy provisions, Stanton said that companies would be unwittingly operating networks and devices with security flaws.
“A device manufacturer could be told to make a modification that gets passed on via a service provider who doesn’t know it’s compromised, it’s then very hard to guard against what might flow from that, because they don’t know they’re offering a compromised service,” he said.
Fair has said that law enforcement agencies “ought to go talk to the parties they need information from and let them decide how to get it rather than undermine the system.”
One of the biggest concerns to emerge from inquiry hearings was the risk to Australia’s A$3.2 billion (US$2.31 billion) information technology export sector.
In August, Australia banned Huawei Technologies Co from building its 5G network owing to concerns of potential Chinese government interference, and the access and assistance act could lead to the same distrust of Australian technology abroad.
The precise bounds of the acts or things that companies can be required to do is still untested, but there are fears the access and assistance act will extend the reach of Australia’s controversial metadata retention law — which was passed in 2015.
Loopholes in that law have already allowed 80 agencies to request access to Australians’ metadata when the list was supposed to be limited to just 21.
Communications Alliance program management director Christiane Gillespie-Jones told the inquiry that the new law appears to give agencies the power to use “technical assistance notices” to require tech giants like Facebook and Google’s Gmail to retain users’ metadata, including browsing histories.
When former Australian attorney general George Brandis was selling the coalition’s metadata policy, he famously claimed access to metadata was like capturing “the name and address on the envelope, not the content of the letter.”
The fear is that if technical assistance notices can be used to retain browsing histories, authorities are creeping closer to the content of the letter and not just the envelope.
One of the ironies of the unfolding suite of objections about the bill has been that its greatest safeguard has proved to be its greatest flaw. The original bill failed to define what a “systemic weakness” is, so it was very hard to say what limit was placed on law enforcement agencies’ power to ask tech companies to build a new capability for them.
Government amendments included after the deal with Labor added the definition that a systemic weakness is one that “affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person.”
Fair said the idea of a “whole class of technology” is “nonsense and nobody knows what it refers to,” comments echoed by Stanton.
“Does that mean you can do something to every iPhone because you haven’t also done it to Android phones?” Stanton asked.
Amendments also introduce a new range of safeguards, including the requirement that “technical capability notices” require the sign-off of both the attorney general and communications minister.
They can be disputed to a panel consisting of a former judge and technical expert who assess whether a proposed back door is “reasonable and proportionate” or is an impermissible “systemic weakness.”
However, while those new safeguards apply to “technical capability notices,” they do not apply to “technical assistance notices,” which are in many respects as far-reaching.
The unsatisfactory destination owes much to the ragged journey of the legislative process.
After the bill was unveiled in August, the Parliamentary Joint Committee On Intelligence and Security offered careful scrutiny, preparing to improve it.
Dutton then demanded that Labor pass it, accusing them of “ending any claim to bipartisanship on national security” while Morrison claimed that Labor leader Bill Shorten was “a threat to national security.”
The government cited security agencies’ warnings that they urgently needed the new powers to fight crime and terrorism.
This pressure produced a bipartisan deal, cobbled together in a last-minute rush in the final two days of parliamentary sittings.
Labor produced its own amendments to improve judicial oversight and further clarify the definition of “systemic weakness,” but was forced to drop them to pass the law in the last session on Thursday.
The result was, as Law Council of Australia president Morry Bailes described it: “A situation where unprecedented powers to access encrypted communications are now law, even though parliament knows serious problems exist.”
Former Australian attorney general Mark Dreyfus said Labor “acknowledges that there are legitimate concerns about this legislation,” pointing to a commitment from the government to a further review and consideration of amendments in next year.
“I hope that any unintended consequences of this legislation can be brought to light over the next few months,” Dreyfus said.
However, former Australian independent national security legislation monitor Brett Walker said that it was the issue that is urgent, not this particular solution.
On Monday last week, Walker said that “it is important that a bad bill not be passed and that a bill that is good is passed.”
National security legislation was “not like many laws where we can say we won’t make the perfect enemy of the good,” because they “alter security settings for everyone in the community and once done, it may not be able to be fixed,” he said.
Australia has made itself the guinea pig of the world in testing a regime to circumvent encryption. It is a highly technical experiment being conducted in real time with a legislative process yet again asked to catch up with the messiness and uncertainty of the world of crime and its concealment.
Because much of what former US president Donald Trump says is unhinged and histrionic, it is tempting to dismiss all of it as bunk. Yet the potential future president has a populist knack for sounding alarums that resonate with the zeitgeist — for example, with growing anxiety about World War III and nuclear Armageddon. “We’re a failing nation,” Trump ranted during his US presidential debate against US Vice President Kamala Harris in one particularly meandering answer (the one that also recycled urban myths about immigrants eating cats). “And what, what’s going on here, you’re going to end up in World War
Earlier this month in Newsweek, President William Lai (賴清德) challenged the People’s Republic of China (PRC) to retake the territories lost to Russia in the 19th century rather than invade Taiwan. He stated: “If it is for the sake of territorial integrity, why doesn’t [the PRC] take back the lands occupied by Russia that were signed over in the treaty of Aigun?” This was a brilliant political move to finally state openly what many Chinese in both China and Taiwan have long been thinking about the lost territories in the Russian far east: The Russian far east should be “theirs.” Granted, Lai issued
On Tuesday, President William Lai (賴清德) met with a delegation from the Hoover Institution, a think tank based at Stanford University in California, to discuss strengthening US-Taiwan relations and enhancing peace and stability in the region. The delegation was led by James Ellis Jr, co-chair of the institution’s Taiwan in the Indo-Pacific Region project and former commander of the US Strategic Command. It also included former Australian minister for foreign affairs Marise Payne, influential US academics and other former policymakers. Think tank diplomacy is an important component of Taiwan’s efforts to maintain high-level dialogue with other nations with which it does
On Sept. 2, Elbridge Colby, former deputy assistant secretary of defense for strategy and force development, wrote an article for the Wall Street Journal called “The US and Taiwan Must Change Course” that defends his position that the US and Taiwan are not doing enough to deter the People’s Republic of China (PRC) from taking Taiwan. Colby is correct, of course: the US and Taiwan need to do a lot more or the PRC will invade Taiwan like Russia did against Ukraine. The US and Taiwan have failed to prepare properly to deter war. The blame must fall on politicians and policymakers