In the hit US TV series The Wire, police are initially baffled when the criminal suspects they are investigating begin to communicate through photographic messages of clockfaces.
After several seasons of plots driven by the legalities and logistics of setting up telephone intercepts on suspected drug dealers, the police cannot keep up when overheard conversations are replaced by an inscrutable form of pictorial code.
The Wire cops eventually break the clockface code, but they would have a great deal more difficulty in the present if they were chasing criminals using WhatsApp, Wicker, iMessage or other encrypted communications.
Illustration: Mountain People
End-to-end encryption is a code so strong that only the communicating users can read the messages.
As a result, law enforcement agencies the world over are struggling with a wicked problem: what can they do when the suspect or target of investigation “goes dark?”
In Australia, the government claims to have found the solution to that problem in the form of a new law not necessarily to break encryption itself — as an equivalent UK legislation allows — but to co-opt technology companies, device manufacturers and service providers into building the functionality needed for police to do their spying.
The mind-bogglingly complex law, more than a year in the making, passed the Australian parliament on Thursday last week.
The opposition Australian Labor Party shelved its plans to improve the scheme and waved it through in response to overwhelming pressure from the Liberal-National Coalition government, desperate to see it made law before Christmas.
However, with digital rights and technology experts warning that government amendments are confusing or counterproductive, it is questionable whether Australia has finally unscrambled the encryption omelet or set its law enforcement agencies and information technology industry up to fail.
The Telecommunications (Assistance and Access) Act starts with a golden rule about what law enforcement agencies cannot do: they cannot require technology companies to build a “systemic weakness,” or back door, into their products.
Instead, agencies gain new powers to issue notices for companies to render assistance, or build a new capability, to help them snoop on criminal suspects.
Communications Alliance chief executive John Stanton said that his group was concerned about “the breadth and range of activities” law enforcement agencies could require companies to do.
The list of acts or things is long and includes removing one or more forms of electronic protection; providing technical information; facilitating access to services and equipment; installing software; modifying technology; and concealing that the company has done any of the above.
With these compulsory notices subject to varying levels of safeguards police could, for example, send a suspect a notification to update software such as Facebook Messenger that in fact allows police access to their messages.
Agencies might not be able to directly decrypt messages, especially if they are located overseas, such as in the case of Russian app Telegram, a key weakness of the UK security architecture.
However, using these notices, Australian agencies could install keylogger software to enable them to see, keystroke by keystroke, what users type into a message.
Similarly, software could take repeated screenshots that do not break encryption, but photograph everything going in and out of the communications app.
Other examples include modifying a device such as an Apple Home or Amazon Alexa to record audio continuously; requiring a service provider to generate a false Web site that appears to be protected, but is not, similar to a phishing e-mail; or requiring companies to hand over more accurate smartphone geolocation data.
Australian Prime Minister Scott Morrison and Minister for Home Affairs Peter Dutton have characterized the targets of the new law as terrorists, pedophiles and organized criminals.
Numerous parties to a parliamentary committee inquiry, including the Australian Human Rights Commission and the Law Council of Australia, argued that the powers should be limited to the “most serious” criminal and national security offenses.
In a deal with Labor, the government agreed to limit the powers to investigation of terrorism, child sexual offenses or other offenses punishable by a term of three years or more in prison.
That opens the laws up to use on investigations of a very wide range of offenses, including using a telecommunications service to menace, improper use of an emergency call service, possession of equipment used to make identification documentation, interference with political rights and duties and importation of a thing with intent to dishonestly obtain or deal in personal financial information.
Australian Human Rights Commissioner Edward Santow said that Australia had “passed more counterterrorism and national security legislation than any other liberal democracy since 2001.”
One of those bills — the Espionage and Foreign Interference Act passed this year — makes it unlawful for a current or former public servant to communicate information that “is likely to cause harm to Australia’s interests” — including its foreign or economic relations. The offense can be punished by seven years in prison.
That act also contains an offense of “communicating and dealing with information by non-commonwealth officers” with a five-year prison sentence.
So it could be journalists and whistle-blowers, not just pedophiles, in the frame.
Technical assistance requests could be issued to protect “Australia’s national economic well-being,” Santow said.
“It’s really worrying, that’s an incredibly broad concept that goes well beyond the protection of national security,” he said.
The threshold for “serious offense” meant that a person who failed to comply with a notice — for example by refusing to unlock their smartphone — could be jailed for 10 years, “a longer sentence than for the underlying offense” under investigation, Santow said.
“That seems to be a disproportionate impact on human rights,” he said.
Santow suggested that if the public became aware that law enforcement agencies could push an update of WhatsApp, for example, at one targeted user, “it might discourage people from downloading security updates.”
“That could effectively weaken those communications platforms — we are worried about that phenomenon,” he added.
While a law enforcement agency might only be targeting one criminal suspect, that does not mean a technological trap would not harm others.
Patrick Fair, a partner at law firm Baker and McKenzie who represents telecommunications providers, said that “the fear is that an agency will actually build a virus based on information you give them that will be used by bad actors as well if it gets out in the public domain.”
Fair has argued that compromising a messaging system, Web site or cloud-storage system to get at one user might affect others.
“Web services include many things that are shared — they could take down a Web mail system that a whole lot of people use, or create a major vulnerability as they are going after a particular unnamed person,” he said.
Stanton highlighted the example of Wannacry, in which “the biggest ransomware attack the world has ever seen originated with code written by the [US National Security Agency (NSA)].”
“If the NSA — one of the world’s most capable agencies — can lose something that causes damage like that, who’s to say that Australian state police agencies are going to be any less likely to unleash unintended consequences?” he asked.
The Communications Alliance — the lobby group for Australia’s communications industry — was one of the bodies calling for a rethink on the laws, joining an unprecedented campaign that included Digital Industry Group, an industry body representing Google, Facebook, Twitter and Amazon.com.
As the new law includes secrecy provisions, Stanton said that companies would be unwittingly operating networks and devices with security flaws.
“A device manufacturer could be told to make a modification that gets passed on via a service provider who doesn’t know it’s compromised, it’s then very hard to guard against what might flow from that, because they don’t know they’re offering a compromised service,” he said.
Fair has said that law enforcement agencies “ought to go talk to the parties they need information from and let them decide how to get it rather than undermine the system.”
One of the biggest concerns to emerge from inquiry hearings was the risk to Australia’s A$3.2 billion (US$2.31 billion) information technology export sector.
In August, Australia banned Huawei Technologies Co from building its 5G network owing to concerns of potential Chinese government interference, and the access and assistance act could lead to the same distrust of Australian technology abroad.
The precise bounds of the acts or things that companies can be required to do is still untested, but there are fears the access and assistance act will extend the reach of Australia’s controversial metadata retention law — which was passed in 2015.
Loopholes in that law have already allowed 80 agencies to request access to Australians’ metadata when the list was supposed to be limited to just 21.
Communications Alliance program management director Christiane Gillespie-Jones told the inquiry that the new law appears to give agencies the power to use “technical assistance notices” to require tech giants like Facebook and Google’s Gmail to retain users’ metadata, including browsing histories.
When former Australian attorney general George Brandis was selling the coalition’s metadata policy, he famously claimed access to metadata was like capturing “the name and address on the envelope, not the content of the letter.”
The fear is that if technical assistance notices can be used to retain browsing histories, authorities are creeping closer to the content of the letter and not just the envelope.
One of the ironies of the unfolding suite of objections about the bill has been that its greatest safeguard has proved to be its greatest flaw. The original bill failed to define what a “systemic weakness” is, so it was very hard to say what limit was placed on law enforcement agencies’ power to ask tech companies to build a new capability for them.
Government amendments included after the deal with Labor added the definition that a systemic weakness is one that “affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person.”
Fair said the idea of a “whole class of technology” is “nonsense and nobody knows what it refers to,” comments echoed by Stanton.
“Does that mean you can do something to every iPhone because you haven’t also done it to Android phones?” Stanton asked.
Amendments also introduce a new range of safeguards, including the requirement that “technical capability notices” require the sign-off of both the attorney general and communications minister.
They can be disputed to a panel consisting of a former judge and technical expert who assess whether a proposed back door is “reasonable and proportionate” or is an impermissible “systemic weakness.”
However, while those new safeguards apply to “technical capability notices,” they do not apply to “technical assistance notices,” which are in many respects as far-reaching.
The unsatisfactory destination owes much to the ragged journey of the legislative process.
After the bill was unveiled in August, the Parliamentary Joint Committee On Intelligence and Security offered careful scrutiny, preparing to improve it.
Dutton then demanded that Labor pass it, accusing them of “ending any claim to bipartisanship on national security” while Morrison claimed that Labor leader Bill Shorten was “a threat to national security.”
The government cited security agencies’ warnings that they urgently needed the new powers to fight crime and terrorism.
This pressure produced a bipartisan deal, cobbled together in a last-minute rush in the final two days of parliamentary sittings.
Labor produced its own amendments to improve judicial oversight and further clarify the definition of “systemic weakness,” but was forced to drop them to pass the law in the last session on Thursday.
The result was, as Law Council of Australia president Morry Bailes described it: “A situation where unprecedented powers to access encrypted communications are now law, even though parliament knows serious problems exist.”
Former Australian attorney general Mark Dreyfus said Labor “acknowledges that there are legitimate concerns about this legislation,” pointing to a commitment from the government to a further review and consideration of amendments in next year.
“I hope that any unintended consequences of this legislation can be brought to light over the next few months,” Dreyfus said.
However, former Australian independent national security legislation monitor Brett Walker said that it was the issue that is urgent, not this particular solution.
On Monday last week, Walker said that “it is important that a bad bill not be passed and that a bill that is good is passed.”
National security legislation was “not like many laws where we can say we won’t make the perfect enemy of the good,” because they “alter security settings for everyone in the community and once done, it may not be able to be fixed,” he said.
Australia has made itself the guinea pig of the world in testing a regime to circumvent encryption. It is a highly technical experiment being conducted in real time with a legislative process yet again asked to catch up with the messiness and uncertainty of the world of crime and its concealment.
Could Asia be on the verge of a new wave of nuclear proliferation? A look back at the early history of the North Atlantic Treaty Organization (NATO), which recently celebrated its 75th anniversary, illuminates some reasons for concern in the Indo-Pacific today. US Secretary of Defense Lloyd Austin recently described NATO as “the most powerful and successful alliance in history,” but the organization’s early years were not without challenges. At its inception, the signing of the North Atlantic Treaty marked a sea change in American strategic thinking. The United States had been intent on withdrawing from Europe in the years following
My wife and I spent the week in the interior of Taiwan where Shuyuan spent her childhood. In that town there is a street that functions as an open farmer’s market. Walk along that street, as Shuyuan did yesterday, and it is next to impossible to come home empty-handed. Some mangoes that looked vaguely like others we had seen around here ended up on our table. Shuyuan told how she had bought them from a little old farmer woman from the countryside who said the mangoes were from a very old tree she had on her property. The big surprise
The issue of China’s overcapacity has drawn greater global attention recently, with US Secretary of the Treasury Janet Yellen urging Beijing to address its excess production in key industries during her visit to China last week. Meanwhile in Brussels, European Commission President Ursula von der Leyen last week said that Europe must have a tough talk with China on its perceived overcapacity and unfair trade practices. The remarks by Yellen and Von der Leyen come as China’s economy is undergoing a painful transition. Beijing is trying to steer the world’s second-largest economy out of a COVID-19 slump, the property crisis and
As former president Ma Ying-jeou (馬英九) wrapped up his visit to the People’s Republic of China, he received his share of attention. Certainly, the trip must be seen within the full context of Ma’s life, that is, his eight-year presidency, the Sunflower movement and his failed Economic Cooperation Framework Agreement, as well as his eight years as Taipei mayor with its posturing, accusations of money laundering, and ups and downs. Through all that, basic questions stand out: “What drives Ma? What is his end game?” Having observed and commented on Ma for decades, it is all ironically reminiscent of former US president Harry