New, sophisticated decryption technologies available to law enforcement agencies require defined thresholds in law, Michelle Mosey and Adam Henschke write.
Strong encryption helps to protect Australia’s information security and integrity, which is a net benefit to society and the economy. But at the same time, encryption technologies are reducing the capacity of law enforcement and intelligence agencies to access information relevant to national and domestic security.
Current technologies and legislation are incompatible, so Australian law enforcement and intelligence agencies may need to operate in a grey area which lacks legislative direction. Regardless of their professionalism, this introduces risks for information security and human rights.
In a recent ANU National Security College Policy Options Paper, we argue that Australia’s fundamental legal and moral approaches to the collection of encrypted information need to be reconsidered. They must balance community trust with the ability to deploy sophisticated decryption technologies.
Recently, in comparable foreign jurisdictions, we have seen domestically focused law enforcement agencies requesting backdoors be built into encrypted communication devices and applications, for use in particular national security emergencies.
However, such backdoors reduce the security and integrity of our information collectively and over the long term, as it is not possible to ensure they are used only by those agencies. The security of our society relies upon the security of our information. We do not become more secure by increasing its vulnerability.
On this issue, the law has not kept pace with technology. In Australia, the legal basis for information collection remains in the Telecommunication Intercept and Access Act 1979 and the Intelligence Services Act 2001 – both were designed before information was routinely encrypted.
For example, end-to-end encryption is designed so that no third party, including the service provider, has knowledge of the private encryption key which is required to access the plain text communication. Communication service providers are therefore unable to provide plain text communication to domestic law enforcement agencies under warrant. Only the meta-data, or the ‘digital exhaust’ created by the transmission, can be accessed.
Strong encryption has many legitimate uses, including protecting private communication and securing essential government and commercial activities. However, it is also very often used to hide criminal and terrorist activities. In response, government agencies are seeking to decrypt devices, but on the basis of unclear legal guidelines and outdated legislation.
A recent legal case in the US highlights the issues at play. Technology giant Apple was ordered to create software enabling the FBI to bypass the security encryption of an iPhone owned by Syed Farook, one of the San Bernardino shooters.
Apple rejected this order due to the broader consequences of creating such software. It argued there would be repercussions for general information security and reputational harm if consumers became aware that it had the capacity to break into its customers’ phones.
In a world where the question is not if they will be hacked, but when, individuals place a high value on information integrity, security, secrecy and privacy. Compromising the encryption of products and devices, even for law enforcement purposes, can easily undermine trust, economic growth and potentially the commercial viability of many technology firms.
After Apple refused to heed the court’s order to create an access point, the FBI was approached by a foreign private company which successfully cracked the phone’s encryption without a clear legal basis.
This precedent raises significant risks, given the amount of money the FBI was reported to have paid (between $900,000 and $1.3 million). It may inadvertently create a competitive private-sector incentive for firms to compromise the encryption used by many millions of devices around the world. The announcement of the GrayKey ‘unlock tool’, recently advertised as capable of performing up to 3000 iPhone password unlocks for $15,000, is the first high-profile example of a ‘hack for sale’ product.
No information was provided publicly by the FBI outlining its decision-making process, nor the legal basis upon which it engaged the assistance of a foreign private-sector entity. This has worrying consequences.
Domestic law enforcement and intelligence agencies have always required specialised capabilities to access information which would otherwise be inaccessible. Failure to legislate appropriate powers in relation to cyber capabilities has placed government agencies at risk, possibly undermining oversight and reducing public confidence.
For example, malware and spyware developed by the private sector have been used domestically by German authorities since 2011, despite the lack of explicit enabling legislation. As a result, security agencies have been accused of over-reach.
As currently enacted, Australian laws do not set out a process for yielding intelligence from these technologies. We need a more solid legal basis to ensure accountability and public confidence.
The Telecommunication (Intercept and Access) Amendment (Data Retention) Act 2015 is a step in the right direction. It acknowledges the challenges faced by law enforcement due to technological advances and the increasing obsolescence of technologies for which current legislation was designed.
The explanatory documents to the Act outline thresholds pertaining to the use of particular powers by ‘enforcement agencies’ to ensure oversight, proportionality and adherence to human rights while mandating data retention, intercept and access powers. The Act also explicitly excludes content from being retained.
The changing nature of encryption technologies will require legislated powers to determine thresholds at which particularly sophisticated decryption and access tools may be applied for law enforcement efforts against Australian targets. Determining the spectrum of possibilities and identifying thresholds is fraught with misdiagnosis and misinterpretation. And often the full extent of the impact of the information may not be immediately known.
To mitigate these risks, governments can take some concrete steps.
First, they should transparently review the principles behind collecting encrypted information to ensure community trust is balanced with the capability needs of law enforcement and intelligence agencies.
Second, they should legislate to codify the powers and thresholds under which agencies can circumvent strongly encrypted devices.
Finally, these powers need relevant, legislated oversight mechanisms which could be modelled on intelligence oversight already in place in Australia.
Legislating will not address the main concern that lies at the heart of this issue – privacy for users. While the question of how much privacy needs to be relinquished in order to protect the public remains, we cannot expect to trust agencies to respect privacy with no transparency or apparent accountability.