law and technology and rock and roll

recent | past | about | rss

Australian AG Wants New Powers To Compel Users To Decrypt Their Communications

Posted by Matt on March 17, 2014         Tagged with: encryption

A while ago I wrote a post which briefly touched on whether the authorities in the UK, Canada and the US could force a suspect to divulge their decryption key. In short, I answered yes, no and maybe, respectively.

Australia's itnews has published an article about a submission from the Australian Attorney General suggesting laws be made which would place new obligations on services which use encryption to protect their data, as well as individual users. This is very, very far away from being a law. This is just the AG's wish list. However, it appears that the law the AG envisions would permit the court to order a service or end user to provide any assistance that intelligence agencies require to decrypt an encrypted communication.

The relevant portion starts on page 19 of the submission and is reproduced below.

Ensuring that agencies are able to lawfully access communications in an intelligible form.

The power to lawfully access communications is only of value if agencies are able to interpret and act upon lawfully accessed information. As the Blunn Report concluded:

The ever increasing range of data products carried over networks, often as a service to other providers, means that that data is often not readily interpreted by the carrier. From the point of view of the intercepting agencies receiving the raw data is of little use and defeats the intention of the scheme which pre-supposes product in useable form.

Agencies historically relied on the small number of service providers in the Australian marketplace to deliver lawfully accessed communications in an intelligible form. The increasing diversity of the telecommunications industry, including the emergence of ancillary service providers, is limiting the effectiveness of such arrangements. Agencies are required to engage with an ever-wider range of providers to maintain their capabilities, many of whom may have had little or no previous engagement with the law enforcement or national security communities.

The Department is also advised that sophisticated criminals and terrorists are exploiting encryption and related counter-interception techniques to frustrate law enforcement and security investigations, either by taking advantage of default-encrypted communications services or by adopting advanced encryption solutions.

The Department’s current view is that law enforcement, anti-corruption and national security agencies should be permitted to apply to an independent issuing authority for a warrant authorising the agency to issue ‘intelligibility assistance notices’ to service providers or other persons. The issuing authority should be permitted to impose conditions or restrictions on the scope of this authority.

Where issued to a service provider, such notices would formalise existing arrangements. Providers would be eligible for compensation on a no profit, no loss basis and would not be subject to criminal liability for failing to comply with such notices—the industry enforcement regime established by the TIA Act and Telecommunications Act would apply.

When issued to a person other than a service provider, such as the subject of a warrant, the Department’s preliminary view is that a notice would operate in a similar fashion to orders made under section 3LA of the Crimes Act 1914. Section 3LA permits agencies that have seized physical hardware, such as a computer or an external hard drive, under a search warrant to apply for a further warrant requiring a person to ‘provide any information or assistance that is reasonable and necessary’ to allow information held on the device to be converted into an intelligible form.

Under this approach, the person receiving a notice would be required to provide ‘information or assistance’ to place information obtained under the warrant into an intelligible form. The person would not be required to hand over copies of the communication in an intelligible form, and, a notice would not compel a person to do something which they are not reasonably capable of doing.

Failure to comply with a notice would constitute a criminal offence, consistent with the Crimes Act. The above approach is consistent with the approach taken by the United Kingdom, which permits officials of law enforcement and national security agencies to, where authorised under a warrant, issue a notice requiring a person to provide assistance in connection with accessing encrypted communications. Similarly, South African law permits agencies to apply to a judicial officer for a direction requiring a person to provide information to the agency to enable the agency to decrypt lawfully intercepted communications.