Should Australians prepare for rubber-hose cryptanalysis?

Law enforcement peak body wants to make it easier to decrypt communications

So Australians probably don't need to worry about getting their kneecaps broken if they don't hand over their private encryption keys just yet, but the Australian Crime Commission wants changes to the law in order to make it easier for law enforcement to decrypt secret communications.

Appearing yesterday before a Senate committee hearing into potential changes to the Telecommunications (Interception and Access) Act 1979, the ACC's acting CEO, Paul Jevtovic, suggested that some participants in the telco industry are "designing products that support organised crime activity and frustrate law enforcement".

"[I]t is our view if you are manufacturing things like that that you should have an obligation to assist the country in defending itself against organised crime and encryption communications is a classic example of that," Jevtovic.

Pushed by Greens Senator Scott Ludlam, who is chairing the inquiry, Jevtovic acknowledged lawful uses for encryption, but added that "unfortunately organised crime takes what is good technology which helps society, they take it for their own purposes."

"And when we can identify organised crime as having access to it that's when I think industry should be able to help us," the acting ACC CEO added.

A written submission to the inquiry by the ACC advocated for changes to the TIA Act to include an "Obligation imposed on telecommunications service providers to assist law enforcement, including with the decryption of communications."

"The ACC is supportive of measures which require telecommunication service providers, including ancillary service providers, to assist law enforcement with accessing communications where authorised, including offences for not assisting with decrypting communications," as was recommended by a previous parliamentary inquiry, the submission states.

In a number of European nations, not assisting law enforcement organisations with the decryption of data is a criminal offence. For example, the UK's Regulation of Investigatory Powers Act 2000 can require the disclosure of a decryption key necessary to access information "in the interests of national security", "for the purpose of preventing or detecting crime" or "in the interests of the economic well-being of the United Kingdom".

In the US, now-defunct encrypted email provider Lavabit was last year forced to hand over private SSL keys to the FBI, potentially jeopardising the private communications of the service's 400,000 customers.

The Lavabit case drew ire from civil libertarians: "When the court ordered Lavabit to turn over its private encryption keys, it undermined the businesses and technologies we rely on to keep our information safe," an ACLU blog entry argued.

In addition to seeking rules that would force telcos to retain and offer law enforcement access to so-called 'metadata', Judith Lind, executive director, strategy and specialist capabilities at the ACC, told the inquiry that the organisation also wants "assistance from industry and ancillary providers at very much a technical level".

"So sharing knowledge about how their apps work, how their networks work to enable our technicians then to work out how and whether interception can occur," Lind said. "So we're seeking assistance at that level as well as the actual access to the data and services."

4 Comments

PJ

1

Why ruin it for everyone? If encryption isn't secure the only ones who will stop using it will be the criminals.

Tommy

2

It's not as if the local Telcos manage the encryption of most of their users anyway. The data retention of user data will only be applicable to encrypted services provided by the Telco or data which is unencrypted. If I want to create my own encrypted tunnel through the internet it's not like the ISP I am using has any capability to decrypt it. Data retention is more about the collection of users' history and building a profile and browsing habits than it is about catching anyone doing anything.

The_Libertarian

3

Our government are a bunch of totalitarian wannabes who want to spy on everyone and take away our freedoms. Say no to big brother and yes to liberty.

Jay

4

A lot of encryption uses disposable keys ... keys that only exist for a finite time, and without any concept of a permanent private key. And ISPs do not necessarily know what traffic is encrypted (and how many layers of encryption exist ... e.g. encrypted material sent over an encrypted link over an encrypted VPN). So unless the government forces every user of encryption to register with the government then they are going to be flogging a dead horse. It simply will not work.