The government is close to finalising proposed legislation that it says will boost the ability of law enforcement agencies to access communications using encrypted services.
“Legislation to enable Australian law enforcement and security agencies to adapt to the challenges posed by ubiquitous encryption is in an advanced stage of development,” a spokesperson for the Attorney-General’s Department told Computerworld.
“The government anticipates that it will be introduced in the first quarter of this year,” the spokesperson said.
Last year, then-attorney-general Senator George Brandis indicated that the government was planning to unveil the legislation before the end of 2017 during the spring sittings of parliament.
The Attorney-General’s Department spokesperson didn’t detail the reason for the delay in the introduction of a bill.
In a July 2017 Sky News interview Brandis said that governments and law enforcement and intelligence agencies “have always had the lawful capacity to intercept information” and that “there has always been an obligation on citizens, including corporate citizens, to assist police, in law enforcement matters.”
“So what we’re asking the ISPs and the device makers to do is to accept the same obligation that already applies under existing law, also applies to the new technologies,” Brandis said.
The introduction of legislation to counter the use of encrypted communications services has been foreshadowed by the government for a number of years.
In late 2015, Prime Minister Malcolm Turnbull indicated that the government was looking at how security agencies could address the use of encrypted communications channels by terrorists.
“Rapid developments in communications technology present both opportunities and challenges for our agencies,” Turnbull said in a national security statement delivered in the wake of terrorist attacks in Paris.
Australia’s national cyber security strategy, launched in April 2016, noted that there is “a growing trend for groups and individuals to use encryption to hide illegal activity and motivate others to join their cause”.
“The Government supports the use of encryption to protect sensitive personal, commercial and government information,” the strategy states.
“However, encryption presents challenges for Australian law enforcement and security agencies in continuing to access data essential for investigations to keep all Australians safe and secure. Government agencies are working to address these challenges.”
At the strategy’s launch, Turnbull said the government would seek to work with the private sector to deal with the challenge end-to-end encryption presented to law enforcement organisations.
In mid-2017, following terrorist attacks in London, Turnbull called on “global social media and messaging companies” to facilitate police access to encrypted services such as WhatsApp and Apple iMessage.
Brandis in 2017 said Australia would seek to lead discussions among the nations of the Five Eyes intelligence partnership — comprising Australia, Canada, the UK, the US and New Zealand — on “thwarting the encryption of terrorist messaging”.
However, both the PM and key cyber security advisor Alastair MacGibbon have said the government is not interested in ‘backdoors’ for security agency access to communications services.
Turnbull has indicated the government has a fairly narrow definition of ‘backdoor’, however: It’s “typically a flaw in a software program that perhaps the... developer of the software program is not aware of and that somebody who knows about it can exploit,” the PM said at a July 2017 press conference.
The government has not yet revealed a great deal of detail about how the proposed legislation will function and is yet to spell out how any new laws would deal with end-to-end encryption.
End-to-end encryption services are intended — barring design or implementation flaws — to resist decryption by both the service providers and third parties.
New laws will compel tech companies to “provide assistance to the police to enable them to have access to the information pursuant to a warrant,” Turnbull told the press conference.
Brandis told the same press conference that service providers and device manufacturers will both be subject to the new regime.
The government has indicated that the UK Investigatory Powers Act 2016 (aka the Snoopers' Charter) will be a model.
Under the act, the government can issue a “technical capability notice” to a service provider ordering them to remove “electronic protection applied by or on behalf of that operator to any communications or data” and provide information in an “intelligible form” when requested.
(The UK government is currently staging a public consultation on the legislation after the Court of Justice of the European Union found aspects of the law relating to data retention were in conflict with EU law.)