- A Parliamentary hearing is considering the Morrison Government’s proposed encryption laws
- Telcos receiving “around 1000” requests per day for customer details
- Government denies new laws will force companies to build “back doors” into devices
A parliamentary hearing has been told Australian telcos are receiving “around 1000” requests for customer details every day.
The Communications Alliance told the parliamentary hearing that the number of government agencies that could access people’s phone and internet records, originally limited to 22, had “blown out”.
“There are many more than 22 agencies,” John Stanton from Communications Alliance, the industry peak body, told the ABC.
Telcos are now required to retain such metadata on their customers under laws passed last year.
That metadata covers records of who you call, text or email, when, and from where, but not the content of the communication itself.
Shadow Attorney-General Mark Dreyfus said the figure of 22 was revised down from 80 when the mandatory data retention legislation was passed, but clearly that was not being adhered to.
Stanton says “many state-based agencies have come forward and started using their own state-based powers to request metadata”.
The hearings underway are being held by the Parliamentary Joint Committee on Intelligence and Security, which is examining another controversial communications proposal, the “Assistance and Access” bill.
The time for public comment on the Australian federal government’s draft “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018” closed in early September, and you would struggle to find any positive responses to it.
If the statistics on how much metadata requests have ramped up since the retention laws were put in place last year are alarming, consider this next level.
What the feds are looking for is the power to order security companies and telcos to help law enforcement agencies access encrypted data, i.e. the content you have every right to expect to be protected at all costs.
So not just who you called and where from, but what you spoke about.
And if companies don’t help the government access it, the pressure on them to comply ramps up in three stages:
- A “technical assistance request”. Help is given voluntarily, and the provider and its staff are given immunity from civil liability for giving it.
- Refuse, and we move to the second level. A “technical assistance notice” can be issued to a communications provider by an interception agency, requiring it to give assistance it is already capable of providing.
- And if that doesn’t work, lawyer up in expectation of a “technical capability notice”. That one is issued by the Attorney-General at the request of the interception agency, and the company that gets it has to help law enforcement “by building functionality”, i.e. a capability it does not yet have.
iTWire reports that the third notice “cannot include the decryption of information or removal of electronic protection in any system”.
As you might have guessed, there are penalties for refusing: up to a $50,000 fine for individuals, and up to $10 million for companies that will not help.
To backdoor or not backdoor?
When he introduced the Bill into the House of Representatives, the Minister for Home Affairs, Peter Dutton, reiterated the point that he’s been trying to sell for months, that:
“The legislation will not weaken encryption or mandate backdoors into encryption. The Bill specifically provides that companies cannot be required to create systemic weaknesses in their encrypted products, or be required to build a decryption capability.”
It’s the ropey definitions that have groups such as the Greens and Communications Alliance most on edge. Critics say the term “systemic weaknesses” in particular is loose enough to give the Government the wiggle room to compel companies to build back-door access to their customers’ devices and data.
Cryptography and cyber security expert at the University of Melbourne, Dr Chris Culnane, wrote a lengthy blog post about it, but if you want an excellent truncated version, you can find one here by Stilgherrian at ZDNet.
For example, a company might not be forced to “break a form of electronic protection”. But there is scope for it to be forced to install government software on devices for the purpose of spying on the device user, so that messages are captured on the device itself, before they have been encrypted or after they have been decrypted. The encryption is left intact; the endpoint is compromised instead.
And the ban on “systemic weaknesses”, Culnane says, does not necessarily rule out a backdoor being built in. It could simply mean the backdoor has to be a keyed one, usable only by whoever holds the key.
It’s not just regular everyday Australian users of data-reliant tech that could be affected. If you’re in the security hardware business, or developing any kind of IoT device that stores and manages data, you have to consider that one day your company could be the one in the news headlines, forced to help a federal agency get at its users’ data.
That includes groundbreaking Australian companies such as Quintessence Labs, which manufactures what it describes as the world’s fastest true random number generator.
The company pitches this as a pre-emptive strike against hackers who may one day use quantum computing to crack data encrypted by today’s systems like so many peanuts. (Strictly, better randomness strengthens key generation; resistance to quantum attacks on the ciphers themselves comes from post-quantum algorithms, which is a separate problem.)
You can learn more about how that works here, but Quintessence Labs could easily one day be the subject of a “technical capability notice” under the proposed legislation.
Understandably, CEO Vikram Sharma is cautious about wording his opinion on the draft legislation. He agrees that “we need to see greater detail” in the bill and that “it’s not clear how companies will be expected to meet the request or what resources they’ll need” before the company can assess its full impact on business and customers.
“As it stands, it’s difficult to determine if all the checks and balances are currently in place for such complicated legislation, particularly when it comes to how laws will be enforced (including for international companies),” he says.
However, he says there is a comfortable middle ground to be struck between ramping up the fight against the encryption capabilities of criminals and terrorists and minimising the impact on the privacy and confidentiality of Australian citizens.
“To put this into context, Australian customers already give away much more information than would ever be the subject of this bill – both willingly and unwillingly,” Sharma says.
“Furthermore, requests for user data are specific and targeted, not en masse. With the right framework in place, the integrity of our security capabilities needn’t be compromised.”
Haystack, meet needle
If Quintessence Labs were ever the subject of a “technical capability notice”, Sharma says he would “expect close consultation and acknowledgment of the risks posed to both the Australian cybersecurity sector and the businesses implicated in meeting the request”.
“Domestic and international reputation, integrity, and competitiveness of the Australian cyber security sector must also be protected by this bill,” he said.
“The use of warrants is also an important piece to this puzzle and essential to the protection of regular Australians from overreach.”
But the upshot is that what will happen will happen. If the government wants deeper cybersecurity powers, the best option for telcos and companies like Quintessence Labs is to be as involved as possible in the discussions and, hopefully, help the government bolster its national security capabilities without trampling on citizens’ rights.
Dutton, introducing the Bill, put the government’s case this way: “I’ll describe it as similar to using a pair of precision tweezers to extract a needle from a communication haystack.”
“We’re looking to communication providers to help us pick that needle out of the haystack.”