(HRW) – The Australian government should not force technology companies to weaken the security of their products or to subvert encryption, Human Rights Watch said last week in a letter to Prime Minister Malcolm Turnbull. That strategy would undermine cybersecurity for all users and would not stop determined criminals from using encryption.
On July 14, 2017, Turnbull announced new legislation to require device manufacturers and internet companies to provide “appropriate assistance” to intelligence and law enforcement agencies to access encrypted communications. Turnbull, along with Attorney General George Brandis and the acting commissioner of the Australian Federal Police, Michael Phelan, stated that encryption was thwarting the government’s ability to monitor and investigate serious crime.
“Governments are obliged to investigate and prosecute serious crimes, but any policy response should not do more harm than good, and needs to be effective,” said Elaine Pearson, Australia director at Human Rights Watch. “Unfortunately, Prime Minister Turnbull’s proposal may fail on both counts and could undermine cybersecurity and human rights worldwide.”
Governments have many ways to sharpen investigatory capability without undercutting the security of ordinary users, Human Rights Watch said. They could invest in modernizing investigation techniques and increasing resources and training in tools already at their disposal, consistent with human rights requirements. Any limitations encryption poses to police capabilities are greatly offset by the explosion of new kinds of investigatory material enabled by the digital world, including location information and vast stores of metadata that are not encrypted.
The Australian government previously proposed a coordinated approach to encryption at a June 26 meeting of the Five Eyes intelligence partnership, which also includes the United States, United Kingdom, Canada, and New Zealand, and the July 5 G20 summit. The prime minister provided few new details about the proposed legislation in the news conference to announce the legislation. When asked what kind of “assistance” companies would be required to provide, Turnbull said that he did not seek a “back door” into encrypted services, but nonetheless expected companies to ensure access to all data in unencrypted form.
However, for end-to-end encrypted applications like WhatsApp or iMessage or data stored on iPhones, companies cannot turn over unscrambled data nor the encryption keys, even with a court order, because they do not retain the keys. Only the sender and recipient can unscramble the information. The only way for companies to access unencrypted data is to introduce a deliberate vulnerability into their design – that is, a “back door” – or remove end-to-end encryption altogether.
The overwhelming consensus of information security experts and even some high-ranking former intelligence officials is that no technical solution would allow law enforcement agencies to decrypt communications without creating vulnerabilities that would expose all users to harm. Once back doors are introduced, malicious hackers and cybercriminals will seek them out, sell them on private grey markets, or exploit them for abuse or profit. Europol has also warned that “solutions that intentionally weaken technical protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well.”
Companies are incorporating strong encryption into products in response to a range of threats from cybercriminals, data thieves, and malicious hackers. Encryption is a critical tool in their fight to secure users from these threats. Any requirement to weaken encryption flies in the face of global efforts to shore up cybersecurity, Human Rights Watch said.
Limiting strong encryption in Australia, or even across Australia’s closest allies like the Five Eyes alliance, is also unlikely to prevent bad actors from using it. A recent global survey of encryption confirms that determined criminals could easily shift to many available foreign alternatives that would not be subject to Australian law. Those most harmed by anti-encryption legislation are the millions of ordinary users with no connection to wrongdoing whose cybersecurity would be compromised. The harm may be even more serious for journalists and activists who regularly use encrypted applications to protect sources and victims from reprisals.
Turnbull stated that the bill would be modeled after the UK’s 2016 Investigatory Powers Act (IP Act). The UK legislation allows authorities to serve “technical capability notices” on a broad range of internet companies. These notices will require firms to “provide and maintain the capability to disclose, where reasonably practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of” the operator. These notices can be used to facilitate not only targeted surveillance, but also mass surveillance, collection of metadata, and government hacking.
The precise scope of what these notices may require remains unclear, especially for operators who do not retain encryption keys. The draft implementing regulations do not clarify whether these companies will be required to alter the design of their products or build a “back door” into encryption. Contradictory statements from UK officials have not clarified the matter, nor shed light on how this approach would avoid undermining cybersecurity or prevent bad actors from using non-UK alternatives.
Just as troubling, the UK Investigatory Powers Act can also require some tech companies to notify authorities of new products or services before they are introduced so that authorities can assess whether new “technical capabilities” may be required. This potentially provides the government the ability to influence product design to facilitate surveillance, including whether and how encryption can be used.
“The UK Investigatory Powers Act is no model for any government that cares about protecting the security of online communications,” Pearson said. “If other governments follow this example, no one could trust the security of the mobile phones and applications we use every day.”
The UK parliament still needs to approve the implementing regulations before government officials can issue the new technical capability notices. However, once regulations are in place, the public may know very little about how they are used, since notices will be served and negotiated with companies secretly.
These overreaching provisions are among the reasons why whistleblower Edward Snowden described the IP Act as legalizing “the most extreme surveillance in the history of Western democracy.”
“Australia’s approach to encryption will most likely be emulated by other countries in the region,” Pearson said. “If Turnbull wants to show true leadership, Australia should become a model for how countries can investigate effectively in a world with strong encryption, not endorse policies that would undermine cybersecurity and human rights.”
This report prepared by Human Rights Watch.