Government Affairs Blog
January 14, 2019
AUSTRALIA’S NEW ENCRYPTION LAW: WHAT DOES IT MEAN TO THE COMMUNICATIONS INDUSTRY?
On December 8th the government of Australia enacted a statute designed to help law enforcement and intelligence agencies overcome technical barriers to lawful electronic surveillance. The most notable provisions of the statute would help monitor criminals, spies and terrorists whose communications are encrypted. How exactly will the new “Encryption Act” work, and what are the implications for the communications industry?
The ‘Going Dark’ Problem
Australia’s Telecommunications and Other Amendments (Assistance and Access) Act 2018 (the Encryption Act) was adopted to help government investigators implement court orders for lawful surveillance without crashing into the technical brick wall of encryption. For years law enforcement agencies in democracies worldwide had complained that they were ‘going dark’ because they could not decipher the lawfully intercepted communications. The gradual deployment of strong encryption had made the task increasingly difficult.
In the U.S. the “CALEA” lawful surveillance statute attempted to solve the encryption problem, but the measure was ineffective. A provision of the mandate required the communications industry to install surveillance solutions that would decipher encrypted communications. Unfortunately, the 1994 law failed to keep pace with modern encryption configurations.
Privacy groups actively opposed ideas to save investigations from going dark. In their view, any technique powerful enough to translate an encrypted phone call, email, or SMS message into plain text could be acquired and exploited by hackers to invade the privacy of innocent users. The activists rightly argued that communications privacy was vital to win subscriber trust.
How Australia’s Encryption Act Addresses the Going Dark Problem
Australia’s Encryption Act enables lawful access to a suspect’s encrypted messages. The Act applies to all “designated communications providers” (DCPs). This category includes not only traditional communication service providers such as telephone companies and wireless carriers but also VoIP providers, satellite operators, web site hosts, and telecom equipment vendors. Any communications industry competitor that operates facilities in Australia – or otherwise serves an Australian user – is apparently subject to the law.
The Act paves a path to decryption for both law enforcement and national security investigators. Specifically, the beneficiaries include the Australian Security and Intelligence Organisation, the Australian Secret Intelligence Service, the Australian Signals Directorate, the Australian Federal police, the Australian Crime Commission, and the state and territory police forces.
Under the Act, the government may serve a DCP with any of three legal instruments. The first and least onerous document is the “technical assistance request.” A technical assistance request seeks surveillance support on a voluntary basis. For example, the government could question Apple about the encryption program applied to its iPhones. It could also inquire about how to access encrypted messages stored in an iPhone. The exact scope of the voluntary assistance was left undefined.
More burdensome is the “technical assistance notice.” This legal instrument is compulsory. A technical assistance notice may require a DCP to activate an existing decryption capability to access suspect communications or user logs. Presumably, this mandatory measure would be invoked only where a DCP refuses to help voluntarily.
The last form of assistance, called the “technical capability notice,” is also compulsory. It would require a DCP to develop a new decryption capability. For example, it may compel a DCP to provide law enforcement with a suspect’s password, if possible, or make the suspect’s communications accessible through a push technology.
As you would expect, anyone who fails to comply with either of the above-described notices could be fined.
How the Act Addresses Security and Privacy
The authors of the Encryption Act considered the risk of creating encryption “backdoors” that might be exploited by bad guys. Accordingly, the Act stated that a DCP shall not be forced to build a “systematic weakness or “systematic vulnerability” into its infrastructure. A systematic weakness or vulnerability was defined as a technical condition that would “affect a whole class of technology,” as opposed to “a particular person.” Observers say these definitions will likely be interpreted through case-by-case litigation.
Members of the Australian parliament wanted the Encryption Act to include additional provisions for security and privacy. To accommodate these political leaders, the government adopted the Act with a promise to discuss further modifications in 2019.
The Impact of the Act on the Communications Industry
The Encryption Act imposes a potentially expensive regulatory burden. In particular, the open-ended technical capability notice could expose a service provider to any kind of encryption-related technical mandate. On the other hand, the Act provides cost-based reimbursement for entities subject to such demands.
Also consider that the Act may impact some communications competitors heavily and others not at all. Regrettably, the service providers that undertook the greatest efforts to secure their networks with strong encryption may now be forced to expend the greatest resources to penetrate that security for the sake of improved surveillance. These entities are inferably the ones that marketed to the most privacy-minded customers. Thus, the new law may erode their competitive advantage. The harm may not be too significant, however, as long as Australia observes standards for surveillance and security that apply equally to all competitors.
Possibly, an international competitor with only a token presence in Australia could be forced to rearchitect its encryption infrastructure throughout its global network. In effect, Australia could dictate surveillance practices in other countries, even those that prioritize subscriber privacy. It is unclear how these policy conflicts would be resolved.
Further complicating the risk of a surveillance-privacy conflict, the U.S. and other countries may learn from Australia’s example and adopt decryption laws of their own. The intelligence alliance known as the “Five Eyes” – consisting of the U.S., Canada, the United Kingdom, Australia, and New Zealand – has spent years lobbying for relief from the blinding effect of encryption. If all these governments adopt decryption mandates, the communications industry may struggle to reconcile the potentially divergent technical assistance demands.
One overriding factor may ultimately iron out the above-described regulatory wrinkles. All democracies experience similar needs for lawful surveillance and privacy. Cool-headed diplomacy could produce an international consensus that balances the two policy goals. In fact, the U.S. has already negotiated treaties of law enforcement cooperation called “mutual legal assistance treaties” with numerous countries worldwide. Moreover, the U.S. Congress is gravitating towards a bipartisan national privacy law that would emulate the privacy framework of the European Union.
How Industry Service Providers Should Comply with the Act
The Encryption Act does not require covered communications service providers to take any immediate compliance steps. Instead, the tasks will emerge ad hoc as the Australian government may decide. The first providers to be contacted will probably be those with the largest subscriber bases. After all, the biggest networks tend to witness the greatest volume of illegal activity.
Smart service providers will not wait for an Encryption Act mailing from the government. They will take inventory of their encryption capabilities now.
To begin with, a provider should amass literature that answers the kind of encryption-related questions a law enforcement agency might ask in a technical assistance request. What type of encryption is employed in which services and features? Can the encrypted communications be decrypted today? If not, what types of technical modifications would be needed to meet that goal? How could the decryption solution minimize the risk of a systematic weakness or systematic vulnerability?
Next, each service provider should study the feasibility of its decryption options. It should specifically examine how the cost of complying with a technical assistance notice or technical capability notice may be compensated through the government’s cost-recovery process. To decrypt a given type of communication, would the resource burden be prohibitive? If so, that fact should be documented. It could prove decisive when contesting a technical capability notice.
After completing the above-described analyses, a service provider could request a meeting with Australian law enforcement to present its compliance strategy. Law enforcement officials respect industry members that position themselves as good corporate citizens. Meanwhile, the public-private meeting could help manage regulatory expectations.
A new and technically-challenging regulatory mandate like Australia’s Encryption Act is bound to increase the communications industry’s potential liability. However, a little planning and talking with regulators could substantially mitigate the risk.
January 4, 2019
Subsentio General Counsel Joel Margolis Interviewed by Corporate Counsel Magazine
Last week Corporate Counsel Magazine interviewed Subsentio General Counsel Joel Margolis. The reporter asked Joel about Subsentio’s comments in the pending Department of Commerce rule making proceeding on advanced technologies. In the comments, Subsentio had proposed a novel approach for the administration of export controls governing advanced surveillance technologies. The approach would create a streamlined process of approvals for exporters who qualify as “trusted” parties.
For the full article, please click the link below.
November 14, 2018
HOW ARE LAW ENFORCEMENT INVESTIGATIONS AFFECTED BY THE SUPREME COURT’S RULING ON WIRELESS LOCATION PRIVACY?
I recently moderated a legal seminar in Washington, D.C. on the issue of wireless location privacy. The seminar was hosted by the Federal Communications Bar Association, and the panelists represented a variety of opposing interests. In a series of questions, I asked them how law enforcement investigations are affected by the Supreme Court’s June 22, 2018 ruling in Carpenter v. US. The panelists’ reactions were not as divisive as you might think.
Based on the seminar, Carpenter is impacting law enforcement investigations significantly, despite the open-ended nature of the ruling. At the same time, the ruling’s loose logic will likely spawn a generation of litigation to strengthen privacy protection for other types of personal data.
The Carpenter Ruling
Carpenter v US held that wireless communication subscribers have a reasonable expectation of privacy in the long-term accumulation of records that track their wireless locations because the records reveal personal details about their lives, and therefore law enforcement investigators may collect such data only after qualifying for a judicial warrant, which requires them to serve a judge with a demonstration of probable cause. Probable cause is a higher standard of due process than the “2703(d)” hurdle widely observed in the pre-Carpenter days.
The Carpenter ruling was controversial. To begin with, courts had traditionally applied the legal standard of probable cause only to communications content such as phone conversations, email and SMS texts, and everything an internet user may view and hear during a browsing session. Carpenter applied probable cause to the non-content realm of wireless location records.
Another novel feature of Carpenter downplayed the traditional “Third Party Doctrine” of privacy protection. The Third Party Doctrine instructed that “business records” produced by activities such as phone calls, banking transactions, credit card charges, and hotel reservations were not private for purposes of the Fourth Amendment, and therefore not subject to the probable cause standard, because the customers of these services shared those personal details with their third party service providers. Carpenter held that wireless location records deserve Fourth Amendment protection even though subscribers share the information with their wireless carriers.
Yet another oddity of Carpenter appeared in a footnote. The incidental remark stated that wireless location records lasting as long as seven days would receive Fourth Amendment status but a shorter span of location data might not. In response, observers questioned why seven days of such data should deserve any more privacy protection than six days or five.
The Consensus Interpretation of the Ruling
One of the panelists at the above-described seminar was a high-ranking attorney in the Department of Justice. Another was a senior counsel in a Tier I communications company. The third was a spokesperson for a leading public interest group that watchdogs government surveillance. And the last was a Fourth Amendment scholar with the National Association of Criminal Defense Lawyers. You might expect these diverse experts to present different interpretations of the Carpenter case. They did not.
All four experts agreed Carpenter raised as many questions as it answered. What should be the scope of the probable cause standard now that it covers at least one type of non-content communications? How will judges know whether and how to apply the Third Party Doctrine to all the myriad types of personal business records shared with service providers? Should wireless carriers insist on probable cause-based warrants, as opposed to 2703(d) orders, before fulfilling all law enforcement requests for location records, regardless of whether the covered timeframe extends as long as seven days?
The last question may be yielding to a practical result. When the communications provider panelist was asked how his company’s law enforcement assistance staff applies Carpenter, he said they “hold law enforcement to the highest standard.” He explained that they expect warrants for all location records requests, even those with one-day timeframes, while accepting lower levels of due process in emergency situations, as the Carpenter Court allowed.
The DOJ representative was asked how Carpenter has changed the government’s efforts to gather location data. He said their current policy is to meet the probable cause standard as often as possible, even when requesting fewer than seven days of records. However, he warned that the new practice makes it harder to solve crimes.
These responses indicate that Carpenter has substantially raised the bar for nearly all law enforcement requests involving location records.
The Consensus Prediction of Outcomes from the Ruling
The four panelists also offered similar predictions of how Carpenter will shape future investigations. They all expect abundant litigation over the questions left unanswered by the case. For example, now that law enforcement must show top-level due process to obtain records of a suspect’s past wireless locations, the investigators may eventually be held to the same high standard before engaging in real-time location monitoring.
Likewise, now that location data is subject to probable cause, other types of communications metadata may gradually fall under the same legal standard. Knowing who called a suspect, and who the suspect called, can be revealing about the individual’s personal life.
Conceivably, we may see legal fights over the Fourth Amendment treatment of non-communications records. Some examples include video surveillance data, facial recognition data, data generated by the “internet of things,” and of course, the records kept by banks, credit card companies and hotels.
August 14, 2018
HOW WILL AUSTRALIA FACILITATE LAWFUL SURVEILLANCE OF ENCRYPTED COMMUNICATIONS?
The Australian government recently announced that it will soon introduce legislation to facilitate lawful surveillance of encrypted communications. How will the Australian law work, and what are the implications for the communications industry, privacy, and public safety?
How encryption frustrates lawful surveillance
Terrorists and criminals commonly use communications with strong encryption, which is extremely difficult if not impossible for law enforcement to crack. Instant messaging services such as Apple’s iMessage and Facebook’s WhatsApp pose especially difficult barriers to lawful surveillance because they are delivered “over the top” and encrypted “end-to-end.” An over-the-top service travels over the public internet but cannot be decrypted by the service providers. End-to-end encryption means there is no point where the communication must be decrypted for inter-network transport, such as when a VoIP call interconnects to the public switched telephone network.
For years American law enforcement has complained that its investigators are “going dark,” largely due to the inability to decipher encrypted suspect communications. The CALEA lawful surveillance statute ameliorates the encryption problem somewhat. It states that when a service provider applies encryption it must undo the message-scrambling for purposes of lawful surveillance. But the statute was never updated to reach services such as iMessage and WhatsAp because it governs only “telecommunications carriers,” not device manufacturers such as Apple, social media networks such as Facebook, or over-the-top application providers.
Australia’s anticipated approach to solve the encryption problem
Australian law enforcement has not explained its encryption proposal in any detail. They deny any intention of mandating an encryption key “escrow” methodology. The escrow approach would entrust encryption keys to the custody of a neutral entity, which would disclose the keys to law enforcement as needed for investigations upon service of due process. Past proposals of this kind were crushed by industry and the public. They feared the establishment of an escrow system would create a “backdoor” path of decryption that would weaken security because hackers would develop the trickery to obtain the keys.
The Australian government hinted that its approach to encryption would resemble that of Great Britain’s Investigatory Powers Act. Although the IPA is currently undergoing revision, this much is known. The draft provision on encryption would require a covered party to decrypt any encryption that the entity itself provides, and the clause would apply to all types of communications entities, including device makers, social media sites, and over-the-top application providers. Most likely, the law would require companies like Apple to collect a suspect’s messages when they are decrypted for routing purposes at the applicable application server. Then the company would deliver the plain-text versions of the messages to law enforcement.
For encrypted data stored on handsets, computers, laptops and tablets, the device makers could likewise decrypt a suspect’s content. Apple once performed this assistance for US law enforcement when presented with suspect iPhones, even though that capability was not required by any lawful surveillance mandate. But after the 2013 mass-surveillance scandal sparked by NSA contractor Ed Snowden, Apple and numerous other communications competitors quickly tightened their security and privacy protocols.
Opposition to Australia’s approach to encryption
Although no encryption bill has been submitted to the Australian legislature, a coalition of industry and privacy groups has already denounced it. These advocates believe any solution to the encryption problem would pose security risks. For example, they say communication users may lose trust in their service providers and thus resort to obsolete security products, which could be vulnerable to botnets or malware. They urged the government to strengthen digital security, not adopt legislation to bypass it.
The pro-encryption alliance recognizes the need for government investigators to conduct lawful surveillance. But the group has not tabled a proposal to meet that goal. Instead, they argue that the integrity of strong encryption must be preserved to protect the security of essential services such as communications, banking, and health care.
The potential implications for industry, consumers and law enforcement
There may be no solution to the encryption problem that satisfies all interested parties. However, the Australian initiative may yield a workable compromise. Much depends on the extent of the burden imposed on the communications industry. The law should ask device vendors and specific commercial entities only for encryption assistance that is technically feasible. Moreover, it should also avoid hampering commercial services. Finally, it should be fairly reimbursed by government. Under these circumstances, industry may accept the new burden.
Even if a broader range of industry players assumes responsibility for lawful decryption, the cooperation may not be welcomed by privacy-minded consumers. They recognize the critical importance of encryption in their daily lives, and news reports of devastating data breaches only harden their resolve. Still, these users may prefer to see the decryption role assigned to their own chosen service providers and device makers rather than law enforcement.
Australia’s expected legal reform would reportedly not let law enforcement decode encrypted suspect communications. But it would apparently do the next-best thing by giving them access to suspect communications in plain-text form.
When a reliable bypass for encryption is available for law enforcement agents in Australia or Great Britain, the capability may benefit their counterparts in other countries. For example, once Apple upgrades its iMessage servers to capture and deliver plain-text messages, a court in Canada may validly order Apple to activate the technology in support of a Canadian investigation.
The implications are greatest for nations like the US, where device makers, social media networks, and over-the-top application providers are exempt from CALEA. In the US, regardless of whether a communication provider is covered by CALEA, if it installs a capability to deliver suspect communications in plain text, a court may order the provider to enlist the capability for an investigation. This means American law enforcement may overcome the “going-dark” problem without having to wait for Congress to update CALEA. For purposes of American public safety, that would be a godsend.
June 29, 2018
WILL ALL ELECTRONIC COMMUNICATIONS EVENTUALLY ACQUIRE TOP-LEVEL PRIVACY PROTECTION?
The US Supreme Court recently issued a ruling that curbs law enforcement agency (LEA) access to subscriber location records stored by wireless communication service providers (CSPs). In Carpenter v. US, the Court held that an LEA must show a judge “probable cause,” not just “specific and articulable facts,” before asking a CSP to disclose a suspect’s historic cell site location information (CSLI). Probable cause is the nation’s highest level of due process. The standard requires an LEA to make a factual demonstration that the suspect is probably engaged in a crime.
In the short run, the Supreme Court pronouncement may well reduce the number of court orders served on CSPs to produce CSLI. But what about the long run? Will the courts ultimately strengthen privacy protection for other forms of electronic communication?
Real-time location is arguably just as private as historic location
In Carpenter, the Court articulated strong reasons to elevate the due process standard governing CSLI. The majority opinion said CSLI provides “an all-encompassing record of the [cell phone] holder’s whereabouts.” Detailing the threat to privacy, the opinion spoke of “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection ….”
Actually, a court may authorize an LEA to investigate a suspect’s whereabouts in two ways. One approach is to collect the person’s CSLI, as described in the Carpenter case. The other option is to monitor the person’s movements in real-time. In the real time scenario, the court issues a “pen/trap” order or “full-content” order, and the CSP activates a technical solution in its network that discloses the suspect’s cell phone location (at the start and end of each suspect call) to the LEA in real-time for a period of 30 or 60 days.
The Court justified its judicial elevation of CSLI in part by reasoning that an investigation of CSLI is more intrusive than the real-time monitoring of a suspect’s vehicle using a vehicle tracking device. In particular, the court emphasized that CSLI traces the location of the suspect, not just the suspect’s car. However, the Court did not compare CSLI with the kind of location gleaned from pen/trap orders and full-content orders. Like CSLI monitoring, real-time cell phone location monitoring traces an individual’s movements over time. Both forms of location monitoring produce “an all-encompassing record of the [cell phone] holder’s whereabouts.” Both are “deeply revealing” in “depth, breadth, and comprehensive reach.” And both are “inescapable and automatic” in the nature of their collection.
Based on the above, it seems inevitable that US courts will ultimately accord the same top-level “probable cause” protection for real-time cell phone location monitoring that Carpenter recognized for historic cell phone location monitoring. Such a privacy-expanding outcome would make it more difficult for LEAs to obtain court orders for the real-time monitoring technique.
Communication transactional records are arguably just as private as historic location records
Wireless location is not the only type of footprint left by suspects on communications networks. The individuals also accumulate transactional records, known in the voice communication world as call data records, or “CDRs.” Think of the telephone calling information we see on our monthly phone bills. Under current law, an LEA may collect CDRs with a court order or self-generated subpoena. The applicable due process standard is the lowest one. Specifically, the LEA must only confirm that the desired records are “relevant” to a criminal investigation.
CDRs are surprisingly informative. When an investigator discovers who a suspect called and who called the suspect, along with the related times and dates over several months or a year, he or she can run the data though an analytics program that makes accurate inferences about the suspect’s private life. The algorithms expose calling patterns that distinguish the boss of the suspected crime ring from the lieutenants and henchmen. Also detectable are clues about the nature of the criminal activity itself, such as drug trafficking, auto theft, or burglary. The automation can even help predict when and where the bad guys will strike next.
Notice that CDRs are deeply revealing in their depth and breadth, and comprehensive in their reach. They are also inescapable and automatic in the nature of their collection. Moreover, the records are stored by all types of communication providers, not just wireless carriers.
For these reasons, one could say subscribers deserve the same top-level probable cause protection for CDRs that Carpenter delivered for wireless location records. The result would be another win for privacy protection and another setback for criminal investigations.
Traditionally, some components of electronic communication have been legally considered more private than others. But Carpenter points in a new direction. Based on the reasoning of the case, most if not all of our digitally-communicated life may ultimately be deemed highly private. At that point we would communicate with less risk of LEA monitoring. On the other hand, we would live at greater risk of criminal harm.