On December 8th the government of Australia enacted a statute designed to help law enforcement and intelligence agencies overcome technical barriers to lawful electronic surveillance. The most notable provisions of the statute would help monitor criminals, spies and terrorists whose communications are encrypted. How exactly will the new “Encryption Act” work, and what are the implications for the communications industry?

The ‘Going Dark’ Problem

Australia’s Telecommunications and Other Amendments (Assistance and Access) Act 2018 (the Encryption Act) was adopted to help government investigators implement court orders for lawful surveillance without crashing into the technical brick wall of encryption.  For years law enforcement agencies in democracies worldwide had complained that they were ‘going dark’ because they could not decipher the lawfully intercepted communications. The gradual deployment of strong encryption had made the task increasingly difficult.

In the U.S. the “CALEA” lawful surveillance statute attempted to solve the encryption problem, but the measure was ineffective. A provision of the mandate required the communications industry to install surveillance solutions that would decipher encrypted communications. Unfortunately, the 1994 law failed to keep pace with modern encryption configurations.

Privacy groups actively opposed ideas to save investigations from going dark. In their view, any technique powerful enough to translate an encrypted phone call, email, or SMS message into plain text could be acquired and exploited by hackers to invade the privacy of innocent users. The activists rightly argued that communications privacy was vital to win subscriber trust.

How Australia’s Encryption Act Addresses the Going Dark Problem

Australia’s Encryption Act enables lawful access to a suspect’s encrypted messages. The Act applies to all “designated communications providers” (DCPs).  This category includes not only traditional communication service providers such as telephone companies and wireless carriers but also VoIP providers, satellite operators, web site hosts, and telecom equipment vendors.  Any communications industry competitor that operates facilities in Australia – or otherwise serves an Australian user – is apparently subject to the law.

The Act paves a path to decryption for both law enforcement and national security investigators. Specifically, the beneficiaries include the Australian Security and Intelligence Organisation, the Australian Secret Intelligence Service, the Australian Signals Directorate, the Australian Federal Police, the Australian Crime Commission, and the state and territory police forces.

Under the Act, the government may serve a DCP with any of three legal instruments. The first and least onerous document is the “technical assistance request.” A technical assistance request seeks surveillance support on a voluntary basis. For example, the government could question Apple about the encryption program applied to its iPhones.  It could also inquire about how to access encrypted messages stored in an iPhone.  The exact scope of the voluntary assistance was left undefined.

More burdensome is the “technical assistance notice.” This legal instrument is compulsory. A technical assistance notice may require a DCP to activate an existing decryption capability to access suspect communications or user logs. Presumably, this mandatory measure would be invoked only where a DCP refuses to help voluntarily.

The last form of assistance, called the “technical capability notice,” is also compulsory. It would require a DCP to develop a new decryption capability. For example, it may compel a DCP to provide law enforcement with a suspect’s password, if possible, or make the suspect’s communications accessible through a push technology.

As you would expect, anyone who fails to comply with either of the above-described notices could be fined.

How the Act Addresses Security and Privacy

The authors of the Encryption Act considered the risk of creating encryption “backdoors” that might be exploited by bad guys. Accordingly, the Act stated that a DCP shall not be forced to build a “systematic weakness” or “systematic vulnerability” into its infrastructure. A systematic weakness or vulnerability was defined as a technical condition that would “affect a whole class of technology,” as opposed to “a particular person.” Observers say these definitions will likely be interpreted through case-by-case litigation.

Members of the Australian parliament wanted the Encryption Act to include additional provisions for security and privacy.  To accommodate these political leaders, the government adopted the Act with a promise to discuss further modifications in 2019.

The Impact of the Act on the Communications Industry

The Encryption Act imposes a potentially expensive regulatory burden. In particular, the open-ended technical capability notice could expose a service provider to any kind of encryption-related technical mandate. On the other hand, the Act provides cost-based reimbursement for entities subject to such demands.

Also consider that the Act may impact some communications competitors heavily and others not at all. Regrettably, the service providers that undertook the greatest efforts to secure their networks with strong encryption may now be forced to expend the greatest resources to penetrate that security for the sake of improved surveillance. These entities are presumably the ones that marketed to the most privacy-minded customers. Thus, the new law may erode their competitive advantage. The harm may not be too significant, however, as long as Australia observes standards for surveillance and security that apply equally to all competitors.

Possibly, an international competitor with only a token presence in Australia could be forced to rearchitect its encryption infrastructure throughout its global network. In effect, Australia could dictate surveillance practices in other countries, even those that prioritize subscriber privacy. It is unclear how these policy conflicts would be resolved.

Further complicating the risk of a surveillance-privacy conflict, the U.S. and other countries may learn from Australia’s example and adopt decryption laws of their own. The intelligence alliance known as the “Five Eyes” – consisting of the U.S., Canada, the United Kingdom, Australia, and New Zealand – has spent years lobbying for relief from the blinding effect of encryption. If all these governments adopt decryption mandates, the communications industry may struggle to reconcile the potentially divergent technical assistance demands.

One overriding factor may ultimately iron out the above-described regulatory wrinkles. All democracies experience similar needs for lawful surveillance and privacy. Cool-headed diplomacy could produce an international consensus that balances the two policy goals. In fact, the U.S. has already negotiated treaties of law enforcement cooperation called “mutual legal assistance treaties” with numerous countries worldwide. Moreover, the U.S. Congress is gravitating towards a bipartisan national privacy law that would emulate the privacy framework of the European Union.

How Industry Service Providers Should Comply with the Act

The Encryption Act does not require covered communications service providers to take any immediate compliance steps. Instead, the tasks will emerge ad hoc as the Australian government may decide.  The first providers to be contacted will probably be those with the largest subscriber bases. After all, the biggest networks tend to witness the greatest volume of illegal activity.

Smart service providers will not wait for an Encryption Act mailing from the government. They will take inventory of their encryption capabilities now.

To begin with, a provider should amass literature that answers the kind of encryption-related questions a law enforcement agency might ask in a technical assistance request. What type of encryption is employed in which services and features? Can the encrypted communications be decrypted today? If not, what types of technical modifications would be needed to meet that goal? How could the decryption solution minimize the risk of a systematic weakness or systematic vulnerability?

Next, each service provider should study the feasibility of its decryption options. It should specifically examine how the cost of complying with a technical assistance notice or technical capability notice may be compensated through the government’s cost-recovery process. To decrypt a given type of communication, would the resource burden be prohibitive? If so, that fact should be documented. It could prove decisive when contesting a technical capability notice.

After completing the above-described analyses, a service provider could request a meeting with Australian law enforcement to present its compliance strategy. Law enforcement officials respect industry members that position themselves as good corporate citizens. Meanwhile, the public-private meeting could help manage regulatory expectations.

A new and technically challenging regulatory mandate like Australia’s Encryption Act is bound to increase the communications industry’s potential liability. However, a little planning and talking with regulators could substantially mitigate the risk.