The Australian government recently announced that it will soon introduce legislation to facilitate lawful surveillance of encrypted communications. How will the Australian law work, and what are the implications for the communications industry, privacy, and public safety?

How encryption frustrates lawful surveillance

Terrorists and criminals commonly use communications with strong encryption, which is extremely difficult if not impossible for law enforcement to crack.  Instant messaging services such as Apple’s iMessage and Facebook’s WhatsApp pose especially difficult barriers to lawful surveillance because they are delivered “over the top” and encrypted “end-to-end.”  An over-the-top service travels over the public internet but cannot be decrypted by the service providers. End-to-end encryption means there is no point where the communication must be decrypted for inter-network transport, such as when a VoIP call interconnects to the public switched telephone network.

For years American law enforcement has complained that its investigators are “going dark,” largely due to the inability to decipher encrypted suspect communications.  The CALEA lawful surveillance statute ameliorates the encryption problem somewhat. It states that when a service provider applies encryption it must undo the message-scrambling for purposes of lawful surveillance. But the statute was never updated to reach services such as iMessage and WhatsAp because it governs only “telecommunications carriers,” not device manufacturers such as Apple, social media networks such as Facebook, or over-the-top application providers.  

Australia’s anticipated approach to solve the encryption problem

Australian law enforcement has not explained its encryption proposal in any detail.  They deny any intention of mandating an encryption key “escrow” methodology. The escrow approach would entrust encryption keys to the custody of a neutral entity, which would disclose the keys to law enforcement as needed for investigations upon service of due process.  Past proposals of this kind were crushed by industry and the public. They feared the establishment of an escrow system would create a “backdoor” path of decryption that would weaken security because hackers would develop the trickery to obtain the keys.

The Australian government hinted that its approach to encryption would resemble that of Great Britain’s Investigatory Powers Act.  Although the IPA is currently undergoing revision, this much is known. The draft provision on encryption would require a covered party to decrypt any encryption that the entity itself provides, and the clause would apply to all types of communications entities, including device makers, social media sites, and over-the-top application providers. Most likely, the law would require companies like Apple to collect a suspect’s messages when they are decrypted for routing purposes at the applicable application server.  Then the company would deliver the plain-text versions of the messages to law enforcement.

For encrypted data stored on handsets, computers, laptops and tablets, the device makers could likewise decrypt a suspect’s content.  Apple once performed this assistance for US law enforcement when presented with suspect iPhones, even though that capability was not required by any lawful surveillance mandate. But after the 2013 mass-surveillance scandal sparked by NSA contractor Ed Snowden, Apple and numerous other communications competitors quickly tightened their security and privacy protocols.

Opposition to Australia’s approach to encryption

Although no encryption bill has been submitted to the Australian legislature, a coalition of industry and privacy groups has already denounced it.  These advocates believe any solution to the encryption problem would pose security risks. For example, they say communication users may lose trust in their service providers and thus resort to obsolete security products, which could be vulnerable to botnets or malware.  They urged the government to strengthen digital security, not adopt legislation to bypass it.

The pro-encryption alliance recognizes the need for government investigators to conduct lawful surveillance.  But the group has not tabled a proposal to meet that goal. Instead, they argue that the integrity of strong encryption must be preserved to protect the security of essential services such as communications, banking, and health care.

The potential implications for industry, consumers and law enforcement

There may be no solution to the encryption problem that satisfies all interested parties.  However, the Australian initiative may yield a workable compromise. Much depends on the extent of the burden imposed on the communications industry. The law should ask device vendors and specific commercial entities only for encryption assistance that is technically feasible. Moreover, it should also avoid hampering commercial services. Finally, it should be fairly reimbursed by government. Under these circumstances, industry may accept the new burden.  

Even if a broader range of industry players assumes responsibility for lawful decryption, the cooperation may not be welcomed by privacy-minded consumers.  They recognize the critical importance of encryption in their daily lives, and news reports of devastating data breaches only harden their resolve. Still, these users may prefer to see the decryption role assigned to their own chosen service providers and device makers rather than law enforcement.

Australia’s expected legal reform would reportedly not let law enforcement decode encrypted suspect communications.  But it would apparently do the next-best thing by giving them access to suspect communications in plain-text form.

When a reliable bypass for encryption is available for law enforcement agents in Australia or Great Britain, the capability may benefit their counterparts in other countries.  For example, once Apple upgrades its iMessage servers to capture and deliver plain-text messages, a court in Canada may validly order Apple to activate the technology in support of a Canadian investigation.

The implications are greatest for nations like the US, where device makers, social media networks, and over-the-top application providers are exempt from CALEA.  In the US, regardless of whether a communication provider is covered by CALEA, if it installs a capability to deliver suspect communications in plain text, a court may order the provider to enlist the capability for an investigation.  This means American law enforcement may overcome the “going-dark” problem without having to wait for Congress to update CALEA. For purposes of American public safety, that would be a godsend.