With all the brouhaha going on in Canberra recently, the draft of a piece of very important legislation was introduced along with an explanatory note. The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 might sound all soft and fluffy but it's anything but that. This is a piece of legislation that will compel IT companies that create encrypted systems to "assist" the government with access to encrypted communications.
The government's explanatory note is all about the "challenges" law enforcement faces when it comes to accessing encrypted messages. The paper notes "95 per cent of the Australian Security Intelligence Organisation's (ASIO) most dangerous counter-terrorism targets actively use encrypted messages to conceal their communications".
The purpose of the Bill is to allow agencies to seek help from providers, both domestic and offshore, in the execution of their functions. The Bill also provides agencies with alternative-collection powers, allowing them, under warrant, to access devices.
The new laws, as they are drafted, provide for agencies to make three different types of requests.
- Voluntary assistance can be requested to assist ASIO, the Australian Secret Intelligence Service (ASIS), the Australian Signals Directorate (ASD) and interception agencies in the performance of their functions.
- The Director-General of Security, or the head of an interception agency, can issue a technical assistance notice requiring a designated communications provider to give assistance they are already capable of providing that is reasonable, proportionate, practicable and technically feasible.
- The Attorney-General can issue a technical capability notice, requiring a designated communications provider to build a new capability that will enable them to give assistance as specified in the legislation to ASIO and interception agencies. A technical capability notice cannot require a provider to build or implement a capability to remove electronic protection, such as encryption.
It says something about the complexity of this matter when the 166-page legislation comes with 115 pages of explanatory notes.
While the term backdoor is never used, we are looking at laws that place a lot of power in the hands of one person, the Attorney-General, or that could circumvent open and transparent processes if a software company voluntarily provides assistance.
A large part of the new laws seems to be about getting access to end-point devices and then asking software companies to assist with accessing data. That may mean asking for a weakness to be built so that data could be accessed.
Which sounds like a backdoor by another name.