Encryption


By Inika Bose and Josephine Bird. This article was produced in collaboration with Professor Nicolas Suzor at QUT, Digital Rights Watch, and the Fitzroy Legal Service.

Privacy is a fundamental human right. One of the key ways we protect privacy online is by encrypting information. However, in 2018, the Australian government introduced anti-encryption laws which put the privacy of your digital communications at risk. The laws are designed to force both Australian and foreign technology companies to give police and security agencies access to encrypted messages.

If you are an activist, journalist or whistleblower, it is possible that:

  • your private communications may be monitored; and
  • your personal identity may be exposed.  

This is especially concerning if you are working with sensitive information or need to protect your anonymity or that of your sources. 

In this section:

  • What is encryption and how can it be used to protect your information?
  • What are Australia’s anti-encryption laws?
  • What is a TAN, a TCN, and a TAR?
  • What next?

What is encryption and how can it be used to protect your information?  

Encryption technology is important because it ensures your data is protected. If you send a message without using encryption technology, your messages may be vulnerable to interception by third parties (including criminal attackers and law enforcement agencies).

There are different types of encryption which can be used to protect your information. Two of these are end-to-end encryption and encryption in transit.

If you send a message using encryption in transit, your message cannot be read or tampered with as it moves from one location to another. For example, an instant message (IM) sent using Facebook Messenger will be encrypted as it passes over the internet. Facebook will still have access to the IM, however, because it is stored on their server for the recipient to access, in a form that is not encrypted. This leaves your communications vulnerable: not only can they be read by the provider, but law enforcement agencies may ask the provider to give them access to your communications.

If you send a message using end-to-end encryption, only you and the intended receiver of the message will be able to read it. The message is encrypted so that only the receiver possesses the key needed to decrypt it. For example, an IM sent using WhatsApp will be encrypted as it passes over the internet and is still encrypted while it is stored on WhatsApp’s server. Even though WhatsApp and Facebook Messenger are both provided by Facebook, only WhatsApp is end-to-end encrypted. This means your communications will be protected if law enforcement agencies ask a provider to access your communications, because the provider themselves cannot access them.
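The difference between the two designs can be shown in code. The following Python simulation is an added example, not part of the original article: it models a sender, a provider and a recipient with a toy authenticated stream cipher (HMAC-SHA256 keystream plus HMAC tag, standing in for real protocols like TLS or the Signal protocol, and for demonstration only). With encryption in transit the provider decrypts each hop and stores plaintext; with end-to-end encryption the provider only ever holds ciphertext it cannot open, and any tampering with a message is detected.

```python
import hmac, hashlib, os

# Toy authenticated stream cipher. Demonstration only; do not use for real traffic.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # integrity tag
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("message was tampered with in transit")
    return _keystream_xor(key, nonce, body)

class Provider:
    """The messaging service: relays messages and keeps a copy for the recipient."""
    def __init__(self):
        self.stored = b""

def send_transit_only(prov, alice_link, bob_link, msg):
    # Each hop uses a key the provider shares with that user, so the provider
    # decrypts, stores the plaintext, and re-encrypts toward Bob.
    prov.stored = decrypt(alice_link, encrypt(alice_link, msg))
    return decrypt(bob_link, encrypt(bob_link, prov.stored))

def send_end_to_end(prov, alice_link, bob_link, pair_key, msg):
    # The inner layer uses a key only Alice and Bob hold; the provider strips the
    # link layer but can only store and forward the inner ciphertext.
    inner = encrypt(pair_key, msg)
    prov.stored = decrypt(alice_link, encrypt(alice_link, inner))
    return decrypt(pair_key, decrypt(bob_link, encrypt(bob_link, prov.stored)))

def provider_can_read(prov, msg):
    # What a provider (or an agency it hands the data to) sees on its server.
    return prov.stored == msg

def tamper_detected(key, blob):
    # Flip one ciphertext bit (byte 20 lies inside the body) and see if decrypt refuses it.
    flipped = bytearray(blob)
    flipped[20] ^= 1
    try:
        decrypt(key, bytes(flipped))
        return False
    except ValueError:
        return True
```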

What are Australia’s anti-encryption laws? 

Under the new laws, technology companies are required to provide law enforcement agencies with access to their users’ personal data. Technology companies may also be required to change their systems so that encrypted data can be accessed.

These laws were introduced to prevent terrorism and organised crime. Attorney-General Christian Porter argued that the legislation ensures Australia’s national security and law enforcement agencies have the tools they need to access the encrypted conversations of those who seek to do us harm, and to adapt to the evolving technological environment.

Access to encrypted messages can be obtained by law enforcement agencies through three types of orders:

  • Technical Assistance Notices (TAN);
  • Technical Capability Notices (TCN); and
  • Technical Assistance Requests (TAR).

What is a Technical Assistance Notice?

A Technical Assistance Notice (TAN) is a compulsory notice that can be issued to technology companies to require them to use interception capabilities they already have. The requests a law enforcement agency can make using a TAN are limited to assistance that the technology company is able to provide within its current capabilities. If the company can access a specific communication, it may be required to do so (e.g. messages sent using encryption in transit that are stored on the company’s network). If the company does not have the ability to access the information requested, it will not be required to build the capability to do so. This means, for example, that a TAN cannot be used by law enforcement agencies to access messages sent using end-to-end encryption.

A TAN can be issued by the:

  • ASIO (Australian Security Intelligence Organisation); 
  • Chief officer of the Australian Federal Police;
  • Chief officer of the Australian Crime Commission; or 
  • Chief officer of a State or Northern Territory Police Force.

A TAN may require a technology company to provide a wide range of assistance to law enforcement, including: 

  • providing information on an individual i.e. customer data; 
  • providing technical information; or
  • providing the government agency with administrator access to information hosted by the company.

If a technology company fails to comply with a TAN order, they may face fines of up to 10 million AUD. 

What is a Technical Capability Notice?

A TCN is a compulsory notice designed to compel technology companies to build a new technical function to assist law enforcement investigations. The legislation states that law enforcement agencies cannot ask a technology company to create a “systemic weakness” or “vulnerability”. However, this protection is vague, and digital rights activists have raised concerns that notices may require a company to create a back-door to their systems. A back-door is a method which allows someone to bypass the existing security measures that are in place to protect your data. If a technology company builds a back-door, there can be no guarantee that a systemic weakness or vulnerability will not be created. Experts warn that there is a real risk that a TCN may ask technology companies to create a back-door that introduces a “security hole” that could be abused or exploited by criminals or misused by law enforcement agencies.

A TCN can only be issued by the Commonwealth Attorney General. Once issued, the technology company can either accept or challenge the notice.

If a technology company receives a TCN, they may be compelled to: 

  • install software; 
  • modify a service on demand; and
  • provide technical information such as its source code. 

If a technology company fails to comply with a TCN, they may face fines of up to 10 million AUD. 

What is a Technical Assistance Request?

A TAR is a request issued to technology companies to provide voluntary assistance. What law enforcement agencies can request a company to do is broad, uncertain, and virtually limitless. Although it is voluntary, the TAR is not subject to the same safeguards that apply to TCNs.

A TAR, like a TCN, can be used to request that a company develop capabilities to remove digital protection. Because a TAR is voluntary, a company is not obliged to follow through with the request and will not face fines if it chooses not to comply. Even though TARs are voluntary, technology companies are often willing to assist law enforcement agencies when requested.

A TAR can be issued by the: 

  • ASIO (Australian Security Intelligence Organisation);
  • ASIS (Australian Secret Intelligence Service);
  • ASD (Australian Signals Directorate); 
  • Australian Federal Police; and
  • State and territory police.

Will you be notified if your provider has been issued a TAN, TCN or TAR?

If your service provider receives a request or notice, you will generally not be notified about it. There is a secrecy provision in the legislation which makes it an offence under the Act for a company to disclose information about a request or notice, with a penalty of 5 years’ imprisonment.

The secrecy provision also applies to employees of a company. If a technology company is issued a request or notice, only the employees who are required to comply with the notice or request will be notified.  

Can a TAN, TAR or TCN be challenged?

Law enforcement agencies can only issue technology companies with a TAR, TAN or TCN if the order is:

  • reasonable and proportionate to the risk; and
  • practically and technically feasible, i.e. a technology company can reasonably comply with the request.

If a technology company receives a TCN, they may challenge this notice by asking for an assessment. The assessment will be conducted by a person who has technical knowledge and a retired judge (collectively known as ‘assessors’). The assessors will provide a report which will consider whether the TCN issued is appropriate or whether it should be changed. When re-assessing whether the TCN is appropriate, the Attorney General must take this report into consideration. However, the Attorney General is not required to follow the recommendations. 

There are no express methods under the anti-encryption laws which a technology company can follow if it wants to challenge a TAR or TAN. However, judicial review through the High Court or Federal Court may still be available.

What Next? 

In 2019, amendments to the anti-encryption laws were passed. These were a step in the right direction towards addressing some of the concerns associated with the laws. However, digital rights activists are still concerned that the legislation is flawed and will weaken Australia’s digital security.

Digital Rights organisations, including Digital Rights Watch, have sought to have the anti-encryption laws repealed. At the very least, digital rights activists are campaigning for the laws to incorporate changes which will address the criticisms associated with the current laws. 

The Parliamentary Joint Committee on Intelligence and Security is currently reviewing the laws, and is due to complete their review on 30 September 2020.

For more information on how you can protect your digital rights and get involved in the public debate, visit Digital Rights Watch and the Australian Privacy Foundation.

Further resources to help improve your digital security:

  • The EFF maintains a Surveillance Self Defence website with tips on how to protect yourself. Note that this is not specific to Australia, but you may find the tips helpful.
  • AccessNow maintains a Digital Security Hotline that offers real-time, direct technical assistance and advice to civil society groups & activists, media organizations, journalists & bloggers, and human rights defenders. Access Now can help you improve your digital security practices to keep out of harm’s way, and they provide rapid-response emergency assistance if you are already under attack.
  • Digital Rights Watch maintains a database of helpful tools and resources to protect yourself online.