Encryption: Has the government stuck to its ‘no backdoors’ pledge?

The government this morning unveiled an exposure draft of its much-anticipated legislative response to the increased use of encrypted communications services.

The bill “will allow law enforcement and interception agencies to access specific communications without compromising the security of a network,” said law enforcement and cyber security minister Angus Taylor.

The measures in the bill “expressly prevent the weakening of encryption or the introduction of so-called backdoors,” the minister said.

Since the government in July last year first committed to legislation to tackle law enforcement agency access to encrypted communications services, it has repeatedly claimed that any new law would not compel a communications provider to create ‘backdoors’.

The draft bill, unveiled this morning, outlines three types of assistance that may be sought by law enforcement and intelligence agencies. The first is essentially a request for voluntary cooperation on a range of technical measures (which could, for example, include handing over certain types of information or be as simple as an explanation of how a particular service works or the format of certain data).

A second level — “technical assistance notices” — would compel the subject of a notice to assist an agency using already existing capabilities; for example, if a service provider had access to the relevant encryption key, then they could be forced to use it to decrypt a user’s data.

The third level of assistance — “technical capability notices” — would force a company to build a whole new technical capability or capabilities to assist agencies. The power is subject to sign-off by the attorney-general.

The list of types of assistance that an agency can seek with either a technical assistance or a capability notice is extensive. A non-exhaustive list includes removing “one or more forms of electronic protection” i.e. encryption — “that are or were applied by, or on behalf of, the provider”; installing, maintaining or testing software or hardware; facilitating access to a facility, customer equipment, a device, a service or software; assisting with the “testing, modification, development or maintenance of a technology or capability”; and “substituting, or facilitating the substitution of, a service” (i.e. some form of spoofing).

An explanatory document accompanying the government’s draft bill stats that technical assistance notices and technical capability notices cannot require a service provider “to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection”, which includes “forms of encryption or passcode authentication, such as rate limits on a device”.

The document adds: “providers cannot be asked to implement or build so-called ‘backdoors’ into their products or services” [emphasis in original].

That prohibition presumably means that ASIO can’t request that WhatsApp build some master key system that allows it to just snoop on anyone’s conversations.

The relevant section of the act — 317ZG — is reasonably short. A technical assistance or capability notice must not have the effect of “requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection” or preventing them from fixing a systemic weakness or vulnerability.

In an attempt to assuage concerns, the draft bill goes on to explicitly state that the prohibition covers any requirement to “implement or build a new decryption capability in relation to a form of electronic protection” or to actions that would “render systemic methods of authentication or encryption less effective”.

The explanatory document says that “the term systemic refers to actions that impact a broader range of devices and service utilised by third-parties with no connection to an investigation and for whom law enforcement have no underlying lawful authority by which to access their personal data.”

“The prohibition clearly limits the ability of a notice to compel a provider to re-design services that feature end-to-end encryption,” the document states.

“If a proposed re-design had the effect of removing the default protection that all users of end-to-end encrypted services benefit from and, consequently, made their communications less secure, it would be categorised as requiring a provider to build a systemic weakness or vulnerability into a form of electronic protection.”

This is at the heart of the government’s claim that the legislation will not introduce backdoors. The draft bill appears to prohibit measures that would, for example, force a service provider to remove end-to-end encryption across the entirety of a service or to operate some kind of key escrow system for law enforcement agencies.

However, the explanatory documents notes, a notice “may still require a provider to enable access to a particular service, particular device or particular item of software, which would not systemically weaken these products across the market”.

“For example, if an agency were undertaking an investigation into an act of terrorism and a provider was capable of removing encryption from the device of a terrorism suspect without weakening other devices in the market then the provider could be compelled under a technical assistance notice to provide help to the agency by removing the electronic protection,” the document states.

“The mere fact that a capability to selectively assist agencies with access to a target device exists will not necessarily mean that a systemic weakness has been built. The nature and scope of any weaknesses and vulnerabilities will turn on the circumstances in question and the degree to which malicious actors are able to exploit the changes required.”

“Likewise,” it adds, “a notice may require a provider to facilitate access to information prior to or after an encryption method is employed, as this does not weaken the encryption itself”.

Essentially the “systemic” backdoor prohibition does not prevent the introduction of backdoor-type features targeting a particular device or user (or particular devices or users).

The big question is how this would unfold in the real world, and the potential unintended consequences for users that aren’t the subject of a legitimate investigation — particularly when there will be no transparency about precisely what is happening to the services that many of us rely on.

It is one thing to formally ban actions that would weaken the security of a service, but securely introducing mechanisms to target a particular device or group of devices is a non-trivial task.