There has been a growing anxiety around a new piece of legislation working its way through the Australian parliament. The official name is the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act).
At a high level, the Act is about giving security agencies in Australia selected access to encrypted communications. It is creating a significant stir worldwide because it can be viewed as another test case for the Five Eyes countries. The UK already has the Investigatory Powers Act, passed in 2016. When the Australian Act is passed by the parliament, Australian interception agencies will be able to request that software application developers modify their applications to provide access to an individual’s encrypted communications (e.g. voice calls, video calls, text messages, and email).
This topic is particularly important to Anonyome Labs because we build privacy-focused mobile applications, such as MySudo, with end-to-end encrypted communication capabilities for voice, video, messaging and email. Given that Anonyome Labs has an office in Australia, and that MySudo is in the Australian App Store, we could be subject to a request at any time.
Details of the Act
In this section I’ll describe the specifics regarding the Act.
The Act describes the process by which Australian agencies can make a request of a software application developer. As the ABC describes so well, there are three types of requests that an agency can make:
- Technical assistance request (TAR): Police ask a company to “voluntarily” help, such as give technical details about the development of a new online service.
- Technical assistance notice (TAN): A company is required to give assistance. For example, if they can decrypt a specific communication, they must or face fines.
- Technical capability notice (TCN): The company must build a new function to help police get at a suspect’s data, or face fines.
The request can come from a number of different sources:
- The Director-General of Security of the Australian Security Intelligence Organisation (ASIO)
- The Director-General of the Australian Secret Intelligence Service (ASIS)
- The Director-General of the Australian Signals Directorate (ASD)
- The chief officer of an interception agency
The first three requestors are typical intelligence-gathering agencies (the US equivalents are perhaps the NSA and CIA). An interception agency includes the Australian Federal Police, the Australian Crime Commission or any State/Territory Police Force. That is a significant number of organizations that can make a request of a software development company.
The Act describes communication material that could be subject to a request. This includes “text, data, speech, music or other sounds, visual images (moving or otherwise), in any other form, in any combination of forms”.
This seems to cover all types of communication currently implemented in most messaging, calling, video and email encryption apps; that is, everything end-to-end encrypted in MySudo.
Once an organization or individual receives a request, they must treat it very seriously. The act states that a person receiving the request must not:
- aid, abet, counsel or procure a contravention
- induce, whether by threats or promises or otherwise, a contravention
- be in any way, directly or indirectly, knowingly concerned in, or party to, a contravention
- conspire with others to effect a contravention
Also, a person receiving a request (presumably an employee in a software development company) is not allowed to disclose the request details to any other person, or they face fines. This requirement is difficult to understand given that software development is a group activity.
Technical Capability Notice (TCN) and Software Modifications
There is nothing in the Act that describes how the encryption software might be modified to conform to a request. The TCN is therefore the most hazardous type of request for software development companies, and has the greatest potential to damage the software’s reputation once its users become aware that a modification request has taken place.
One example of how the software might be modified is described in an article from the Electronic Frontier Foundation (EFF). In that example, the encryption software is modified so that a two-way private, encrypted conversation is turned into a three-way conversation in which an agency can see the unencrypted data, without the two original users being aware that this has happened. This requires the software to be specifically modified so that the user interface does not indicate to either user that a third party is also involved.
The Act does indicate that modifications to the encryption software should not unduly affect the operation of the system. A software developer cannot be asked to introduce either a systemic vulnerability or a systemic weakness. The two definitions from the Act are almost identical:
- systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
- systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
It seems logical that the modification described above by the EFF violates these two definitions. Perhaps only legal test cases will confirm this one way or the other.
Responding to the Controversy
Because of the controversy about this Act, Mike Burgess, the Director-General of the Australian Signals Directorate, wrote a rebuttal to the issues being raised in the press.
What is next for the Act?
This is not the end of the road for the Act, as its passage was secured only with the promise of further review and requests for amendment by the Federal Opposition. The Parliamentary Committee of Inquiry will commence a review of the new legislation and hold further public hearings, with a view to completing the legislative review by 3 April 2019.
What is the Anonyome Labs view on modifying software for encrypted communications?
At Anonyome Labs we have always been very supportive of helping law enforcement with their investigations, under due process. However, our strong view is that we should never weaken encryption systems that provide safety, security and privacy for law-abiding citizens. It is very easy to imagine that any change to encryption software will introduce a backdoor that could impact more than just the user under investigation through the TOLA Act.
These articles provide some additional coverage of this topic: