Should Australians prepare for rubber-hose cryptanalysis?

So Australians probably don't need to worry about getting their kneecaps broken if they don't hand over their private encryption keys just yet, but the Australian Crime Commission wants changes to the law in order to make it easier for law enforcement to decrypt secret communications.

Appearing yesterday before a Senate committee hearing into potential changes to the Telecommunications (Interception and Access) Act 1979, the ACC's acting CEO, Paul Jevtovic, suggested that some participants in the telco industry are "designing products that support organised crime activity and frustrate law enforcement".

"[I]t is our view if you are manufacturing things like that that you should have an obligation to assist the country in defending itself against organised crime and encryption communications is a classic example of that," Jevtovic said.

Pushed by Greens Senator Scott Ludlam, who is chairing the inquiry, Jevtovic acknowledged lawful uses for encryption, but added that "unfortunately organised crime takes what is good technology which helps society, they take it for their own purposes."

"And when we can identify organised crime as having access to it that's when I think industry should be able to help us," the acting ACC CEO added.

A written submission to the inquiry by the ACC advocated for changes to the TIA Act to include an "Obligation imposed on telecommunications service providers to assist law enforcement, including with the decryption of communications."

"The ACC is supportive of measures which require telecommunication service providers, including ancillary service providers, to assist law enforcement with accessing communications where authorised, including offences for not assisting with decrypting communications," as was recommended by a previous parliamentary inquiry, the submission states.

In a number of European nations, not assisting law enforcement organisations with the decryption of data is a criminal offence. For example, the UK's Regulation of Investigatory Powers Act 2000 can require the disclosure of a decryption key necessary to access information "in the interests of national security", "for the purpose of preventing or detecting crime" or "in the interests of the economic well-being of the United Kingdom".

In the US, now-defunct encrypted email provider Lavabit was last year forced to hand over private SSL keys to the FBI, potentially jeopardising the private communications of the service's 400,000 customers.

The Lavabit case drew ire from civil libertarians: "When the court ordered Lavabit to turn over its private encryption keys, it undermined the businesses and technologies we rely on to keep our information safe," an ACLU blog entry argued.

In addition to seeking rules that would force telcos to retain and offer law enforcement access to so-called 'metadata', Judith Lind, executive director, strategy and specialist capabilities at the ACC, told the inquiry that the organisation also wants "assistance from industry and ancillary providers at very much a technical level".

"So sharing knowledge about how their apps work, how their networks work to enable our technicians then to work out how and whether interception can occur," Lind said. "So we're seeking assistance at that level as well as the actual access to the data and services."


Copyright © 2014 IDG Communications, Inc.
