New laws to force tech giants to reveal data

Technology companies could face fines of up to $10 million if they refuse to help police investigating a serious crime.

File image of an iPhone

File image of an iPhone Source: AAP

Tech companies ranging from internet providers such as Telstra to device-makers like Apple could be forced to help law enforcement agencies crack into encrypted communications under new laws unveiled by the Turnbull government on Tuesday.

The laws are designed to prevent situations like the , where US investigators fought Apple in a drawn-out court case to crack a terror suspect’s iPhone.

Australia’s domestic spy agency ASIO claims 90 per cent of its ‘priority cases’ involve some form of encryption, while over 90 per cent of data intercepted by the federal police are also encrypted.

The wide-sweeping reforms would also allow police conducting a normal search of a person, like a frisk search, to compel the person to unlock their mobile phone with a password or fingerprint. 



They must have reasonable suspicion that there is evidence of a crime on the phone, according to the draft legislation. The penalty for refusing the request will increase from two to a maximum of five years in prison. 



Cybersecurity minister Angus Taylor said the government could not “risk giving criminals a way of hiding”.

“We need legislation in place whereby companies can work with the government to ensure that we can get access to the data we need to prosecute and investigate serious crimes," he said. 

Federal Minister for Law Enforcement and Cyber Security Angus Taylor has offered his resignation, following Peter Duttno's challenge.
Federal Minister for Law Enforcement and Cyber Security Angus Taylor has offered his resignation, following Peter Duttno's challenge. Source: AAP


The were unveiled on Tuesday but could still be amended and are yet to pass the parliament. The government plans to introduce the laws before Christmas. 

They would give police and intelligence agencies the ability to ask companies for voluntary assistance with lifting a form of encryption, facilitating “access” to devices, or concealing the fact that agencies had undertaken a covert operation.

Access to any data will require a warrant, but law enforcement agencies themselves will have the power to ask for technical assistance from companies. 

"Agencies cannot get access to any data without a warrant or authorisation, full stop," Mr Taylor told SBS News. 

"Industry assistance is separate from that. It's saying look, we have a warrant, but we also need industry assistance." 

The Australian Strategic Policy Institute's cyber expert Fergus Hanson said the government had taken a "tailored approach of going after individuals rather than weakening protections for all of us".

Mr Hanson said his strategic thinktank had more concerns with earlier drafts of the legislation but said this version was well-balanced on the whole. 

He said tech companies might still push back against orders to share their source code. 

SBS News contacted Apple Australia for comment but did not receive a response before publication. 

Forcing companies to build new tools

The attorney-general – currently Christian Porter – will be able to issue a “technical capability notice" that forces the company to “build a new capability” to help police or ASIO with their inquiries. 

The notice cannot force the company to remove encryption. The government has long insisted it would not create “backdoors” in secure communications. 

"The government cannot ask a company to weaken its encryption systems," Mr Taylor said. 

"We want to see more encryption in this country, not less." 

"We see more and more money and personal identities being stolen from people's personal accounts and so encryption is crucial to thwart that kind of crime." 

So what kind of orders could the attorney-general issue? 

"It may be getting a company to help us locate a criminal, to have a capability to locate criminals through GPS tracking," he said. 

Another application might be to get the company to create an "online presence" for a police officer so they could talk to a "network of criminals", he said. 

The laws cover a broad range of companies, from telcos and device-makers right down to companies that make tech components. 

File
File Source: AAP


Multiple options for breaking tough encryption

Applications that offer end-to-end encryption remain a challenge for law enforcement agencies. 

Apps like Signal and Wickr are among the best-known. They seal messages with a unique key that only the recipient can decode, meaning the company itself cannot break the encryption. 

Asked about these apps, Mr Taylor explained the new laws would offer a range of ways to crack a phone. 

"One way is through the application. The other way is through the device. The other way is through the networks themselves," Mr Taylor told SBS News.

"There's many different ways of doing this." 

New warrants tailored for seizing computers

The laws also introduce new warrants for police and ASIO to use when seizing computers. 

The new warrants will give agencies 30 days to examine computers instead of 14 days, and will also ensure they can access "account-based data" like Facebook accounts and emails. 

The warrants will also allow the agencies to do cover their tracks by doing "anything reasonably necessary to conceal the fact that anything has been done in relation to a computer".

The so-called "concealment activities" can occur within the 28 days of the search. 

Labor urges consultation, while Greens sound alarm

Labor's cyber security spokesperson Gai Brodtmann said the opposition would analyse the detail of the legislation before coming to a final conclusion. 

"I urge the government to consult on this. Consult extensively and give it time," she told SBS News. 

The two major parties nearly always offer bipartisan support on national security matters.  

But the Greens' digital rights spokesman, Senator Jordan Steele-John, said the measures "completely undermine" the point of end-to-end encryption. 

He said the new powers could allow agencies to force companies to install malware on devices. 

“Installing malware on people’s devices to read encrypted data is not a solution to catching criminals but it is weakening the defences of every single device that receives encrypted messages, therefore making it easier for criminals who want to steal data," Senator Steele-John said. 





Share
6 min read
Published 14 August 2018 8:05am
Updated 14 August 2018 3:20pm
By James Elton-Pym

Share this with family and friends