The Australian Government is proposing to introduce legislation this year to impose an obligation on communications and technology companies to assist law enforcement agencies to access encrypted messages, in the event that voluntary cooperation is not provided by those companies.

Background

The Australian Government has taken a strong stand in relation to the need for law enforcement agencies to access encrypted messages, sent over systems such as WhatsApp, Viber and Telegram. This has been evidenced by the positions taken by the Government on the international stage, including the recent Five Eyes and G20 meetings.

Five Eyes: A voluntary solution?

At the 26 June 2017 Five-Eyes intelligence talks in Ottawa a hot topic was how to seek cooperation from internet service providers (ISPs) and device makers to access encrypted messages sent using the systems of those ISPs. The governments of all of the Five-Eyes members (the United States, the United Kingdom, Canada, Australia and New Zealand) argued that the inability of law enforcement agencies to access encrypted messages significantly impedes the investigation of serious crimes, particularly terror related offences, and therefore undermines public safety.

The joint communique issued by the five governments following the Ottawa meeting stated that:

encryption can severely undermine public safety efforts by impeding lawful access to the content of communications during investigations into serious crimes, including terrorism. To address these issues, we committed to develop our engagement with communications and technology companies to explore shared solutions while upholding cybersecurity and individual rights and freedoms.

Australia’s positon at the G20

The Australian Prime Minister continued to push this theme, including the need for international cooperation, at the G20 meeting held in Hamburg in early July 2017. The G20 leaders’ statement on countering terrorism, issued in Hamburg, supported the need for access to be obtained to encrypted messages. That statement provided in part that the G20 leaders encourage collaboration with industry to provide lawful and non-arbitrary access to available information where access is necessary for the protection of national security against terrorist threats.

The way forward: Following the UK

The Attorney-General has acknowledged that Australia already has regulation, included in the Telecommunications Act 1997 (Cth) and the Crimes Act 1914 (Cth), requiring telecommunications companies to provide assistance to law enforcement agencies to access communications. However, the view of the Government is that this legislation has not kept up with technological advancements and needs to be updated.

Legislation dealing with access to encrypted messages is already in place in the United Kingdom and New Zealand. The Attorney-General has stated that Australia’s new laws will be guided by the UK legislation, specifically the Investigatory Powers Act 2016. Under that UK Act, there is an obligation on regulated entities to do whatever they reasonably can be expected to do to enable law enforcement agencies to inspect messages that are the subject of encryption or to inspect devices, where a technical capability notice is issued with the approval of a judicial commissioner.

Encrypted messages are difficult to access because the providers of the services do not hold the keys necessary to decrypt messages, these are held by users. This has caused entities potentially subject to the UK legislation, such as Facebook, Google and the like, to raise a concern that the UK legislation – and potentially the legislation proposed in Australia – will require “backdoors” to be installed in encryption systems software.

A backdoor refers to a flaw in a software system for encrypted messaging that would allow access to encrypted messages notwithstanding that the encryption keys are not held. Concern has been expressed that if a backdoor is included in encrypted messaging software that is able to be used by law enforcement agencies then that backdoor may also be used by hackers or others to access legitimate encrypted messages for criminal purposes. The Australian Government has insisted it will not require the use of backdoors. Instead, the Government has said it is the responsibility of technology companies that provide end-to-end encryption services to work out a way that encrypted messages may be accessed, where required by law enforcement.

Next steps in Australia

A draft of the proposed Australian legislation is not yet available, but it is intended to be introduced to Parliament during the Spring 2017 Parliamentary sittings, which commence on 8 August 2017. It remains to be seen how closely that draft legislation will follow the UK Investigatory Powers Act and whether it will address concerns regarding the security of encrypted messages sent for legitimate purposes.