Breaking US Encryption: The Australian Test Case


A bill currently before the Australian Federal Parliament doesn't seek to defeat encryption and enable Government to more easily spy on civilians. It just requests or compels 'communications providers' to do 'acts or things' to make spying easier.

How do you more easily access encrypted communications (largely provided by US companies such as Apple, Google, and Facebook) without breaking encryption?

Apparently no-one knows, but hidden in plain sight is a clue.

The Australian Federal Government is attempting to rush through a bill - The Assistance and Access Bill 2018 - which seeks to empower law enforcement and national security agencies to request or compel 'designated communications providers' to do a range of 'acts or things' to provide technical assistance to these agencies.

Who are designated communications providers? Any global company providing communications services directly, or as part of the global supply chain, according to the Australian Human Rights Commission (AHRC) submission:

The explanatory document states that the choice to define a ‘designated communications provider’ so broadly is deliberate, to capture ‘the full range of companies in the communications supply chain both within and outside Australia’. Notably, proposed s317C extends to offshore entities that have a role in the provision of communications and related services in Australia.

What are the acts or things they can be compelled to do? No idea, says the AHRC:

...the breadth of the proposed powers under the industry assistance framework, and how it interacts with established warrants processes, is unclear, making it uncertain as to what exact actions can lawfully be required of providers.

The Australian Information Industry Association can't tell you either and - now that you mention it - really wouldn't mind knowing the definition of systemic weakness:

"Systemic weaknesses or vulnerabilities cannot be implemented or built into products or services". The definition of what is meant by "systemic weaknesses or vulnerabilities" is required. At what point does a measure that is introduced become "systemic"?

Although only a handful of the 15,000+ public submissions have been published, poring through the mountain of concerned, confused words confirms no-one knows how this bill could work.

It seems – just a little bit – like a case of the trees getting in the way of the forest.

So here is the forest, the example used to justify the bill's existence:

A high risk Registered Sex Offender (RSO) was placed on the register for raping a 16 year old female, served nine years imprisonment and is now monitored by Corrections via two ankle bracelets whilst out on parole.

Victoria Police received intelligence that he was breaching his RSO and parole conditions by contacting a number of females typically between 13 and 17 years of age. Enquiries showed that he was contacting these females and offering them drugs in return for sexual favours.

The suspect was arrested and his mobile phone was seized but despite legislative requirements he refused to provide his passcode. Due to an inability to access his phone as well as the fact that he used encrypted communication methods such as Snapchat and Facebook Messenger, Victoria Police was unable to access evidence which would have enabled them to secure a successful prosecution and identify further victims and offences.

These are high victim impact crimes that are being hindered by the inability of law enforcement to access encrypted communications.

The Australian Federal Government raises this as representative of the key problem, which implies that the bill will solve this particular problem.

So the Government has essentially announced a global 'Capture The Felon Competition' (CTF) in the spirit of the Capture The Flag security contests. Here is this CTF challenge:

You are the Government. You can 'volunteer' or 'compel' Snapchat, Facebook, Apple and Google to do 'acts or things' which will result in the successful prosecution of the suspect (note for the purposes of this CTF competition there is a presumption of guilt).

However there are two rules:

  1. You cannot break encryption
  2. You cannot introduce a systemic weakness

How do you do it?
