This Information Age article forms part of a 7-part series on Ethics, covering artificial influencers, facial recognition, IoT, security and more. The series will culminate in an online panel on 11 December. Register to take part in the discussion and send your questions to the ACS Ethics Committee.
The Australian Government recently released a draft Assistance and Access bill that would allow certain government law enforcement and intelligence agencies (including ASIO, ASIS, and the ASD) to request that telecommunications and equipment providers assist in accessing encrypted communications.
This request could be voluntary or required, depending on the nature of the request.
A request known as a ‘technical capability notice’ may be issued, which requires that a provider build new capabilities into their products if necessary to gain access to encrypted communications.
There is no question about the importance of maintaining national security.
It is also commonplace for terrorist groups (and other criminals) to adopt messaging and communications apps that rely on encryption for their communications.
The Apple versus FBI case from early 2016 highlights some of the issues that law enforcement faces when it comes to accessing information protected by such technologies.
Attempting to overcome current encryption technologies using brute force techniques would take a prohibitive amount of time and could potentially trigger other safeguards (such as a device wipe).
Because breaking encryption is difficult, other methods are often used to access secured information, such as using hacking techniques to identify and exploit vulnerabilities in the software.
The use of a software vulnerability was the method ultimately used by the FBI to access the locked phones when Apple didn’t cooperate.
In order to prevent the introduction of platform-wide exploits, extreme care would need to be taken when it comes to responding to requests such as a technical capability notice.
Industry best practice, and a requirement of the EU General Data Protection Regulation (GDPR), is that systems are secure by design.
The introduction of a requirement to expose data upon request may create compliance issues and increase the risk that additional information is exposed due to poor implementations.
If the bill is passed, providers will have the same concerns about complying with such requests as Apple did in the US in 2016.
No doubt there will also be many questions raised around privacy and compliance with other laws.
Hackers will likely begin targeting platforms of interest and, where a response to a technical capability notice has been poorly implemented, the risk of private information being exposed increases.
Law enforcement's need to access secured information of interest is important, but so is ensuring that personal information is protected to the maximum extent; truly, a double-edged sword.
Georg Thomas is National Security & Risk Manager, Corrs Chambers Westgarth.
Read our entire 2018 Ethics series:
Part 1: Artificial influencers
Part 2: Facial recognition unmasked
Part 3: When IoT goes wrong
Part 4: Who’s to blame for phishing breaches?
Part 5: Could encryption legislation increase risk of being hacked?
Part 6: Would you install a keylogger at your workplace?
Part 7: Do you abide by a professional code of ethics?