New tech surveillance laws more a 'side gate' than 'back door' into Australian phones
New laws will be unveiled today aimed at helping the nation's spy agencies and police monitor and prevent criminal activity through phones and the internet.
The Federal Government reckons the current legislation is seriously out of date — it was drafted for a time when Australians would call each other on their home or office phone, and email was just a pipe dream.
Of course mobile phones are now all but an extension of someone's person, and the use of messaging apps is growing exponentially.
Police and security agencies are worried that criminals such as terrorists are planning attacks, and paedophiles are grooming children, without their communications being monitored.
"In the last 12 months, 200 cases have arisen where our investigations for serious crimes have been impacted by our inability to access that data under the existing legislation," Cyber Security Minister Angus Taylor says.
"So that means the risk here is that criminals, terrorists, paedophiles and drug smugglers are getting away with their crimes without us being able to hold them to account."
That's where these law changes come in. The Government says modernising the legislation will ensure criminals "have no place to hide".
So, is this a 'back door' for the cops to get into our phones?
The Government says no. It insists companies will not be asked to break encryption systems where they don't hold the "golden key".
"We believe encryption is absolutely crucial to protecting Australians. So the legislation explicitly excludes the potential for law enforcement to ask industry to create a weakness in their encryption systems."
There is a distinction between the encryption on messages people send to each other, and the encryption for shared services like cloud-based file sharing.
For example, Apple won't be forced to create a back door for iMessage, where the encryption key is different for every user.
But it does hold a single encryption key for its iCloud services — something the Government could request access to.
Think of it this way: if you use an app to send a message to your friend, it's encrypted as it travels between the two phones or devices.
When it arrives, it's decrypted for your friend to read.
Under the proposed changes, if law enforcement agencies have a valid search warrant to monitor your phone, they could read the decrypted message at the same time as your friend does.
And they could take copies of what they see, search the device for content and even delete items such as messages or photos if necessary.
Angus Taylor says this would only be possible under strict guidelines.
"Those crimes in the case of a computer access warrant must be serious. It's not any crime, it's got to be a serious crime. So it's three years' imprisonment or higher."
Maybe not a "back door", and more of a "side gate".
How does it work?
Agencies like ASIO or the Australian Federal Police will have the ability to request that telecommunication and tech companies help them with their investigations.
Such a request could range from something as basic as seeking information about how a messaging service or app works so agencies can tailor their approach to monitoring someone, to explicitly asking for access to an individual's online profile or message history.
Angus Taylor says tech and telecommunication companies could also be asked to help locate a suspected criminal.
"Where we need to track a suspected terrorist … we want access to GPS data. We can't track potential terrorists without knowing where they are. So that is going to be crucial information in a serious case," he says.
There are three different levels of requests. The first stage is voluntary: a "give us a hand"-type appeal.
The second stage is a compulsory request, where a company has to help out or face a fine of up to $10 million. Individuals would face a $50,000 fine.
The third stage is not only compulsory for a company or individual to abide by, but also means they may have to work to build their own systems to help monitor activity. In other words, if they don't know how or can't comply with the request, they have to work hard to meet the request.
It could be tricky trying to pursue some app developers or companies based in distant countries if they don't comply, but the Federal Government believes its allies around the world will have a decent level of cooperation on such issues.
How often would the Government make such a request of a company?
It's unclear whether, armed with these new powers, the Government and its law-enforcement agencies would begin flooding tech companies with requests for access to data.
Since 2013, the Australian Government has made 6,977 requests for data from Facebook, relating to 7,759 different users and accounts.
In response, Facebook provided some data to the authorities in about 67 per cent of those requests.