The Turnbull government has pinpointed specific methods by which tech companies would be expected to reveal encrypted messages despite claiming firms would be left to find solutions, a freedom of information request has revealed.
Responding to an FOI request submitted by Crikey in July, the Attorney-General’s Department identified documents outlining “specific methods and capabilities” firms would be obliged to use to turn over the contents of encrypted communications to law enforcement.
However, the department refused to release the documents, even in redacted form, citing exemptions for national security, cabinet papers and deliberations between agencies.
“While I consider disclosure of this material would serve a general public interest in matters relating to telecommunications security and encryption, my opinion is that the public interest against disclosure outweighs the public interest for disclosure,” AGD assistant secretary Daniel Abraham said.
The response appears to be at odds with Prime Minister Malcolm Turnbull’s insistence that the government would leave it to services such as WhatsApp and Signal to work out exactly how to co-operate with authorities investigating suspected terrorism and other criminality.
Speaking in London in July, the prime minister said that messaging services “must ensure that these dark places can be illuminated by the law so that the freedoms you hold dear will not be stripped away by criminals your technologies have made undetectable”.
But when it came to exactly how they would do so, he added, “the ball is in your court”.
According to the government, about 90% of ASIO’s highest-priority cases are now affected by encryption in some way.
The FOI response to Crikey, however, reignites questions about how exactly the government could go about accessing communications that providers in Silicon Valley and elsewhere insist they can’t view themselves.
“The simple mechanics of this style of encryption means that they literally can’t compel the likes of WhatsApp or Apple to disclose what those messages are,” cybersecurity expert Troy Hunt told Crikey. “They just do not have access to them.”
The government has repeatedly insisted it is not demanding a so-called “backdoor” into encrypted messaging services that could be exploited by hackers and governments alike. But this attempt at clarification has done little to resolve confusion about what the government actually is planning, or the perception that it’s not actually sure itself.
Hunt said it was possible the government was trying to distinguish between inserting vulnerabilities into popular services, and demanding that providers retake possession of messages sent by their customers — which would be the effective end of end-to-end encryption.
“Because that’s really the only way it happens and whether you call it a backdoor or not is almost semantic,” he said.
Hunt added that the most feasible of the options possibly under consideration by the government would not actually touch on messaging services, but the devices on which they were used. By secretly accessing smartphones and computers, a capability already available to law enforcement, authorities would bypass both the technical challenges of trying to beat encryption and the resistance of messaging services.
“So maybe it then becomes more of a discussion with Apple, Google, Samsung about how do we access messages on devices,” Hunt said, “as opposed to how do we try to get them while they are flying across the air.”