THE ROLE OF 

IN
AUSTRALIA


I I I

A MEMORANDUM
-
JANUARY 2018 -



  
   
   

 

   

 

The authors of this document are Lizzie O’Shea and
Elise Thomas, with support from Access Now and
assistance by Nathan White, Amie Stepanovich, and
the Access Now Policy Team.

Access Now defends and extends the digital rights of users at risk around
the world. By combining innovative policy, global advocacy, and direct
technical support, we fight for open and secure communications for all.
For more information, visit https://www.accessnow.org

 ENCRYPTION IN AUSTR ALIA   Executive Summary

EXECUTIVE SUMMARY

U Encryption is essential to Australia’s modern

digital society, economy, and cyber security,
and it is only effective if it is strong and robust.

U Strong encryption serves Australia’s national

interests by protecting governments,
communities, and the economy from criminal,
terrorist, and state-sponsored attacks.

U Encryption will only become more important for
protecting Australian interests as technology
advances in the coming decades.

U The government is proposing to weaken encryption

in the name of fighting terrorism, however this policy
would create more security risks than it addresses.

U There are other policy options for dealing with

terrorist use of digital technology that are more
urgent and effective than weakening encryption.

3

 ENCRYPTION IN AUSTRALIA   Background to the Current Debate About Encryption

BACKGROUND TO THE CURRENT DEBATE
ABOUT ENCRYPTION
Encryption is a method for ensuring communications
between two parties remain private from everyone else,
including the carrier. Even if an encrypted communication
is intercepted by a third party, it cannot be read by anyone
except the people who are authorised to decrypt it.
Encryption is a foundational tool for the proper functioning
of the digital society and economy, and is used in a wide
range of settings, including banking, public service
delivery, and communications systems.
At various times governments have attempted to regulate
encryption, with little success. Most recently in the UK,
the government has introduced the Investigatory Powers
Act, which requires technology companies to assist
the government to decrypt messages where technically
feasible. It is unclear what this provision means in practice
for companies and individuals that rely on encryption.
The act is still being implemented, so it has not yet been
possible to observe how it will be used.
Prime Minister Malcolm Turnbull has stated that his
government wants to introduce a method for intercepting
and reading encrypted messages. In July 2017, he discussed
giving law enforcement this power for the purposes
of keeping the public safe from terrorism. In that same
press conference, former-Attorney General George
Brandis argued that the government’s surveillance powers
needed to be brought up to date by requiring that technology
companies cooperate with law enforcement. Attorney
General Brandis indicated that this initiative is part of
Australia’s participation in the Five Eyes, and confirmed
the government’s commitment to intelligence sharing
with these partners.
It is not clear how the government plans to implement
these changes in law. This uncertainty suggests that
the government does not appreciate the complexity
of the issues involved. Approaches proposed or used
in other countries include outright prohibitions on
encryption, escrow of encryption keys, or limitations
on the strength of encryption. Each of these has been
demonstrated to have serious risks. Two of the most
commonly discussed options in Australia have been to
require technology companies to build a ‘backdoor’ to
allow direct government access, or, conversely, to obligate
companies to build into systems the capacity to decrypt

the messages and then hand the information over to the
government. Attorney General Brandis has indicated
that mandating a backdoor is not the government’s plan,
however he has also stated in June 2017 that ‘if there are
encryption keys then those encryption keys have to be put
at the disposal of authorities.’
The reactions from experts and commentators have
highlighted deep problems with the government’s
general plan. Academics have outlined the flaws from
an engineering perspective. ‘Decrypting terrorists’
communications without undermining the security of
everyone else sounds great,’ wrote academics from the
University of Melbourne, ‘but this is not an engineering plan
and every known attempt has failed.’ Built-in weaknesses
in encryption systems are not features that can be
exploited only by the government; they can also be used
by criminals and foreign enemies. Information about any
backdoor will be highly valuable, and a honeypot for
hackers, making it hard to keep safe. In July 2017, private
health insurer Bupa notified tens of thousands of their
customers that their private information had been leaked
by a rogue employee – demonstrating the immense
security risks facing institutions charged with protecting
data. Journalists have also pointed out that the proposal is
unlikely to be effective for its intended purpose: terrorists
can, and likely will, move to other communication channels
that have strong encryption. Civil society organisations
have argued that police already have significant powers
to investigate terrorism and this proposed extension of
surveillance capabilities has not been justified.
The government’s Digital Economy Strategy, Cyber
Security Strategy, and International Cyber Engagement
Strategy each confirm the importance of digital
technologies and cyber security for Australia in the years
ahead. Encryption is a crucial element of all cyber security
strategies. The purpose of this paper is to demonstrate that
encryption is essential to the digital society, and encryption
is only effective if it is robust. A system of encryption
with a back door is like a chain with a fatally weak link
– the strength of the entire system is compromised and
it is only a matter of time before it breaks, jeopardising
the safety of everyone who relies on it. This risk has
profound implications for systems and infrastructure
that we rely on for our daily lives.

4

 ENCRYPTION IN AUSTRALIA   Encryption Today

ENCRYPTION TODAY
Encryption plays a major role across many important
areas of Australian life, including national security
interests, the economy, and protecting the community,
individuals, service providers, and the private sector
from crime and other risks.

Encryption is essential to many
government activities
4 N AT I O N A L SEC U R I T Y
The integration of digital technology into almost all
government practices makes cyber security an essential
part of national security. The Australian Cyber Security
Centre (ACSC) notes that in 2017, all federal and state
government networks were ‘regularly targeted’ by actors
ranging from cybercriminals to state-sponsored
adversaries. Many states in our region are rapidly
developing their cyber capabilities for both defensive and
offensive purposes. The ACSC responded to 671 cyber
security incidents impacting government between
1 July 2016 and 30 June 2016. Encryption offers an
essential line of defence against such attacks.

look for softer targets to attack or disrupt, including
contractors and service providers. An attack on IT company
Deloitte may have allowed hackers to steal emails from
multiple US government departments. It has also been
recently revealed that Australian government contractors
have been successfully hacked and had large amounts of
data stolen. Defence and intelligence agencies, as well
as law enforcement, are especially likely to be targeted by
highly sophisticated and capable adversaries. Defending
information systems and deterring hackers requires strong
encryption at a range of levels, from major government
databases to personal devices of individual contractors.

4 E S SEN T I A L INF R A S T RU C T U R E
Operators of public infrastructure are also vulnerable.
In late 2016, a ransomware attack on the San Francisco
metro shut the ticketing system down for two days. A minor
computer glitch which stopped all trains across Melbourne
in July 2017, stranding thousands of passengers,
demonstrated how disruptive interference with these
systems could be. A deliberate and sustained attack on
major public transport systems, or the electricity grid as
has happened in Ukraine, could cause chaos in Australian
cities. These infrastructure systems are put at risk if they
are not protected by strong encryption.

4 G O V ER NMEN T DATA SE T S
Large government datasets, such as the MyGov system,
are highly tempting targets for malicious state actors and
cyber criminals. Earlier in 2017 it was discovered that
a hacker had infiltrated and stolen data from Medicare,
and was selling Australians’ personal information to
the highest bidder. Incidents such as this not only put
individuals at risk of crimes such as identity fraud, they
also damage the public’s trust in the government to keep
their data safe online. As various government bodies
continue to improve their digital services and consolidate
datasets, it is crucially important to protect these assets
using cyber security best practices, of which strong
encryption is one.

4 CONTR ACTORS AND SERVICE PROVIDERS
The range of potential targets is not limited to systems
directly operated by government. The ACSC has said that
as government defences improve, adversaries are likely to

Encryption is the lynchpin
of the modern financial system
4 B A NK IN G
The vast majority of the world’s money now exists only in
a digital format. Security is the key promise that banks
make to customers who deposit money with them. Banks
are obvious targets for cyber criminals, and ‘bank grade
security’ has become synonymous with best practice in
this field. Nonetheless, banks around the world have
fallen victim to hackers, with over a billion dollars stolen
in some cases. The increasing sophistication and ambition
of these modern bank robbers should serve as a warning
about the importance of supporting banks and financial
service providers to implement the strongest possible
cyber defences, including strong encryption.

5

 ENCRYPTION IN AUSTRALIA   Encryption Today

4 C A R D PAY MEN T S
Australians now make the majority of their purchases
digitally (using debit and credit cards) rather than paying
in cash. Encryption is central to card payments both
online and through point-of-sale machines such as
EFTPOS, because it protects sensitive customer data
like PINs from being stolen or intercepted. The Payment
Card Industry Security Standards Council, which includes
companies like Visa and MasterCard, requires anyone
processing card transactions to use strong encryption
under the Data Security Standards. These companies take
their responsibility to encrypt and protect customer data
extremely seriously. Accommodating a government policy
which undermines the strength of their encryption would
present a very challenging task for companies in the
payment card industry and the businesses that rely on it.

4 D I G I TA L C O MMER CE
The government’s Digital Economy Strategy estimates
that digital technologies could add up to $250 billion
to Australia’s GDP by 2025. In order for these benefits
to be realised, it is important that the technologies
which online businesses rely on are secure and align
with global standards. Poor cyber security practices
like weak encryption leave businesses vulnerable to
costly criminal attacks and stifle entrepreneurship in
Australia’s digital economy.

Encryption protects communications
and data sharing systems
4 IND I V ID UA L S
Data breaches, which lead to theft and exposure of the
data about individuals, can have significant personal,
professional, and legal ramifications. The hack
of ‘infidelity site’ Ashley Madison is just one example
in which leaked data impacted personal relationships,
damaged professional reputations, and exposed
individuals to risks such as identity theft. Consumers

rightfully expect that their personal data will be stored
securely, including through the use of strong encryption.
Encryption protects messages between individuals where
they would have a reasonable expectation of privacy, but
the issue is much larger than personal communications.
For example, the recent leak from credit reporting agency
Equifax has exposed at least 143 million people to the
risk of identity theft and other crimes. Consumers have
a reasonable expectation that messaging platforms and
storage systems for personal data will be kept secure,
including through the use of strong encryption.

4 CR I T I C A L SER V I CE S
Critically important service providers such as hospitals rely
on complex information technology systems for sharing
data about patients and services. They are regular targets
of cybercriminals. The WannaCry attack in May 2017 hit 16
UK hospitals, preventing them from accessing their patient
data system and leading to cancelled surgeries, diversion
of ambulances, and widespread disruption of medical
services. Protecting the ongoing operation of hospitals
and other vital services is a top priority and demands
the strongest defences technology can provide.

4 P R I VAT E SEC T O R
Private sector professionals and businesses with access
to sensitive or commercially valuable information
are prime targets for commercial espionage by both
local and international hackers. Small businesses are
also vulnerable, and it has been reported that 59% of
Australian businesses recorded cyber security breaches
in 2016. A report by IBM and the Ponemon Institute found
that the average total cost to an Australian business
which suffered a data breach in 2017 was $2.51 million.
The report found that malicious attacks are the most
common cause of data breaches. Motivations for attacks
on the Australian private sector range from international
espionage to intellectual property theft, according to
former head of the U.S. CIA Bill Hayden. Supporting
businesses and ensuring that Australia’s private sector
remains globally competitive must include allowing access
to the best possible defences against criminal attacks.

6

 ENCRYPTION IN AUSTRALIA   Encryption Tomorrow

ENCRYPTION TOMORROW
The rapid pace of technological advancement means
that laws made today – which may remain in force for
years or decades to come – must consider not only
the present situation but also the foreseeable future.
As technology becomes ever more deeply embedded
into Australia’s economy, society, and national security,
encryption will only become more critical to the protection
of Australian interests.

Encryption is needed to create
a modern, competitive economy
Australian companies must be able to protect themselves
against crime and, in turn, attract international investment.
This requires that businesses use the highest possible
standards in cybersecurity. New financial technologies
such as the blockchain and cryptocurrencies as well as
the growth in other technology industries will only increase
the need for encryption. If development in encryption
is limited, companies deploying these technologies will
likely look elsewhere rather than invest in Australia.
Undermining encryption would put Australia at a
competitive disadvantage against other nations as their
cyber defences continue to improve.

Encryption is needed to prevent crime
and enable law enforcement
The frequency, seriousness, and sophistication of
cybercrime will grow in the coming decades. Strong
encryption is necessary to help keep the public safe from
both new kinds of crime, and traditional crimes aided by
new technology. It will also be needed by law enforcement
and intelligence agencies to defend themselves and
the public against criminal, terrorist, or state-sponsored
adversaries. As more data are collected and stored by
police, security, and intelligence agencies, the digital
assets and networks of these agencies will increasingly
come under threat from outside attackers. Protecting
the integrity of policing and intelligence systems is
crucially important for the safety of all Australians.

Encryption is needed for a safe,
prosperous modern society
The Internet of Things, smart cities, autonomous vehicles,
and a host of other exciting new technologies will play
a major role in Australian life over the coming decades.
In order for Australians to enjoy the benefits of these
new technologies, it is important to also guard against
the risks. Other countries, like China, are responding to
modern challenges by investing in quantum cryptography.
Australians deserve and expect protections of the highest
international standard to keep our communities safe in the
years to come.

7

 ENCRYPTION IN AUSTRALIA   Solving Problems Without Undermining Security

SOLVING PROBLEMS
WITHOUT UNDERMINING SECURITY
The Turnbull government has expressed concern about
terrorists using encryption to evade surveillance, but
this concern misses some important considerations.
The case for weakening encryption has not been made
out, especially in a context in which so many everyday
digital activities would be put at risk.

Weakening encryption will create more vulnerabilities
that can be exploited by criminals.
By aiming to weaken encryption, the government
will create more national security problems than it
addresses. The government has not made public its
plans for storing and protecting the information that it
will gather as part of building and using a backdoor or
other tool to bypass or limit encryption. Such valuable
information will be enticing to criminals. Consider that
recently the US Securities and Exchange Commission
disclosed that its central database was hacked, with
the information possibly used for insider trading
purposes. The government has not demonstrated that
it is prepared for similar such assaults.

Law enforcement and intelligence service already
have immense powers and capacity for surveillance.
This includes a mass data retention regime that is very
similar to a proposal rejected by the European Court
of Justice as being unnecessary and disproportionate.
This also includes powers to compel the production
of private encryption keys and passwords, as well
as powers to access computer infrastructure and
endpoints. The problem is not that law enforcement and
intelligence agencies lack surveillance powers.

There are clearly other, much larger problems that
are being encountered by law enforcement tackling
terrorism than access to encrypted communications.
Criminal investigations are currently being delayed by
months and even years as police struggle to find the right
expertise for examining information stored on devices.
Arguably, the more urgent priority is training of digital
forensic and cyber-crime specialists, and supporting
them to work in law enforcement.

The government should focus on the reform of Mutual
Legal Assistance Treaties (MLATs) instead of weakening
encryption to improve law enforcement process
MLATs between Australia and other countries include
arrangements for information sharing for law enforcement
purposes. These processes tend to be slow, opaque,
and inefficient. Reform of MLATs is an urgent priority
to ensure that intelligence is shared in a timely and
effective manner. It would allow intelligence agencies
to make better use of evidence they already have, rather
than encourage them to seek access to evidence they do
not yet have (like encrypted messages). The reform
of MLATs ought to be a focus of the government.
The government’s job is to develop policies that protect
national security without endangering public safety and
economic interests. The focus on weakening encryption
does not meet these requirements.

8

 ENCRYPTION IN AUSTRALIA   Conclusion

CONCLUSION
Strong encryption protects Australian interests and
keeps ordinary Australians safe. It serves the interests
of anybody who uses internet banking, shops online,
relies on modern public services, and expects their
personal information to be kept private. Weakening
encryption creates risks to the safety of everyone,
as well as businesses and public service providers.
It also sets Australia back relative to our global
competitors. Policies that undermine strong
encryption create more problems than they solve, and it
is critical that legislators and decision makers consider
the consequences before it is too late.

9