Australia’s big encryption-busting laws have done little more than give authorities the power to ask nicely
There was much fanfare in late 2018 when Australia passed world-leading legislation to help law enforcement and spy agencies break encryption.
As communications increasingly moved into platforms that are endto-end encrypted, including Signal, WhatsApp and Meta’s other apps including Messenger, authorities were losing track of criminals and spies who were “going dark”.
The new bill would provide powers for agencies to first ask tech companies to help them break encryption or, if that failed, use compulsory powers to require them to assist or even to build new capability to do so.
Australian agencies could gain powers such as to send push notifications to criminal suspects, disguised as software updates, that instead installed key-logging software to enable them to see, keystroke by keystroke, what users type into a message.
Sign up for Guardian Australia’s free morning and afternoon email newsletters for your daily news roundup
The spy agency Asio said the bill was urgent and Labor, then in opposition, waved it through.
Knowing that agencies were armed with this huge arsenal made it especially odd to see Reece Kershaw, the head of the Australian federal police, and Mike Burgess, the head of Asio, attend the National Press Club last Wednesday to politely ask for more cooperation from tech companies.
The truth is that many of the new powers have barely been used.
An increase in penalties to coerce suspects to unlock their phones was used immediately by agencies. Eventually they got the hang of the voluntary powers, issuing 66 technical assistance requests last financial year up from 30 the year before.
But as I noted in a question at the Press Club, on the latest publicly available data agencies have not been using the compulsory powers (technical assistance notices, and technical capability notices) at all. Zip, zilch, zero.
“I think you’ll see in this financial year a 100% increase on that zero,” Kershaw replied.
“I don’t want to go into details of that. But you know, it goes back to the tech companies, we just want what we currently have as far as that arrangement of them being able to share material and referrals to us that we can act on.
“So we don’t know what we’d need to request if it goes dark.”
After my note that 100% of zero is zero, Kershaw confirmed that the compulsory powers had now been used once.
Burgess said: “I’m not going to rule it out. Of course we’re here to ask for their help. We have good relationships with the companies. And I will use the law if I need to but I’m asking for their help.
“It’s the way they design things – we need their help.”
So it sounds as though despite having laws that create compulsory powers, agencies don’t know how or what to compel without voluntary assistance from social media companies. Much of the encryption bill would appear to be practically useless.
Burgess was very clear that he was not asking for new laws, powers or resources for Asio. “I am not asking the government to do anything. I am asking the tech companies to do more.”
It could not be clearer who the intended audience of the call to action was, but the Australian somehow concluded it was Anthony Albanese who needed to “log on” to fix online safety laws that “are outdated and not fit-forpurpose”.
Australia’s reflexive response to any national security or criminal threat is that new powers must be required.
It’s so hardwired that even when the cops and spooks said they weren’t using their existing powers and they don’t need new ones, some in the media concluded the exact opposite.
After the spread of misinformation about the identity of the Bondi Junction stabber and videos of the Wakeley church attack, the social licence of the social media companies is at low ebb.
The Albanese government has been keen to capitalise, using the attacks to argue for everything from passage of its misinformation bill to the social media companies coughing up some dough for traditional news media, rather than sidestepping the laws by removing news.
Why shouldn’t Kershaw and Burgess get in on the act, to jawbone social media companies to play ball on encryption?
Traditional media companies are happy to amplify these messages, and were already starting up a campaign against encryption helping paedophiles and drug dealers.
All of these developments are highly newsworthy: Elon Musk v eSafety commissioner, backbench revolt on Dutton’s green light for the misinformation bill, renewed pressure on social media companies.
But we can’t memory-hole the fact we’ve been here before on encryption.
Was it responsible for parliament to rush through laws that were so poorly understood? Do agencies need powers they barely use?
Watching Kershaw and Burgess I felt a sense of pathos. My image of an all-powerful security state reaching into suspects’ phones was replaced with something more anodyne.
After more than five years, agencies are armed with a law that is a paper tiger and can do little more than ask nicely.