23 February 2022
The future of assistance to law enforcement in an end-to-end encrypted world
By Tom Uren
Domestic telecommunications companies assist law enforcement by the lawful interception of otherwise private communications when presented with a valid warrant.
This has been a powerful tool to combat crime. In the 2019–20 financial year, for example, 3,677 new warrants for telecommunications interception were issued, and information gained through interception warrants was used in 2,685 arrests, 5,219 prosecutions and 2,652 convictions. That was in the context of 43,189 custodial sentences in the same year.
But law enforcement and security officials assert that the usefulness of ‘exceptional access’, as it’s called in this paper, has declined over time as strong encryption has become increasingly common.
Australian Security Intelligence Organisation (ASIO) Director-General Michael Burgess has stated that encryption ‘damages intelligence coverage’ in 97% of ASIO’s priority counter-intelligence cases.
The problem of increasingly powerful encryption degrading the usefulness of exceptional access is often referred to as ‘going dark’.
The Australian Government has committed to the reform of Australia’s electronic surveillance legislative framework. Although its discussion paper mentions encryption only in passing, we can expect that encryption and going dark will be a topic of debate as reform is considered. This paper contributes to that debate by examining how firms that provide digital communications services can provide assistance to law enforcement even as strong encryption is increasingly common.
Although exceptional access is primarily concerned with evidence collection, in some cases it may be better to focus on crime prevention to achieve society’s broader aim of safety and security. This may be especially true for serious offences that cause significant harms to individuals, such as child exploitation and terrorism.
Accordingly, in this paper I divide assistance to law enforcement into two broad types:
- Building communications services so that criminal harm and abuse that occur on the service can be detected and addressed, or don’t even occur in the first place. Examples of harms that might be avoided include cyberbullying or child exploitation that occur online.
- Assisting law enforcement with exceptional access for crimes that are unrelated to the communications service. Examples of such crimes might include an encrypted messaging service being used to organise drug smuggling or corruption.
I start by exploring the justification for exceptional access and then examine how encryption has affected assistance to law enforcement, as well as the differences between transport encryption and end-to-end (E2E) encryption and the implications those differences have for law enforcement.
I examine encryption trends and discuss the costs and benefits of exceptional access schemes.
I then examine some of the approaches that can be used by service providers to provide these two different forms of assistance as E2E encryption becomes increasingly common. I also summarise some of the advantages and disadvantages of those different approaches.
A number of initiatives seek to embed safety and security into the design, development and deployment of services. They encourage industry to take a proactive and preventive approach to user safety and seek to balance and effectively manage privacy, safety and security requirements. Those initiatives have relatively few big-picture privacy or security drawbacks, but there are many issues on which there isn’t yet consensus on how to design platforms safely. Such initiatives may also need extensive resources for employee trust and safety teams.
Providing law enforcement access to E2E encrypted systems is very challenging. Proposals that allow access bring with them some potentially significant risks that exceptional access mechanisms will be abused by malicious actors.