The Australian government has today proposed a new law which would require tech companies like Apple to give authorities access to encrypted data on receipt of a warrant. Failure to comply would leave the company liable to fines of up to A$10 million ($7.3 million), and potential jail time.
Apple does already comply with court orders demanding access to encrypted data where it has the means to do so and is satisfied that doing this is legal, but cannot do so for Messages and FaceTime …
These services use end-to-end encryption, meaning that only the recipient device holds the private key needed to decrypt the data. Although the data passes through Apple’s servers, Apple holds only the public keys, never the private ones, and would therefore be unable to provide access.
Apple doesn’t log the contents of messages or attachments, which are protected by end-to-end encryption so no one but the sender and receiver can access them. Apple can’t decrypt the data.
When a user turns on iMessage on a device, the device generates two pairs of keys for use with the service: an RSA 1280-bit key for encryption and an ECDSA 256-bit key on the NIST P-256 curve for signing. The private keys for both key pairs are saved in the device’s Keychain and the public keys are sent to Apple’s directory service (IDS), where they are associated with the user’s phone number or email address, along with the device’s APNs address.
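To make the key arrangement above concrete, here is an added example (not Apple’s code, and not a description of the real iMessage wire format) that models two devices, a directory holding only public keys, and a relay that forwards ciphertext. Each device generates the two key pairs the passage names (RSA 1280-bit for encryption, ECDSA P-256 for signing), registers the public halves under a constructed address, and keeps the private halves locally. The message is RSA-OAEP encrypted directly for brevity; a production protocol would wrap a symmetric key instead. The `Directory`, `Envelope` and `RelayCanRead` names are this example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device is a toy endpoint: one RSA key pair for encryption and one P-256
// ECDSA key pair for signing. The private halves never leave the struct
// (a real iPhone keeps them in the Keychain).
type Device struct {
	encPriv *rsa.PrivateKey
	sigPriv *ecdsa.PrivateKey
}

// PublicRecord is all a device publishes: its two public keys.
type PublicRecord struct {
	EncPub *rsa.PublicKey
	SigPub *ecdsa.PublicKey
}

// Directory stands in for the directory service and relay (assumed model):
// it maps an address to public keys and forwards envelopes, nothing more.
type Directory map[string]PublicRecord

// Envelope is what transits the relay: ciphertext plus a signature over it.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// NewDevice generates the key pairs with the sizes the page quotes.
func NewDevice() (*Device, error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 1280)
	if err != nil {
		return nil, err
	}
	sigPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{encPriv: encPriv, sigPriv: sigPriv}, nil
}

// Register publishes only the public keys under an address.
func (d *Device) Register(dir Directory, addr string) {
	dir[addr] = PublicRecord{EncPub: &d.encPriv.PublicKey, SigPub: &d.sigPriv.PublicKey}
}

// Send encrypts to the recipient's RSA public key and signs the ciphertext
// with the sender's ECDSA private key. Simplification: direct RSA-OAEP caps
// the message at 94 bytes for a 1280-bit key with SHA-256.
func (d *Device) Send(dir Directory, to string, msg []byte) (*Envelope, error) {
	rec, ok := dir[to]
	if !ok {
		return nil, errors.New("no public keys registered for " + to)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rec.EncPub, msg, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := ecdsa.SignASN1(rand.Reader, d.sigPriv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Receive verifies the sender's signature with the directory's public key,
// then decrypts with the recipient's own private key. A tampered envelope
// is rejected before any decryption is attempted.
func (d *Device) Receive(dir Directory, from string, env *Envelope) ([]byte, error) {
	rec, ok := dir[from]
	if !ok {
		return nil, errors.New("no public keys registered for " + from)
	}
	digest := sha256.Sum256(env.Ciphertext)
	if !ecdsa.VerifyASN1(rec.SigPub, digest[:], env.Signature) {
		return nil, errors.New("signature check failed: envelope altered or forged")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, d.encPriv, env.Ciphertext, nil)
}

// RelayCanRead shows the operator's position: it holds the envelope and every
// public key but no private key, so even with a key of its own the ciphertext
// does not open. A demand served on the relay yields ciphertext only.
func RelayCanRead(env *Envelope) bool {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 1280)
	if err != nil {
		return false
	}
	_, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, operatorKey, env.Ciphertext, nil)
	return err == nil
}

func main() {
	dir := Directory{}
	alice, _ := NewDevice()
	bob, _ := NewDevice()
	alice.Register(dir, "alice@example.com") // constructed addresses
	bob.Register(dir, "bob@example.com")
	env, _ := alice.Send(dir, "bob@example.com", []byte("meet at 5"))
	pt, err := bob.Receive(dir, "alice@example.com", env)
	fmt.Printf("recipient decrypts: %q (err=%v)\n", pt, err)
	fmt.Println("relay can read:", RelayCanRead(env))
}
```

The point the model makes is the one in the passage: because the directory stores public keys only, the relay can route and even verify signatures, but it cannot turn an envelope back into plaintext, and neither can a device that was not the addressee.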
Apple does have access to iCloud backups, however. These are encrypted, but not end-to-end, so the company does hold the key. iCloud backups give access to much of the data stored on an iPhone. Following the FBI battle, it has been suggested that Apple plans at some point to move to end-to-end encryption of iCloud backups so that it would be unable to access any data stored on the phone.
The Australian government – like other governments around the world – doesn’t appear to understand how end-to-end encryption works. Reuters reports that the Assistance and Access Bill 2018 would require access to messages.
“Our legislation for telecommunication intercepts, being able to access data, in order to investigate and prosecute criminal activity, with a warrant, is no longer fit for purpose,” Angus Taylor, the minister for law enforcement and cybersecurity, told Reuters.
“Whether it’s pedophiles or terrorists or drug dealers, it makes sure we have legislation fit for purpose in a modern era,” he added, referring to the proposed measure.
The government first touted the idea of this legislation back in June.
One cybersecurity expert at the University of New South Wales in Canberra has said the measure speaks to ‘chaos and confusion’ in the Australian government.