Democracies need to accept the mainstream adoption of end-to-end encryption in popular messaging and communications applications like WhatsApp, Signal, iMessage and, in the future according to Meta, Facebook Messenger.

End-to-end encryption, where only the sender and recipient can see the contents of a message, has been around for a long time for people who wish to keep their communications private. It gained particular traction after Edward Snowden’s revelations of mass government surveillance in 2013. Its value has since been consolidated globally as a necessary technical response to the perceived surveillance excesses of technology companies and governments alike and can help protect the safety and rights of people around the world to express themselves freely.

But some liberal democratic governments are pushing back against its adoption by mainstream instant-messaging platforms, going so far as to launch an emotive advertising campaign against it recently in the UK.

Broadly, the Australian government argues that law enforcement and intelligence agencies are finding it harder to obtain usable content directly from the platforms because the platforms cannot decrypt and see the encrypted communications that transit their systems.

While Australia, together with the other Five Eyes countries, along with India and Japan, have stated their support for strong encryption, in the same joint statement they also call for platforms to work with governments on technically feasible solutions to enable law enforcement (with appropriate legal authority) to have access to content in a readable and usable format. These two things are not mutually exclusive, except in when end-to-end encryption is being used. End-to-end encryption is specifically designed to prevent third parties from viewing the content of a communication, thus providing privacy to users.

There are other encryption architectures available for messaging systems, such as client-to-server encryption, but it is weak in terms of privacy because a third party with access to the server can read all communications. This is the architecture used in services such as WeChat, and previously in Zoom.

The seven countries have also argued that the move to implement end-to-end encryption would threaten the current practice of platforms without it to continue to proactively identify photos and videos for known child sexual abuse material and report it to authorities.

The problem is that, whether it’s liberal democratic governments monitoring communications for child sexual abuse material or authoritarian governments monitoring for what they deem politically sensitive content, both require decrypting communications (either on the device or on the server) to analyse for ‘harmful’ or ‘illegal’ content, resulting in a third party (and unintended recipient) accessing the encrypted content.

Unfortunately, as we’ve seen with other restrictions in freedom of expression online by liberal democracies, authoritarian countries will use Western examples when enacting their own policies to police content online. Western countries will be hard pressed to criticise those that censor political content if they themselves don’t support an environment in which strong encryption is the norm.

Fundamentally, any access by law enforcement to communications is an intrusion of privacy. Any liberal democratic government with that power needs to have and maintain the trust of its citizens. Even if the current government is trusted, future governments may not be. And given that there are cases in Australia alone of authorities using capabilities, powers and data in unexpected ways, there is cause for concern.

Technology companies also have a role to play. They have responsibilities to protect vulnerable users of their platforms, prevent their platforms from being used to facilitate crimes and harmful activities, and help law enforcement (with lawful requests). Together with governments, they should seek solutions that do not demonise or affect the integrity of end-to-end encryption.

Law enforcement doesn’t necessarily need unencrypted content to prosecute a crime. Metadata, which provides information about the communication, can be used to generate leads. But content makes gathering evidence to even obtain a warrant significantly easier.

As Tom Uren writes in his recent ASPI report, The future of assistance to law enforcement in an end-to-end encrypted world, there are options available to protect children using social media from harm. Platforms can use metadata and behavioural analysis to sound the alert when, for example, an adult is contacting multiple children that they haven’t had prior contact with. They can educate and encourage children and parents to report suspicious content, which could provide unencrypted content for the platforms to analyse. Perhaps messages to and from children might not use end-to-end encryption by default.

Law enforcement agencies seeking access to evidence for a crime still have a wide array of tools in their belts. Police can access metadata from social media companies about users’ accounts or from service providers in Australia (such as ISPs) that are required to store certain metadata for two years. Australian law enforcement can take over social media accounts or apply for computer access warrants to obtain evidence from devices on which data is usually unencrypted. These investigative techniques are more challenging and can’t necessarily be done at scale.

End-to-end encryption, especially in combination with anonymising software and the growing complexity of modern internet networks, which includes a move towards a decentralised Web 3.0, does make the job of online policing more difficult.

We need to find a middle ground. There is a nuanced debate to be had about how users of online services can be protected both by law enforcement and by platforms, while at the same time governments ensure that the right to privacy, enforced with strong encryption, is not dismissed easily.

Encrypted messaging has become a very difficult business. Despite their reach, it’s hard to make money from messaging apps. And their key service—encryption—is under constant attack from actors across the political spectrum.

Authoritarian governments are furious because citizens are using encrypted messaging to organise dissent. In democratic countries, law enforcement agencies hate the way it facilitates criminal behavior of all kinds.

And democratically minded publics are incensed because right-wing extremists on the fringe and in the mainstream have used it to spread disinformation, to subvert elections and to organise political violence and radicalise others.

On top of that, elected politicians are increasingly addicted to using it for policy discussions and reporting, undermining basic democratic transparency and accountability.

Services like WhatsApp, Signal and Telegram are deeply entangled in high-stakes political struggles globally over fundamental rights such privacy and peaceful dissent, legitimate law enforcement imperatives, rising authoritarianism, and the existential threats to democracies from disinformation—all happening in the increasingly vulnerable and dangerous realm of cyberspace.

At the same time, encrypted messaging services are enormously popular. At least half the world’s people have at least one encrypted messaging app on their phones. Of these, WhatsApp has by far the greatest reach, used by about 90% of people in most countries.

In an interview with the director of ASPI’s International Cyber Policy Centre, Fergus Hanson, WhatsApp CEO Will Cathcart outlined his approach to navigating hazardous political waters.

Since taking over the top job at WhatsApp in 2019, Cathcart has built a reputation as a strong advocate for encrypted messaging as a service essential to protecting against threats to privacy, democracy and cybersecurity.

Under his leadership, the company has mounted high-profile challenges in India and Brazil against government attempts to pry open the service to enable surveillance of messaging.

WhatsApp has targeted companies that assist state surveillance. In 2019, it initiated a suit in a US federal court against Israeli tech company NSO Group. The suit alleged that NSO had developed its Pegasus spyware to penetrate encrypted messaging services, helping Mexico, Saudi Arabia, the United Arab Emirates, Bahrain, Morocco and Kazakhstan target journalists, academics and civil society activists. The case is still working its way through the US justice system.

‘This is about the fight for a secure internet,’ Cathcart says.

In his conversation with ASPI, Cathcart talked about WhatsApp’s origins. One of the company’s founders, Jan Koum, was born in the Soviet Union. Scarred by the experience of totalitarianism, he held a deep-seated belief that human beings need to be able to talk to someone in private without someone listening in.

‘Privacy, democratic values are in our DNA,’ Cathcart explains.

That DNA will be tested even further in coming years as WhatsApp attempts to enter more markets in places with varying levels of democracy. In response to a question about the service’s future in Hong Kong, Cathcart acknowledged that ‘we run the risk of being blocked everywhere we operate’.

But he goes on to say that the issue is bigger than tech companies. They can’t fight the problem of authoritarianism on their own and be profitable in a sector that demands global scalability to remain in business.

Rather, democratic governments need to be thinking about how to ‘commandeer tech companies in the fight to spread liberal values’. Partnering more closely with tech companies on combating disinformation and introducing regulation to bake more privacy into digital technologies are some of the approaches suggested by Cathcart.

WhatsApp made news this year by launching a lawsuit against the Indian government in India’s supreme court on constitutional grounds.

‘What the Indian government wants,’ explains Cathcart, ‘is traceability. But we’re arguing that this is inconsistent with the privacy guarantees in the Indian constitution.’

WhatsApp contends that the Indian authorities are asking it to break its end-to-end encryption. The Indian government denies this, but experts support WhatsApp’s assessment.

When asked what response he expects from the Indian government, he says that WhatsApp could be blocked just like it was in Brazil. In 2015–16, the service was blocked three times and a Facebook executive jailed, although those actions were later overturned by an appellate court decision which ruled that end-to-end encryption was important for human rights in the country.

Since then, Brazil has enacted a general data protection law and an internet bill of rights that provide a more coherent legal framework for the preservation of encrypted messaging.

WhatsApp’s case against India is happening against a backdrop of increasingly authoritarian moves by the Modi government to control information. However, the Indian government has argued that it is only following international precedent like Australia’s anti-encryption laws.

Still, Cathcart hopes that WhatsApp can remain part of India’s growth story. In fact, India is WhatsApp’s largest market, with 400 million users.

This points to a fundamental tension that Cathcart has to manage. Encrypted messaging services don’t make profits on their own. WhatsApp competitor Signal—started by WhatsApp founder Brian Acton—operates as a not-for-profit. Telegram has raised operating funds through initial coin offerings and its own cryptocurrency, and CEO Pavel Durov has said that it won’t allow ads or sell user data to raise revenue. But, basically, both of these services rely on billionaire subsidies.

Cathcart admits that WhatsApp also has yet to make a profit, but hopes to through a mixture of business services, advertising and financial services.

For the business sector, WhatsApp’s plans include offering direct business-to-customer messaging and business-to-customer services, like getting a boarding pass delivered via WhatsApp.

Advertising initiatives include offering businesses ways to find new customers through ads on Facebook and Instagram, which could be counted as revenue for WhatsApp.

The company also will market financial services like digital banking and money transfers in emerging markets where both literacy and underbanking are widespread problems.

But if the Indian court battle doesn’t go WhatsApp’s way, a big chunk of the company’s future revenue will be in doubt. And if WhatsApp decides acquiesce to the Indian government’s position, that might irrevocably damage trust in the brand’s privacy DNA, which is already shaky due to perceptions of data-sharing with Facebook.

Cathcart insists there’s a middle path here—that it’s possible both to have secure encryption for users and to assist law enforcement. He says the company is more than willing to work with law enforcement if it’s done through proper legal channels in accordance with human rights standards.

As an example, Cathcart says that WhatsApp doesn’t see individual messages, but it has a reporting mechanism for users to report suspicious activity. Content moderators can look at some metadata, group names and patterns of behaviour that might be indicative of criminal and inauthentic activity. They’ve also added a Google button to encourage users to factcheck information.

Another avenue for countering misinformation and disinformation is through changing the design of the product. One change that WhatsApp made in 2018 after vigilante killings in India was to adjust the forwarding settings so that content could only be forwarded once, limiting the speed at which harmful messages could be spread. But presumably this also works to limit pro-democracy messaging too.

Cathcart says these measures have seen large decreases in forwarding across the WhatsApp system. He also points to the company’s recent partnering with Brazil’s election systems, on things like factchecking and shutting down fake accounts. Again, working with governments is key, says Cathcart, as are government-run public awareness campaigns on disinformation.

But his broader message for law enforcement is that encryption protects the internet. Just like in physical spaces, there should be a limit to how much law enforcement can do in cyberspace to solve crimes. For example, in an age of increasingly smart homes, police shouldn’t be able to get into your living room whenever they want; a warrant should be required, like it is in the physical world. Breaking encryption might help solve some crimes, but it will make us less safe overall.

Yesterday the government and opposition came to an agreement to pass the Assistance and Access Bill 2018 just before parliament rises. The bill rocketed towards the top of the political agenda when the government demanded that the opposition allow it to pass this week—the final parliamentary sitting week of the year. Labor reportedly secured assurances from the government that the committee reviewing the bill (the Parliamentary Joint Committee on Intelligence and Security) will continue to do so into next year, that the bill’s powers will be limited to serious offences and given more oversight, and that the term ‘systemic weakness’ will be defined in the final legislation.

Before the deal was reached, industry input had spurred even Aunty to generate tabloid-esque headlines like this: ‘Encryption bill could have “catastrophic” outcomes for Australian business, industry leaders warn’.

In this potion of perspectives, there’s been a lot of misperception and exaggeration. The bill’s unofficial title—‘the encryption bill’—is itself a misnomer. The draft legislation explicitly rules out trying to stop end-to-end encryption. But beneath the fire and fury there is a balance we need to rediscover.

Intelligence chiefs have lined up to explain the problems caused by going dark (the inability to access suspected criminals’ communications because of the growing ubiquity of encryption on everyday devices). ASIO Director-General Duncan Lewis told the committee, ‘I anticipate ASIO would immediately use this legislation if it were available.’ And the head of the Australian Criminal Intelligence Commission, Mike Phelan, has argued that a ‘holistic package’ is the only way forward and that there’s no option of picking and choosing. These are serious people with a strong commitment to serving the national interest.

Balanced against the need to address these concerns is the need to get this bill right. It is not a simple piece of legislation. Several questions require further consideration—like the appropriate authorisations for the different types of requests that can be made, definitional clarity, implications for Australian exporters and the oversight regime. Considerable effort is needed to sharply distinguish (and communicate) the reach of this law and the protections it provides from the practices of states whose overreach we reject.

In the UK, a somewhat similar law (the Investigatory Powers Act 2016—an admittedly much broader piece of legislation) took a year to navigate its way through parliament. The Assistance and Access Bill was introduced into parliament just two and half months ago, or a period of 16 sitting days for the House of Representatives. Hardly an inordinate period of review.

The urgency of passing these laws does need some context. Other similar countries (with the exception of the UK) don’t have similar powers, so the Australian legislation is attracting a lot of attention from multinational companies which are anticipating that other countries will follow Australia’s lead. There are also considerable wait times before the bill’s most far-reaching provisions can be exercised. Before a technical capability notice—which could include compelling a communications provider to develop a way for authorities to access a person’s data—can be issued, the government must first engage in a minimum 28-day consultation period (section 317W), although this can be waived in limited circumstances. The notice can then be appealed, and there’s the time required to actually build the capability. Elements of the bill like this are not quick fixes to the ‘going dark’ problem.

Australia has a strong history of bipartisanship on national security issues and is much stronger for it. It is good that this tradition has been able to hold, if only just, during this debate and a pathway has been found for ongoing review. Given the many issues that still require addressing, further scrutiny will be a good thing.

After a few false starts, the government has released its promised legislation to address the ‘going dark’ problem caused by encryption—something that affects more than 90% of the data lawfully intercepted by the Australian Federal Police.

Despite much speculation that it might attempt to destroy end-to-end-encryption, the Telecommunications and Other Legislation Amendment (Assistance and Access Bill) 2018 goes out of its way to make clear that it will do no such thing. The draft bill explicitly states that no measure can be taken that requires a designated communications provider to build ‘a systemic weakness, or a systemic vulnerability’ (section 317ZG). The key word here is ‘systemic’: instead of aiming to create systemic vulnerabilities, the bill seeks to facilitate tailored access and the creation of ‘alternative-collection capabilities’.

Reading the draft bill, you get the impression that it has benefited from a long consultation process with industry. But, as discussions that ASPI’s International Cyber Policy Centre has held with the major tech firms, the government, and privacy and encryption experts have revealed, there are a lot of varying views on this issue and the bill will still meet with resistance.

The bill is long and detailed, but here are a few of the key changes it ushers in.

Section 317C brings into the Telecommunications Act’s remit a broad array of companies and individuals under the banner of ‘designated communications providers’. This includes ‘the full range of participants in the global communications supply chain, from carriers to over-the-top messaging service providers’. The category also includes providers of an ‘electronic service’, which is broadly defined to capture ‘a range of existing and future technologies, including hardware and software’ (section 317D).

Part 15 creates three tools for requesting and compelling assistance from designated communications providers. One is voluntary (a technical assistance request) and two are compulsory (a technical assistance notice and a technical capability notice). Both compulsory requests must meet a test of being reasonable, proportionate, practicable and technically feasible.

A technical assistance notice compels a provider to cooperate if it has the capability to do so—for example, to decrypt messages if it already has that capability.

A technical capability notice, by contrast, compels a provider that doesn’t yet have a capability to enable it to assist, to develop one. As the accompanying explanatory document notes: ‘The things specified in technical capability notices may require significant investment.’ This is likely to be the most controversial provision of the bill for many of the big tech firms.

The terrain that the three types of notices can cover is broad (section 317E). One provision that’s likely to be especially controversial is the potential for companies to be asked or compelled to hand over source code (section 317E(1)(b)), subject to a test of whether it’s reasonable and proportionate.

The legislation anticipates that companies, in most cases, will cooperate; however, penalties have been added as an inducement. Companies that don’t comply face fines of up to $10 million and individuals can be fined up to $50,000 for each case of non-compliance. It also increases the penalties in the Crimes Act for those who refuse a lawful request to provide access to a device (for example, their password or fingerprint). The penalty increases from a maximum of six months’ or  two years’ imprisonment to a maximum of five years’  or 10 years’ imprisonment, depending on the seriousness of the crime being investigated.

Many would regard the government’s starting premise as reasonable—that provided a compelling public need exists (as demonstrated by a warrant) governments should be able to compel access to otherwise private information. In this new technological age, a broad range of organisations should help provide that access in the same way traditional telcos have been for a long time. The trick, of course, is in the execution.

The tech companies have been rightly concerned about any attempt to create systemic vulnerabilities or remove encryption. In the wake of the Snowden affair, when brand reputation depends on keeping an arm’s-length relationship with government, many of the tech companies will be loath to appear too close to any government and concerned about any precedents that might be set in a broader international context. Handing over source code, for example, might be one area where some companies draw a line, concerned about the implications in other more authoritarian jurisdictions where that information could be used to cause harm or intellectual property theft.

Some companies might also try to game the law. As drafted, the safeguards that require requests to be reasonable, proportionate, practicable and technically feasible could encourage some companies to secure data in a way that makes it impracticable for them to assist, even if they’re compelled to do so. Companies like Apple already encrypt communications in such a way that they claim they themselves can’t decrypt. Over time, areas where opportunities for assistance exist could be gradually closed off in a similar manner.

This bill is a long way from the one outlined in early reporting last year that claimed encryption would be broken. While it contains provisions that will no doubt receive pushback over the coming weeks, it’s a more nuanced response than reports suggested.

In June, Andrew Davies produced a pair of Strategist pieces (see here and here) on the encryption challenge to security, in the process succinctly explaining why our telecommunications intercept (TI) capability is ‘going dark’. Andrew’s second contribution paints a rather bleak picture of the future of this collection capability: ‘[T]he access to data through lawful intercept that our security agencies once enjoyed will never be possible again.’ The loss of TI effectiveness will hit the Australian law enforcement community particularly hard: it’s the fundamental building block for complex investigations. Before considering what ought to be done, it’s worth examining how an over-reliance on TI has shaped contemporary police thinking.

A number of dated assumptions underpin the Telecommunications (Interception and Access) Act 1979. While Andrew’s first instalment provided some insight into the prevailing technological conditions of the day, I’d argue that authorities at the time had also assumed the following:

• The Australian government had a technological edge over the private sector and could arguably adopt technology rapidly (at least by the standards of the day) to any foreseeable change in the operating environment. However, that’s no longer the case.
• Many Australians trusted their government to self-regulate its use of intrusive powers.
• The government would maintain its monopoly control over the telecommunications industry. Deregulation and privatisation have, for better or worse, dramatically changed that arrangement.
• Law enforcement’s physical access to telephone communications was a relatively simple affair—a point made particularly clear by Andrew.

While successive governments have tinkered with the Telecommunications (Interception and Access) Act, they have at various stages failed to engage with the seismic paradigm shifts that have occurred.

Since 1979, we all got phones in our houses, and later in our pockets, while law enforcement got an effective and efficient intelligence collection capability. That capability offered police officers direct access to the most private of conversations between alleged offenders.

From 1979 until the 11 September 2001 terror attacks, Australia’s law enforcement agencies experienced significant pressures from governments to reduce expenditure. With cost-effective access to TI material a given, successive police commissioners found savings in the degradation of undercover and human intelligence capabilities. A series of high-profile inquiries into Australian police services in the 1980s and 1990s hastened that degradation: allowing police officers to engage with criminals became an unacceptable risk.

In an intelligence collection management sense, TI became so effective that many of the most basic principles of intelligence collection management were discarded in the law enforcement domain. Long-held principles, such as redundancy in collection efforts, in which more than one collection asset is tasked to ensure that information can be confirmed, were abandoned.

Until recently, no Australian law enforcement agency seemed to believe that going dark was possible. However, Andrew’s recent work reveals that we’re unlikely to be able to legislate our way out of the problem.

I struggled to find a contemporary and comparative going-dark case study until I reflected on the intelligence collection challenge of the ADF’s 1993 deployment to Somalia. Ready for contemporary operations, the ADF deployed tactical signals intelligence capabilities to Somalia to support the operations of a battalion group. With precious few transmissions to intercept, the battalion intelligence collection went dark. In response, it rapidly established human source capabilities in the field. Over the years since that deployment, the ADF has developed a robust human intelligence collection capability that augments technical collection capabilities and provides protection against going dark.

With that vignette in mind, perhaps an alternative approach to going dark might be found in intelligence and investigations tradecraft.

Collection management is an often overlooked, yet critical, component of any successful intelligence endeavour. For law enforcement agencies, greater emphasis needs to be placed on adequately developing intelligence professionals who can approach the problem of collecting intelligence and evidence in an imaginative manner, using a combination of intelligence disciplines. There can be no doubt that in the emerging law enforcement operating environment the collection of evidence and information will be riskier and more difficult. But there appear to be few other options.

While collection management will provide a roadmap for where to go next, the loss of TIs will necessitate greater investment in alternative collection disciplines, which will be costly. At the very least, physical surveillance and undercover and human source capabilities will become increasingly important in our future TI-dark world.

While we may not be able to decrypt communications, we shouldn’t turn our back on technical intelligence or the exploitation of the electromagnetic spectrum. Through the study of communications using tried and tested techniques such as traffic analysis, intelligence value can still be drawn from identifying communication patterns.

TIs have provided police and intelligence agencies with a real advantage for almost 40 years. For my money, the secret now is not to lament the loss of that valuable capability but to innovate to the conditions of the day. While Andrew quoted Dylan, I’m going to refer to the sage words of ’80s popstar Kim Wilde to describe the opportunity this presents: ‘And we were dancing. Dancing in the dark … Something’s gonna start’.