A 2015 "strategic assessment" of the "ramifications" of encryption on law enforcement intelligence-gathering in Australia will remain out of public view, after a decision to withhold it was upheld by the acting freedom of information commissioner.
The assessment, Going Dark: Encrypted Communications in Australia and the Ramifications for Law Enforcement Intelligence Collection’, was refused release by the Australian Criminal Intelligence Commission (ACIC) in July 2018.
ACIC's refusal was made partially on grounds that the assessment could "prejudice ... law enforcement methods and procedures" and that it could also prejudice a current investigation.
The refusal was upheld in a review by the acting freedom of information commissioner Elizabeth Hampton last month.
During the review, ACIC characterised the document as "a strategic assessment produced and disseminated by the ACIC to inform collaborative work with national and international partners."
"That work seeks to combat the growing threat posed by criminals exploiting encrypted communications to commit and conceal serious and organised crime," the agency said.
"It contains information about lawful methods and procedures used by the ACIC in preventing, detecting and investigating breaches of the law," an ACIC spokesperson added when contacted by iTnews.
The applicant, known only as 'ZR', argued that the report "should be available to the public to inform policy discussion."
"Encryption and the efforts of government agencies to bypass it are a matter of clear public concern," ZR said in the review application.
"The general public should be equipped with general information about the methods authorities use or intend to use to bypass encryption in order to allow them to contribute meaningfully to policy debate.
"It is not reasonable, in my view, for the exercise or expansion of powers related to bypassing encryption to happen in secret."
Hampton acknowledged "that the use of encrypted communication is a matter of public interest."
However, she noted that the exemption relied on by ACIC, on prejudice to law enforcement methods and procedures, is "not ... conditional, and therefore it is not subject to a public interest consideration."
ZR has not exhausted their appeals options, with avenues still available via the Administrative Appeals Tribunal and the Commonwealth Ombudsman.
Precursor to powers
The report could shed light on some of the impetus for so-called encryption-busting laws passed by the Australian parliament at the end of 2018.
The Telecommunications and Other Legislation Amendment (Assistance and Access) Act - often shortened to the TOLA Act - granted law enforcement and intelligence agencies access to communications sent over end-to-end encrypted services.
Police and national security agencies can issue "requests" or "notices" to service providers for assistance.
The laws were used 11 times by law enforcement agencies in their first full-year of operation.
ACIC's spokesperson declined to comment on how the withheld "strategic assessment" may have influenced the creation of the TOLA Act.
"We have no further comment on the content of the report, including with regard to the operation of the ... TOLA Act," the spokesperson said.
The government at the time made no secret of its fears around the growing use of encrypted communications and messaging services.
"Within a short number of years, effectively, 100 percent of communications are going to use encryption," the then attorney-general George Brandis said in 2018.
"This problem is going to degrade if not destroy our capacity to gather and act upon intelligence unless it's addressed."
Justin Warren, chair of digital rights organisation Electronic Frontiers Association, told iTnews that encryption remains "a pivotal part of how society functions in the 21st century”.
“Encryption is vital for everything from how your bank details are kept safe, to how the computer networks that administer power plants and food distribution services operate, to how whistleblowers communicate safely with journalists," he said.
"Once you build master keys for them, they can easily be abused or end up in the hands of dangerous cybercriminals and state actors."
Australian police and intelligence agencies’ surveillance powers generally have rapidly expanded in recent years.
The US and Australia signed the CLOUD Act in December last year, providing both countries streamlined access to data held by tech companies in each's jurisdictions.
Parliament also passed laws that grant ACIC and the Australian Federal Police powers to take control of online accounts without consent to gather evidence about serious offences, and potentially alter material to disrupt criminal activity.
