The Australian Law that Would Force Suspects to Hand Over their Passwords

The Australian Attorney General is pushing a new law that would force suspects of computer crimes to disclose the passwords and keys necessary to decrypt their internet communications.

Part of a proposal to revise the country's Telecommunications Interception Act, the law would expand an existing law, section 3LA of the Crimes Act 1914, which already allows Australian authorities to gain access to physically seized computers and hard drives by way of forcing suspects to disclose their decryption passwords.

The proposal would give intelligence agencies even more elbow room, by allowing them to also "issue 'intelligibility assistance notices' requiring a person to provide information or assistance to place previously lawfully accessed communications into an intelligible form," as IT News reported today.

In the US, the Fifth Amendment is meant to protect against this type of self-incrimination, so a similar American law may be less likely to pass. But that’s not to say there aren't precedents in the US court system for ordering encryption keys be disclosed.

In 2006, US Immigration and Customs Enforcement officials stopped a man at the Canadian-US border and searched his laptop, which contained child porn. But when the laptop was rebooted, the drive containing the illegal content appeared encrypted. Officials won a case to subpoena the suspect, Sebastien Boucher, for the passphrases to decrypt the drive.

But that example is just the tip of the iceberg if you consider the hypothetical situations in which previously intercepted conversations could be forcibly decrypted to help build a prosecution.

The Australian AG’s objective here could be seen as a signal to intelligence agencies abroad that are hell-bent on consolidating their control amid wide-ranging scrutiny, and skyrocketing signups for PGP and encryption services ever since last year's NSA surveillance revelations. Governments and citizens around the globe have criticized the US intelligence community’s disturbing data collection practices; it could be the case that the Australian government, one-fifth of the "Five Eyes" global electronic surveillance alliance, is looking to defend and advance its missions while maintaining it does so legitimately, and in accordance with existing legal framework.

Adopting a new key-disclosure law like this would dramatically shift the strategies and methods Australian authorities use to collect evidence, make arrests, and build cases against alleged computer criminals. There would be little need to identify or expose informants when providing evidence if suspects were essentially put through a process of self-incrimination.

That said, the proposal states the new law couldn’t make someone do “something they are not reasonably capable of doing,” and that users wouldn’t simply be made to hand over their communications. But it also states that “failure to comply with a notice would constitute a criminal offence, consistent with the Crimes Act.”

Of course, this law would be practical in aiding government prosecutors in the more transparent part of building a case. That’s because citing the government-intercepted, or “previously lawfully accessed communications,” would be necessary in order to issue requests for decrypted versions of them in the first place.

As Edward Snowden's leaks have started to unravel the powers of authorities assigned with the task of preventing global cybercrime, we can expect a simultaneous struggle to ravel them back up, and an awkward vy to obtain higher levels of control and oversight.