Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Taylor, Greg --- "Burn that book! Canbera spooks lose the plot on 'secret' crypto report" [1999] PrivLawPRpr 7; (1999) 5(8) Privacy Law & Policy Reporter 145

Burn that book! Canberra spooks lose the plot on ‘secret’ crypto report

Scene 1: background
Scene 2: the Walsh Report
Scene 3: serendipity
Scene 4: the cover-up continues

Burn that book! Canberra spooks lose the plot on ‘secret’ crypto report

Greg Taylor

In February 1999, the last scene of a modern bureaucratic comic opera was played out to an incredulous public gallery. The plot concerns the arcane science of encryption, which is still being treated as if it were a military secret, despite having moved into the academic and commercial sectors over 20 years ago. It is a story of political cover-up and a series of inept attempts at censorship of a public policy document.

Scene 1: background

Encryption is a mathematical technique used to scramble information into a form that is unreadable except by the intended recipient. It plays an essential role in secure transmission of sensitive commercial information over public networks and in the protection of personal privacy, yet its widespread deployment is being stifled by regulations left over from the Cold War era.

Computers have revolutionised cryptography and have enabled incredibly powerful ciphers to be deployed. However, the strength of these ciphers is of enormous concern to law enforcement and national security agencies, for whom covert surveillance of communications channels has been a stock-in-trade. Put simply, the new codes cannot be broken, and this has resulted in various attempts by governments around the world to stifle development of new products, largely through the clumsy mechanism of export controls.

Scene 2: the Walsh Report

Against this background, the Australian Government decided in mid-1996 that it was time to bring the debate out into the open so that all of the issues involved in the controversy might be explored, with a view to resolving the conflicts between opposing interests.

Gerard Walsh, former deputy director of the Australian Security Intelligence Organisation (ASIO) was commissioned by the Attorney General’s Department to prepare a review. Mr Walsh interviewed key opinion leaders in Australia and overseas and produced a 96 page report entitled ‘Review of Policy relating to Encryption Technologies’, subsequently dubbed the Walsh Report. The report was intended to be released publicly and was sent to the government printer by the department in early 1997.

However, before the printed copies could be distributed to government bookshops, the report was recalled, apparently at a high level. In the meantime, Electronic Frontiers Australia (EFA), an internet privacy watchdog, had been anxiously awaiting release of the report. When the report failed to appear, a freedom of information request for a copy of the report was lodged in March 1997. This was rejected, supposedly because release of the report would affect law enforcement, public safety and national security. A request for review of the decision was lodged and eventually EFA obtained a censored copy of the report in June 1997, with the allegedly sensitive material whited out. The report was released on the EFA website, and in the subsequent media coverage the department claimed that the report was never intended to be made public, a claim that is clearly at odds with Gerard Walsh’s understanding of the objectives, and with the foreword to the report, which called for public feedback (see ‘Crypto report suppressed’ (1997) 3 PLPR 181).

The release of the report online attracted widespread interest around the world, since it was one of the few reports on this controversial subject that attempted to take a balanced look at the issues.

The Walsh Report, while promoting a ‘balanced’ view, came out in favour of free access to cryptography by the public. The conclusions in the report were especially interesting in view of Mr Walsh’s background with ASIO. Some argued that the report was withheld because it did not reach the ‘right’ conclusion — that use of cryptography should be restricted. However, the status of government thinking on the issue remained unknown, although all major parties had published policies supporting relaxation of controls.

Scene 3: serendipity

There the matter might have rested but for an amusing piece of serendipity. In December 1998, university student Nick Ellsmore stumbled across an unexpurgated copy of the report in the State Library of Tasmania. He immediately notified EFA and subsequent inquiries revealed about 30 copies in various libraries around the country. It came to light that the Australian Government Publishing Service (now Ausinfo), which printed the report, had lodged ‘deposit copies’ with certain major libraries. This is a standard practice with all Australian government reports that are intended for public distribution. The Walsh Report is quite possibly the first instance where a report was withdrawn after printing but before any public release. Neither the Attorney General’s Department nor Ausinfo were apparently aware that not all copies had been returned to them.

EFA promptly released the full report on its website in January 1999, with the previously censored portions highlighted in red. The irony was that the allegedly sensitive parts of the report, which were meant to be hidden from public gaze, were now dramatically highlighted. The censored sections provide a unique insight into the bureaucratic and political paranoia about cryptography, such that censorship was deemed to be an appropriate response. The official case for strict crypto controls is consequently weakened, because much of the censored material consists of unpalatable truths that the administration would prefer covered up, even though the information may already be known, or at least strongly suspected, in the crypto community.

This apparent unwillingness to admit the truth is an appalling indictment on those responsible for censoring the report. It is indicative of a bureaucracy more anxious to avoid embarrassment and criticism than adhere to open government principles and encourage policy debate. Even worse, the censorship was performed under the mantra of law enforcement and national security, a chilling example of Orwellian group-think.

There are some controversial recommendations in the report that demand attention, since they could well be still on the current policy agenda, in Australia or elsewhere. Examples are proposals for legalised hacking by agencies, legalised trapdoors in proprietary software, and protection from disclosure of the methods used by agencies to obtain encrypted information. These matters attracted a great deal of media attention, much of which focused on the central issue of government surveillance of its citizens.

Below is a brief summary of some of the censored paragraphs, including several which border on the trivial and the obvious, as an illustration of the paranoia which surrounds this issue.

Paragraphs censored for reasons of national security, defence or international relations include:

• a statement that there are ‘design flaws’ in US and British key recovery proposals (Para 1.2.52 and 1.2.57);
• an opinion that export controls are of dubious value (1.2.60, 3.7.6); and
• a recommendation that authorities be given the power to demand encryption keys, in contravention of the principle of non self-incrimination.

Paragraphs censored for affecting enforcement of law and protection of public safety include:

• statements that strong encryption is widely available and cannot be broken (1.2.15 and 1.2.16, 3.5.1, 3.5.4);
• acknowledgment that more overt forms of surveillance carry ‘political risk’ (1.2.22, 3.6.1, 4.3.1, 4.3.2);
• a recommendation that law enforcement and national security agencies should arrange to put back doors in proprietary software for surveillance purposes (1.2.33, 6.2.10, 6.2.11, 6.2.22);
• a statement that communications interception is valuable (1.2.42);
• a statement that criminal elements are using prepaid SIM cards in mobile phones (3.2.2);
• speculation about forming another cryptanalytical agency to parallel DSD (4.4.2);
• commentary about the vulnerability of key escrow systems (4.5.8);
• a statement that agencies want protection from disclosure of how keys were obtained (6.2.16);
• a recommendation that the Federal Police Act permit covert entry to premises (6.2.20); and
• recommendations for exemption of Federal Police from the normal legal discovery process (6.2.20).

Scene 4: the cover-up continues

In mid-February, about a month after the library story broke, Ausinfo quietly sent out letters to the major libraries, recalling the deposit copies of the report on the basis that it was ‘embargoed’ by the Attorney General’s Department. Presumably they had hoped to do this without attracting undue attention. However, the incident came to the notice of EFA almost immediately, and for the third time the Walsh Report became a newsworthy item.

When the story broke, neither the Attorney General’s Department nor Ausinfo would take responsibility for the recall action, each pointing the finger at the other. Furthermore, a spokesperson for the Attorney General continued to maintain that the report was never intended for public release, despite overwhelming evidence to the contrary.

This incredible saga of bumbling bureaucracy and inept attempts to stifle debate on an unresolved public policy controversy remains a mystery. The government continues to pretend that the matter can be covered up, and has not commented on glaring questions about the propriety of using the provisions of the Freedom of Information Act 1982 to cover up unpalatable truths.

Fortunately, the report is now preserved for posterity in electronic form (at http://www.efa.org.au/Issues/Crypto/Walsh/). So far, the sky hasn’t fallen.

Greg Taylor is Vice-Chair of Electronic Frontiers Australia (EFA). But wait ... there’s more! The saga continues in Scene 5, Private Parts p 163 (Ed).