mark nottingham

Do you Trust Australia? Part Three

Sunday, 19 August 2018

Australia

Not that long ago, the US government attempted to compel Microsoft to reveal a customer’s data that was located in Ireland.

Back in December 2013, federal law enforcement was conducting a criminal narcotics investigation. During the course of this investigation, the government sought a search warrant, pursuant to Section 2703(a) of the SCA, to seize the contents of an email account belonging to a Microsoft customer. Microsoft complied with the warrant to an extent, turning over any account information that was being stored in the United States. However, the actual emails, and their contents, were stored overseas in Dublin, Ireland. Microsoft balked at turning over the overseas content, and the district court held the corporation in civil contempt for its failure to comply with the warrant.

The Microsoft Ireland Case: A Brief Summary, Lawfare

Because of how the Internet works, it isn’t uncommon for your content to be hosted in another country. Because international travel has become cheap and ubiquitous, is isn’t uncommon for an Australian to be in another country, or for a non-Australian to be in Australia.

Indeed, much of the services we interact with in Australia – for better or worse – are run by multinational (often but not always US-based) corporations. Facebook, Twitter, Amazon, Google, Alibaba, Dropbox, Apple, Microsoft, and many more. Essentially, everything we call “the Cloud.”

These companies have obligations to their customers that might require them to refuse access to data, or to notify their customers of a request for it.

So, what would they do if they got a request like the DoJ made to Microsoft above, but from an Australian interception agency under the Assistance and Access Bill 2018?

Can the Police Commissioner of New South Wales ask for the Facebook private messages of Australians currently in Japan? What about Japanese in Japan?

Can ASIO request that Apple construct a facility to show them FaceTime calls between Australians? What if one end of the call is in Europe?

Can the AFP ask for Dropbox data that’s hosted for an Australian user in Singapore? What about a non-Australian?

When the DoJ asked Microsoft for overseas access, Microsoft was able to push back in court, win, and talk about it publicly. What assures that’s possible in the proposed legislation?

As written, these instruments seem to allow an interception agency to ask for whatever they deem necessary, and a service provider has to comply. Without the ability to meaningfully challenge a request, a service provider can be put in a very awkward situation where they’re breaking the law overseas to satisfy it in Australia.

This is Hard

To be clear, I’m not suggesting that authorities should never have the ability to make such requests; because of the nature of the Internet, crime that occurs is often cross-border, and they need effective tools to pursue it.

I’m also not suggesting that the authorities in Australia will necessarily abuse their power. They’re trying to do a very difficult job with limited tools. That said, no one can deny that abuses and overreach do happen, and so some check on that power is needed.

And, even if the Australian authorities never abuse this power, we should be asking ourselves how we’ll react when similar legislation is passed in another jurisdiction and is used to require access to Australian services.

To date, I understand there’s been a significant amount of discussion in diplomatic fora about creating norms and eventually treaties around how these kinds of situations are handled between countries.

Allowing access without significant oversight (see previous posts) – perhaps even overseas – seems like it’s jumping past that process and setting an undesirable precedent, and it puts a lot of the burden for sorting out conflicts onto the service provider, which is likely to lead to some pretty distorted – and unjust – outcomes.

Off to Canberra

Tomorrow I’m off to Canberra to participate in an Internet Society panal about encryption at Parliament House, followed by some meetings. Hopefully, I’ll learn a lot more about what’s intended and what’s possible in the proposed legislation.

I’d be very happy to find these three blog posts to be completely off-base, where I’ve completely missed an important aspect of the law (as I’m not a lawyer, that isn’t unlikely). If so, I’ll convey that back here.

However, I’d like to see it written down, not just have assurances that “it works that way.” Maybe I’ve seen too many vague specifications that have been misinterpreted.