In Australia, Even Learning About Encryption Will Be Illegal Soon

You might not think that an academic computer science course could be classified as an export of military technology. But under the Defence Trade Controls Act — which passed into law in April, and will come into force next year — there is a real possibility that even seemingly innocuous educational and research activities could fall foul of Australian defence export control laws.

Under these laws, such "supplies of technology" come under a censorship regime involving criminal penalties of up to ten years imprisonment. How could this be?

The story begins with the Australian government's Defence and Strategic Goods List (DSGL). This list specifies goods considered important to national defence and security, and which are therefore tightly controlled.

Regulation of military weapons is not a particularly controversial idea. But the DSGL covers much more than munitions. It also includes many "dual-use" goods, which are goods with both military and civilian uses. This includes substantial sections on chemicals, electronics and telecommunications, among other things.

Disturbingly, the DSGL risks veering wildly in the direction of over-classification, covering activities that are completely unrelated to military or intelligence applications.

To illustrate, I will focus on the university sector and one area of interest to mathematicians like myself: encryption. But similar considerations apply to a wide range of subject material, and to commerce, industry and government.

Encryption: an essential tool for privacy

Encryption is the process of encoding a message so that it can be sent privately. Decryption is the process of decoding it, so that it can be read. Encryption and decryption are two aspects of cryptography, the study of secure communication.

As with many technologies subject to dual-use regulation, the first question is whether encryption should be covered at all.

Once the preserve of spies and governments, encryption algorithms have now become an essential part of modern life. We use them almost every time we go online.

Encryption is used routinely by consumers to guard against identity theft, by businesses to ensure the security of transactions, by hospitals to ensure the privacy of medical records, and by many other organisations. Given that email has about as much security as a postcard, encryption is the electronic equivalent of an envelope.

Encryption is perhaps dual-use in the narrow sense that it is useful to both military/intelligence agencies and civilians. But so are other relatively mundane technologies like cars.

Moreover, since the Edward Snowden revelations — and even much earlier for those who were paying attention — essentially everyone knows they are subject to mass surveillance by the US National Security Agency, along with its Five Eyes partners, including Australia.

While states have no right to privacy, an individual's right to privacy is considered a fundamental human right. And in today's world, encryption is essential for individual citizens to safeguard this human right. Strict control of encryption as dual-use technology, then, would not only be a misuse of state power, but would represent the curtailment of a fundamental right.

How the DSGL covers encryption

Nonetheless, let's assume for the purposes of argument that there is a justification for regarding at least some aspects of cryptography as dual-use, and consider how the DSGL covers encryption.

The DSGL contains detailed technical specifications. Very roughly, it covers encryption above a certain "strength" level, as measured by technical parameters such as "key length" or "field size".

The practical question is how high the bar is set: how powerful must encryption be in order to be classified as dual-use?

The bar is currently set low. For instance, software engineers debate whether they should use 2048 or 4096 bits for the RSA algorithm. But the DSGL classifies anything over 512 bits as dual-use. In reality, the only cryptography not covered by the DSGL is cryptography so weak that it would be imprudent to use.

Moreover, the DSGL doesn't just cover encryption software: it also covers systems, electronics and equipment used to implement, develop, produce or test it.

In short, the DSGL casts an extremely wide net, potentially catching open source privacy software, information security research and education, and the entire computer security industry in its snare.

Most ridiculous, though, are some badly flawed technicalities. As I have argued before, the specifications are so imprecise that they potentially include a little algorithm you learned at primary school called division. If so, then division has become a potential weapon, and your calculator (or smartphone, computer, or any electronic device) is a potential delivery system for it.

These issues are not unique to Australia; the DSGL encryption provisions are copied almost verbatim from an international arms control agreement. What is unique to Australia is the strict level of regulation.

Criminal offences for research and teaching?

The Australian Defence Trade Controls Act (DTCA) regulates the DSGL and enacts a censorship regime with severe criminal penalties.

The DTCA prohibits the "supply" of DSGL technology to anyone outside Australia without a permit. The "supply" need not involve money, and can consist of merely providing access to technology. It also prohibits "publishing" DSGL technology, but after recent amendments, this offence only applies to half the DSGL: munitions, not dual-use technologies.

What is "supply" then? The law does not define the word precisely, but the Department of Defence suggests that merely explaining an algorithm could constitute "intangible supply". If so, then surely teaching DSGL material, or collaborating on research about it, would be covered.

University education is a thoroughly international and online affair — not to mention research — so any such "supply", on any DSGL topic, is likely to end up overseas on a regular basis.

Outside of academia, what about programmers working on international projects such as Tor, providing free software so citizens can enjoy their privacy rights online? Or network security professionals working with overseas counterparts?

Examples of innocuous, or even admirable, activities potentially criminalised by this law are easily multiplied. Such activities must seek government approval or face criminal charges — an outrageous attack on academic freedom, to say the least.

There are exemptions, which have been expanded under recent amendments. But they are patchy, uncertain and dangerously limited.

For instance, public domain material and "basic scientific research" are exempted. However, researchers, by definition, create new material not in the public domain. And according to the Australian Bureau of Statistics, "basic scientific research" is a narrow term, which excludes research with practical objectives. Lecturers, admirably, often include new research in teaching material. In such circumstances none of these exemptions will be of assistance.

Another exemption covers supplies of dual-use technology made "preparatory to publication", apparently to protect researchers. But this exemption will provide little comfort to researchers aiming for applications or commercialisation, and none at all to educators or industry. A further exemption is made for oral supplies of DSGL technology, so if computer science lecturers can teach without writing (giving a whole new meaning to "off the books") they might be safe.

There is no explicit exemption for education. None for public interest material. And indeed, the government clearly envisions universities seeking permits to teach students DSGL material — and, by implication, criminal charges if they do not.

On a rather different note, the DTCA specifically enables the Australian and US militaries to share technology.

Thus, an Australian professor emailing an American collaborator or postgraduate student about a new applied cryptography idea, or explaining a new variant on a cryptographic algorithm on a blackboard in a recorded lecture broadcast over the internet — despite having nothing explicitly to do with military or intelligence applications — may expose herself to criminal liability. At the same time, munitions flow freely across the Pacific. Such is Australia's military export regime.

Brief reprieve

There is nothing wrong in principle with government regulation of military technology. But the net is cast too broadly in the DSGL, especially in the case of encryption. The regulatory approach of the DTCA's permit regime is effectively one of censorship with criminal penalties for breaches.

The result is vast overreach. Even if the Department of Defence did not exercise its censorship powers, the mere possibility is enough for a chilling effect stifling the free flow of ideas and progress.

The DTCA was passed in 2012, with the criminal offences scheduled to come into effect in May 2015. Thankfully, emergency amendments that passed into law in April this year have provided one year's reprieve.

Despite those amendments, the laws remain paranoid. The DSGL vastly over-classifies technologies as dual-use, including essentially all sensible uses of encryption. The DTCA potentially criminalises an enormous range of legitimate research and development activity as a supply of dual-use technology, dangerously attacking academic freedom — and freedom in general — in the process.

Daniel Mathews is Lecturer in Mathematics at Monash University.

This article was originally published on The Conversation. Read the original article.


Comments

    Godgldsgegmsgse egsg soesm i ggp ifdgjsodr rkgdogsir kgaldge!?

      As long as you don't tell me how to work out what it means, you're fine

    I actually worked on the Defence Trade Control Act Amendment Bill 2015 as a member of one of the pilot programs reporting to the SECSG (Strengthened Export Controls Steering Group). The tone and especially the title of this article is misleading imho.

    Keep in mind, I do not work for DECO, the Commonwealth Govt or the Department of Defence - so what I say here are my views and opinions, not an official view or advice on compliance with the laws.

    The reason the laws were introduced was to control intangible supply of technology (both military and "dual-use"), to meet Australia's obligations under numerous international treaties. There were (and are) already obligations under Section 13E of the Customs Act (prohibited exports) 1958 for the export of any DSGL goods. This is not new. We are not alone in doing this - the EU and US have introduced virtually identical legislation.

    When the DTCA 2012 was passed into law, there was agreement to consider the impacts in a variety of sectors - research, academia, industry, defence. 8 pilot programs were set up to investigate the effects in each industry - reporting to the SECSG, which was a panel consisting of various representatives (Australian Chief Scientist, CEO of ARC, CEO of NHMRC, Chief Defence Scientist, industry reps, VC of Uni of Qld etc). The penalty provisions were temporarily suspended during the pilot program, with a view to introducing legislative amendments to lessen the impacts on affected sectors.

    The pilots and legislative amendment took longer than expected, so the non-penalty period was extended to give organisations more time to apply for permits. This is a good thing, not a bad thing.

    Last edited 10/12/15 10:56 am

      Your argument appears to be that it's good to implement a knowledge-crime law because you've signed a treaty promising to do so.

        Quite the contrary - I would rather have a system I can work with than one that would be impossible to work with. I felt the best way to achieve this was to become engaged and help make changes, rather than just hope that the law won't be enforced.

        I honestly think the chance of Australia withdrawing the law is virtually nil. It is on the public record that when the original bill was being debated in federal parliament in 2011/12 that the US made representations (via the US ambassador to Australia) that the changes being proposed by the greens and opposition would result in a law that does not meet Australian obligations under the AU-US Defence Trade Cooperation Treaty.

        http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/bd/bd1112a/12bd091

        As I said earlier, the reasons for entering into this treaty are well outside my knowledge and expertise, but the important point for my industry is that these laws are real and they are not going anywhere in the near future.

        Pretending the laws don't exist will not be of much help on 02 April 2016 when the penalties are enforced. YMMV.

          I just read your message, three times.
          Not one single word of your response addressed the issue I raised, so here it is again:

          When one points out that a law is mandated by treaty, one is clearly offering an excuse for the law, not a defense of it.

            I'm not sure what you're getting at. I had no role in passing either the original law or the treaty, so I have no compulsion to defend or excuse either.

            I'm merely stating my opinion of why the law is here and my opinion that it being overturned is not likely in the near future. You seem to be implying that is somehow an endorsement of the controls, which it is not.

            Last edited 15/12/15 8:42 am

              My point?
              1: I've demonstrated that one of your arguments was an excuse, not a reason.
              2: Your presentation of an excuse as a reason is dishonest argumentation.
              3: Readers should be suspicious of data provided by someone who demonstrates a willingness to argue dishonestly for their cause.

                1. Have you? Saying the law was introduced due to treaty obligations is a reason. You might not like the reason, but it's still a reason.
                2. That's a matter of opinion. I think it's a reason.
                3. Only logical if points 1 and 2 are true. I respectfully disagree.

                  OK, stage 1:

                  You admit that the intent of your text about the treaty obligation was part of you defending the law, right?

                  I mean otherwise, what was it? Irrelevant space-filler?

                  @bringerofmuffins

                  No I don't "admit" anything. You seem to be eager to assign intent to my statement of fact. I am simply clarifying a common misconception that the law was arbitrarily introduced by the federal government or can be arbitrarily removed by the government. The law and its introduction have to be seen in context of the treaty. They are not separate issues.

                  It seems to me that you are attempting to debate something that you seem to have spent very little time educating yourself about. I will simply say this - if you want to ignore the law, go right ahead. The penalty for wilful non-compliance is roughly $400k and/or 10 years in prison. Good luck with that.

                  Last edited 15/12/15 10:25 pm

                  I'll let readers decide for themselves whether context and clarification form part of an argument.
                  I think it's obvious that they do, so your denial further undermines my perception of your honesty.

                  So, to point 2: How treaties are excuses, not reasons.
                  If this law is a bad law, it won't magically be a good law if it's mandated by treaty.
                  If this law is a good law, it won't magically become bad if I point to a treaty which forbids it.

                  In fact treaties are irrelevant to determining whether this is a good or bad law!

                  A government's responsibility is to its citizens, not to foreign governments.

                  When a government wishes to introduce a law which restricts a freedom, they'll often first sign a treaty with other nations who want to restrict the same freedom.
                  Then they can point to the treaty and claim that it would be churlish to not hold up our end of the deal.

                  Lastly, I honestly have no opinion on whether this is a good law or a bad law, my point is that you've demonstrated dishonest argumentation (twice now) and so should not be trusted.

                  Once again, you simply stating that my comments are "dishonest" doesn't make it so. I'm telling you the facts surrounding the introduction of the law, as I understand them. How you interpret those facts is entirely up to you. You seem to misinterpret my explanation of the law (and its context) as an endorsement of the law.

                  Comply with the law or don't comply with the law. I don't care, the choice is yours. I work in an international industry where these laws have daily, significant negative impacts so we can't just ignore them.

                  I think you have demonstrated that you are determined to make vague generalisations with little knowledge or understanding of either the law or the treaty, so I'm not going to waste any more time responding.

                  I'll let slide that you accuse me of ignorance of the law without citing an example.

                  The elephant in the room is that you implicitly make the astonishing argument that whether a law is arbitrarily introduced has no impact on the virtue of the law!

                  Allow me to demonstrate:

                  M: "You admit that the intent of your text about the treaty obligation was part of you defending the law, right?"

                  L: "No [...] I am simply clarifying a common misconception that the law was arbitrarily introduced by the federal government or can be arbitrarily removed by the government."

                  By claiming that your statement that the law wasn't arbitrarily imposed is *not* a defense of the law's virtue, you implicitly claim that arbitrarily introduced laws have equal virtue to otherwise identical laws which are introduced for a reason!

    I should also point out there are several factual inaccuracies in this story. For example, the laws only control the transfer of technology across the border (from within AU to outside AU), or brokering transfers between 3rd parties.

    Giving a lecture to students in Australia is totally outside the scope of the legislation - irrespective of whether they are Australian or international students. Being a student and learning about the technology is also outside the scope of the Act.

    I suggest the author consult Monash Uni's export controls manager and/or DECO to clarify some of the basic misunderstandings.

    EDIT: I clicked the author's link on the article. Perhaps the article should also say the author is a founding member of WikiLeaks. Not that I'm suggesting anything improper, but it is worth noting IMHO.

    Last edited 10/12/15 10:54 am

      So... is learning about encryption will be illegal soon in Australia?

        No it isn't.

        Let me be more clear:

        DSGL - List of controlled items, split into two sections: Military Items (Part 1) and Dual-Use items (Part 2). Dual-use means the technology is not primarily designed for military purposes but may be harmful if used in a certain way. This list is referenced by two different Acts (plus others if dealing with "military" technology, such as the WMD Act).

        s13E Customs Act (Prohibited Exports) 1958 - controls the tangible export of goods and technology. One example is sending a virus out of Australia that is listed on the DSGL. Another example is physically carrying information of a controlled item out of the country (eg on a laptop or usb stick). This law is NOT new.

        DTCA 2012 and Amendment 2015 - intangible exports classified as "supply" (private communication), "publication" (public dissemination), and "brokering" (arranging xfer between 3rd parties). An example of supply could be sending an email with gene sequences relating to the pathogenesis of a controlled virus to someone outside AU.

        The Amendments - among other things - removed controls on verbal supply, publication and pre-publication activities and introduced general export licenses (AUSGELs), which permit transfers of non-sensitive items to countries that are members of the 4 main export control regimes (most western countries).

        Both of these Acts only apply when goods are transferred across the border. So communicating the material within Australia is not controlled.

        Last edited 10/12/15 12:15 pm

      I don't really see how the author being a founding member of WikiLeaks is relevant here. WikiLeaks served, and still serves, a useful purpose, it's nothing to be ashamed of.

      But more to the point, how would this affect international students, studying from home (ie India, Europe, Africa, China) connected to their Australia uni of choice and following lectures via webinar? That's cross border. Presumably, that would make lectures regarding cryptography illegal which is the point of the author.

      Similar to discussions about encryption and government attempts to curb such (using backdoors and other jokes) we seem to be heading for a period of extreme overreach and control by governments. Which will eventually end when the People take back control again.

      The world is ever changing, and everyone needs to change with it. If you don't (and history has plenty of examples where companies failed to change with the times) you are left behind. What worked yesterday doesn't necessarily work today any more.
      What fool would seriously believe that criminals/terrorists will use software that has known backdoors? They're very capable of developing their own encrypted solutions, without backdoors. Malware is the best example that proves this.

      Last edited 10/12/15 2:25 pm

        "I don't really see how the author being a founding member of WikiLeaks is relevant here. WikiLeaks served, and still serves, a useful purpose, it's nothing to be ashamed of."

        I agree. I am talking about disclosing the background of the author. I think it is certainly relevant that a person writes an article about "censorship" and was a founding member of WikiLeaks. That is not implying any problem, just disclosure.

        "Presumably, that would make lectures regarding cryptography illegal which is the point of the author."

        And as I said above, any information in the public domain is exempt from control at all. So any cryptography currently in any textbook does not require a permit to export under the Act.

        I think there are a lot of things to not like about the new legislation. The point is that using arguments to make points that simply aren't true does nothing to further the cause.

          "any information in the public domain is exempt from control at all"
          But a lecture doesn't necessarily use only public domain content. There's nothing restricting a lecturer to encourage students to group together and theorize, even develop practical solutions. Ie, they might come up with a practical way to use quantum encryption. Someone has to invent the latest and greatest encryption.

      Wikileaks association "worth noting"? Thank you lunchbox99, the filthy spirit of Senator Joe McCarthy lives on in you I see. This is the sort of disgraceful personal attack you'd expect from a totalitarian state minion.

        Lol, good one.

        If you can't read - I don't work for the government. I work in an affected industry sector that has nothing to do with defence. You don't think the author being a founder of wikileaks has any relevance to this article. I disagree.

        Last edited 10/12/15 11:34 pm

          "I don't work for the government". Wow, from Joe McCarthy to Mandy Rice Davies within a couple of comments. Sure you don't. I guess you're one of those guys who think rape victims should be cross examined on their sexual history in court, just in case it has any relevance you know. Evil.

            Lol. What? You are certainly going wide with that rape victim nonsense.

            I think you misunderstand my role in the DTCA pilot. I work at an Australian scientific research organisation totally unrelated to defence work. Our involvement was to take what was believed to be unworkable legislation (DTCA 2012) and make recommendations to the steering group on how to minimise those negative impacts in our sector, which when combined with all the other recommendations (other pilots, industry, government, legal etc) culminated in the Amendment Bill 2015. My view is that this was a more constructive role than just standing on the sidelines whinging about the legislation.

            There were significant improvements in the practical administration of the Act. For example, prior to the amendments you needed a defence permit to verbally communicate controlled dual-use technology (eg make a phone call). This is no longer a requirement. Similarly the requirement to seek a permit to publish a scientific paper has been removed for dual-use items.

            Is the Act perfect? In my opinion, not by a long shot. But it's substantially more workable than it was 2 years ago and the government may amend further, if necessary.

            There are limits to how much the legislation can be altered due to our obligations under international treaties. Of course, we could break those treaties but AU has decided to be part of this for reasons that are frankly beyond my knowledge or expertise.

            Last edited 11/12/15 11:21 am

              Why are you chosen to get involved with gov decisions that affect the rest of the nation?
              Surely everyone is entitled to have a say how things are done by the people representing them to run the country in the best interests of the public who voted for them

        Hah... Funny that you regard mentioning a person was a founding member of wikileaks a "disgraceful personal attack" :).

    I also think it's misleading. The crux of this article is based on the 'supply of technology' which is nothing new. Major vendors already have legal agreements and different versions of code based on a person's location.

    I think that this excerpt from the article draws a very long bow:

    What is “supply” then? The law does not define the word precisely, but the Department of Defence suggests that merely explaining an algorithm could constitute “intangible supply”. If so, then surely teaching DSGL material, or collaborating on research about it, would be covered.

    So does that mean if I talked about how mustard gas was used in a war, then I would be in breach of the DTCA? What if I farted on someone (the chemical warfare of a 512-bit cipher which is "so weak it would be imprudent to use"), does that also mean I could be carted off?

    Any technology (including modern technology such as encryption, or even benign tech like a car and how strong it is) which is taught for the purpose of mis-use (hiding secrets or being used in a ram-raid) should obviously draw attention, but I think this article is nothing more than a filler article for gizmodo designed to garner interest in what is currently a hot topic (and yet here I am).

      What is “supply” then? The law does not define the word precisely, but the Department of Defence suggests that merely explaining an algorithm could constitute “intangible supply”

      Yes it does. Explaining the algorithm within Australia is no supply under the act. Communicating it to someone outside AU could be supply, if the technology is deemed to be controlled.

      "So does that mean if I talked about how mustard gas was used in a war, then I would be in breach of the DTCA?"

      Not if you are talking about it wholly within AU or wholly outside AU. Also if the information is public knowledge, then it is not controlled.

      Keep in mind, there are other Acts already controlling defence related items, which might be relevant. So talking about classified missile technology or command and control software even within Australia might be a completely different offence.

      Last edited 10/12/15 12:24 pm

    "If so, then division has become a potential weapon, and your calculator (or smartphone, computer, or any electronic device) is a potential delivery system for it."

    I can divide (some) numbers in my head. Does that make me a human weapon?

    Hmm... just to be safe, I'd better schedule a Bourne/Chuck marathon to work out how to proceed.

      you come up with some classics! Well done sir

    So I have some encryption software on my laptop (vpn, device encryption) and it includes some source code for some high strength or slightly modified public/private key encryption algorithms for my own use or for work purposes. I leave the country or come into Australia for a security conference.

    Am I now breaking the law?

      It's a good question, but I still believe, if the law prohibits anyone from learning it, it may as well prohibit its use entirely. And if that's true, I wonder how banking websites will function, perhaps there will be some exceptions for this case.

      Last edited 14/12/15 5:02 pm

    So if everyone already knows about it, talk away. If it is new research, go to jail. How does this not provide a chilling effect? Geez I hate nazis. Did Donald Trump write this legislation?

    If you are in another country with similar legislation (most western countries), then you may need a permit to export the technology.

    To reiterate, information in the public domain is generally not controlled - so publicly available software would most likely be exempt.

    Last edited 11/12/15 11:24 am

    Most recreational drugs are illegal in Australia... doesn't stop those vying for a Darwin award though...

    I'm a little late to the party here, but my 2 cents worth...

    This is a really bad law, regardless of how many other Western countries have the same (or similar) legislation. The BS that lunchbox99 is peddling is pathetic: "Oh, it's okay, so long as it remains in Australia". In case you haven't noticed, we live in an interconnected world now. If someone were to write a blog about quantum cryptography, they would fall into scope (and would no doubt receive a knock on the door if said blog was noticed by those responsible for enforcing this law). Same thing with cross border research. In academia, it's common to have teams spread across different continents. And what about open source projects?

    The fact that the bar has been set so low (512bit keys) says it all, really. This is obviously the thin edge of the wedge - one of the first moves to make sure the general population only adopt and use cryptography that the government can easily crack.

    First the "Great Australian Firewall", and now this. Can anyone else see a pattern forming here? When I read stories like this, it makes me realize my decision to leave Australia (taking with me my 7 year university education) was the right choice.
