IP: Censored Australian crypto report liberated

[Dave Farber <farber () cis upenn edu>]

> Date: Wed, 13 Jan 1999 07:52:41 +1000
> To: declan () well com
> From: Greg Taylor <gtaylor () efa org au>
> Subject: Censored Australian crypto report liberated
>
> Declan,
>
> This may be of interest to you.
>
> Regards,
>
> Greg Taylor
> Electronic Frontiers Australia
>
> ----------------------------------------------------------------------
> EFA has obtained access to an uncensored copy of the "Review of Policy 
> relating to Encryption Technologies" (the Walsh Report) and this has 
> now been released online at:
>   http://www.efa.org.au/Issues/Crypto/Walsh/index.htm
> The originally censored parts are highlighted in red.
>
> The report was prepared in late 1996 by Gerard Walsh, former 
> deputy director of the Australian Security Intelligence 
> Organisation (ASIO).  The report had been commissioned by 
> the Attorney-General's Department in an attempt to open 
> up the cryptography debate in Australia.  It was intended 
> to be released publicly and was sent to the government printer early
> in 1997.  However, distribution was stopped, allegedly at a very 
> high (i.e. political) level.  EFA got wind of this and applied 
> for its release under FOI in March 1997.  This was rejected 
> for law enforcement, public safety and national security reasons.  We 
> persisted, and eventually obtained a censored copy in June 1997, 
> with the allegedly sensitive portions whited out.  The report
> was released on the EFA website, and in the subsequent media 
> coverage the department claimed that the report was never 
> intended to be made public, a claim that is clearly at odds with 
> Gerard Walsh's understanding of the objectives, as is obvious from
> his foreword to the report. 
>
> It has now come to light that the Australian Government Publishing 
> Service, which printed the report, lodged "deposit copies" with 
> certain major libraries.  This is a standard practice with all 
> Australian government reports that are intended for public
> distribution.  The Walsh Report is quite possibly the first instance
> where a report was withdrawn after printing but before any public
> release.  It is believed that the Attorney-General's department
> was unaware that not all copies had been returned to them.
>
> To this day, the report remains officially unreleased, except for
> the censored FOI version.  Interestingly, several Australian 
> government sites now link to the report on the EFA website.
>
> Quite possibly, this situation would have remained unchanged,
> except for an alert university student, Nick Ellsmore, who recently 
> stumbled across an unexpurgated copy of the report, gathering dust 
> in the State Library in Hobart.  The uncensored version has now 
> replaced the censored report at the original URL.
>
> The irony of this tale is that the allegedly sensitive parts of
> the report, which were meant to be hidden from public gaze, are
> now dramatically highlighted.  The censored sections provide a 
> unique insight into the bureaucratic and political paranoia 
> about cryptography, such that censorship was deemed to be an
> appropriate response.  The official case for strict crypto 
> controls is conseuently weakened, because much of the censored 
> material consists of unpalatable truths that the administration 
> would prefer to be covered up, even though the information
> may already be known, or at least strongly suspected, in the crypto 
> community.  
>
> This apparent unwillingness to admit the truth is an appalling 
> indictment on those responsible for censoring the report.
> It is indicative of a bureaucracy more anxious to avoid embarrassment
> and criticism than adhere to open government principles and encourage
> policy debate.  Even worse, the censorship was performed under 
> the mantra of law enforcement and national security, a chilling 
> example of Orwellian group-think.  
>
> There are also some controversial recommendations in the report that 
> demand attention, since they could well be still on the current 
> policy agenda, in Australia or elsewhere.  Examples are 
> proposals for legalised hacking by agencies, legalised trap-doors 
> in proprietary software, and protection from disclosure of the 
> methods used by agencies to obtain encrypted information, an
> apparent endorsement of rubber-hose code-breaking. 
>
> On top of all this is the matter of allegedly sensitive material 
> being released to public libraries.  It would seem that a number 
> of copies have been gathering dust now for at least a year.  
> So far the sky hasn't fallen, nor has the country succumbed
> to rampant threats to national security.
>
> Attached is a brief summary of what seem to be the important 
> censored items, including a few which make the Attorney-General's
> Department look somewhat precious, to put it mildly.
>
> The more interesting exercise is to scroll through the report until
> you see red ;-)
>
> Greg
>
> ===================
>
> Paragraphs censored for reasons of national security, defence or 
> international relations
> --------------------------------------------------------------------
> - A statement that there are "design flaws" in US and British key 
>    recovery proposals (1.2.52 and 1.2.57)
> - An opinion that export controls are of dubious value (1.2.60, 3.7.6)
> - Commentary that US agencies sought to dominate public discussion of 
>    encryption policy (5.1.3)
>
> Paragraphs censored because they are classified as "internal 
> working documents"
> --------------------------------------------------------------------
> - A recommendation that "hacking" by law enforcement agencies should 
>    be above the law (1.2.28, 6.2.3)
> - Recommendation that authorities be given the power to demand 
>    encryption keys, in contravention of the principle of non 
>    self-incrimination.
>
> Paragraphs censored by reason of affecting enforcement of law and 
> protection of public safety
> ---------------------------------------------------------------------
> - A statement that encryption is a "looming problem" (1.2.1)
> - Statements that strong encryption is widely available and cannot be
>    broken. (1.2.15 and 1.2.16, 3.5.1, 3.5.4)
> - Acknowledgment that more overt forms of surveillance carry 
>    "political risk" (1.2.22, 3.6.1, 4.3.1, 4.3.2)
> - A recommendation that law enforcement and national security agencies
>    should arrange to put back doors in proprietary software for 
>    surveillance purposes. (1.2.33, 6.2.10, 6.2.11, 6.2.22)
> - A statement that communications interception is valuable (1.2.42)
> - A statement that criminal elements are using prepaid SIM cards in 
>    mobile phones (3.2.2)
> - Speculation about forming another cryptanalytical agency to parallel 
>    DSD. (4.4.2)
> - Commentary about the vulnerability of key escrow systems (4.5.8)
> - Statement that agencies want protection from disclosure of how keys 
>    were obtained (6.2.16)
> - Recommendation that the Federal Police Act permit covert 
>    entry to premises. (6.2.20)
> - Recommendations for exemption of Federal Police from the normal 
>    legal discovery process (6.2.20)