Walsh Report (cryptography)

From Wikipedia, the free encyclopedia

The Walsh Report was an Australian cryptography policy review undertaken for the Australian government by Gerard Walsh, initially released in 1996 and then withdrawn before its sale to the public. Electronic Frontiers Australia (EFA) obtained a redacted copy under freedom of information laws and published it on EFA's website. Subsequently, an unredacted copy was found and the redacted parts were added to the EFA copy.

Policy review

The Walsh Report was an Australian cryptography policy review undertaken at the request of the Secretary of the Attorney-General's Department[1] by Gerard Walsh, the former deputy director of the Australian Security Intelligence Organisation (ASIO).[2] The report included a broad analysis of cryptography issues from an Australian context.[3]

The report, titled Review of Policy relating to Encryption Technologies, is popularly called the Walsh Report.[2]

In his report, Walsh found that there was a lack of coordination in the government over the establishment of cryptography policy. Walsh also reported no clarity as to which department and which minister was responsible for cryptographic policy. Consequently, there was a danger that policy would be developed without being coordinated.[2]

The main advice given by Walsh in the report was that major legislative action to safeguard law-enforcement or national security was not required at the time.

No specific options were recommended in the report for legislation on cryptography, nor did the report recommend mandatory key recovery.[4]

Recommendations in the report for minor legislative and other actions included:

  • establishment of a summary law on intrusive investigative powers
  • consideration of an additional and more serious offence for when cryptography is used to obstruct a criminal investigation
  • consideration of a power to allow police to demand encryption keys[4]
  • that a key recovery or escrow scheme, as had been advocated by the United States, not be established by Australia.[2]

History

Background

Walsh was invited to undertake his review following on from the Barrett Report, which concluded: "while Australian agencies all report that encryption has not been a problem to date, it is likely to become one in the future."[1]

Initial issue

The Walsh Report was issued on 10 October 1996.[2]

Deposit copies

After being printed, deposit copies of the report were lodged by the Australian Government Publishing Service (AGPS)[5] with around 40 university and public libraries under a free deposit scheme.[6]

Embargo

The report was listed for sale in January 1997 by AGPS. Three weeks later, Electronic Frontiers Australia (EFA) enquired why it was not actually available.[1]

In February 1997,[4] before the Walsh Report was publicly released, the Australian Attorney-General's Department embargoed it and withheld the report from commercial sale.[2][5]

FOI request

In March 1997 EFA applied for the release of the Walsh Report under the Freedom of Information Act 1982.[1][5][7][8]

Initially, the request was denied. Following a review that was requested by EFA,[1] in June 1997[1] EFA obtained a copy of the Walsh Report that had been redacted[2][3] on national security,[3] defence, international relations, internal working document, law enforcement and public safety grounds.[1]

EFA then published the redacted version of the Walsh Report on its website.[8]

Discovery of deposit copies

In December 1998[5] an uncensored copy of the Walsh Report was discovered in the State Library of Tasmania by Nick Ellsmore, a university student in Hobart.[2][6][7][9][10] Ellsmore alerted EFA to the availability of the report.[1]

Publication of unredacted version

By comparing the redacted and unredacted copies it was possible to identify the censored sections of the report.[9]

EFA added the redacted parts to its copy on the Internet,[2] and highlighted them in red.[1]

Following the discovery of the uncensored copies of the Walsh Report, The Australian newspaper revealed the censored recommendations.[6] Release of the complete report was also covered by Hobart's Mercury, Melbourne's Sun-Herald, The Sydney Morning Herald, many Internet news sites and radio stations in Perth and Sydney.[1]

Recall of deposit copies

On 10 February 1999, after The Australian's revelations, the Australian Government Information Service (AusInfo), the government publisher, wrote to the deposit libraries. The AusInfo letter said that the "Attorney-General's Department wants all copies recalled" and asked that copies of the report be returned to AusInfo.

A spokesperson for Daryl Williams, the Attorney-General, said that the release of the Walsh Report had been discussed with AusInfo, but denied that the Government initiated the recall.

In February 1999, EFA cryptography committee chairman, Greg Taylor, said: "The bumbling attempts to censor the [Walsh] report have only served to focus international attention on it".[6]

Censored parts

Redacted observations included:

  • Encrypted data is being stored and transmitted beyond the visibility or reach of investigative agencies.[1]

The censored recommendations included:

  • software booby-traps
  • PC bugging[6]
  • that Australian law enforcement agencies be given the power to "hack" corporate computer systems and to alter proprietary software to allow for the monitoring of communications[9]
  • as strong cryptographic products can be obtained over the Internet, the efficacy of export controls over cryptographic products as a defensive strategy is dubious[2]
  • the conclusion of the Barrett Report that the time when encryption becomes a problem for law enforcement and national security agencies is not yet here, but will soon be
  • the surveillance powers of ASIO should be extended.[1]

References

  1. Ellsmore, Nick (4 July 1999). "Cryptology: Law Enforcement & National Security vs. Privacy, Security & The Future of Commerce". cryptome.org/. Retrieved 25 August 2014.
  2. Cryptography And Liberty 1999: An International Survey of Encryption Policy. Electronic Privacy Information Center. 1999. ISBN 1893044033. Retrieved 10 July 2014.
  3. Koops, Bert-Jaap (1998). The Crypto Controversy: A Key Conflict in the Information Society. Kluwer Law International. p. 2. ISBN 9041111433. Retrieved 22 June 2014.
  4. Koops, Bert-Jaap (February 2013). "Crypto Law Survey : Australia". cryptolaw.org/. Retrieved 25 August 2014.
  5. "Australia - Walsh report on global cryptography debate". EU Legal Advisory Board News. January–February 1999. Retrieved 22 August 2014. In December 1998, several uncensored copies of the Walsh Report, which constitutes an important review of Australian cryptography policy, were found in public and university libraries in Australia. These are believed to be deposit copies lodged by the Australian Government Publishing Service (AGPS) after the report was printed but before the 1997 decision by the Attorney-General's Department to withhold it from commercial sale. In March 1997, Electronic Frontiers Australia (EFA), applied for release of the report under the 1982 Freedom of Information Act.
  6. Tebbutt, Dan (23 Feb 1999). "Canberra suppresses IT report". news.com.au. Archived from the original on 1999-04-27. Retrieved 20 August 2014.
  7. Yiacoumi, Roulla (13 January 1999). "Hidden report reveals crypto paranoia". APC Newswire. Archived from the original on 18 August 2000. Retrieved 22 August 2014. A university student in Tasmania has stumbled across a pivotal government report on cryptography which was mysteriously withdrawn from public view two years ago. ... Online civil liberties group Electronic Frontiers Australia applied for the report's release under the Freedom of Information Act in March 1997.
  8. Jackson, Margaret; Hughes, Gordon (2001). Hughes on data protection in Australia. Lawbook Company. p. 319. ISBN 0455217270. Retrieved 22 June 2014.
  9. "Censored Report Recommends Australian Police Hack Web Sites". australia.internet.com. 4 January 1999. Retrieved 22 August 2014. Law enforcement agencies in Australia ought to be able to "hack" into corporate computer systems and change proprietary software to enable monitoring of communications, according to a 1996 report which had been censored by the Australian government but recently uncovered by a university student.
  10. Rogers, Matthew (15 January 1999). "Student exposes spying plans". The Mercury. Retrieved 22 August 2014. A HOBART university student has unearthed secret Federal Government plans to let Australia's top spy agencies hire computer hackers to break into the PCs of suspects.
