Walsh Report (cryptography)

The Walsh Report was an Australian cryptography policy review undertaken for the Australian government by Gerard Walsh, initially released in 1996 and then withdrawn before its sale to the public. Electronic Frontiers Australia (EFA) obtained a redacted copy under freedom of information laws and published it on EFA's website. Subsequently, an unredacted copy was found and the redacted parts were added to the EFA copy.

Policy review
The Walsh Report was an Australian cryptography policy review undertaken at the request of the Secretary of the Attorney-General's Department by Gerard Walsh, the former deputy director of the Australian Security Intelligence Organisation (ASIO). The report included a broad analysis of cryptography issues from an Australian context.

The report, titled Review of Policy relating to Encryption Technologies, is popularly called the Walsh Report.

In his report, Walsh found that there was a lack of coordination in the government over the establishment of cryptography policy. Walsh also reported that it was unclear which department and which minister was responsible for cryptographic policy. Consequently, there was a danger that policy would be developed without being coordinated.

The main advice given by Walsh in the report was that major legislative action to safeguard law-enforcement or national security was not required at the time.

No specific options were recommended in the report for legislation on cryptography, nor did the report recommend mandatory key recovery.

Recommendations in the report for minor legislative and other actions included:
 * establishing a summary law on intrusive investigative powers
 * considering the creation of an additional and more serious offence when cryptography is used to obstruct a criminal investigation
 * considering the establishment of a power to allow police to demand encryption keys
 * not establishing in Australia a key recovery or escrow scheme, as had been advocated by the United States.

Background
Walsh was invited to undertake his review following on from the Barrett Report, which concluded: "while Australian agencies all report that encryption has not been a problem to date, it is likely to become one in the future."

Initial issue
The Walsh Report was issued on 10 October 1996.

Deposit copies
After being printed, deposit copies of the report were lodged by the Australian Government Publishing Service (AGPS) with around 40 university and public libraries under a free deposit scheme.

Embargo
The report was listed for sale in January 1997 by AGPS. Three weeks later, Electronic Frontiers Australia (EFA) enquired why it was not actually available.

In February 1997, before the Walsh Report was publicly released, the Australian Attorney-General's Department embargoed it and withheld the report from commercial sale.

FOI request
In March 1997 EFA applied for the release of the Walsh Report under the Freedom of Information Act 1982.

Initially, the request was denied. Following a review that was requested by EFA, in June 1997 EFA obtained a copy of the Walsh Report that had been redacted on national security, defence, international relations, internal working document, law enforcement and public safety grounds.

EFA then published the redacted version of the Walsh Report on its website.

Discovery of deposit copies
In December 1998 an uncensored copy of the Walsh Report was discovered in the State Library of Tasmania by Nick Ellsmore, a university student in Hobart. Ellsmore alerted EFA to the availability of the report.

Publication of unredacted version
By comparing the redacted and unredacted copies it was possible to identify the censored sections of the report.

EFA added the redacted parts to its copy on the Internet, and highlighted them in red.

Following the discovery of the uncensored copies of the Walsh Report, The Australian newspaper revealed the censored recommendations. Release of the complete report was also covered by Hobart's Mercury, Melbourne's Sun-Herald, The Sydney Morning Herald, many Internet news sites and radio stations in Perth and Sydney.

Recall of deposit copies
On 10 February 1999, after The Australian's revelations, the Australian Government Information Service (AusInfo), the government publisher, wrote to the deposit libraries. The AusInfo letter said that the "Attorney-General's Department wants all copies recalled" and asked that copies of the report be returned to AusInfo.

A spokesperson for Daryl Williams, the Attorney-General, said that the release of the Walsh Report had been discussed with AusInfo, but denied that the Government initiated the recall.

In February 1999, EFA cryptography committee chairman, Greg Taylor, said: "The bumbling attempts to censor the [Walsh] report have only served to focus international attention on it".

Censored parts
Redacted observations included:
 * Encrypted data is being stored and transmitted beyond the visibility or reach of investigative agencies.

The censored recommendations included:
 * software booby-traps
 * PC bugging
 * that Australian law enforcement agencies be given the power to "hack" corporate computer systems and to alter proprietary software to allow for the monitoring of communications
 * as strong cryptographic products can be obtained over the Internet, the efficacy of export controls over cryptographic products as a defensive strategy is dubious
 * the conclusion of the Barrett Report that the time when encryption becomes a problem for law enforcement and national security agencies is not yet here, but will soon be
 * the surveillance powers of ASIO should be extended.