Tech Giants Concerned About Australia's Encryption Laws
18.10.2018 securityweek Security
Cyber law changes proposed in Australia specifically state that companies will not be required to implement encryption backdoors, but tech giants are still concerned that the current form of the legislation is too vague and leaves a lot of room for interpretation.
Australia's Telecommunications and Other Legislation Amendment (Assistance and Access) Bill of 2018 aims to compel local and international technology service providers to cooperate with law enforcement and intelligence agencies on investigations into criminal and terrorist activity or face fines of millions of dollars.
The bill wants to give agencies the ability to make three types of requests: a Technical Assistance Request (TAR), which provides a framework for making requests and which includes provisions for compensating firms that provide voluntary assistance; a Technical Assistance Notice (TAN), which compels companies to provide assistance, if they can; and a Technical Capability Notice (TCN), which compels companies to develop new capabilities in anticipation of a future TAN or TAR.
The bill specifically mentions that the goal of the government is not to weaken encryption, but tech giants are still concerned.
The Assistance and Access Bill was introduced to the Parliament's Intelligence and Security Committee on September 20 and comments were accepted until Friday, October 12.
More than 60 submissions were received from both individuals and organizations. Unsurprisingly, law enforcement organizations, such as the Police Federation of Australia, welcome the initiative, and government agencies are trying to convince everyone that encryption will not be weakened.
Australia's Department of Home Affairs claims the new bill "establishes a technologically neutral framework for industry and government to work together towards access solutions with entrenched security protections."
"The new arrangements put in place by the Bill will allow, where possible, Australian authorities exceptional access to encrypted communications in circumstances negotiated by industry and Government. Importantly, any arrangement that would introduce weaknesses and make innocent, third-party communications vulnerable would be in contravention of the Bill’s legal safeguards," the department commented.
Cisco, Apple, Mozilla, Kaspersky Lab and others are still concerned about the bill and its international impact, particularly due to its vagueness and lack of transparency.
Kaspersky Lab has commented on various aspects of the bill, including legal implications.
"By enabling direct access to the foreign users’ machines through the technology provider, rather than through the approved cooperation channels, the Bill may institutionalize circumvention of the standardized procedures of formal mutual legal assistance requests on the grounds of urgency or secrecy," the cybersecurity firm said. "More so, the regulators in jurisdictions where a mutual legal assistance regime with Australia is absent may consider this access to be a violation of nation’s sovereignty. When served with a notice to access data in those jurisdictions and conceal this action, providers may face a stark choice of which country’s laws they will have to violate."
Cisco is concerned that other governments will follow Australia's example, but they "may not have Australia's commitment to restraint in the exercise of executive power."
"Without further amendment, we believe the net result of these changes would harm the security interests of Australia by setting a precedent that could be adopted by less liberal regimes," Cisco said.
Mozilla warned that "any measure that allows a government to dictate the design of Internet systems represents a significant risk to the security, stability and trust of those systems."
"The bill is intentionally vague on the form and extent of what might be compelled by a TCN, so it is difficult to say what kinds of capabilities might be requested. We wish to emphasize that an under-specified authority to impose technical capabilities onto a software vendor not only introduces substantive problems through insufficient clarity, but also fails to provide certainty for both users and developers of technology," Mozilla said.
Apple says it's willing to help law enforcement investigations, but believes weakening encryption is not necessary. The tech giant wants the law to be clear and unambiguous and include a "firm mandate" that bans the weakening of encryption and other security protections.
"We encourage the government to stand by their stated intention not to weaken encryption or compel providers to build systemic weaknesses into their products. Due to the breadth and vagueness of the bill’s authorities, coupled with ill-defined restrictions, that commitment is not currently being met," Apple noted. "For instance, the bill could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well. All of these capabilities should be as alarming to every Australian as they are to us."