Blow-back on encryption laws
Political storm: Big Tech fights back on encryption law controversy
The federal government’s controversial anti-encryption bill gives “extraordinary powers of unprecedented scope” and may serve to “undermine public safety”, according to some of the biggest tech companies in the world.
Digital Industry Group Inc (DIGI), an industry group representing Amazon, Facebook, Google and Twitter among others, said it hds serious concerns about the Telecommunications and Other Amendment (Assistance and Access Bill) 2018 in its submission to government on the draft legislation.
DIGI said there needs to be independent oversight on the new powers included in the bill, and that tech companies should not be forced to build vulnerabilities or weaknesses into products.
In a rare public submission, the Internet Architecture Board also criticised the bill, saying it could have a “serious and undesirable impact” and lead to the “fragmentation of the internet”.
The draft legislation, released last month, outlined new powers allowing Australian law enforcement and agencies to require tech companies to assist in accessing encrypted communications.
It introduces new voluntary technical assistance requests, along with mandatory technical assistance notices and technical capability notices, which can only be issued by the Attorney-General.
These notices can require a company to build a new capability that “will enable them to give assistance or insert malware onto a device to intercept communications”.
In its submission, DIGI said that these orders would undermine the strength of encryption as a whole.
“Requiring technology companies to engineer vulnerabilities into their products and services would undermine the security and privacy of our users, as well as the world’s information technology infrastructure,” the submission said.
“Governments should avoid any action that would require companies to create any security vulnerabilities in their products and services.”
The government has repeatedly said the bill does not require the creation of “backdoor” access to encrypted communications, and would not lead to “systemic weaknesses” in encryption.
“The Australian government remains committed to the security of communications services and devices and the privacy of Australians. These powers cannot be used to introduce so-called backdoors or require a provider to disclose communications content or data,” the government said last month.
But DIGI said the bill “may require the provider to identify a weakness in the security of data in their systems or technology and to make that weakness known to those agencies” and “may serve to actually undermine public safety by making it easier for bad actors to commit crimes against individuals, organisations or communities”.
“The proposal for companies to facilitate technical vulnerabilities is of particular concern as it doesn’t just create a vulnerability for law enforcement to exploit, it becomes a vulnerability for all, making it easier for criminals to exploit digital technologies to commit crimes,” DIGI said.
The group is also concerned about a lack of judicial review over the issuing of the technical notices and requests, which may be based on information that is not known to the recipient.
It said that the government’s statements about the bill don’t match the actual legislation.
“While the explanatory document suggests the issuers of notices should consider the interests of the service provider and availability of other means to reach that agency’s objectives, this is not the same as a legal requirement that the decision-maker be satisfied that issuing the notice is ‘necessary’,” the group said.
The group recommended that notices be decided by an independent judicial authority on the “basis of evidence and an assessment of clear criteria”, and that these notices shouldn’t require a company to build vulnerabilities or weaknesses into the services.
But the government has said issuing a notice or request must be “reasonable, proportionate, practicable and technically feasible”.
“This means the decision-maker must evaluate the individual circumstances of each notice. The decision-maker must also consider wider public interests, such as any impact on privacy, cybersecurity and innocent third parties,” the government said.
The new powers could also force tech companies to do something that may violate the laws of another country.
“This potentially places service providers in an impossible situation and also potentially jeopardises Australian national security if other governments introduce similar provisions,” DIGI said.
Even if its recommendations are adopted by the government, the widespread powers included in it should be properly considered in consultation with civil and digital rights group, DIGI said.
“It’s important to note that even if these recommendations were adopted, the bill proposes extraordinary powers of unprecedented scope, and their exercise should be limited to combating serious crimes that pose a grave threat to human life or safety,” it said.
The Internet Architecture Board said that the Australian government’s approach could lead to the fragmentation of the internet.
“This approach, if applied generally, would result in the internet’s privacy and security being the lowest common denominator permitted by the actions taken in myriad judicial contexts. From that perspective, this approach drastically reduces trust in critical internet infrastructure and affects the long term health and viability of the internet,” Internet Architecture Board chair Ted Hardie said.
This could be exacerbated by tech companies being forced to do something that may break a law in another country, Mr Hardie said.
“This risk might cause some infrastructure providers to relocate, reduce service or even block service to Australian users. Such fragmentation of the internet is one of the primary concerns we have today, as it reduces the value of a global, highly-connected internet,” he said.
The new powers would undermine the security of encryption as a whole, he said.
“Requiring access to data that’s intended to be kept confidential after it has been decrypted can cause weaknesses and harms that are equivalent to or greater than those caused by backdoors in encryption itself,” Mr Hardie said.
“Any method used to compel an infrastructure provider to break encryption or provide false trust arrangements introduces a systemic weakness, as it erodes trust in the internet itself. The mere ability to compel internet infrastructure providers’ compliance introduces that vulnerability to the entire system, because it weakens that same trust.”
A coalition of digital and civil rights groups, including Digital Rights Watch, the Australian Privacy Foundation and Electronic Frontiers Australia, has also released its on the legislation and outlined its “numerous serious concerns”.
The bill gave “extremely broad powers with almost no oversight without any substantive justification”, the groups claim, and it “effectively enacts insecurity by design”.
It argued that Parliament should completely reject the legislation, and criticised the government for the “extremely limited” consultation time it gave to the bill.
In response to queries regarding the concerns included in the submissions, a Home Affairs spokesperson said the government would “carefully consider the submissions that have been made and will bring forward any amendments arising from those considerations in due course”.