Aussie tech staff an ‘insider threat’
Australian employees of global tech companies may now be viewed as “insider threats” due to the federal government’s new encryption powers, global internet giant Mozilla has warned.
Scathing submissions to the Parliamentary Joint Committee on Intelligence and Security’s inquiry into the Assistance and Access Bill have continued to flow in, as attention turns to Labor to address the many issues surrounding the Act if it is elected in May.
The submissions warned that local tech companies are also already feeling the impact of the new laws, with Australia’s global reputation severely damaged.
Global open-source web developer Mozilla slammed the Act in its submission, saying it could lead to Australian employees of international tech companies being viewed as “insider threats”, with “ambiguous” wording in the legislation allowing for notices to be issued to individual employees rather than companies.
“It is easy to imagine how Australian authorities could abuse their powers and the penalties of this law to coerce an employee of a DCP to compromise the security of the systems and products they develop or maintain,” Mozilla said in its submission.
“This potential would force Designated Communication Providers to treat Australia-based employees as potential insider threats, introducing another vector for compromise that could undermine trust in critical products and incentivising companies to move critical roles to other localities.”
In its submission, Melbourne-based encrypted email provider FastMail outlined the real-world impacts the Act has already had for local tech companies, with Australia’s global reputation damaged.
With growing awareness globally on privacy and online security, the passing of the Act has led to customers abandoning Australian companies, the submission said.
“Our customers are deeply concerned that they cannot trust the Australian government to properly manage, monitor and control the flow of access requests. We have already seen an impact on our business caused by this perception,” the FastMail submission said.
“We have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice. We anticipate a reduction in foreign investment for startups, as people refuse to put their money into a product that could be compromised without warning,” it said.
“We also anticipate that other Australian companies will find it more difficult to export their products or services to other countries.”
The new powers would also have a “chilling effect” on anyone looking to start a tech company in Australia, with talent moving overseas, FastMail said.
“If Australians with great ideas choose to take their intellectual property to another country, it has a negative impact both by reducing future tax revenue and by depriving the technology community in Australia of another entrant,” it said.
Other submissions to the committee focused on pushing for “mitigation strategies”, as the second best option behind repealing the Act entirely.
A coalition of more than 30 international civil society groups and tech companies, including Google, Facebook, Apple, Amazon and Privacy International, put in a joint submission that said the slightly amended legislation that passed late last year did not address any of the fundamental concerns surrounding the new powers.
“The Act … threatens cybersecurity and encryption in Australia and around the world. Once Australia uses the broad new powers conferred by the Act to demand that tech companies weaken the security features of their products, this will affect all users of those products, wherever they are located,” the joint submission said.
“Protections for privacy, data security and free expression that are derived from the availability of strong encryption would be undermined by government demands that communications providers introduce intentional vulnerabilities into secure products for the government’s use.”
The coalition of tech organisations has called for a number of changes to the bill that would “ameliorate though not cure” some of these issues.
They are urging the government to narrow the authorities that can access the powers, refine the definitions of “systemic weakness” and “systemic vulnerabilities”, include more robust judicial oversight and better protections for the rights of security researchers and software engineers.
The call for judicial oversight is a primary recommendation emerging from many of the new submissions.
“One of the most troubling omissions from the law that still remains is the lack of any requirement for judicial review of technical assistance notices and technical capability notices prior to their issuance,” the joint submission said.
“Nor is there a clear and meaningful opportunity for independent or judicial oversight after they have been issued.
“While they will not cure every concern that this law raises, these amendments would help to ameliorate some of the most significant threats.”
These demands have been backed by the Opposition, with Labor senators moving a number of amendments earlier this month before debate was delayed until the next sitting week in April.
Labor’s amendment redefining “systemic weakness” was passed by the Parliament, while the others are yet to be debated. The Opposition has vowed to work with industry to fix the legislation, saying that the government has “botched” it, despite Labor supporting its passage unamended late last year.
The Australian Human Rights Commission also supplied another submission to the inquiry, saying that the new powers would “permit inappropriately intrusive, covert and coercive powers, without effective safeguards to adequately protect the human rights of law enforcement targets and innocent third parties”.
“At no stage, have the limitations on human rights been demonstrated by the government to be reasonable, necessary and proportionate to the stated aim of ‘better dealing with the challenges posed by ubiquitous encryption’,” the submission said.
The Commission also called for mitigation amendments, including requiring judicial authorisation, better definitions of key phrases and reducing the breadth of objectives for which the powers can be used.
In another submission, Access Now said the new powers could be “damaging, or even life-threatening”.