Tech Companies Bristle at Australia's Crypto Legislation
Latest Draft Still Imperils Privacy and Security, Organizations Contend
Australia's latest draft of legislation that would enable law enforcement access to encrypted communications is still far too secretive and imperils privacy and security, technology companies and civil liberties organizations contend.
Late last week, a host of top companies and organizations, including Apple, Cisco, Facebook, Google and Microsoft, signed onto critiques of the legislation, known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018.
The material was submitted to the Parliamentary Joint Committee on Intelligence and Security, which is reviewing the legislation. It plans to hold an initial public hearing on Friday and more hearings in the coming weeks.
Like the U.S. and U.K., Australia contends that encrypted communications are hampering law enforcement and national security investigations. Last year, the government marshalled support among its allies for new laws that would compel communications providers to unlock encrypted content (see Australia Pushes 'Five Eyes' for Tools to Counter Encryption).
The Australian government has strenuously denied it was seeking to force companies to install "backdoors," or surreptitious access methods. But encryption experts and technologists have argued that the government's position is more of a misleading semantics game and that any such access technique would increase security risks.
On Thursday, a coalition of 25 civil society organizations and 13 technology companies jointly filed comments on the latest draft of the bill.
The coalition says that while some of the provisions of the draft bill are "commendable," the proposed legislation nonetheless "poses serious threats to cybersecurity, privacy and freedom of expression." In a separate filing on Friday, Cisco suggests that other countries with fewer bounds on executive power will take cues from Australia's moves.
"Without further amendment, we believe the net result of these changes would harm the security interests of Australia by setting a precedent that could be adopted by less liberal regimes," Cisco writes.
The legislation, however, has robust support from police and government.
"Secure, encrypted communications are being used by terrorist groups and organized criminals to avoid detection and disruption," the Department of Home Affairs writes in a submission. "Over 90 percent of telecommunications information being lawfully intercepted by the Australian Federal Police now uses some form of encryption."
Tech Companies on Notice
The legislation would allow for the government to issue three kinds of notices: voluntary technical assistance notices, technical assistance notices and technical capability notices.
It's the technical capability notice that is causing the most concern. An organization receiving that kind of notice would be compelled to build a new capability to give assistance to the government. The government maintains that this kind of order does not mean a company is compelled to remove encryption if it is not possible to do so.
The bill further says that the government cannot order an organization to build a systemic weakness or vulnerability into its service. But the coalition says that "other sections of the bill undermine the safeguards provided by this language."
In addition to joining the coalition, Apple submitted separate comments on Friday. The scope of the bill, it contends, would appear to allow for actions such as preventing certain users from receiving security updates.
"We encourage the government to stand by their stated intention not to weaken encryption or compel providers to build systemic weaknesses into their products," Apple writes. "Due to the breadth and vagueness of the bill's authorities, coupled with ill-defined restrictions, that commitment is not currently being met."
Apple, which fought a high-profile battle with the FBI over access to an iPhone used by one of the shooters in an incident in San Bernardino, California, contends that it's not possible to only grant special access to encrypted data to law enforcement without broader risk.
"That is a false premise," Apple writes. "Encryption is simply math. Any process that weakens the mathematical models that protect user data for anyone will by extension weaken the protections for everyone."
Indeed, the coalition contends in its submission that the proposed Australian legislation "also appears to permit the type of demand" that the FBI made of Apple.
The FBI successfully gained a court order that compelled Apple to create a special version of its iOS mobile operating system that would remove certain security protections. Apple fought the order, and the FBI later dropped its legal action after finding another way to unlock the device.
Apple Says Secrecy Requirements 'Stifling'
Australia's proposed legislation is somewhat modeled on the U.K.'s Investigatory Powers Act, which similarly empowers the government to require cooperation of organizations in accessing locked data. The U.K., however, requires that Judicial Commissioners review proposed technical capability notices prior to issuance (see British Home Secretary Demands Backdoored Communications).
The coalition, and Apple in a separate filing, noted that the Australian plan would leave the attorney general with the sole power to determine if a technical capability notice should be carried out.
The revised bill, however, would allow an organization to jointly examine with the attorney general whether a technical capability notice would, say, violate the prohibition on creating systemic weaknesses in products. But the coalition contends the bill wouldn't allow for "adequate oversight" of either a technical assistance notice or a technical capability notice, whether before or after the government issues one.
"Given the breadth and power of the new authorities that would be created by the bill, it is critical that the law provides for robust oversight of authorizing agencies to ensure accountability," the coalition says.
Under the proposed law, organizations would be allowed to release statistics twice a year on the type of received requests. But there would be strict penalties for disclosing a specific request, with a maximum sentence of five years in prison.
Apple calls the secrecy requirement "stifling," suggesting that it could prevent legitimate whistleblowing.
"For instance, if an engineer working for a provider tasked with complying with a TCN [technical capability notice] had a legitimate legal or ethical concern, they could be imprisoned for five years for merely disclosing the fact of a TCN to his or her employer's human resources office," Apple writes. "Similarly, an employee of a provider who legitimately believed a TAN [technical assistance notice] or TCN violated the law, could not disclose that concern for fear of punishment."