Tech Companies Push Back Against Australia’s Crypto Backdoor Bill

Several large technology providers have expressed serious concerns with a bill that’s moving through Australia’s parliament that would allow the country’s government to compel companies to build new capabilities into their products to bypass or weaken encryption.

In formal submissions to the Parliament of Australia’s Joint Committee on Intelligence and Security, Apple, Cisco, Mozilla, and several other companies objected to the bill, saying it would compromise security for all users and make life easier for not just law enforcement, but also attackers. The Assistance and Access Bill 2018 would give authorities in Australia several new methods for requesting assistance or information or demanding technical capabilities from technology providers. It has been moving through Australia’s legislature quickly since it was introduced in September, and tech companies, security experts, and digital rights organizations are worried that the bill represents a serious threat to user privacy and security.

“In the face of these threats, this is no time to weaken encryption. There is profound risk of making criminals’ jobs easier, not harder. Increasingly stronger — not weaker — encryption is the best way to protect against these threats,” a letter from Apple to the committee says.

The provision in the bill that has most observers concerned is one that gives the country’s attorney general the power to issue a technical capability notice (TCN) to a technology provider. Using a TCN, the attorney general could force a company to develop a new capability to provide information or intercept capabilities to law enforcement, and could also prohibit the company from documenting or disclosing the capability. The provision essentially allows the Australian government to compel vendors to build in backdoors, something that technology providers are not very enthusiastic about.

“We have defined a ‘backdoor’ to include any surveillance capability that is intentionally created yet not transparently disclosed. To the extent that the bill would require via a TCN the creation of a capability while simultaneously preventing the [designated communications provider] from documenting the existence of that capability, the law would result in the creation of a backdoor,” Cisco said in a submission to the committee.

Australia is not the only country that is attempting to get around the use of strong encryption in consumer products through legislation or mandates. The governments in Russia and China have moved to force the operators of some secure messaging services to turn over encryption keys or take other steps to give authorities access to users’ communications. There also have been extensive discussions among law enforcement officials and legislators in both the United States and U.K. about so-called exceptional access to encrypted communications or devices. That approach is similar in that it would require providers to build in some software or hardware capabilities to provide a way into encrypted systems when issued a warrant or other legal authority. It’s a well-worn idea and one that security experts and technology providers say is fundamentally flawed.

“Some suggest that exceptions can be made, and access to encrypted data could be created just for only those sworn to uphold the public good. That is a false premise. Encryption is simply math. Any process that weakens the mathematical models that protect user data for anyone will by extension weaken the protections for everyone. It would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat,” Apple’s letter says.

Officials at Mozilla expressed similar concerns, saying the bill would pose a serious threat to the security of the network as a whole.

“A rush to enact legislation in the proposed form could do significant harm to the Internet. TCNs in particular present the government with capabilities that we don’t believe are appropriate, as well as being a significant risk to the security of the Internet,” Mozilla officials said in a submission to the committee.

The push for legislation in Australia comes a few weeks after the governments of the Five Eyes nations--U.S., U.K., Canada, Australia, and New Zealand--issued a statement saying that law enforcement access to encrypted communications is vital and legislation would be the next step if technology providers don’t make voluntary changes.

“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions,” the statement says.

The first public hearing on the Australian bill is scheduled for Friday.