Tech Industry Pushes for Australian Encryption Law Changes
Senate Committee Reviewing Law With an Eye to Amend
Technology organizations say Australia's anti-encryption law passed in December 2018 is already undermining trust in their local operations.
Australia's Senate Parliamentary Joint Committee on Intelligence and Security is conducting a review that's due April 3. A submission period closed on Friday. Sixty-two government entities, organizations and companies filed opinions on how the law could be remedied.
The law grants the government new powers to compel software companies to help law enforcement decrypt content, or in extreme cases, develop new technologies to disable or undermine encryption (see Australia Passes Encryption-Busting Law).
It's the latter part that raised the most ire, as technologists worried the government could force software developers to install backdoors into their products. Other parts of the law impose penalties on those who disclose secret government orders to undermine encryption, obscuring public oversight.
But the Coalition government contended it needed the powers over the holiday season, citing possible national security and terrorism threats. Critics contended the vague intimation of a public safety threat was an unjustified scare campaign leveraged to push flawed legislation onto the books.
Among the critics is Mozilla, which said its preference is for the law, formally known as the Assistance and Access Bill 2018, to be "abandoned and annulled." It fears the government could use its powers to single out one employee to compromise the integrity of its systems. That employee would be bound by secrecy and face prison if a legal order were to be disclosed.
That law could force tech companies "to treat Australia-based employees as potential insider threats, introducing another vector for compromise that could undermine trust in critical products and incentivizing companies to move critical roles to other localities," Mozilla says in its submission.
Also weighing in is FastMail, an email provider.
"We have already seen an impact on our business caused by this perception," FastMail says in its submission. "Our particular service is not materially affected as we already respond to warrants under the Telecommunications Act. Still, we have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice."
Parliament passed the law amid a flurry of legislative activity at the end of its session, with legislators acknowledging that it was problematic but pledging to fix its faults this year. It was a messy end to a contentious debate that drew international attention.
Because of Australia's close partnership with its other intelligence partners, including the U.S., Canada, U.K. and New Zealand, there are fears that Australia could become the go-to place to undermine encryption via mutual legal assistance orders.
The legislative debate last year drew international attention. Among the critics outside Australia is Riana Pfefferkorn, an associate director of surveillance and cybersecurity at the Center for Internet and Society at Stanford Law School.
Pfefferkorn filed comments with the Senate committee on Feb. 14. She contends that the secrecy requirements around the law have "caused immediate and ongoing harm to Australia's technology sector (according to industry leaders)."
"It is not publicly known - and maybe never will be - which providers have been served to date with technical assistance/capability notices or requests under the new law, or what the providers have secretly done to their products and services in order to comply," she writes.
Over the past few years, many communications software providers have designed systems that can transmit content that can only be decrypted with private keys held by those communicating. The new law, however, allows Australia to issue a "technical capability notice," which compels a company to build a new capability that would unlock content.
Security experts contend doing so would also create openings for nation-states and cybercriminals, who may discover and take advantage of purposeful weaknesses inserted into software.
Although the government has maintained it wouldn't order companies to build systemic weaknesses, security experts derided the claim as semantic gibberish that is, in practice, technically unfeasible.
"Australian-based providers of information technology products and services are now regularly fielding questions regarding the impact of the Act on their installed products and in the context of prospective sales engagements," Senetas writes. "The situation is not aided by foreign competitors making use of the media and other material to improve their competitive position."