New laws that could compel global technology companies to assist Australian spy agencies and police have been labelled “aggressive” by some security experts.
If passed, the assistance and access bill would introduce expansive new powers to help law enforcement officers investigate criminal activity online.
Its supporters argue these powers are needed because criminals are increasingly using sophisticated methods of communicating online to escape detection.
The Government is adamant the bill would not force the likes of Apple or Google to undermine encryption, which keeps online activity private and secure.
But critics are concerned that once made, holes in the security of individual smartphones, chips and other devices would be difficult to control.
Australia’s proposed laws represent a significant step up in the fight against the criminal use of encrypted communications, according to security researcher Christopher Parsons of The Citizen Lab in Toronto, Canada.
Concerns the bill will make our technology less safe
Among other provisions, the bill proposes three key ways for technology companies, software developers and others to assist spy agencies and police:
- A technical assistance request: A company can choose to “voluntarily” help, such as by giving details about the development of a new online service
- A technical assistance notice: A company is required to give assistance if it is able to. For example, if it has the ability to decrypt a specific communication, it must do so or face fines
- A technical capability notice: The company must build a new function so that it can assist police, as long as the new function does not require encryption to be broken
Authorities would still need an “underlying warrant or authorisation” to access the content of the encrypted communications.
The Government says that “systemic” weaknesses, such as undermining encryption across all devices, cannot be demanded.
But Vanessa Teague, a cryptography expert at The University of Melbourne, is concerned that some ambiguity remains in the bill.
For example, could a company be asked to build a specific vulnerability for an individual’s device even if the company feared that the change might have accidental side effects for other users, she asked.
In Dr Teague’s view, the Government’s guarantees “appear only in a weakened, ambiguous or limited form [in the bill]”.
A spokesperson for the Department of Home Affairs said that in addition to prohibiting requests that would introduce a systemic weakness, the bill contained additional safeguards.
“The Attorney-General must consider a provider’s submission in determining if a request is reasonable, proportionate, practicable and technically feasible,” they added.
“This includes considering the impact of notice on privacy, cybersecurity and innocent third parties.”
Tom Sulston of Digital Rights Watch warned that once a new technical capability existed for surveillance, it could be reused. It could even be lost or stolen, as has occurred with devastating effect in the United States.
“Once the proverbial cat is out of the bag, … other people can exploit that,” he said.
The bill could compromise trust in technology: experts
One way technology companies could assist agencies would be to target an individual with a tailored modification to an app in order to compromise their messages, suggested Fergus Hanson, head of the International Cyber Policy Centre at the Australian Strategic Policy Institute (ASPI).
“If Australia suddenly said ‘we want to roll this out over your entire network’ that would be a clear breach of the requirement that they not introduce systemic vulnerabilities,” he added.
Citizen Lab’s Mr Parsons said a scenario where targeted software updates were altered to allow interception was troubling.
“When there is the concern that updates might be poisonous, it diminishes the trust individuals will have in running updates,” he said.
“It’s sort of like a vaccine. If everyone’s vaccinated, then we’re protected … but if we selectively don’t, then all of a sudden our immunity goes down. Our computer systems become more generally insecure.”
Mr Hanson said another potential sticking point was the bill’s proposal that agencies could ask for a company’s source code, which could help them identify and exploit vulnerabilities in that technology that the company itself is not aware of.
“I think there will be a lot of pushback from some companies to do that, because it’s got a lot of international precedent-setting implications,” he said.
The bill could be used for foreign purposes: critics
Digital Rights Watch’s Mr Sulston pointed out the bill provided a broad range of reasons why a technical capability notice could be issued.
Orders could be made by the Attorney-General, not only for safeguarding national security, but also for “assisting the enforcement of the criminal laws in force in a foreign country”.
According to ASPI’s Mr Hanson, the latter is a process that often happens in the “offline” world. Foreign police can ask Australian law enforcement for assistance in investigating a suspect, within certain legal parameters.
But such decisions would be made without the backing of an enforceable national human rights framework, since Australia does not have one, Queensland University of Technology researcher Monique Mann pointed out.
According to Home Affairs, notices might be issued to assist with a foreign investigation in circumstances where Australian investigators believed it appropriate.
“These requests are subject to robust scrutiny to ensure that assistance is consistent with Australia’s international responsibilities and human rights obligations,” a spokesperson said.
“It’s important for democratic nations to reflect on … [whether] the activities they take in the legislation they pass could be mimicked by states that are more oppressive and lack the rule of law,” Mr Parsons suggested.