Some of the world’s biggest technology companies have warned that a draft government bill intended to counter the use of encryption by criminals and terrorist groups could instead undermine user safety.
The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 is the government’s long-foreshadowed response to the increased use of online communications services, particularly those that protect their users’ privacy through the use of encryption.
The government has argued that the legislation is necessary because of the increased phenomenon of criminal groups ‘going dark’: Using end-to-end encryption to evade surveillance.
However, the Digital Industry Group Inc (DIGI) — whose members include Amazon, Facebook, Google, Oath, and Twitter — have told the government that the proposed legislation may make it “easier for bad actors to commit crimes against individuals, organisations or communities”.
The Assistance and Access Bill includes three types of assistance that can be sought from tech companies by police and intelligence agencies. The first is a request for voluntary assistance. The second type — “technical assistance notices”— would legally compel a service provider to assist police. The third type — “technical capability notices” — would require a company to build a whole new capability to allow police to access data.
The two types of notice cannot require a service provider “to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection,” an explanatory memorandum accompanying the draft legislation states.
However, DIGI in a submission to the government’s public consultation on the bill notes that technical assistance or technical capability notices still may require a company to “provide assistance or build capabilities that impact the security of the service provider’s system, product or services in a non-systemic way” or “to implement or build a systemic weakness or vulnerability into something other than ‘a form of electronic protection’.”
“These requirements have potential to erode consumer trust and introduce weaknesses that malicious actors could exploit,” DIGI argues.
The group said it was also concerned at the lack of oversight and “the absence of checks and balances with this legislation”.
“Notices can be issued based on the judgment of decision-makers at agencies or the Attorney-General,” DIGI says. “These Notices may be issued based on facts or criteria that are not known to the recipient, and without full understanding of a technology on the part of an agency.”
The proposed legislation as it stands may require a company to violate the laws of other countries in which they operate, potentially placing it in an “impossible situation”.
The group argued that there should be a legal requirement that before issuing a notice the relevant decision-maker be satisfied that issuing it is “necessary”.
It also warned that the legislation could be used to impose new data retention or interception requirements on service providers that are not carriers or carriage service providers — potentially expanding Australia's data retention regime beyond telcos.
DIGI called for independent judicial oversight of technical assistance and technical capability notices.
In addition, service providers should not be required to “build vulnerabilities or weaknesses into their products or services” and notices should not be used to expand data retention beyond telecommunications carriers. The companies should be forced to breach the laws of other countries, the group says.
“It’s important to note that even if these recommendations were adopted, the Bill proposes extraordinary powers of unprecedented scope, and their exercise should be limited to combating serious crimes that pose a grave threat to human life or safety,” the group adds.