A key protection in a government bill that is designed to increase the ability of police to access online communications is a prohibition on forcing a company to build a “systemic” security vulnerability into its products or services. However, exactly what that provision will mean in practice remains unclear.
The Parliamentary Joint Committee on Intelligence and Security today held its first public hearing on the Telecommunication and Other Legislation Amendment (Assistance and Access) Bill 2018.
The bill contains several schedules boosting the powers of police and intelligence agencies to access communications services (although the government has been at pains to point out that the provisions in the bill won’t undo any existing warrant requirements to get access to a particular piece of content or intercept communications).
Much of the scrutiny of the bill has focused on Schedule 1, which establishes a new system by which authorised agencies can request or demand cooperation from “designated communications providers” or DCPs (an extremely broad category set out in Section 317C, capturing organisations ranging from telecommunications network operators to an organisation that “provides an electronic service that has one or more end-users in Australia”).
The legislation will establish a system of Technical Assistance Requests (TARs — requests for voluntary cooperation from a DCP), Technical Assistance Notices (TANs — instructions to a DCP to assist in a certain manner) and Technical Capability Notices (TCNs — an order from the attorney-general that a DCP build a new capability to assist law enforcement investigations).
The bill sets out a lengthy list of “things” that can be required by a TAN or TCN, ranging from providing technical information to installing software, modifying the characteristics of a service, or concealing any changes made as a result of a notice.
The bill says that a DCP “must not be required to implement or build a systemic weakness or systemic vulnerability” or carry out “one or more actions that would render systemic methods of authentication or encryption less effective”.
The bill does not detail what a “systemic weakness” is, however.
Shadow attorney-general Mark Dreyfus noted that a significant number of submissions in response to government consultation on the bill have expressed concern over whether it would still allow the creation of “backdoors” or “systemic weaknesses” in services.
“No-one’s requiring at the enterprise level when you manufacture a device or you set up a network that there’s a general or universal way of simply flicking a switch and all of a sudden rendering encrypted communications ‘clear’,” the secretary of the Department of Home Affairs, Mike Pezzullo, told today’s hearing.
Mike Burgess, the director-general of the Australian Signals Directorate said that a systemic weakness is “one that would be available to everyone”. “It would be one thing to ask for assistance to get access to something but actually the action undertaken to provide that in that targeted case actually jeopardised the information of other people as a result of that action taken and that’s not what’s being asked,” the ASD chief said
Dreyfus asked why, if that’s the definition the government is using, it isn’t included in the bill.
Home Affairs first assistant secretary Hamish Hansford said that the difficulty was that what a systemic weakness would be for a particular company “relies on an understanding of what their business structures are”.
“What a systemic weakness might be for Apple or Google might not be for Microsoft,” he said.
In the bill “it’s defined within its ordinary meaning of relating to a system,” he added.
Pezzullo said: “‘Systemic’ intrinsically means pertaining to the whole system; something which operates at the level of the system. So if you’re producing the phones that we all have in our pockets or you’re running a network or you’re running an application that’s got a general presence on a network, a systemic weakness would be something that would be universal and therefore, subject to the technical capacity of someone wishing to attack that weakness would be available to all attackers — that is the last thing we want.”
Dreyfus ran the witnesses through a series of scenarios focused on the “systemic weakness” prohibition.
The first was a notice directing a maker of a smart speaker ordering to install persistent eavesdropping capabilities in a particular individual’s home. At the hearing it was not clear whether such a requirement would fall afoul of the bar on requiring the introduction of a systemic weakness.
Another hypothetical posed by Dreyfus was a direction to provide a “tool that could unlock a particular user’s device regardless of whether such a tool could be used to unlock every other user’s device as well.” “Would the prohibition on creating systemic weaknesses rule out that kind of notice?” the Labor MP asked.
“You can’t require a capability to remove a level of electronic protection,” Hansford said. “So depending on the example... I think the answer is: I’d have to explore it more.”
Australian Federal Police Commissioner Andrew Colvin said “it’s potential [sic.] but that’s what the [attorney-general] will have to consider on the advice of both the industry expert and potentially an independent expert as to whether on the balance creating that technical access does create a broader systemic fault for everybody who has the same phone with the same configuration.”
Many of the scenarios canvassed were drawn from a submission to the inquiry by Apple, which has argued the bill is “dangerously ambiguous with respect to encryption and security”.
The iPhone-maker’s written submission to the inquiry argued that the bill “could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well.”
Apple said that a government could potentially force a company to build a tool capable of bypassing the security of a particular device — and that although the government may believe that doing so would not create a “systemic risk” to security, the company argued that “even if deployed only to one phone” such an application would “render everyone’s encryption and security less effective”.
Another scenario posed to witnesses at today’s hearing was whether adding a new end point to an encrypted service would breach the systemic weakness ban.
“I think it would depend on how the new end point is introduced with the company,” Hansford said. “So we’d have to understand the infrastructure of the company which gets to the point about consultation with the company to understand their systems in order to understand how you would do that... so I think the answer depends on the company and how they’re structured and how they use the technology.”
He confirmed, however, that requiring a company to implement a key escrow arrangement would violate the bill’s provisions.
“I think that’s the first one we’ve got to that wouldn’t depend on the circumstances,” Dreyfus noted.