Australia’s anti-encryption laws is drawing fresh fire from members of the technology community. This time, it’s coming from FastMail and Mozilla.
Last December, Australia passed a first of its kind anti-encryption law in the lower house. The law would compel organizations to implement backdoors on anything that involves encryption for the purpose of eavesdropping for law enforcement. The process was rushed and the laws were passed despite the backlash from the technology sector operating in the country.
The passage has left many companies to contemplate going as far as fleeing the country. Others say they will stay and fight. An example of that is encrypted messaging app Signal saying that they won’t comply with installing any kind of back door simply because of the way the system is built.
To make matters worse, the anti-encryption law even started to become an international incident with observers in New Zealand saying that New Zealand needs to rethink their online strategy. The strategy, of course, being that government data is being pushed towards cloud computing. If personal information is in the cloud, the question is, where is that cloud stored? As it turns out, it’s stored in Australia. With anti-encryption laws being pushed, the question then becomes: how can personal information possibly be protected on Australian land?
For the Australian governments side of things, Australia’s spy chief blasted critics. He accused them of perpetuating “myths” and accused them of being motivated by “self-interest”.
While the news somewhat died down since, that doesn’t mean the issue is still smouldering beneath the surface. Now, controversy is flaring back onto the surface of the public conciouse with fresh criticisms from companies like FastMail and open source developer Mozilla.
In a submission (PDF), FastMail said that the passage of TOLA/Assistance and Access Act has created the perception that Australia no longer respects the personal rights of privacy. All of this is in the context of data leaks and breaches occurring, The Facebook Cambridge Analytica scandal, and Europe’s General Data Protection Regulation (GDPR).
In response to the laws, FastMail says that they foresee a reduction of foreign investment. This in the context of how 90% of their user base is from non-Australian regions. Additionally, their staff have expressed concerns what this law will mean.
Meanwhile, Mozilla expressed their own concerns with the law (PDF). The company is demanding clarity that requests for backdoors must not target individuals, but instead, a designated on point person instead who can handle such a request. Additionally, they say that secret backdoors would undermine publis trust in an open source project. From their submission:
As an open source company, we are committed to developing our products and services publicly. More than just a philosophical choice, open source development allows myriad actors outside of Mozilla to identify bugs in our code, and in doing so making our products and services more resilient and secure. This benefits the hundreds of millions of people who use Mozilla products every day. Developing in the open also allows our users to have more trust in the integrity of our code. The restrictions on disclosure in TOLA around building backdoors and other “acts and things” that may be required under the law are not just antithetical to us an open source company but would undermine the security and trust of all of our users.
When the US FBI in 2016 sought to force Apple to develop new software to undermine the security of its systems in order to gain access to an encrypted iPhone, this debate played out in the public eye. This allowed security experts, civil society, other companies, and elected representatives to weigh in on the risks of this order. Yet, if the Australian government were to use their new powers under TOLA today, we wouldn’t know about it, because the law contains strict restrictions on disclosing information about any orders that are issued. Moreover, neither the orders issued under TOLA nor the limitations on talking about them have to be approved by a judge. This effectively prohibits the much-needed conversation about the appropriate limits of government surveillance as well as use of exploits that undermine the security of internet users, products, and services.
Secrecy should not be the default. If the government believes that secrecy is required in order to protect the integrity of an investigation or operation, they should have to seek an additional approval from a court of relevant jurisdiction. The Government should have to periodically justify to the court why the continuation of a restriction on disclosure is warranted, and all orders should become public eventually. While we understand that there may be a need for secrecy around the use of TARs and TANs because disclosure may alert the target of an investigation or operation, the same cannot be said of TCNs. Given that TCNs need not be tied to a specific target, operation, or investigation, there is no comparable need for restrictions on disclosure. TCNs designed to ensure that a DCP is capable of giving help could theoretically be used against any user, the vast majority of whom are not and will not ever be under suspicion. While we don’t believe Australian authorities should have these powers given the profound security and privacy risks, we believe the government should have to make the case for these capabilities in the public eye. TCNs should never be secret.
The company went on to recommend court oversight for backdoor requests, the inclusion of impartial reviews, and require that such requests would not disproportionately harm non-targetted users among other things.
So, from a privacy front, the war in Australia is far from over. It’s by no means looking good, but it’s not as though the country is a lost cause yet. As it stands now, the current Australian government has already developed a track record of ignoring expert advice. As such, whether or not this has any sort of impact remains to be seen. Still, it’s understandable that companies such as Mozilla and FastMail will take any opportunity they can to at least fight these laws. After all, their very future in the country could very well be at stake here.
(Via The Daily Swig)
Drew Wilson on Twitter: @icecube85 and Google+.