Australian encryption-busting Bill would create backdoors: Cisco

Tech giants including Apple, Cisco, and Mozilla have criticised the Australian government for wanting to introduce laws that would allow for access to encrypted content.

Despite the Australian government repeatedly claiming that its Assistance and Access Bill would not involve the creation of backdoors, networking giant Cisco has accused Canberra of doing just that.

In a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security -- which is currently reviewing the legislation as the government attempts to ram it through Parliament -- Cisco called out Canberra for not allowing greater transparency on disclosing notices and requests from Australian authorities to access encrypted communications.

"We have defined a 'backdoor' to include any surveillance capability that is intentionally created and yet not transparently disclosed," Cisco said.

"To the extent that the Bill would require via a [Technical Capability Notice] the creation of a capability while simultaneously preventing the [communication providers] from documenting the existence of that capability, the law would result in the creation of backdoors."

The networking giant pointed to statements made by its CEO Chuck Robbins in October 2016 when addressing rumours that American companies had cosy arrangements with Washington intelligence agencies.

"We don't provide backdoors. There is no special access to our products," Robbins said at the time.

Cisco said in its submission that in order to maintain customer trust, any "form of surveillance technique" in its products must be publicly disclosed.

"Cisco is most certainly not alone in having foresworn the existence of backdoors in technology products and services. As such, this issue is a significant concern that should be promptly addressed via an amendment to the Bill," the company said.

It further warned that other governments would likely follow Australia's lead if the Assistance and Access Bill is passed in its current form. Cisco added that it does not customise its lawful communication interception capabilities for any nation, and that all such capabilities are described in product documentation.

"Without further amendment, we believe the net result of these changes would harm the security interests of Australia by setting a precedent that could be adopted by less liberal regimes," Cisco said.

Under the proposed law, Australian government agencies would be able to issue three kinds of notices:

  • Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
  • Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
  • Technical Assistance Requests (TAR), which have been described by experts as the most dangerous of all.

Tasked with overseeing Australia's intelligence agencies, Inspector-General of Intelligence and Security (IGIS) Margaret Stone warned in her submission that technical assistance requests could allow for the voluntary creation of backdoors.

"This raises the legal possibility that ASIO, ASIS, or ASD could negotiate an agreement with a provider to voluntarily create or fail to remediate a 'backdoor'," Stone wrote.

"While it is foreseeable that many providers would decline any such request because it is incompatible with their commercial and reputational interests, the possibility appears to exist that an individual provider could be persuaded to do so, and if so, compensated in accordance with a contract, agreement, or other arrangement."

Stone called on the government to add increased reporting provisions to the Bill that would force agencies to notify IGIS of when requests were made.

No time to weaken encryption

Amongst the 31 submissions to the joint committee published late on Friday afternoon, Apple said the best way for the government to reach its objective of tracking down criminals and terrorists was through stronger encryption, and not by weakening it.

"This is no time to weaken encryption," Apple wrote. "There is profound risk of making criminals' jobs easier, not harder."

Cupertino argued that by reducing security for one customer, it would also reduce the security of "millions of law-abiding customers in order to investigate the very few who pose a threat".

"The government may seek to compel a provider to develop custom software to bypass a particular device's encryption. The government's view is that if it only seeks such tool for a particular user's device, it will create no systemic risk," Apple said.

"As we have firmly stated, however, the development of such a tool, even if deployed only to one phone, would render everyone's encryption and security less effective."

Apple expressed concern that one of the Bill's few outs -- preventing communication providers from building a "systemic weakness" into products to comply -- could be circumvented and allow agencies to prevent certain users from receiving security updates, or prevent providers from fixing security flaws, if Canberra deemed such actions non-systemic.

The iPhone-maker called for the introduction of a provision to allow for judicial review prior to technical capability notices being issued, and said it was deeply concerned that the government could force real-time interception of over-the-top-based messages and calls.

As a company that stores much of its customer data in the United States, Apple said it could face criminal sanctions for "any unauthorised interception of content in transit" under US law, or if Canberra wanted data on EU citizens, it could face fines of 4 percent of annual turnover thanks to the General Data Protection Regulation.

"Forcing business with operations outside Australia to comply with TANs or TCNs that violate the laws of other countries in which they operate, will just incentivise criminals to use service providers that never assist Australian authorities or ones that operate underground in jurisdictions unfriendly to Australian interests," Apple said.

"Rather than serving the interests of Australian law enforcement, it will just weaken the security and privacy of regular customers while pushing criminals further off the grid."

A number of submissions warned the government to think of the global implications of its proposed laws.

"A rush to enact legislation in the proposed form could do significant harm to the internet," Mozilla wrote.

"TCNs in particular present the government with capabilities that we don't believe are appropriate, as well as being a significant risk to the security of the Internet. The bill as proposed represents a one-sided view, without adequate consideration for the broader and longer-term costs and repercussions of its implementation."

Mozilla said that TCNs are, in effect, an "intentional introduction of a security vulnerability", and said the Bill could harm Australian companies in the global economy.

It was a view shared by Australian email provider FastMail, which said laws removing privacy would not help Australia's brain drain.

"To the extent that this Bill takes us further out of alignment with protections expected by the rest of the world, it hurts the ability of all Australian companies to compete in the global market."

In a prior round of consultation, the Internet Architecture Board (IAB) said the Bill's provisions represented an existential threat to the internet's security and integrity.

IAB chair Ted Hardie stated that a method to compel an infrastructure provider to break encryption or provide false trust arrangements would introduce a systemic weakness that threatens to erode trust in the internet itself.

"The mere ability to compel internet infrastructure providers' compliance introduces that vulnerability to the entire system, because it weakens that same trust," Hardie said. "The internet, as a system, moves from one whose characteristics are predictable to one where they are not."

If similar legislation were implemented by other jurisdictions, the IAB said the end result could be the fragmentation of the internet itself.

"This approach, if applied generally, would result in the internet's privacy and security being the lowest common denominator permitted by the actions taken in myriad judicial contexts. From that perspective, this approach drastically reduces trust in critical internet infrastructure and affects the long term health and viability of the internet," the IAB said.

Speaking to the National Press Club last Wednesday, Minister for Home Affairs Peter Dutton said the changes already made to the Bill have resulted in it being compromised.

"I think there is a common-sense approach here. I think the government has crafted that common-sense approach, but it can only be enacted if it is supported in the Senate," Dutton said. "We can't have on key national security Bills compromises because we're dealing with five or six or eight different senators all with different motivations, and pulling in every direction."

Dutton said Opposition Leader Bill Shorten needs to decide whether he is on the side of Silicon Valley multinationals or with "law enforcement and intelligence agencies in this country who want to protect Australians".

The Home Affairs minister added that tech giants need to be hounded to pay more tax in Australia, have breached user privacy for commercial advantage, and are protesting moves to force them to help law enforcement in Western countries while simultaneously doing business in authoritarian growth markets.

"It is essential. Given we are talking about nine out of 10 national security investigations now being impeded because of the use of encryption, we need to deal with it. It doesn't go as far as some people would want, but it is a measured response," he added.

The minister called for the Bill to be dealt with sooner rather than later.
