Security guarantees will be meaningless under encryption-busting laws: Senetas

If an Australian company is compelled by legislation to deny that a capability in its products exists, then its assertions are meaningless, security company Senetas has said.

Australian security vendor Senetas has called for the proposed Assistance and Access Bill to be withdrawn, saying it will damage Australian reputations and trust.

Under the proposed law, Australian government agencies would be able to issue three kinds of notices:

  • Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
  • Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
  • Technical Assistance Requests (TAR), which have been described by experts as the most dangerous of all.

In a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security, Senetas said the Bill will introduce systemic weaknesses into products and the internet as a whole, despite government assertions to the contrary, and will harm the country's interests.

"The Bill will damage Australian developers' and manufacturers' reputations in international markets, resulting in loss of trust and confidence in Australian cybersecurity R&D and products," the company said.

"Rather than protecting the interests of citizens, this Bill compromises their security and privacy as a consequence of weaker cybersecurity practices and easier access to new tools for cyber criminals."

The security company said that since the Bill specifies that organisations cannot confirm the existence of a capability created for interception agencies, Australian companies could not be trusted.

"If the customer suspects that they might have been targeted, the legislation also requires that the company must deny it -- regardless of the truth," it said. "Any guarantee of security from an Australian technology company is therefore meaningless."

Economically, Senetas said the laws would endanger billions of dollars of exports, as well as the jobs of people who are dependent on that trade.

"With export values exceeding $3b, we face the real prospect of sales being lost, exports declining, local companies failing or leaving Australia, jobs in this industry disappearing, and related technical skills deteriorating," the company said.

Should a capability be created, the company said it is "almost guaranteed" to be misused, as staff are not vetted and are likely to be swayed by a "financial opportunity".

"Worse, for foreign corporations, the development effort will likely take place offshore," Senetas said. "In the context of some software communities, code transparency is core and attempts to modify code will be identified by the support community. This will lead to either compromising the capability, identifying the target, or to its misuse.

"In essence, working with commercial organisations to develop and deploy these types of capabilities (as envisaged by this Bill) will result in high risks combined with extreme consequences -- for all parties. The government will be held accountable regardless."

An earlier submission from Cisco said the Bill would create backdoors.

"We have defined a 'backdoor' to include any surveillance capability that is intentionally created and yet not transparently disclosed," Cisco said.

"To the extent that the Bill would require via a TCN the creation of a capability while simultaneously preventing the [communication providers] from documenting the existence of that capability, the law would result in the creation of backdoors."

The networking giant said in its submission that in order to maintain customer trust, any "form of surveillance technique" in its products must be publicly disclosed.

"Cisco is most certainly not alone in having foresworn the existence of backdoors in technology products and services. As such, this issue is a significant concern that should be promptly addressed via an amendment to the Bill," the company said.

It further warned that other governments would likely follow Australia's lead if the Assistance and Access Bill is passed in its current form. Cisco also said that it does not customise its lawful communication interception capabilities for any nation, and that all such capabilities are described in its product documentation.

"Without further amendment, we believe the net result of these changes would harm the security interests of Australia by setting a precedent that could be adopted by less liberal regimes," Cisco said.

Last month, the United Nations Special Rapporteur on the right to privacy Joe Cannataci said the Bill should be set aside.

"The Assistance and Access Bill is unlikely to be workable in some respects, and is an unnecessary infringement of basic liberties in others," Cannataci wrote. "Its aims do not justify a lack of judicial oversight, or independent monitoring, or the extremely troubling lack of transparency.

"This Bill needs to be put aside. It is fatally flawed."
