Key safeguard in Australia’s anti-encryption legislation ‘almost meaningless’

Digital Rights Watch’s Lizzie O’Shea says ban on implementing a “systemic weakness” may not protect end users of online service from unintended consequences

Tablet with lock showing secure encryption
Thinkstock

One of the key safeguards in a controversial Australian law that is intended to help facilitate police access to encrypted communications is “almost meaningless,” according to a human rights lawyer.

Lizzie O’Shea, a board member of Digital Rights Watch and a 2019 recipient of Access Now’s Human Rights Hero award, says that the legislation’s prohibition on forcing tech companies to introduce a “systemic weakness” into their systems “is almost meaningless”.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act) allows law enforcement agencies to issue Technical Assistance Requests (formal requests for assistance) and Technical Assistance Notices (orders to carry out a certain act), and also allow the government to issue a Technical Capability Notice (a direction to implement a new capability in a product or service).

However, the TOLA Act bars police and national security agencies from requesting or ordering a service provider to implement a “systemic weakness” or “systemic vulnerability”.

The act defines the term “systemic weakness” as a “weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person” (the act doesn’t require that the “particular person” can be identified).

The original version of the bill did not include any definition of systemic weakness, with the government only drafting one after concerns were raised about the ambiguity of the term. The definition eventually included in the act has continued to be a source of controversy, however.

Last year, a collection of major industry groups including Communications Alliance, Digital Industry Group Inc. (DIGI) and the Australian Information Industry Association (AIIA) told a parliamentary inquiry that the definition was “difficult to understand, ambiguous” and “significantly too narrow”.

One example advanced by the industry coalition was that it was unclear whether a “class of technology” would cover “all mobile handsets, or Android phones, but not iPhones, or the mobile handsets offered by one service provider but not another or some other combination of factors.”

“It's very difficult to identify systemic weakness in advance except to say that almost any of these things that you can imagine a law enforcement agency would like the company to do probably do risk creating a systemic weakness,” O’Shea told the Linux.conf.au conference, which was held earlier this month on the Gold Coast.

A systemic weakness is “really that you can only define in retrospect, I think,” O’Shea said during her LCA keynote.

“This safeguard, I think, is almost meaningless. It's window dressing more than anything else.”

The Department of Home Affairs has argued that the legislation expressly prohibits the creation of so-called exceptional access systems, and that persistent capabilities deployed to a network to create new access points would fall afoul of the act’s ban on carrying out or implementing “any act or thing that will, or is likely to, jeopardise the security of any information held by any other person”.

However, in a 2018 submission to an inquiry into the bill — which at the time included the systemic weakness prohibition but not any definition — Home Affairs argued that, for example, the creation of a custom firmware for a device, such as a smartphone, to “service a single request” and then “used as the basis to respond to future requests” does not constitute a systemic weakness or vulnerability.

“Custom firmware built to address one notice or request is not a systemic weakness unless it is deployed to users other than the targeted user,” Home Affairs argued. “So long as the capability is held in reserve it does not jeopardise the security of other users and is not a systemic weakness.”

In her address O’Shea argued that systemic weaknesses were “difficult to define in advance and to stop before they happen”.

“It's like hiding a nuclear bomb in an unlocked garage or shed, because you're not offering any protection on it and if it goes missing, then … you have no control over what happens to it after that,” she said.

The TOLA Act is currently being examined by the Parliamentary Joint Committee on Intelligence and Security. It’s also being scrutinised by the Independent National Security Legislation Monitor.

Related:

Copyright © 2020 IDG Communications, Inc.

8 simple ways to clean data with Excel
  
Shop Tech Products at Amazon