No need to keep encryption-busting capabilities secret: Internet Australia
The chair of Internet Australia, Dr Paul Brooks, has said there is no real need to keep encryption-busting capabilities of the proposed Assistance and Access Bill secret, and that any capabilities should be made public, as is currently done for phone tapping equipment.
“The fact that a particular capability that is built into the equipment is being used in a particular instance, that should be kept secret, but the fact the equipment has the capability at all, that is not secret,” Brooks told the Joint Parliamentary Committee on Intelligence and Security on Friday.
“The aim of this whole thing is ultimately to catch criminals and terrorists that are using software systems for nefarious purposes — if there is a capability in that system for that activity to be monitored or messages to be seen, the net effect of having that capability known is effectively that the dumb criminals will continue to use the software anyway, and they may get caught.
“And if the purposes of the secrecy is to enable criminals to be caught, the fact that that capability is public means the smart criminals won’t use that system, that system will be denied to them, and they will need to find another way.”
According to Brooks, while good will come from having a capability known and prevent criminals using services due a concern of possible monitoring, on the flip side, law-abiding persons and organisations will need to also stop using a service, or take other precautions, if the service is being used thanks to, for instance, its end-to-end encryption capabilities.
Under the proposed law, Australian government agencies would be able to issue three kinds of notices:
- Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
- Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
- Technical Assistance Requests (TAR), which have been described by experts as the most dangerous of all.
Read: Australian encryption Bill raises bar for outrageous legislation: Comms Alliance
Brooks pointed out that the sorts of communication services that the government is likely to target — WhatsApp, Signal, Facebook, iMessage — could be bypassed by an organisation creating its own internal service.
“The reality that law-enforcement grapples with is that the ability to encrypt information is itself public, the algorithms are public, the ways of generating keys are public,” he said.
“Any organisation, for good or bad, can create their own software relatively simply and communicate using it and are unlikely to respond or even be known about to receive some sort of notice.”
Echoing concerns from local security vendor Senetas, which said earlier this month that the Bill endangers AU$3 billion worth of exports and would render security guarantees meaningless, Internet Australia said it created an “air of doubt” about whether Australian manufacturers had been subjected to a notice and alluded to the federal government’s own concerns about Huawei which lead to it being banned from 5G deployments.
“This is the very first time that this sort of interception and access capability has been requested of devices. All other forms of telecommunications law — for lawful interception, for stored data warrant, all that sort of stuff — applies to communications providers, licensed carriers, and communication service providers,” Brooks said.
“This, for the first time, puts obligations and enforcement directly to the equipment manufacturers.”
Internet Australia additionally called for a central agency within government to hand requests or notice to industry, particularly to help out smaller service providers, mirroring the functionality of the Communications Access Coordinator (CAC) when dealing with data retention requests.
“If it comes through the CAC, they’ve got a greater degree of confidence that it has been scrutinised and determined to be lawful [and] has authority, where they don’t need to go through a whole lot of pile of checks and balances to try to verify whether an incoming request from an organisation or person they don’t know is actually legitimate, or it is coming from a scammer or a criminal impersonating someone from an agency trying to get data for nefarious purposes,” he said.
See: OAIC calls for sunset clause on encryption-busting Bill and warns of privacy risks
Brooks also added that a central agency would remove the possibility of conflicting requests from different agencies, as the secrecy provisions in the Bill prevent service providers from speaking about requests received.
“So if a software manufacturer or an equipment manufacturer were to get a request from one agency to make a certain change in how their equipment functions … and they make that change, or they are about to make that change for that agency, and a second agency comes in with a second request to effectively do something ignorant of what the first agency had asked for, that then either changes or counteracts what the first agency did, and the net result of that is confusion for industry and potential to overwrite the changes that were requested by the first agency, so the first agency doesn’t get what it is they asked for,” Brooks said.
“A big concern that we’ve heard from multiple, particularly small service providers, is a way of deconflicting those potentially conflicting requirements coming from multiple agencies because each one is unaware of what another agency might be looking for — having that funnelled through a single agency who can raise those flag internally within the intelligence community, because the service providers are not allowed to, would be extremely helpful.”
The call for increased transparency and documentation around requests by Internet Australia follows Cisco stating that it publicly discloses any surveillance technique in its products.
“Cisco is most certainly not alone in having foresworn the existence of backdoors in technology products and services. As such, this issue is a significant concern that should be promptly addressed,” the company said in a submission to the committee.
“We have defined a ‘backdoor’ to include any surveillance capability that is intentionally created and yet not transparently disclosed.
“To the extent that the Bill would require via a [Technical Capability Notice] the creation of a capability while simultaneously preventing the [communication providers] from documenting the existence of that capability, the law would result in the creation of backdoors.”
Last month, the United Nations Special Rapporteur on the right to privacy Joe Cannataci said the Bill should be set aside.
“The Assistance and Access Bill is unlikely to be workable in some respects, and is an unnecessary infringement of basic liberties in other,” Cannataci wrote. “Its aims do not justify a lack of judicial oversight, or independent monitoring, or the extremely troubling lack of transparency.
“This Bill needs to be put aside. It is fatally flawed.”