Australia’s push to enact laws that would allow its law-enforcement agencies to compel companies help them break their own encryption represent an existential threat to the internet’s security and integrity, the Internet Architecture Board (IAB) has warned.
In a rare submission [PDF] to a legislation-forming process, IAB chair Ted Hardie states a method to compel an infrastructure provider to break encryption or provide false trust arrangements will introduce a systemic weakness that threatens to erode trust in the internet itself.
“The mere ability to compel internet infrastructure providers’ compliance introduces that vulnerability to the entire system, because it weakens that same trust,” Hardie said. “The internet, as a system, moves from one whose characteristics are predictable to one where they are not.”
If similar legislation where implementation by other jurisdictions, the IAB said the end result could be the fragmentation of the internet itself.
“This approach, if applied generally, would result in the internet’s privacy and security being the lowest common denominator permitted by the actions taken in myriad judicial contexts. From that perspective, this approach drastically reduces trust in critical internet infrastructure and affects the long term health and viability of the internet.”
Hardie expressed concern that the laws are able to force companies to break laws in other jurisdictions to meet Australian obligations, such as violating GDPR terms in Europe to hand data over to Australian law enforcement. Further, the IAB is concerned Canberra would seek to weaken internet standards, and could result in Australian organisations having their motivations questioned when new standards are drawn up.
“Internet standards development is based upon mutual trust, cooperation, and good-faith participation,” Hardie said. “Having those undermined by this legislation does not appear to be an appropriate result.”
The IAB is recommending that the legislation explicitly prohibit its use: In relation to critical internet infrastructure services, such as DNS, PKI, and BGP; in compelling co-operation by standards creating bodies and participants; and disallow the use of the legislation by implementation of protocols such as HTTP, DNS, TCP, QUIC, IP, and TLS.
The board has also asked for the clarification of “systemic vulnerability” and “systemic weakness” in the legislation, and called for the legislation to provide for cases where companies have obligations in other jurisdictions.
Locally, a joint submission by the Communications Alliance, Australian Information Industry Association, and Australian Mobile Telecommunications Association said the proposed laws need substantial work and further consultation.
The associations warned that not only could the Australian Assistance and Access Bill 2018 have organisations run foul of international law, it may also interfere with obligations already imposed on communications providers such as data retention, and Telecommunications Sector Security Reforms (TSSR).
“In the past three years alone, the telecommunications industry has seen (or is about to see) three key legislative changes with the introduction of the Data Retention Regime, the TSSR, and now the Encryption Bill. This has resulted in a piecemeal approach to various pieces of legislation and resulted in a complex legal environment that is increasingly difficult and costly to navigate for both large and small to medium private sector organisations,” the associations said.
“It also opens up the potential for unintended consequences and is fraught with the risk that the original intention of a law, e.g. the interception legislation, may be threatened by the practical application of another piece of legislation, e.g. the proposed Encryption Bill.”
The submission [PDF] hits out at the ability for agencies to request the installation of software, and said that should be removed.
“The associations consider that the ability for agencies to request the installation of any software constitutes legislative overreach and is unlikely to conform to the principles of reasonableness and proportionality. Installing such software may also cause a DCP [designated communication provider] to be in breach with its TSSR, data retention, or interception obligation,” the submission said.
In a similar vein, the associations said the ability of agencies to obtain source code was unnecessary and disproportional, and should be removed from the defintion of technical information contained in the Bill.
Due to the Bill containing secrecy provisions that do not allow an employee to inform their superiors that they have received a compulsory notice demanding a new interception capability be built, the associations warned this constituted an insider threat.
“The secrecy provisions will create an insider threat to all organisations which they will need to counter, to the extent possible at all, by the organisation’s own security program,” the submission said.
“The inability to share the fact that a TCN [technical capability notice] has been received will also mean that, where a provider detects some form of abnormality within its systems (which may be the result of the intervention requested by an agency), resources will be wasted on addressing and fixing the detected issue, thereby potentially rendering the entire exercise pointless.”
The submission additionally raised the question on the constitutionally of the Bill, as the legislation claims to be in effect on overseas sites that Australians merely visit.
“If a large social media platform was issued a fine under the new legislation, it could withdraw operations, thereby reducing the range of services to which Australians have access, or simply refuse to pay. In such a scenario it is also questionable whether the level of fines of AU$10 million would act as a sufficient deterrent given the global revenues of such companies,” the submission said.
“Importantly, the obvious difficulties of enforcing the legislation in relation to overseas products or services have the potential to disadvantage Australian providers compared with their international counterparts.
“The associations warn that the Bill could have serious anticompetitive effects.”
Last week, Dr Chris Culnane warned that voluntary assistance notices could hold the greatest danger.
“The assistance requests are not constrained by the same limitations as the notices in what they [government agencies] can ask for, neither are they part of the annual reporting,” Culnane wrote.
“It is my view that these [Technical Assistance Requests] are the real objective of the legislation, not the compulsory notices. The requests are defined differently to both of the notices, and have few, if any, limitations on what they can request.”
On mirrored reasoning, the associations called for the abolition of Technical Assistance Requests.
If the Assistance and Access Bill becomes law as it stands, it could affect ‘every website that is accessible from Australia’ with relatively few constraints in the government’s powers.
Official statements from the Five Country Ministerial meeting make it clear: Voluntarily build lawful access into encrypted messaging systems, or else. It’s not a good look.
Draft legislation intended to give cops and spooks access to encrypted communications should keep encryption strong. But the powers it proposes aren’t just about fighting paedophiles, terrorists, and organised criminals.
Newly-released documents confirm that the Australian government’s commitment to ‘no backdoors’ to weaken encryption algorithms doesn’t preclude backdoors elsewhere in the secure messaging pipeline.
Despite calling the laws of mathematics ‘commendable’, the prime minister of Australia told ZDNet the only law that applies in Australia is the law of Australia when it comes to legislating decryption.