Australia’s ‘encryption’ law could erode consumer trust in tech: Amazon

Retail leviathan calls for significant changes to law

Online retail and cloud computing giant Amazon has warned MPs that Australia’s so-called ‘encryption’ law could erode consumer trust in technology.

The claim by the US company is contained in a submission to an inquiry of the Parliamentary Joint Committee on Intelligence and Security (PJCIS). The PJCIS is examining the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, which was passed on the last parliamentary sitting day of 2018.

The legislation, which received bipartisan support, is intended to open new avenues for law enforcement agencies to compel online service providers and telcos to cooperate with investigations.

A significant component of the legislation is that the government, subject to consultation and certain safeguards, can issue a notice forcing a company covered by the law to create a new capability to support law enforcement or national security operations.

The legislation prohibits such notices from being used to direct the creation of a “systemic vulnerability” or “systemic weakness”. The ‘TOLA Act’ defines a systemic vulnerability as one that “affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person”. (“For this purpose, it is immaterial whether the person can be identified,” the legislation adds.) Systemic weakness has a similar description in the act.

That definition (and, before it was inserted into the bill, the lack of any definition of the terms) has been a source of controversy, with the tech sector calling for it to be changed in order to make it clearer.

Before the legislation was passed, the Department of Home Affairs indicated that it did not believe, for example, that the creation of a custom firmware for the iPhone to facilitate access to information on a device would constitute a systemic weakness.

“Custom firmware built to address one notice or request is not a systemic weakness unless it is deployed to users other than the targeted user,” the department said last year. “So long as the capability is held in reserve it does not jeopardise the security of other users and is not a systemic weakness.”

However, many, Apple likely included, would consider such firmware a systemic weakness.

“Deliberately creating for one party a means of access to otherwise secure data will create weaknesses and vulnerabilities that, regardless of any good intentions, creates the opportunity for other actors – including malicious ones – to access that same data,” Amazon argued in its submission to the current inquiry.

“Simply stated, if anyone creates a vulnerability in a technology that allows access to otherwise secure data then that vulnerability is capable of being exploited by another party with the knowledge and means to do so.”

The current legislation bans a notice that has the effect of “requesting or requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection”.

However, Amazon argues that a “technology provider can be required to install or maintain any software or equipment, or to implement or build systemic weaknesses or vulnerabilities into any other component of a network, system, product or service”.

The company also said it was concerned that there was no judicial authorisation before notices are issued under the act.

“These Notices can be issued based on facts or criteria that may not be made known to the recipient of the Notice,” Amazon said. “The validity of a Notice is dependent upon the issuer’s interpretation of the law, their analysis of the facts, and their weighting of the various factors to which the Act requires them to give consideration.”

Another concern is that the notices could require a company to “do acts in Australia” that violate the law in other countries it operates in.

A fourth area of concern is that although the legislation bars its provisions from being used to impose new data retention obligations on telcos, it could be read as leaving an opening for directions relating to data retention to be issued to non-telco businesses.

Home Affairs recently acknowledged that the legislation had had a negative effect on the Australian tech sector, but it blamed the overseas perception of the legislation rather than its reality.