Security software vendor Kaspersky has called for the government to introduce limits on the potential compelled disclosure of source code under the regime introduced by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act (TOLA Act).
The legislation — frequently dubbed the ‘encryption bill’ in the lead-up to being passed by parliament in December — introduced wide-ranging powers for law enforcement and intelligence agencies to demand assistance from a “designated communications provider” (DCP).
The definition of DCP is extremely wide-ranging and includes a person that “provides an electronic service that has one or more end-users in Australia”.
In a submission to a review of the legislation being conducted by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), Kaspersky said that its ‘Transparency Centres’ in Zurich and Madrid provide a secure environment for government stakeholders and enterprise partners to review the company’s “software updates, and threat detection rules, along with other technical and organisational processes”.
Those centres were established to help bolster trust in the company’s security software after the US, UK and Dutch governments sought to limit use of the Russian company's software. The US administration banned government agencies from using Kaspersky software over its fear that the Russian government could employ it as a vector to launch hacking campaigns. Kaspersky has rejected the push against it as “Cold War paranoia” and said the accusations against it lack credibility.
In its submission to the PJCIS inquiry, the company said it is worried that the TOLA Act’s Technical Assistance Notices (directions to cooperate with law enforcement) and Technical Capability Notices (orders to create a new capability to facilitate an investigation) could force “the compelled and non-transparent disclosure... of our most critical and sensitive security infrastructure, including source code”, which “may pose a serious threat to keeping our products’ integrity and trustworthiness”.
The security vendor said that it supported the introduction of “strong protections” for sensitive IP including developing mechanisms for a “process, negotiated and approved by both sides, for disclosure of companies’ intellectual property”. There should also be “reasonable timeframes for companies... to get prepared for such disclosure of their sensitive security information, including source code.”
In addition, Kaspersky said there should be a legal mechanism to challenge a direction to disclose source code or other sensitive information, and mandatory independent oversight by the Commonwealth Ombudsman or the federal privacy watchdog, the Office of the Australian Information Commissioner. Businesses should also be able to reveal the kind of information they have been forced to disclose, Kaspersky argued.
Kaspersky said it was in favour of limitations being added to the list of “acts or things” that can be covered by TANs and TCNs, noting that the legislation contemplates “installing, maintaining, testing or using software or equipment” as a potential subject for compelled cooperation by a company.
“Clear limitations are extremely important as the software or equipment deployed within a company’s system upon the request of an agency might give the agency direct access to the sensitive information or traffic data, metadata or to the functionality of such software or equipment for a non-limited period and beyond the immediate needs of a specific TAN or TCN,” Kaspersky argued.
Other recommendations include an improved consultation process for TCNs, a clear threshold for “urgent” notices issued under the TOLA Act, and reduced penalties for disclosing information about requests made under the legislation.
Another recommendation is the introduction of “precise definitions” for “systemic weakness” and “systemic vulnerabilities”. One of the few limitations in the TOLA Act is a prohibition on requiring a service provider to introduce a systemic weakness or vulnerability into its product or service. Kaspersky is not alone in its concern over how the legislation defines those terms.