Australia’s controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act) was intended to combat the problem of criminals and terrorists ‘going dark’: Using technologies and services, such as messaging apps with end-to-end encryption, that make traditional interception techniques ineffective for law enforcement and spy agencies.
However, two prominent Australian cryptologists claim that while the TOLA Act as it stands does “not adequately protect the security of innocent users,” a “reasonably competent adversary” could still avoid any risk of their communications being intercepted “with minimal technical knowledge, and the use of commodity off-the-shelf components.”
The claim by University of Melbourne researchers Dr Chris Culnane and Associate Professor Vanessa Teague was made in a submission (PDF) to a review of the TOLA regime by the Independent National Security Legislation Monitor. It is one of two reviews scrutinising the legislation; the other, an inquiry by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) is expected to have its timeline extended in order to consider the findings of the INSLM.
“If it is possible to construct a plausible strategy that the adversary could use, we should assume that such a strategy will at some point be adopted, and as such, any gains claimed by the [legislation] will be lost,” Culnane and Teague argue. “This is particularly important with regards to determining whether the [legislation] is balanced.”
Although there “should be an implicit benefit” from the legislation today since criminals or other adversaries have yet to adapt to it, for it “to have net gain, any benefit must continue to exist even after the adversary has had a chance to adapt.”
The pair state that they have devised an approach that “could be taken by any competent adversary”. As a result, the trade-off between the long-term benefits provided by the legislation are “nearing zero, with a high price paid in terms of privacy, freedom and cybersecurity.”
Although most of their submission is public, the approach they developed is outlined in a confidential appendix that forms part of their submission.
Although the TOLA Act was a large piece of legislation with a number of schedules addressing Computer Access Warrants, search powers, and the powers of ASIO and Border Force, most of the commentary (and controversy) has centred on Schedule 1.
That sets out a framework for service providers assisting law enforcement and national security agencies. It outlines a system of Technical Assistance Requests (TARs — requests for voluntary assistance); Technical Assistance Notices (TANs — lawful directions for assistance using the existing capabilities of a service provider); and Technical Capability Notices (TCNs — directions from a government that a service provider implement a new capability to assist a relevant agency).
Critics of the legislation argue that the provisions of Schedule 1 could unintentionally undermine the online security of people that aren’t the target of a legitimate law enforcement investigation. The government argues that the legislation contains a number of important safeguards, however, including a bar on forcing a company to introduce a “systemic weakness” or “systemic vulnerability” into a service or product.
Concerns about the ambiguity of those two terms saw definitions, previously absent altogether, hastily introduced into the legislation before it was passed on parliament’s final sitting day for 2018. Those definitions have done little to allay the fears of the TOLA Act’s critics, however.
A systemic vulnerability is described in the act as “a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.” (Systemic weakness has an almost identical definition in the act.)
A supplementary explanatory memorandum accompanying the act says that a systemic vulnerability is a “vulnerability that affects a whole class of technology (rather than a single item of technology), but does not include a vulnerability that is selectively introduced, on a case-by-case basis, to one or more target technologies that are connected with a particular person.”
“What is a vulnerability or weakness exactly?” Culnane and Teague ask. “What one person regards as a weakness might be described by another as a helpful information-sharing feature.” The pair also takes issue with the term “class of technology”.
The TOLA Act supplementary explanatory memorandum states that the ‘systemic weakness’ definition “makes clear that a systemic weakness is something that makes general items of technology less secure.” The document states: “Technological classes include particular mobile device models[,] carriage services, electronic services or software. The term is intended to encompass both old and new technology or a subclass within a broader class of technology; for example an iOS mobile operating system within a particular class, or classes, of mobile devices.”
It adds: “Where requirements in a notice make the whole set of these items more vulnerable, it will be prohibited. This ensures that the powers do not jeopardise the general use of technology by persons who are not of interest to law enforcement and security agencies. The intent of the prohibition as expressed in the definition is to rule out requirements that would create a material risk of otherwise secure information being accessed by unauthorised third parties.”
Culnane and Teague argue that the definition “blocks a vulnerability that affects a whole class of technology, but immediately excludes target technologies that are connected with a particular person.” The term “class of technology” is “not a term that exists in technology literature,” their submission adds.
The term could be broad enough to refer to “mobile phones, or all ADSL connections, or all social media”. With that definition, no single organisation would control an entire class of technology. However, without a clause explicitly ruling out a particular provider having to weaken the security of a particular technology it operates it “would appear that it will be perfectly legitimate to ask a telecommunication provider to introduce a vulnerability to the whole of its network, since that will not cover an entire class due to other telecommunication providers not being included in the same TAR/TAN/TCN.”
The Office of the Victorian Information Commissioner (OVIC) raised some similar concerns to the researchers in its submission, arguing that the “potential risk of the capability introduced under the Bill to selectively create weaknesses or vulnerabilities may still result in the undermining of the security of communications as a whole.”
The definitions of systemic weakness and vulnerability imply that a "selective weakness does not create a systemic weakness,” OVIC states. The act is “precariously suggestive that a selective weakness can be adequately secured, or that its re-use will be prevented.”
There's an “underlying assumption” that only legitimate agencies will be able use a weakness created by a TCN but there is a “well-documented risk that malicious actors may take advantage of any weaknesses created.”
The federal government, via the Department of Home Affairs, and state and federal police agencies in their submissions endorsed the existing legislation and its safeguards. Home Affairs argued that the legislation’s nine months of operation proved that claims about the risk to the online safety of non-target individuals “have not been substantiated”.
“The disconnect between the perceived and actual effect of the law means that pointing to negative perceptions, even where those are widely held, is not an argument against the underlying policy and therefore cannot influence a reform discussion,” the submission adds.
The department rejected proposals to remove the ability to “weaken particular instances of technology” from the legislation: “It is appropriate for agencies to have the ability to selectively weaken the target technologies of those under investigation,” Home Affairs argued. “Provided that no other person is impacted, there is no difference between introducing a security weakness into a person’s service or device and compelling that person to handover their login credentials.”
A range of other groups and individuals also made submissions to the INSLM, raising many of the same criticisms that have been made by business groups and civil liberties advocates in the lead-up to and aftermath of the legislation being passed.