Computerworld

Surveillance legislation: Government’s ‘lip service’ on backdoors

Concerns that draft legislation could reduce the security of online communications services, despite government pledge

Draft government legislation intended to increase law enforcement organisations’ ability to monitor the use of online communication services pays “some lip service to not creating backdoors”, according to Robin Doherty, a privacy advocate and a security champion at software consultancy ThoughtWorks.

However, as it stands, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 could potentially weaken the security of some of the most popular online services used by Australians.

“When they talk about a backdoor, they’re taking a very specific definition of it and they’re saying that they won’t ask any tech company to create a systemic weakness,” Doherty said.

“That’s interesting because I think that’s going to be difficult to achieve,” he said.

“Obviously they want to get access to certain people’s encrypted communications, but by requiring tech companies to build something that allows law enforcement agencies to get access to an individual’s encrypted data they put at risk everyone else’s encrypted data as well.”

The draft bill has three key measures intended to make the work of intelligence and police organisations easier: a process for making requests for voluntary assistance, a mechanism for compelling cooperation using a company's existing capabilities, and a further mechanism that will require an organisation to implement a new capability to assist with investigations.

The bill’s explanatory memorandum says that the third kind of assistance — dubbed “technical capability notices” — cannot require a service provider “to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection”.

The bill states a technical capability notice cannot include a requirement to “implement or build a new decryption capability in relation to a form of electronic protection” or to take actions that would “render systemic methods of authentication or encryption less effective”.

“What they’re trying to avoid is creating a backdoor in encryption itself or in encryption algorithms, and I think that’s definitely a good thing to avoid,” Doherty said.

“But if you look at the definition of a ‘backdoor’ it’s not just about encryption algorithms – it’s about bypassing authentication or encryption in a computer system, which can be done in the system itself or it can be done in the algorithms the system uses.”

“I think what they’re ultimately asking for is a weakness in a computer system – not encryption itself — and to my mind that’s as bad if not worse,” he added.

Exactly how a technical capability notice would play out in practice is not clear, and the chances of the public finding out seem minimal: the bill includes provisions banning the disclosure of information relating to technical capability notices. The ban applies to people connected to the relevant service provider, to members of police forces and intelligence agencies, and to state, territory and federal employees.

There are “probably multiple ways” new capabilities could be implemented to satisfy such a notice, Doherty said.

“The most obvious would be deploying some extra software to the targeted individual’s device,” he said. “Of course if you have the ability to deploy that extra software to one device, it becomes a very attractive target for people who would like to deploy it to others.”

The bill has also caused alarm elsewhere in the tech sector.

“Protecting the public is a priority for both Government and industry,” Nicole Buskiewicz, the managing director of Digital Industry Group Inc (Digi), said in a statement released earlier this month.

“But included in that is protecting the public’s privacy and data from attack, which would likely be an unintended consequence of this bill.”

Digi counts as members a number of the major tech companies set to be affected by the bill, including Google, Facebook, Oath, Twitter, Periscope, and Redbubble.

“The reality is that creating security vulnerabilities, even if they are built to combat crime, leaves us all open to attack from criminals,” Buskiewicz said.

“This could have devastating implications for individuals, businesses, public safety and the broader economy. We are extremely concerned at the lack of judicial oversight and checks and balances with this legislation.”