The Foundation, which serves as an umbrella group for development of the open-source Web browser Firefox among other well-known projects, said in its submission to the Parliamentary Joint Committee on Intelligence and Security that the technical capability notices that were part of the Bill, along with other notices that could be used to demand changes in software, would "significantly weaken the security of the Internet".
The organisation's comments focused on the three new powers for investigative and intelligence agencies in the Bill:
- a “technical assistance request” that allows voluntary help by a company. The staff of the company will be given civil immunity from prosecution.
- a “technical assistance notice” to make a communications provider offer assistance; and
- a “technical capability notice” that can be issued by the Attorney-General at the request of an interception agency. This will force a company to help law enforcement, by building functionality.
"The interaction of the ability to request the development of new capabilities with existing government capabilities has far-reaching implications," Mozilla said. "These are complex issues that require more consultation and discussion than has been possible in the short time since this bill was first tabled."
Pointing out that the new powers posed fresh challenges, Mozilla said the Bill did not provide enough limitations on the scope of potential requests. In other words, the Bill largely depended on the judgment of those involved to decide if a given option was appropriate.
"In particular, we note that ministries responsible for consumer and business security are not required to be consulted, nor does there appear to be an inter-ministerial process for assessing the risks and interests associated with requests made under these new powers," the Foundation said.
It said the Bill was "intentionally vague" on what could be compelled through a TCN; this would create problems for a software vendor and also fail to provide certainty for users and developers.
Mozilla said it was proud of its open collaboration with a broad community and, against this background, a government request or demand for a single company to develop a capability, that would remain secret, ran counter to its established methods of development.
"Consequently, this risks making the output of our development less secure, in addition to the security risks that might be created by the capability in and of itself. In other words, complying is not as simple as just writing code - we would need new processes and operating models, and in deploying them would undermine the trust and community that we depend on for our core development," the Foundation said.
The TCN would essentially bring about the intentional introduction of a security vulnerability, Mozilla said, adding, "We are concerned both about how such vulnerabilities would introduce significant and potentially widespread user and system insecurity."
It said users might resort to avoiding automatic updates which were used to fix security vulnerabilities, once they realised that a government authority was trying to create additional functionality through any of the notices. This would make users insecure and also decrease the trust placed in the software provider, in this case the Foundation.
"...any company that is able to run software on a computer is a potential threat to the integrity of any information that computer has access to," Mozilla said. "While steps have been made to isolate software from the actions of other software on the same computer, such protections are currently neither perfect nor uniformly implemented.
"As a result, the ability to run software without fear of unintended effects on the system as a whole depends greatly on trust in the provider of that software."
The Foundation also emphasised that the new powers did not provide an process for review of orders that were imposed on companies. "Under the Bill as it stands, while providers must be consulted before being served a TAN or TCN, there is no avenue for them to object or an appeal an order. They're also not permitted to disclose that they’ve received such an order, and they can be compelled to take steps to conceal any weaknesses that are introduced."
In its conclusion, the Foundation said: "A rush to enact legislation in the proposed form could do significant harm to the Internet. TCNs in particular present the government with capabilities that we don’t believe are appropriate, as well as being a significant risk to the security of the Internet. The bill, as proposed, represents a one-sided view, without adequate consideration for the broader and longer-term costs and repercussions of its implementation."