Tuesday, 16 October 2018 05:48

Encryption bill will cause 'significant risk' to Internet: Mozilla Featured

Encryption bill will cause 'significant risk' to Internet: Mozilla Pixabay

Any measure that permits a government to lay down specifications for the design of Internet systems would cause significant risk to the security, stability and trust of such systems, the Mozilla Foundation has said in a submission about Australia's proposed encryption bill.

The Foundation, which serves as an umbrella group for development of the open-source Web browser Firefox among other well-known projects, said in its submission to the Parliamentary Joint Committee on Intelligence and Security that the technical capability notices that were part of the Bill, along with other notices that could be used to demand changes in software, would "significantly weaken the security of the Internet".

The organisation's comments focused on the three new powers for investigative and intelligence agencies in the Bill:

  • a “technical assistance request” that allows voluntary help by a company. The staff of the company will be given civil immunity from prosecution.
  • a “technical assistance notice” to make a communications provider offer assistance; and
  • a “technical capability notice” that can be issued by the Attorney-General at the request of an interception agency. This will force a company to help law enforcement, by building functionality.

"The interaction of the ability to request the development of new capabilities with existing government capabilities has far-reaching implications," Mozilla said. "These are complex issues that require more consultation and discussion than has been possible in the short time since this bill was first tabled."

Home Affairs Minister Peter Dutton introduced the bill into Parliament on 20 September, 10 days after the period for public comment ended. Officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, the Bill was released for public comment on 14 August.

Pointing out that the new powers posed fresh challenges, Mozilla said the Bill did not provide enough limitations on the scope of potential requests. In other words, the Bill largely depended on the judgment of those involved to decide if a given option was appropriate.

"In particular, we note that ministries responsible for consumer and business security are not required to be consulted, nor does there appear to be an inter-ministerial process for assessing the risks and interests associated with requests made under these new powers," the Foundation said.

It said the Bill was "intentionally vague" on what could be compelled through a TCN; this would create problems for a software vendor and also fail to provide certainty for users and developers.

Mozilla said it was proud of its open collaboration with a broad community and, against this background, a government request or demand for a single company to develop a capability, that would remain secret, ran counter to its established methods of development.

"Consequently, this risks making the output of our development less secure, in addition to the security risks that might be created by the capability in and of itself. In other words, complying is not as simple as just writing code - we would need new processes and operating models, and in deploying them would undermine the trust and community that we depend on for our core development," the Foundation said.

The TCN would essentially bring about the intentional introduction of a security vulnerability, Mozilla said, adding, "We are concerned both about how such vulnerabilities would introduce significant and potentially widespread user and system insecurity."

It said users might resort to avoiding automatic updates which were used to fix security vulnerabilities, once they realised that a government authority was trying to create additional functionality through any of the notices. This would make users insecure and also decrease the trust placed in the software provider, in this case the Foundation.

"...any company that is able to run software on a computer is a potential threat to the integrity of any information that computer has access to," Mozilla said. "While steps have been made to isolate software from the actions of other software on the same computer, such protections are currently neither perfect nor uniformly implemented.

"As a result, the ability to run software without fear of unintended effects on the system as a whole depends greatly on trust in the provider of that software."

The Foundation also emphasised that the new powers did not provide an process for review of orders that were imposed on companies. "Under the Bill as it stands, while providers must be consulted before being served a TAN or TCN, there is no avenue for them to object or an appeal an order. They're also not permitted to disclose that they’ve received such an order, and they can be compelled to take steps to conceal any weaknesses that are introduced."

In its conclusion, the Foundation said: "A rush to enact legislation in the proposed form could do significant harm to the Internet. TCNs in particular present the government with capabilities that we don’t believe are appropriate, as well as being a significant risk to the security of the Internet. The bill, as proposed, represents a one-sided view, without adequate consideration for the broader and longer-term costs and repercussions of its implementation."


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments