1300 INVOTEC

1300 468 683

Australia Data Breach Laws

In early December 2018, the Australian Parliament passed into law a bill called the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018.” Australian and international technology companies immediately voiced intense opposition to the new law. Amazon, Apple, Digi, Facebook, Google, LinkedIn, Microsoft, Snap, Twitter and many more have already raised serious objections saying that the law is overly broad, deeply flawed, and lacks sufficient judicial oversight.

The law was passed in such a rush that it had to be stripped of 173 proposed amendments to the bill that were attached to it. The legislators approved the bill on the very last day of legislative sessions before going on their summer break. Like most things done in a hurry, the chances here of making major mistakes are very high.

Legislators agreed to the law as long as they can continue with the debate over adding amendments when they return from summer break. In the meantime, the structure of the law is defined sufficiently to create a global uproar over the law’s focus and major negative impact on encryption.

What Can Happen Under the New Law?

Senior officials of the Australian government (the Director-Generals of Security, the Secret Intelligence Service, and Australian Signals) and the chief officer of intelligence agencies may request companies that are considered a “designated communication provider” to give technical assistance in order to get private data on individuals and organisations.

Technical Assistance Request

Compliance with a technical assistance request is voluntary. Requests may be made in writing or given verbally in the case of an emergency. The idea is to inform the companies of what the needs are so that they can take voluntary steps to be able to comply with future requests about things that are deemed to impact Australia’s national security and the interests of Australia’s foreign relations.

Australia already has a security cooperation agreement with four other countries including the US, UK, New Zealand, and Canada. This means the new Australian law extends beyond the bounds of Australia to include the interests of these and potentially other countries. An Australian interception agency may use this new law to enforce Australian criminal laws and also foreign criminal laws if the offense has the possibility of a three-year sentence, or more, for a conviction.

Technical Assistance Notice

The procedures and the extent of an assistance request and a technical assistance notice are the same. The difference between a request and a notice is that a notice requires compliance. A technical assistance notice requires a communications provider to do acts or things, as required, to help Australian Security, the Australian Security Intelligence Organisation (ASIO), and an interception agency with issues of national security and enforcing criminal laws for serious offenses.

These notices, under the new law, come with an enforcement warrant that includes a confidentiality provision. Failure to comply may result in a fine of up to AUS$10 million (about US$7.2 million) for each incidence.

Technical Capability Notice

Under this new law, Australia’s Attorney General can give a communications provider a technical capability notice. The notice requires compliance. It forces the provider to be capable of doing things that will allow it to be able to give certain kinds of help to Australian Security, the ASIO, and other interception agencies. This capability gives the Australian government what it needs for national security issues and to enforce the criminal laws of Australia and other foreign countries related to serious offenses.

This is the part of the new law that made the CEOs of major technology communication providers nearly lose their minds because it immediately brings up problems with the almost certainty of introducing systemic vulnerabilities and systemic weaknesses. This provision of the new law can force a company to introduce a “backdoor” into their technology, which makes it extremely vulnerable to exploitation.

Systemic Vulnerability

For the purposes of the new law, a systemic vulnerability is something that impacts a whole set of technologies used by a large class of persons, such as instant messages, online banking, text messaging, and real-time chats. It does not include a vulnerability that is introduced when it is selectively applied to a target of just a particular person, even if unidentified.

To understand this concept, it means if a vulnerability is able to be limited to a targeted person and does not affect the entire class of persons it is not to be considered a “systemic” vulnerability. Although the concept is clear, achieving such a targeted vulnerability, which is limited to a single person in a system with widespread use, is extremely challenging, if not impossible.

Consider this example. If there is a need to be able to hack into a device of an individual at the Australian government’s request that is not identified, it means the entire system must have this capability as part of its design.

On close examination, this provision in the law is absurd. Communication providers must have the capability to target any particular person in the group of people using the technology. At the same time, they are not forced to use a systemic vulnerability that impacts the entire group. If a target person is unidentified then it could be anyone in the group! The only way to target them is with a systemic vulnerability; otherwise, it is not possible to find their communications.

Systemic Weakness

A systemic weakness means something that impacts the entire group of users of the technology. If the technology introduced, selectively targets a particular person it is not considered a systemic weakness. A targeted weakness is possible to achieve. However, this is normally something done by the ASIO or other intelligence groups, not by a communications provider or a technology company.

An example would be to surreptitiously gain access to a targeted person’s device and install a key logger to capture information entered on that device. It is possible but it is ludicrous to require a communication provider to do something like that to one of its customers.

Under this new law, communication providers can be forced to do things that violate a particular person’s privacy but cannot be forced to do things that create systemic vulnerabilities or systemic weaknesses. Again, the problem is that needs to have the capability to target any individual out of a group of millions or up to billions of people, means needing to have the capability to target any single person in that group. The mere existence of this capability is, by definition, a systemic weakness.

Designated Communications Provider

The definition, under the new law, of a designated communications provider is immensely broad. Besides the obvious impact on Australian-based companies and those having physical operations in Australia, it also includes any telecommunication carrier, system, intermediaries, service providers, equipment, and any electronic services, including any websites, used by one or more persons in Australia.

By this definition, the investigation of any global system by an officer of the ASIO automatically means that at least one person in Australia is using the system. This provision of the law already caused a global reaction that generated statements from many companies domiciled in other countries besides Australia, saying that Australian laws do not apply to them.

The Technical Paradox of Encryption

Encryption only works if there is no backdoor capability to get around it. In a seminal academic white paper entitled “Key Under Doormats,” published on July 7, 2015, by Professor Harold Abelson of MIT along with the input of 14 peers, the strong evidence-based case against forcing an insecure vulnerability into encryption schemes is clearly presented. Giving the Australian government access to private conversations is the same as, by design, creating an invitation to exploit this access, which makes the entire encryption scheme vulnerable.

Conclusion

The new Australian legislation makes the Australian government seem like wanting to join the ranks of totalitarian governments like Russia, China, and North Korea that have made the use of encryption illegal in those countries. The unintended result may be a global backlash against Australia. This may leave the country in technological isolation from the rest of the world.

It is not only criminals that use encryption. Many find that unbreakable encryption is useful for all kinds of important private transactions such as online banking and financial exchanges. People have the fundamental right to secured communications for many valid reasons. For example, encryption can prevent the loss of many billions due to cybersecurity breaches, protect private medical records, and prevent the theft of intellectual property.

Allowing any government the ability to get around encryption means that criminals will likely find a way to get around it as well. It is quite possible that there are criminals working for the government too. In other words, the new Australian law might actually help criminals when considering the total impact.

The trend in most of the rest of the world is to use more robust encryption, not less. Hopefully, when the Australian legislators come back into session they will have time to give these issues a much more detailed evaluation and add many amendments to improve this seriously-flawed bill.