When's a backdoor not a backdoor? When the Oz government says it isn't
Draconian new proposals on data privacy from Australia
Australia's promised “not-a-backdoor” crypto-busting bill is out and the government has kept its word - it doesn't want a backdoor, just the keys to your front one.
The draft of The Assistance and Access Bill 2018 calls for anyone using or selling communications services in Australia to be subject to police orders for access to private data.
That includes all vendors of computers, phones, apps, social media and cloud services in the Lucky Country, and anyone within national borders using them. These data-tapping orders will be enforced with fines of up to AU$10m (US$7.3m) for companies or $50,000 ($36,368) for individuals.
The draft legislation also wants five years in prison for anyone who reveals that a data-slurping investigation is going on. And while there are no explicit encryption-backdoor requirements in the 110-page draft bill, our first look suggests there don't need to be.
Good cop, bad cop, what's a cop?
Here's how the government describes its intent: “The proposed changes are designed to help agencies access intelligible communications through a range of measures, including improved computer access warrants and enhanced obligations for industry to assist agencies in prescribed circumstances."
"This includes accessing communications at points where it is not encrypted. The safeguards and limitations in the Bill will ensure that communications providers cannot be compelled to build systemic weaknesses or vulnerabilities into their products that undermine the security of communications. Providers cannot be required to hand over telecommunications content and data.”
So: providers can't be compelled to create backdoors, and the government claims it wants to capture data at “points where it is not encrypted”.
Providers will, however, be subject to three tiers of requests for assistance. The first is the good cop routine: a request under which technical assistance is voluntary.
After that comes bad cop: a compulsory request, under which the Director-General of Security or the head of an interception agency issues a technical assistance notice that's enforced by the aforementioned fines.
Finally there's the bottom line: a technical capability notice. This requires companies covered by the regime to “build a new capability that will enable them to give assistance as specified in the legislation to ASIO and interception agencies”.
If the subject of a technical assistance notice or technical capability notice blows the whistle, the legislation recommends five years in jail. There's also a ten-year maximum sentence for individuals who refuse an order to hand over computers under the legislation.
The government's argument that the proposal doesn't mandate backdoors comes primarily from the limitation on technical capabilities notices, since they must not require companies to “implement or build a systemic weakness or systemic vulnerability” into their products.
The Register expects that the word “systemic” is going to get some scrutiny in the coming days.
Through the Looking Glass
The bill enlarges what Australia's laws consider a communications service provider, to include: "foreign and domestic communications providers, device manufacturers, component manufacturers, application providers, and traditional carriers and carriage service providers.”
In other words any ISP (whether or not it owns infrastructure); hardware vendors like Apple, Samsung, Huawei, Intel and Qualcomm; and anybody providing communications applications for games, social media or cloud services, would be subject to Oz government data orders. But it's not a secret backdoor.
Law enforcement agencies would get the right to provide software or equipment that providers would have to install in their networks or systems; and providers would have to facilitate “access to devices or services.” But it's not a secret backdoor.
Agencies would be able to ask the industry to help them develop their own “systems and capabilities”, and providers would have to tell agencies if they changed something in their systems. But it's not a secret backdoor.
If a provider is in control of a service, agencies could require them to modify or substitute the service to give them access to a device or individual's data. But it's not a secret backdoor.
And finally, providers would have to agree to stay quiet about agencies' covert operations, enforced by jail time and massive fines. But it's not a secret backdoor.
Cyber Security minister Angus Taylor this morning told Australian Broadcasting Corporation current affairs program AM that the powers would only be invoked for “serious crimes” involving sentences of three years or greater.
Although he said the government wants to apprehend terrorists, paedophiles and organised crime, the law casts a much wider net, also covering helping other countries enforce their criminal law, protecting the public revenue, and protecting national security.
Australians have one month to comment on the proposals. We suspect somewhere in the Department of Home Affairs' server room there's an obscenity-filtering moderation script that's going to be very busy over the next 30 days. ®