October 12, 2018

Letter to Australian Parliamentary Joint Committee on Intelligence and Security Expressing Concern About the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018

Letter to Parliamentary Joint Committee on Intelligence and Security re: Australia's Encryption



Committee Secretary

Parliamentary Joint Committee on Intelligence and Security

PO Box 6021

Parliament House

Canberra ACT 2600

Australia


Submitted electronically


Dear Members of the Parliamentary Joint Committee on Intelligence and Security,

The Cybersecurity Coalition (“Coalition”) writes to respectfully express grave concerns about the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, “The Assistance and Access Bill 2018” (“the Bill”), as currently written, and asks that you amend it to include some important clarifications before advancing the legislation further. The Coalition appreciates Australia’s interest in encryption and its goal to encourage the safe deployment and use of encryption-driven technology. However, because the Coalition believes encryption has great potential to improve security, we must oppose efforts that could negatively impact its deployment and use. The government has an important mission in protecting against and fighting crime and terror. But in the course of pursuing that goal, it must not undermine the use of encryption required to protect critical systems.

We are encouraged that the Bill notes that a “Designated communications provider must not be required to implement or build a systemic weakness or systemic vulnerability etc.” – i.e., it prohibits the creation of “backdoors.” However, we are concerned that the Bill fails to provide clear assurances that the government will not attempt to weaken encryption via other means, such as unintentionally permitting insecure authentication methods or weakening key distribution algorithms or systems.

The Bill also creates new authority to hack endpoints. Specifically, the bill permits law enforcement, through a “computer access warrant,” to acquire data directly from the device through, practically speaking, discovered vulnerabilities without alerting vendors of said vulnerabilities. The Coalition believes that the benefits to the government of keeping a previously unknown vulnerability for law enforcement or national security purposes must be weighed against the national security, economic security and personal security risks of allowing that same vulnerability to go unpatched in systems in Australia and around the world.

As such, the Coalition recommends that the Australian government consider:

  1. Providing a clear definition of a “systemic weakness or systemic vulnerability” and the ability for a company to challenge a request with a court based on this definition;
  2. Including a government-required policy for handling and disclosing vulnerabilities, such as a Vulnerabilities Equities Process (“VEP”), where the government must undergo a structured review under established standards to determine whether and for how long a discovered vulnerability should be concealed temporarily and used for law enforcement or intelligence gathering purposes before then being disclosed in the interest of advancing cybersecurity;[1]
  3. Clarifying the limitation on creating systemic weaknesses or vulnerabilities to ensure that the government may not compel a company to disclose a previously unknown and unpatched vulnerability to the government. Any disclosure before a patch is available risks leaks and exploitation, possibly putting companies, government agencies and consumers at risk from zero-day exploits.

The Coalition appreciates Australia’s willingness to acknowledge the importance of encryption. As the country continues to deploy and use encryption, the Coalition looks forward to serving as a resource concerning both technical and policy questions and working with you to ensure encryption is safely deployed and used.

We appreciate your interest in this area and would welcome further collaboration moving forward.


Sincerely,


Ari Schwartz
Coordinator


[1] The Coalition acknowledges the tension between product cybersecurity and the government’s ability to investigate crimes and gather intelligence. The Coalition is concerned that granting government hacking authority without at minimum issuing a VEP risks significant damage within the public sphere. See Ari Schwartz and Rob Knake, “Government’s Role in Vulnerability Disclosure,” June 2016 - https://www.belfercenter.org/sites/default/files/legacy/files/Vulnerability%20Disclosure%20Web-Final4.pdf