October 12, 2018
Parliamentary Joint Committee on Intelligence and Security
PO Box 6021
Canberra ACT 2600
Dear Members of the Parliamentary Joint Committee on Intelligence and Security,
The Cybersecurity Coalition (“Coalition”) writes to respectfully express grave concerns about the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, “The Assistance and Access Bill 2018” (“the Bill”), as currently written, and ask that you amend it to include some important clarifications before advancing the legislation further. The Coalition appreciates Australia’s interest in encryption and its goal to encourage the safe deployment and use of encryption-driven technology. However, because the Coalition believes encryption has great potential to improve security, we must oppose efforts that could negatively impact its deployment and use. The government has an important mission in protecting and fighting crime and terror. But in the course of pursuing that goal, it must not undermine the use of encryption required to protect critical systems.
We are encouraged that the Bill notes that a “Designated communications provider must not be required to implement or build a systemic weakness or systemic vulnerability etc.” – i.e., it prohibits the creation of “backdoors.” However, we are concerned that the Bill fails to provide clear assurances that the government will not attempt to weaken encryption via other means, such as unintentionally permitting insecure authentication methods or weakening key distribution algorithms or systems.
The Bill also creates new authority to hack endpoints. Specifically, the Bill permits law enforcement, through a “computer access warrant,” to acquire data directly from the device through, practically speaking, discovered vulnerabilities without alerting vendors of said vulnerabilities. The Coalition believes that the benefits to the government of keeping a previously unknown vulnerability for law enforcement or national security purposes must be weighed against the national security, economic security and personal security risks of allowing that same vulnerability to go unpatched in systems in Australia and around the world.
As such, the Coalition recommends that the Australian government consider:
The Coalition appreciates Australia’s willingness to acknowledge the importance of encryption. As the country continues to deploy and use encryption, the Coalition looks forward to serving as a resource concerning both technical and policy questions and working with you to ensure encryption is safely deployed and used.
We appreciate your interest in this area and would welcome further collaboration moving forward.
Ari Schwartz, Coordinator
1 The Coalition acknowledges the tension between product cybersecurity and the government’s ability to investigate crimes and gather intelligence. The Coalition is concerned that granting government hacking authority without at minimum issuing a VEP risks significant damage within the public sphere. See Ari Schwartz and Rob Knake, “Government’s Role in Vulnerability Disclosure,” June 2016 - https://www.belfercenter.org/sites/default/files/legacy/files/Vulnerability%20Disclosure%20Web-Final4.pdf