Today was the deadline for the public to submit comments on the Australian government's draft Assistance and Access Bill 2018. The proposed legislation drew sharp criticism from numerous tech companies and civil society groups, in Australia and elsewhere, for the threats it poses to computer security, human rights, due process, and transparency. Those include a large coalition of groups, tech companies, and trade associations; a coalition of Australian civil society groups; Access Now; DIGI, a lobbying group that represents Google and Facebook among other tech companies; and this New York Times op-ed by a human rights lawyer.
I submitted comments as well; they are available here. These comments focus on the computer security implications of the Bill. The Bill is an anti-encryption "backdoor bill" that pretends it isn't. The text says that it would not mandate a "systemic" weakness in encrypted devices, software, and services. But in an explanatory document accompanying the Bill, the government, amidst its lip service to the importance of strong encryption, explains that it would still compel access to "particular" devices or items of software. ("Just this one phone, just this one time" -- sound familiar?) That "particular" access requirement undermines the supposed ban on mandating "systemic" backdoors. In reality, any provider covered by the Bill (itself an overbroad category) would quickly wind up developing a de facto "systemic" solution for complying with the numerous access demands the provider would receive. Nothing in the Bill prohibits voluntary "systemic" backdoors, nor even requires companies who choose to implement them to even try to minimize the security risks they would create.
Computer security is hard and we are very bad at it. The "particular" access solution the Bill would compel providers to create would likely contain bugs that could have unforeseen security implications across a range of devices or services, since the necessity of compliance at scale would mean the "particular" solution likely would not be tied to the specific device or item of software. Given the difficulty of securing the code for the access mechanism, whether held by the provider or by a government agency, and its attractiveness as a target for hacking, that access mechanism would likely fall into malicious hands. It could also be leaked by a provider employee or government official, due to inadvertence, phishing, blackmail, or to pocket the sizeable sum that a backdoor mechanism to encrypted devices or software would fetch on the black market.
What is more, other governments would want the same treatment as Australia's investigatory agencies -- and not all governments have the same respect for human rights and the rule of law that Australia purports to have. If passed, the Bill would give cover to authoritarian abuses of innocent encryption users in other countries. And Australia would have no leg to stand on to denounce those abuses of the exceptional-access power it would force providers to create. Computer security implicates personal security, and as I noted recently, governments can be the enemy, rather than the protector, of people's safety.
I strongly oppose this Bill, and I am heartened to see so much vocal opposition to it from so many corners. If you are an Australian voter, please continue to make your voice heard to your legislators. Either the Australian government doesn't understand computer security -- or it realizes the consequences this Bill would have, and it just doesn't care. I'm not sure which is worse.