Thursday, 13 September 2018

How Australia’s Proposed Surveillance Laws Will Break The Trust Tech Depends On


In the last few years, we’ve discovered just how much trust - whether we like it or not - we have all been obliged to place in modern technology. Third-party software, of unknown composition and security, runs on everything around us: from the phones we carry around, to the smart devices with microphones and cameras in our homes and offices, to voting machines, to critical infrastructure. The insecurity of much of that technology, and increasingly discomforting motives of the tech giants that control it from afar, has rightly shaken many of us.

But the latest challenge to our collective security comes not from Facebook or Google or Russian hackers or Cambridge Analytica: it comes from the Australian government. Their new proposed “Access and Assistance” bill would require the operators of all of that technology to comply with broad and secret government orders, free from liability, and hidden from independent oversight. Software could be rewritten to spy on end-users; websites re-engineered to deliver spyware. Our technology would have to serve two masters: their customers, and what a broad array of Australian government departments decides are the “interests of Australia’s national security.” Australia would not be the last to demand these powers: a long line of countries are waiting to demand the same kind of “assistance.”

In fact, Australia is not the first nation to think of granting itself such powers, even in the West. In 2016, the British government took advantage of the country’s political chaos at the time to push through, largely untouched, the first post-Snowden law that expanded not contracted Western domestic spying powers. At the time, EFF warned of its dangers - particularly orders called “technical capability notices”, which could allow the UK to demand modifications to tech companies’ hardware, software, and services to deliver spyware or place backdoors in secure communications systems. These notices would remain secret from the public.

Last year we predicted that the other members of Five Eyes (the intelligence-sharing coalition of Canada, New Zealand, Australia, the United Kingdom, and the United States) might take the UK law as a template for their own proposals, and that Britain “… will certainly be joined by Australia” in proposing IPA-like powers.

That’s now happened. This month, in the midst of a similar period of domestic political chaos, the Australian government introduced their proposal for the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018.” The bill unashamedly lifts its terminology and intent from the British law.

But if the Australian law has taken elements of the British bill, it has also whittled them into a far sharper tool. The UK bill created a hodge-podge of new powers; Australia’s bill recognizes the key new powers in the IPA and has zeroed in on their key abilities: those of assistance and access.

If this bill passes, Australia will - like the UK - be able to demand complete assistance in conducting surveillance and planting spyware, from a vast slice of the Internet tech sector and beyond. Rather than having to come up with ways to undermine the increasing security of the Net, Australia can now simply demand that the creators or maintainers of that technology re-engineer it as they ask.

It’s worth underlining here just how sweeping such a power is. To give one example: our smartphones are a mass of sensors. They have microphones and cameras, GPS locators, fingerprint and facial scanners. The behaviour of those sensors is only loosely tied to what their user interfaces tell us.

Australia seeks to give its law enforcement, border and intelligence services, the power to order the creators and maintainers of those tools to do “acts and things” to protect “the interests of Australia’s national security, the interests of Australia’s foreign relations or the interests of Australia’s national economic well-being”.

The “acts and things” are largely unspecified - but they include enabling surveillance, hacking into computers, and remotely pulling data from private computers and public networks.

The range of people who would have to secretly comply with these orders is vast. The orders can be served on any “designated communications provider”, which includes telcos and ISPs, but is also defined to include a “person [who] develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end users in Australia”; or a “person [who] manufactures or supplies customer equipment for use, or likely to be used, in Australia”.

Examples of electronic services may “include websites and chat fora, secure messaging applications, hosting services including cloud and web hosting, peer-to-peer sharing platforms and email distribution lists, and others.”

You can see the full list in the draft bill in section 317C, page 16.

As Mark Nottingham, co-chair of the IETF’s HTTP group and member of the Internet Architecture Board, notes, this seems to include “Everyone who’s ever written an app or hosted a Web site - worldwide, since one Australian user is the trigger - is a potential recipient, whether they’re a multimillion dollar company or a hobbyist.” It includes Debian ftpmasters, and Linux developers; Mozilla or Microsoft; certificate authorities like Let’s Encrypt, or DNS providers.

This is not an error: when we were critiquing a similarly broad definition in the UK’s IPA, we pointed out that the wording would allow the authorities to target a particular developer at a company (while requiring them to not inform their boss), or non-technical bystander who would not know the impact of what they were being asked to do. Commentators from close to GCHQ denied this would be the case and said that this would be clarified in later documents - but subsequent draft codes of practice actually doubled down on the breadth of the orders, saying that it was deliberately broad, and that even café owners who operated a wifi hotspot could be served with an order.

There are some signs that the companies affected by these orders have learned the lesson of the IPA, and pushed back during the Assistance and Access’s preliminary stages. Unlike the UK bill, there are clauses forbidding Australia from being required to “implement or build [a] systemic weakness or systemic vulnerability into a form of electronic protection” (S.317ZG); and preventing actions in some cases that would cause material loss to others lawfully using a targeted computer (e.g. S.199 (3), pg 163). Companies have an opportunity to be paid for their troubles, and billing departments can’t be targeted. There is some attempt to prevent government agencies forcing providers to “make false or misleading statements or engage in dishonest conduct” (S.317E).

But these are tiny exceptions in a sea of permissions, and easily circumvented. You may not have to make false statements, but if you “disclose information”, the penalty is five years’ imprisonment (S.317ZF). What is a “systemic weakness” is determined entirely by the government. There is no independent judicial oversight. Even counselling an ISP or telco to not comply with an assistance or capability order is a civil offence.

If the passage of the UK surveillance law is any guide, Australian officials will insist that while the language is broad, no harm is intended, and the more reasonable, narrower interpretations were meant. But none of those protestations will result in amendments to the law: because Australia, like Britain, wants the luxury of broad and secret powers. There will be - and can be - no true oversight, and the kind of malpractice we have seen in the surveillance programs of the U.S. and U.K. intelligence services will spread to Australia’s law enforcement. Trust and security in the Australian corner of the Internet will diminish - and other countries will follow the lead of the anglophone nations in demanding full and secret control over the technology, the personal data, and the individual innovators of the Internet.


“The government,” says Australia’s Department of Home Affairs web site, “welcomes your feedback” on the bill. Comments are due by September 10th. If you are affected by this law - and you almost certainly are - you should read the bill, and write to the Australian government to rethink this disastrous proposal. We need more trust and security in the future of the Internet, not less. This is a bill that will breed digital distrust, and undermine the security of us all.