Apple slams Australia's anti-encryption bill, calling it "dangerously ambiguous"

Apple slams Australia's anti-encryption bill, calling it "dangerously ambiguous"
Australia's prospective anti-encryption legislation may be passed over the next few months
Australia's prospective anti-encryption legislation may be passed over the next few months
View 1 Image
Australia's prospective anti-encryption legislation may be passed over the next few months
Australia's prospective anti-encryption legislation may be passed over the next few months

In an expansive submission to the Australian Parliament, Apple has strongly condemned the government's prospective anti-encryption legislation, arguing "this is no time to weaken encryption," and calling the draft outline "extraordinarily broad" and "dangerously ambitious."

Over the last few years a battle has been brewing between tech companies and governments across the world. As digital devices grow more sophisticated, so too do encryption technologies, and law enforcement agencies have become increasingly frustrated with their inability to access data on computers and smartphones.

When WhatsApp instituted end-to-end encryption across all its communications in 2016 it profoundly upset government agencies around the world. The UK and the US in particular have been loudly proclaiming that something needs to be done so that these technologies "don't provide a secret place for terrorists to communicate with each other."

Australia has been pushing harder than most other countries to realize a legislative outcome in this area, and recently the government revealed what it calls The Assistance and Access Bill 2018. The measures in the bill are designed to give law enforcement agencies the ability to press private communication companies to assist in accessing communications data.

The bill is decidedly vague at this stage but the controversial crux of the law introduces three kinds of notices the government can issue a communications provider. The first is a Technical Assistance Notice (TAN), compulsorily compelling a company to use whatever capacity currently available to intercept specific communications. The second is a Technical Capability Notice (TCN), another compulsory request, but this time with the ability to demand that new interception capabilities be built if they don't already exist.

The third notice has been described by one expert as the most dangerous of the three. This one is called a Technical Assistance Request (TAR), and unlike the first two notices it is not compulsory, but it is also free of the many restrictions that limit the first two notices. TARs are the only notice that can be completely withheld from public audit, and they allow for the implementation of systemic weaknesses into a system that the other notices do not allow.

The Australian government is insistent that this proposed legislation is not about weakening encryption or about introducing backdoors. However, some suggest the legislation is simply playing games with semantics, as cyber security expert Chris Culnane notes, "what is described [in the legislation] remains a backdoor, albeit a keyed backdoor. There is no requirement for backdoors to be universally exploitable to be considered a backdoor, it merely needs to provide an alternative entry point into the target system or protocol."

Apple's seven-page submission to the parliamentary joint committee evaluating the prospective bill is the company's most significant public statement on the encryption issue in some time. One particular statement in the submission sums up the government's seeming lack of understanding into how encryption and data security fundamentally works:

"Some suggest that exceptions can be made, and access to encrypted data could be created just for only those sworn to uphold the public good. That is a false premise. Encryption is simply math. Any process that weakens the mathematical models that protect user data for anyone will by extension weaken the protections for everyone. It would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat."

Another concern raised in Apple's submission is the global impact of the law. The company suggests that compliance with an Australian government issue to access certain private data may breach the law of another country. In particular, it is noted that the basic requirements of the bill would violate the recently introduced General Data Protection Regulation (GDPR) in Europe.

The Australian legislation may not mean a huge amount in the global scheme of things, but it could be closely watched by other governments. Australia is part of a global intelligence alliance called Five Eyes. Comprising Australia, the United Kingdom, the United States, Canada and New Zealand, the alliance is a comprehensive agreement sharing intelligence and surveillance operations.

Following a Five Eyes meeting in Australia in August, a joint statement from the alliance was released signaling these governments' intentions to challenge growing encryption technologies. Noting that "privacy is not absolute," the Five Eyes statement concluded by stating, "Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions."

It's unclear how all this will play out, but the Australian government push feels very much like a legislative test case with the world watching to see if something like this can be rammed through. If Australia gets this bill passed then it wouldn't be unexpected to see similar bills pushed across Europe, the UK and the United States.

Of course, many security experts view this as a fool's errand. Encryption is an all or nothing agreement. As Apple sums up in its notes to the Australian government:

"The government may seek to compel a provider to develop custom software to bypass a particular device's encryption. The government's view is that if it only seeks such tool for a particular user's device, it will create no systemic risk. As we have firmly stated, however, the development of such a tool, even if deployed only to one phone, would render everyone's encryption and security less effective."

Source: Apple Submission to the Australian Government (PDF)

Brian M
The naivety of governments know no bounds! The only people you are likely to get information on is the small timers, the ones without the sophistication to take simple security steps. The real bad guys will simply move to their own encryption system on top of the communication channel or use more traditional methods such as single use ciphers.
In the mean time the rest of us are exposed to the risks they want to build into the system. If you add a backdoor or any weakness to an encryption it will be found - guaranteed!
Bravo Apple! This is a fight we must win. I suspect, in the end, we cannot depend on big companies, but must DE-centralize. I like the model used by the Signal messaging app.
Good thing Protonmail is based in switzerland and does not answer to Australia.
Politicians be politicians. Creating useless laws on top of useless laws. What sort of professional moron would really believe for one second that the guys we have to most worry about would use any insecure communication methods? This is nothing but a power grab to monitor the communications of everyone -- big brother style -- using the public security boogeyman as an excuse.
Why not keep the bloody tangoes out of the country in the first place, and let your citizens retain some semblance of privacy?
Recent events here in the US make me fear that the term "in the public good" could (and would) be misapplied to absolutely anything that any Leftist entity merely wanted, and likely quite a few Righties, too.