Any Internet Company Is Obliged To Secretly Change The Program Code At The Request Of The Authorities
On December 6, 2018, the Australian Parliament passed Assistance and Access Bill 2018 – amendments to the Telecommunications Act 1997 on the rules for the provision of telecommunication services.
In legal terms, these amendments “set the standards for voluntary and mandatory assistance from telecommunications companies to law enforcement and intelligence agencies regarding encryption technologies after receiving requests for technical assistance.”
Some experts are wondering how such legislation, in general, could be adopted in a democratic country and call it a “dangerous precedent”.
The development of the new law lasted more than a year, it is extremely complex and voluminous. In the beginning, the “golden rule” is declared, for which law enforcement agencies do not have rights: they have no right to demand that IT companies introduce “systemic vulnerabilities” into their products. However, the text does not define what is considered a system vulnerability.
Further, it is argued that IT companies are obliged to help in deciphering messages from users who have been included in the development by law enforcement agencies. The list of compulsory “assistance” includes the following items:
- Removal of one or more forms of electronic protection;
- Provision of technical information;
- Facilitating access to services and equipment;
- Software installation;
- Technology change;
- Hiding the fact that any of the above has been done.
The last point is especially noteworthy. It is not only about hiding information from users so that they do not block the installation of a fresh “security update” on their devices. Everything is much more interesting.
If you look at the definition of the “designated communication provider” in paragraph 317C (clause 6), then even an individual developer, if he is an Australian citizen, must fulfill the law enforcement agencies requirement, introduce a backdoor into the program and must hide this information from his employer, otherwise he faces imprisonment .
It remains an open question to what extent the law applies to Australian programmers who work for foreign companies.
According to the adopted amendments, for example, the police has the right to send a “request for technical assistance” to the address of the Australian division of the Facebook company with the requirement to update Facebook Messenger or other software so that the police can access the messages of the interested person. If you literally follow the definition from paragraph 317C, then these requests can be sent not only to companies but also to individual developers and system administrators of Internet services. In fact, it is legalized sabotage of computer systems.
- This is the key difference between Australian law and similar laws in other democratic countries, which require law enforcement assistance from IT companies. For example, the vulnerability of similar British legislation is that if a company is technically unable to decrypt user messages (for example, if end-to-end encryption is properly implemented there), the authorities will not achieve anything from it.
But according to Australian law, the authorities may require a “software upgrade.” They may even require that you completely disable encryption in the program, if necessary. This is a dangerous precedent, experts say.
Other possible “assistance” options that IT companies are required to provide:
- Modification of a hardware device, such as Apple Home or Amazon Alexa, for continuous sound recording;
- Requirements for the service provider to create a fake website;
- The requirement for the company to transfer more accurate data geolocation phone.
The only mitigation, which was achieved by opponents of the bill – the Australian government has promised to use this legislation only in the investigation of serious crimes that provide for imprisonment of three years.
However, even this restriction includes a very large list of violations, for example, a false emergency call. Australia recently passed another dubious Espionage and Foreign Interference Act 2018, which provides for current or former civil servants with criminal penalties of up to five years for disclosing “information that could harm national interests.” Human rights activists believe that this law is directed against informers and journalists.
Someone had previously thought that such laws against “foreign agents” and “spies” demanding mandatory decryption of traffic can be passed only in countries where human rights are not too respected. But practice shows that the authorities of Great Britain and Australia are also trying to establish tight control over the electronic communications of citizens. The situation is worsening everywhere, not only in Russia.
- Australia is a member of the Five Eyes Alliance, along with Canada, the United States, New Zealand, and the United Kingdom. These countries agree to share intelligence information, and in September 2018, they issued a joint statement announcing that IT companies would make it easier for them to access this information: “If governments continue to face obstacles to legitimate access to information necessary to protect Citizens of our countries, the statement of the five countries states, we can take technological, law-enforcement, legislative or other measures to achieve legal access decisions. ”
In light of the above, it is likely that such bills may be passed by other countries of the alliance.
Many experts agree that such laws do more harm than good and actually weaken security rather than strengthen it: “This law has serious flaws and it will probably lead to a weakening of overall cyber security in Australia, a decrease in confidence in e-mail security. trade, reducing security standards for data storage and reducing the protection of civil rights, ”said the statement of the human rights organization Digital Rights Watch.
- Most likely, the law will begin to apply not only against terrorists but also against individuals, says Mark Gregory, who specializes in network engineering and Internet security at the University of Melbourne RMIT: “It is too hasty, widely and poorly worded and eventually will be used incorrectly. It can be used not only in criminal matters but also in corporate law. ”
“There are issues related to transparency, accountability, oversight, and potential abuse,” adds Monique Mann, a technology, law and regulatory researcher at the Queensland University of Technology.
Representatives of the IT-industry say that the law threatens the export of IT-services from the country because the world will have less confidence in the reliability of Australian programs.