Mozilla Argues Australia's Encryption Busting Legislation Needs To Be Repealed
Written by Sue Gee   
Tuesday, 26 February 2019

Mozilla has added its voice to criticism of Australia's recently enacted anti-encryption laws, warning that they could effectively force companies to treat Australian employees as potential saboteurs.

Australia's controversial legislation is known as TOLA, the Telecommunication & Other Legislation Amendment (Assistance & Access) Act of 2018. A draft bill was presented in August 2018 and it was enacted in December 2018, just before the Australian Parliament rose for its Christmas break. It sets out to tackle the problem posed by end-to-end encryption, used by services such as WhatsApp, which allows only the sender and recipient to view a message, enhancing privacy and security. However, by preventing a message from being unscrambled by the service provider, end-to-end encryption provides the opportunity for avoiding surveillance.

In some countries (China, Russia and Turkey), services offering end-to-end encryption are banned. Australia's legislation is intended to circumvent the technology: under it, security and law enforcement agencies can force companies to create a technical function, a back door, that would give them access to encrypted messages without the user's knowledge.

According to its proponents in the Australian government, the laws are necessary to help combat terrorism and crime. Mike Burgess, Director-General of the Australian Signals Directorate, addressed what he characterized as "inaccurate commentary" in a document that outlined seven myths about TOLA, concluding:

Many of the claims about the “dangerous” nature of the Act are hyperbolic, inaccurate and influenced by self-interest, rather than the national interest.

The true danger is the thing the TOLA Act seeks to prevent: terrorists, paedophiles and other criminals communicating in secret, without law enforcement and security agencies being able to ‘crack their code’.

Australia’s law enforcement and national security agencies do not ask for legislative change lightly or routinely. But when technology evolves, the law should evolve too – so we can continue our mission to keep Australians safe.

However, some of the concerns of its critics, including its effects on developers, cannot be so easily dismissed. The Electronic Frontier Foundation has pointed out that under TOLA police can order individual IT developers to create back doors without their company's knowledge. EFF's Senior Information Security Counsel, Nate Cardozo, went on record saying:

“Australia’s new law might allow police to order engineers to program surveillance features into software behind their company’s back—with ‘the potential for Australian tech firms to have no clue whether they were even subject to an order.’”

Although TOLA was enacted less than three months ago, it is already under review by the Australian Parliamentary Joint Committee on Intelligence and Security and Mozilla made its submission on February 22nd. In its opening comments Mozilla states:

This legislation grants sweeping and dangerous new powers to Australian law enforcement and intelligence agencies, and thanks to the foreign assistance provisions, extends these powers to foreign authorities as well. In doing so, this legislation raises grave concerns for the security of internet users and infrastructure in Australia and abroad, and fails to place appropriate limits on government surveillance. 

Mozilla's position is stated as:

We do not believe that this law should have been passed in the first place, and we believe the best possible path is to repeal this legislation in its entirety and begin afresh with a proper, public consultation.

However, as Mozilla recognizes that this is unlikely, it gives details of changes in order of priority. The first of these is that TOLA needs to clarify that Australian authorities cannot target employees of a Designated Communications Provider (DCP) rather than the DCP itself, arguing that, as it stands,

It is easy to imagine how Australian authorities could abuse their powers and the penalties of this law to coerce an employee of a DCP to compromise the security of the systems and products they develop or maintain.

a situation that could:

"force DCP’s to treat Australia-based employees as potential insider threats"

The procedure that TOLA sets out is that initially it asks technology companies for help decrypting a user’s communications, using an order called a technical assistance request (TAR). If DCPs don’t want to comply, the next type of order, called a technical assistance notice (TAN), forces them to do so. Finally, where companies don’t want to help and say that they couldn’t anyway because their own technology stops them, the law allows the government to issue a technical capability notice (TCN), which forces the company to alter its systems. All of these are subject to secrecy through restrictions on disclosure. Asking that the restrictions on disclosure be removed, particularly with regard to TCNs, where companies are forced to alter their systems in secret, Mozilla suggests that TOLA's secrecy would adversely impinge on open source software development:

As an open source company, we are committed to developing our products and services publicly. More than just a philosophical choice, open source development allows myriad actors outside of Mozilla to identify bugs in our code, and in doing so making our products and services more resilient and secure. This benefits the hundreds of millions of people who use Mozilla products every day. Developing in the open also allows our users to have more trust in the integrity of our code. The restrictions on disclosure in TOLA around building backdoors and other “acts and things” that may be required under the law are not just antithetical to us as an open source company but would undermine the security and trust of all of our users.

At the end of its submission Mozilla repeats its opinion that the best course of action would be to repeal a law that:

represents an unprecedented and unchecked threat to the privacy and security of users in Australia and abroad.



More Information

Telecommunication & Other Legislation Amendment (Assistance & Access) Act of 2018


Last Updated ( Tuesday, 26 February 2019 )