Mozilla Says Australia’s Compelled Access Law Could Turn Staff There Into ‘Insider Threats’

Despite unanimous warnings from experts that it was a really bad idea, the Australian government went ahead and passed its law enabling compelled access to encrypted devices and communications. Apparently, the powers have already been used. Because of the way the Australian government rammed the legislation through without proper scrutiny, the country’s Parliamentary Joint Committee on Intelligence and Security has commenced a review of the new law. That’s the good news. The bad news is that Andrew Hastie, the Chair of the Committee, still thinks fairy tales are true:

I note with the House the concerns raised by some stakeholders in the tech sector about these laws, including in today’s press. I welcome the ongoing contribution from these stakeholders as the committee continues its review. I note, however, that the legislation as passed prohibits the creation of so-called back doors. Companies cannot be required to create systemic weaknesses in their encrypted products or be required to build a decryption capability.

Sure, whatever, Andrew. One of the stakeholders that has made a submission to the Committee is Mozilla, which is worried by one aspect in particular (pdf):

Due to ambiguous language in [the compelled access law], one could interpret the law to allow Australian authorities to target employees of a Designated Communications Provider (DCP) rather than serving an order on the DCP itself through its General Counsel or an otherwise designated official for process. It is easy to imagine how Australian authorities could abuse their powers and the penalties of this law to coerce an employee of a DCP to compromise the security of the systems and products they develop or maintain.

As Tim Cushing explained in his December post when the compelled access law was approved, that would put employees in an impossible position. They would be forced by the authorities to put backdoors of some kind in a product, but would have to accomplish it in secret. Moreover, they would risk five years in prison if any of their colleagues noticed, which they probably would, since unauthorized changes to code would naturally be spotted and challenged. Because of that ridiculous situation, Mozilla warns it would have to take drastic action:

this potential would force DCP’s [like Mozilla] to treat Australia-based employees as potential insider threats, introducing another vector for compromise that could undermine trust in critical products and incentivizing companies to move critical roles to other localities.

What’s true for Mozilla is true for every foreign software company: in order to protect the integrity of their code, they would be forced to regard every Australian coder as a security risk, and downgrade their access to the code accordingly. The difficulties of managing that kind of situation will probably force software companies to pull out of Australia completely. It will also have a big impact on the trustworthiness of any code produced in the country. In fact, that’s already a problem, as another submission to the Parliamentary Joint Committee makes clear. It comes from one of the leading Australian software companies, FastMail, which provides hosted email services to 40,000 companies around the world. It says that “we have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice.” Like Mozilla, FastMail is worried about the impossible position of employees (pdf), who may be coerced by the Australian authorities into weakening the company’s code:

Our staff have expressed concerns that they may be forced to attempt to secretly add back doors or security holes in our service — actions that would be just cause for dismissal — and be unable to tell us why they have made these changes.

This is not just a matter of looking after our own staff’s mental health, it also makes it harder for Australians looking to work for overseas companies if there is any risk that they will be compelled to act against their employer’s interests.

The comments of these two organizations show clearly the practical problems of this ill-thought-out legislation. They also confirm that bringing in this kind of law is one of the quickest ways to undermine the local software industry, and increase dependence on foreign companies that are less likely to comply with demands to insert backdoors in their code. If the Australian government cares about those consequences, or indeed about the online safety of its citizens, it would do well to heed the words that conclude Mozilla’s submission to the review:

This law represents an unprecedented and unchecked threat to the privacy and security of users in Australia and abroad. We urge the Committee and the Australian Parliament to move swiftly to remedy the significant harms posed by this legislation. Ultimately, the best course of action is to repeal this law and start afresh with a proper, public consultation.

Follow me @glynmoody on Twitter, and +glynmoody on Google+