Apple has challenged the premise behind Australia’s proposed decryption law, claiming that weakening encryption would carry the profound risk of making criminals’ jobs easier.
In its submission to the Australian parliament on the draft legislation, which will require technology companies to provide law enforcement agencies with access to encrypted communications if passed, Apple said encryption is the best way to protect data and ultimately lives.
“Software innovations of the future will depend on the foundation of strong device security,” it said. “To allow for those protections to be weakened in any way slows our pace of progress and puts everyone at risk.”
Calling the suggestion of making encrypted data available only to those sworn to uphold the public good a false premise, Apple said “encryption is simply math” and that any process that weakens the mathematical models behind encryption will by extension weaken the protections for every user.
Apple also took issue with the “dangerously ambiguous” terms of the draft legislation pertaining to encryption and security.
These include “overly broad powers that could weaken cyber security and encryption”, a “lack of appropriate independent judicial oversight”, and “technical requirements based only on the government’s subjective view of reasonableness and practicability”, among others.
Apple said these terms could “allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home” and “require a provider to monitor the health data of its customers for indications of drug use”.
They could also allow the government to “require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well”.
“All of these capabilities should be as alarming to every Australian as they are to us,” Apple said, though it appreciated the government’s inclusion of language that prohibits requiring a provider to implement or build a systemic weakness or systemic vulnerability, or to prevent remediation of a systemic weakness.
In addition, Apple noted that the proposed legislation was unclear on the scope and breadth of judicial review over notices that demand technical assistance from technology suppliers, adding that any bill permitting the government to mandate sweeping technical changes that could jeopardise the security and privacy of users should be approved by an independent judicial body.
It urged the government to consider a provision similar to the UK’s Investigatory Powers Act that requires judicial review of proposed technical capability notices before such notices can be served on a supplier.
Besides Apple, Cisco has also raised concerns over the proposed decryption law. In its submission, it expressed “serious reservations” regarding provisions that threaten to undercut sustained efforts by Cisco and others to develop and maintain technologies that are secure, transparent, trustworthy and accountable.
Noting that other governments could follow in Australia’s footsteps and draft similar laws, Cisco said it was concerned that others may not have Australia’s commitment to restrain executive power.
“Without further amendment, we believe the net result of these changes would harm the security interests of Australia by setting a precedent that could be adopted by less liberal regimes,” it said.
Australia’s draft legislation is supported by the Police Federation of Australia (PFA), which represents the professional and industrial interests of 62,000 members at the national level.
In a statement, it argued that technologies such as encryption – while an important part of Australians’ everyday life – are also being used by organised criminals as well as terrorists.
By 2020, all communications among organised crime groups and terrorists will be encrypted, according to PFA estimates. Some 95% of Australia’s most dangerous criminals and terrorists already use encrypted communications, and 90% of the data being lawfully intercepted by the Australian Federal Police uses some form of encryption.
The PFA said it has been advised that similar obligations already apply to domestic communications companies, and that the proposed law “simply expands those obligations to offshore providers who are providing communication services in Australia”.