Mozilla Says Australia's Compelled Access Law Could Turn Staff There Into 'Insider Threats'
from the how-to-undermine-your-software-industry-without-really-trying dept
Despite unanimous warnings from experts that it was a really bad idea, the Australian government went ahead and passed its law enabling compelled access to encrypted devices and communications. Apparently, the powers have already been used. Because of the way the Australian government rammed the legislation through without proper scrutiny, the country's Parliamentary Joint Committee on Intelligence and Security has commenced a review of the new law. That's the good news. The bad news is that Andrew Hastie, the Chair of the Committee, still thinks fairy tales are true:
I note with the House the concerns raised by some stakeholders in the tech sector about these laws, including in today's press. I welcome the ongoing contribution from these stakeholders as the committee continues its review. I note, however, that the legislation as passed prohibits the creation of so-called back doors. Companies cannot be required to create systemic weaknesses in their encrypted products or be required to build a decryption capability.
Sure, whatever, Andrew. One of the stakeholders that has made a submission to the Committee is Mozilla, which is worried by one aspect in particular (pdf):
Due to ambiguous language in [the compelled access law], one could interpret the law to allow Australian authorities to target employees of a Designated Communications Provider (DCP) rather than serving an order on the DCP itself through its General Counsel or an otherwise designated official for process. It is easy to imagine how Australian authorities could abuse their powers and the penalties of this law to coerce an employee of a DCP to compromise the security of the systems and products they develop or maintain.
As Tim Cushing explained in his December post when the compelled access law was approved, that would put employees in an impossible position. They would be forced by the authorities to put backdoors of some kind in a product, but it had to be accomplished in secret. Moreover, they risked five years in prison if any of their colleagues noticed, which they probably would, since unauthorized changes to code would naturally be spotted and challenged. Because of that ridiculous situation, Mozilla warns it would have to take drastic action:
this potential would force DCP’s [like Mozilla] to treat Australia-based employees as potential insider threats, introducing another vector for compromise that could undermine trust in critical products and incentivizing companies to move critical roles to other localities.
What's true for Mozilla, is true for every foreign software company: in order to protect the integrity of their code, they would be forced to regard every Australian coder as a security risk, and downgrade their access to the code accordingly. The difficulties of managing that kind of situation will probably force software companies to pull out of Australia completely. It will also have a big impact on the trustworthiness of any code produced in the country. In fact, that's already a problem, as another submission to the Parliamentary Joint Committee makes clear. It comes from one of the leading Australian software companies, FastMail, which provides hosted email services to 40,000 companies around the world. It says that "we have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice." Like Mozilla, FastMail is worried about the impossible position of employees (pdf), who may be coerced by the Australian authorities into weakening the company's code:
Our staff have expressed concerns that they may be forced to attempt to secretly add back doors or security holes in our service -- actions that would be just cause for dismissal -- and be unable to tell us why they have made these changes.
…
This is not just a matter of looking after our own staff's mental health, it also makes it harder for Australians looking to work for overseas companies if there is any risk that they will be compelled to act against their employer's interests.
The comments of these two organizations show clearly the practical problems of this ill-thought-out legislation. They also confirm that bringing in this kind of law is one of the quickest ways to undermine the local software industry, and increase dependence on foreign companies that are less likely to comply with demands to insert backdoors in their code. If the Australian government cares about those consequences, or indeed about the online safety of its citizens, it would do well to heed the words that conclude Mozilla's submission to the review:
This law represents an unprecedented and unchecked threat to the privacy and security of users in Australia and abroad. We urge the Committee and the Australian Parliament to move swiftly to remedy the significant harms posed by this legislation. Ultimately, the best course of action is to repeal this law and start afresh with a proper, public consultation.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: australia, backdoors, encryption, insider threats
Companies: fastmail, mozilla
Reader Comments
Subscribe: RSS
View by: Time | Thread
Two people: One to code, one to look for sabotage of the code
What's true for Mozilla, is true for every foreign software company: in order to protect the integrity of their code, they would be forced to regard every Australian coder as a security risk, and downgrade their access to the code accordingly. The difficulties of managing that kind of situation will probably force software companies to pull out of Australia completely
At the point where you have to double-check coding by your own employees, because there's a risk that they've been forced to sabotage it, you might as well fire the lot of them and stick to only having coders in other countries, and this is now a problem that any company employing people in australia, or buying from australia, will face.
The people who passed and continue to defend the monumentally stupid bill may be hiding behind 'going after the bad guys', but they have effectively stabbed their own tech companies and economy in the back more effectively than said 'bad guys' could have dreamed of.
[ link to this | view in chronology ]
Re: Two people: One to code, one to look for sabotage of the cod
There can't be any bad guys if there aren't any guys left.
[ link to this | view in chronology ]
Re: Re: Two people: One to code, one to look for sabotage of the
No, what actually happens is there's nothing left BUT bad guys. You've left no jobs for good guys, forcing the others to either join them, or find work in another line of business... like wash dishes or stock grocery store shelves. Which do you think many will choose?
[ link to this | view in chronology ]
Re: Re: Re: Two people: One to code, one to look for sabotage of
I hear the Houston PD may have some openings soon.
[ link to this | view in chronology ]
Re: Two people: One to code, one to look for sabotage of the cod
To be fair, you're supposed to be doing that anyway; it's called code review. For non-trivial projects, not doing code reviews tends to result in software so riddled with bugs there is no need for backdoors anyway.
Of course, code reviews are usually done to prevent low-quality code from sneaking in, not to guard against sabotage...
[ link to this | view in chronology ]
Re: Re: Two people: One to code, one to look for sabotage of the
With this law, policies will have to require one non-Australian code review. And not a cursory one, but one done by the type of person who understands the tricks used in the Underhanded C Contest.
[ link to this | view in chronology ]
Legislate what you do not understand
Someone is going to have to tell Australian MPs that programmers actually work together and cooperatively. That may shatter their firmly held beliefs about programmers living in their mothers' basements without human contact other than shouting on twitter. Is it illegal in Australia to shake an MPs wrong beliefs?
[ link to this | view in chronology ]
Question for Andrew Hastie,
In that case, how are they meant to provide access to communications.
[ link to this | view in chronology ]
Re: Question for Andrew Hastie,
There is the loophole that Mozilla, et. al., are worried about. If you cannot force the company, just force individual programmers working for the company.
[ link to this | view in chronology ]
Re: Re: Question for Andrew Hastie,
True, but what comment do they put on their commits? Required by Austarlia would be a big red flag, as would no comment.
[ link to this | view in chronology ]
Re: Re: Question for Andrew Hastie,
Mozilla like any other open source project has a possible work around, just mark where commits are coming from, so that outsiders can pay extra attention to code coming from Australia.
[ link to this | view in chronology ]
Re: Question for Andrew Hastie,
I think what he means by that is "look, we know that there must exist ways for you to give us what we want without introducing any weaknesses, if you'd just nerd harder you'd figure it out".
[ link to this | view in chronology ]
Re: Re: Question for Andrew Hastie,
But, but, any means that allows an outside party to decrypt messages is a weakness in a crypto system, even if that party is a government.
[ link to this | view in chronology ]
Re: Re: Re: Question for Andrew Hastie,
Look, all we're asking for is seven mutually perpendicular red lines drawn with green ink. How hard can it be?
[ link to this | view in chronology ]
Re: Re: Re: Re: Question for Andrew Hastie,
You just need seven-dimensional space and move fast enough to cause a certain amount of red-shift.
Implementation left as an exercise for the reader.
[ link to this | view in chronology ]
Re: Question for Andrew Hastie,
My question for him is did he flunk arithmetic in elementary school. Encryption is a rather math-heavy subject that is difficult to do well when not worrying about back doors. Many with STEM degrees, like myself, barely have enough math to vaguely follow the math.
[ link to this | view in chronology ]
Is there a law in Australia...
that MPs have to be technically illiterate and unbelievably stupid?
[ link to this | view in chronology ]
Re: Is there a law in Australia...
It's not required, but it helps! ;)
And it's every nation, now, not just Australia.
[ link to this | view in chronology ]
Re: Is there a law in Australia...
Upton Sinclair
Is the best explanation I have found for why elected officials do the stupid things they do.
[ link to this | view in chronology ]
Re: Re: Is there a law in Australia...
It would be interesting to study whether their salaries really do depend on this stupidity. Do politicians that act reasonably lose more often at re-election time?
[ link to this | view in chronology ]
Re: Is there a law in Australia...
'Oh no Minister! That would be unthinkable. It could never be government policy. Only government practice.'
[ link to this | view in chronology ]
Damn, what would an employee even have as options in order to not end up in jail? If they put the backdoor in, they can go to jail if the company catches them. If they refuse the order by the government they can go to jail for direct refusal. Are they legally allowed to quit their job? Or are they just literal secret slaves to the government?
[ link to this | view in chronology ]
Re:
For myself (in the US), I'd smile and nod to the gentlemen from the government, then go and report the issue to the security team at work. I'd also contact an attorney ASAP and fill him in, just in case I "disappear". If it comes to it the attorney's job is to keep the matter from bypassing the courts and my position in the courtroom would be that I was asked to do something I'm not legally allowed to do and I did what I was legally required to do and reported the request to the appropriate authority. Let the government argue with the judge about whether they're entitled to require me to break the law or not.
[ link to this | view in chronology ]
Who wants to bet that the MPs solution will be to ammend the law to prohibit companies from firing workers who comply with these requests?
(I wish I was being sarcastic...)
[ link to this | view in chronology ]
Re:
Given the company is not allowed to be informed of the request, it would effectively be illegal to ever fire someone for breaching security.
[ link to this | view in chronology ]
it is a pointless debate, moles are much better
"They would be forced by the authorities to put backdoors of some kind in a product"
That seems to me rather unlikely: obviously major developers like Mozilla must already have dozens/hundreds/thousands of moles planted by every major security service (China, USA, Israel, UK, Russia, India, ...).
Moles are the number one method of security services, and all they have to do to get backdoors cleverly disguised as bugs is to recruit, bribe or blackmail engineers at Google, Facebook, Intel, Mozilla, AWS, Microsoft, ... either before they apply for jobs or after they have got them.
That does not leave much of a paper trail, and is plausibly deniable.
[ link to this | view in chronology ]
Re: it is a pointless debate, moles are much better
Yeah, but thanks to this new law, companies now know beyond any doubt that 100% of all Australian citizens are moles. Even in other countries. And can monitor their actions accordingly.
[ link to this | view in chronology ]
Can someone please explain this obsession that software and internet companies have for opening up offices and facilities in every single country in the world. Hello, there's this thing called "the internet" that allows people in one country to access computers in another country without physically being there.
[ link to this | view in chronology ]
Re:
Well there are these things called time zones and languages,.........
[ link to this | view in chronology ]
Re: Re:
To be fair, that doesn't imply a need for offices, which reduces the parent's question down to: "why do companies need offices?". They're a significant expense, so some bean counters must have studied it and decided it's worthwhile.
[ link to this | view in chronology ]
Re: Re:
Neither of which requires a physical presence in another country. The software running the website can be set to change the language based on the location of the IP address, or just offer users a choice of what language they want to use.
If you're mentioning time zones in relation to customer service, as in a user in one time zone might want help when it's 4am in the company's time zone, that doesn't wash either. Email doesn't care what time it is and most companies don't answer email immediately anyway. Many of these companies don't have phone support and it's easy enough to hire people who stay up late for live chats.
[ link to this | view in chronology ]
When questioned, an Australian Government spokesperson had this to say: "Pfffft."
[ link to this | view in chronology ]
Relax people.
It's only the legislation's "primary effect", not its "primary intent".
[ link to this | view in chronology ]