Any Internet company is obliged to secretly change the program code at the request of the authorities

    On December 6, 2018, the Australian Parliament passed the Assistance and Access Bill 2018, a set of amendments to the Telecommunications Act 1997 on the rules for the provision of telecommunication services.

    In legal terms, these amendments "set standards for voluntary and mandatory assistance from telecommunications companies to law enforcement and intelligence agencies regarding encryption technologies after receiving requests for technical assistance."

    In effect, this is an analogue of the Russian "Yarovaya Law", which requires Internet companies to decrypt traffic at the request of law enforcement agencies. In some respects, the Australian law is even more severe than the Russian one. Some experts wonder how such legislation could be adopted in a democratic country at all and call it a "dangerous precedent".

    Legal sabotage

    The new law took more than a year to develop, and it is extremely complex and voluminous. It opens by declaring a “golden rule” for law enforcement agencies: they have no right to demand that IT companies introduce “systemic vulnerabilities” into their products. However, the text does not define what counts as a systemic vulnerability.

    The law then states that IT companies are obliged to assist in decrypting the messages of users who are under investigation by law enforcement agencies. The list of compulsory "assistance" includes the following items:

    • removal of one or more forms of electronic protection;
    • provision of technical information;
    • facilitating access to services and equipment;
    • software installation;
    • technology change;
    • hiding the fact that any of the above has been done.

    The last point is especially noteworthy. It is not only about hiding information from users so that they do not block the installation of a fresh "security update" on their devices. It goes further than that.

    If you look at the definition of a “designated communication provider” in paragraph 317C (clause 6), then even an individual developer, if he is an Australian citizen, must comply with the law enforcement agencies' demand, introduce a backdoor into the program, and hide this from his employer; otherwise he faces imprisonment.

    Designated communication provider

    It remains an open question to what extent the law applies to Australian programmers who work for foreign companies.

    Under the adopted amendments, the police have the right, for example, to send a “request for technical assistance” to Facebook's Australian division, requiring it to update Facebook Messenger or other software so that the police can access the messages of a person of interest. If you follow the definition in paragraph 317C literally, these requests can be sent not only to companies but also to individual developers and system administrators of Internet services. In effect, this is legalized sabotage of computer systems.

    This is the key difference between the Australian law and similar laws in other democratic countries that require IT companies to assist law enforcement. For example, the weakness of the similar British legislation is that if a company is technically unable to decrypt user messages (for example, if end-to-end encryption is correctly implemented), the authorities will get nothing from it.

    But according to Australian law, the authorities may require a "software upgrade." They may even require that you completely disable encryption in the program, if necessary. This is a dangerous precedent, experts say.

    Other possible “assistance” options that IT companies are required to provide:

    • modification of a hardware device, such as Apple Home or Amazon Alexa, for continuous sound recording;
    • a requirement that the service provider create a fake website;
    • a requirement that the company hand over more accurate phone geolocation data.

    “Now, companies are also obliged, upon the first request of law enforcement agencies, to completely disable all encryption and help in hacking their own software. This law includes all IT companies operating in Australia. Including various sites and Internet services.

    One of the largest IT companies in Australia is Atlassian, the maker of BitBucket, JIRA, HipChat, Zephyr, Bamboo and other well-known services. For it, the consequences of such a decision by lawmakers can be monstrous; it is likely that the company may change jurisdiction under such pressure from its state.

    Such “lawmaking”, masquerading as well-intentioned measures such as countering terrorism, does not help that struggle. Terrorists will always find a way to communicate, whatever actions the state takes. The only affected party in this situation will be ordinary users, whose level of security in cyberspace will drop significantly due to backdoors being introduced on demand.

    It is impossible in the 21st century to create a secret door to which only the good guys will have the key. The presence of vulnerabilities in software, designed for use by law enforcement agencies, gives attackers exactly the same opportunity to use them. And in the fight against terrorism and child pornography, they yield zero, if not negative, results,” writes Alexander Litreev, Russian IT security expert and author of the popular Cybersecurity and Co Telegram channel.

    The only concession that opponents of the bill achieved is that the Australian government promised to use this legislation only in the investigation of serious crimes that provide for imprisonment of three years.

    However, even this restriction covers a very large list of offences, for example, a false emergency call. Australia recently passed another dubious law, the Espionage and Foreign Interference Act 2018, which provides criminal penalties of up to five years for current or former civil servants who disclose "information that could harm national interests." Human rights activists believe that this law is directed against whistleblowers and journalists.

    "Five Eyes"

    Some used to think that such laws against “foreign agents” and “spies”, demanding mandatory traffic decryption, could be adopted only in countries where human rights are not much respected. But practice shows that the authorities of Great Britain and Australia are also trying to establish tight control over the electronic communications of citizens. The situation is worsening everywhere, not only in Russia.

    Australia is a member of the Five Eyes alliance along with Canada, the USA, New Zealand and the UK. These countries agree to share intelligence information, and in September 2018 they issued a joint statement announcing that IT companies would make it easier for them to access this information: “If governments continue to face obstacles to legitimate access to information necessary to protect citizens of our countries,” the five countries' statement says, “we can take technological, law-enforcement, legislative or other measures to achieve legal access decisions.”

    In light of the above, it is likely that such bills may be passed by other countries of the alliance.

    Many experts agree that such laws do more harm than good and actually weaken security rather than reinforce it: “This law has serious flaws and will probably lead to a weakening of overall cyber security in Australia trade, reducing security standards for data storage and reducing the protection of civil rights,” said Digital Rights Watch in a statement.

    Most likely, the law will be applied not only against terrorists, but also against individuals, says Mark Gregory, who specializes in network engineering and Internet security at Melbourne's RMIT University: “It is too hasty, broad and poorly worded, and ultimately will be used incorrectly. It can be used not only in criminal matters, but also in corporate law.”

    “There are issues related to transparency, accountability, oversight, and potential abuse,” adds Monique Mann, a technology, law and regulatory researcher at Queensland University of Technology.

    Representatives of the IT industry say that the law threatens the export of IT services from the country, because the world will have less confidence in the reliability of Australian software.
