​Apple clashes with Canberra over ‘dangerously ambiguous’ encryption-law overhaul

19 October 2018 8:34am
iPhone Screen

17 October 2018. By James Panichi.

A bitter clash between Australia and US technology companies over Canberra’s planned overhaul of laws governing encrypted communications is set to continue, with smartphone maker Apple describing the bill before parliament as “dangerously ambiguous” and out of step with similar laws around the world.

In a strongly worded submission to an Australian parliamentary committee examining the encryption bill, Apple also said that the vagueness of the draft legislation undermined the government’s stated commitment not to build a “back door” into devices — a permanent point of entry for authorities to bypass data encryption.

“We encourage the government to stand by [its] stated intention not to weaken encryption or compel providers to build systemic weaknesses into their products,” Apple’s submission said. “Due to the breadth and vagueness of the bill’s authorities, coupled with ill-defined restrictions, that commitment is not currently being met.”

Apple’s opposition to the bill’s current wording comes against a backdrop of a mounting political tension between Silicon Valley and Canberra. Last week, Home affairs minister Peter Dutton accused US tech companies of dodging tax, misusing personal data and cozying up to dictators.

Australia’s overhaul of encryption laws is designed to grant law enforcement agencies the ability to monitor communications among people suspected of criminal activity. Announcing the draft legislation in August, the government was adamant it wouldn’t include a requirement that back doors be established.

But Apple’s submission to parliament suggested the bill’s wording left open the possibility that authorities could require technology companies to build software granting law enforcement agencies ongoing access to the contents of a phone — a back door in all but name.

Apple said that demands for such ongoing access to specific devices would compromise the security of all its devices. “Any process that weakens the mathematical models that protect user data for anyone will, by extension, weaken the protections for everyone,” the company argued.

“It would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat,” Apple’s submission said.

The company said that, implemented in its current form, the bill would allow authorities to compel providers to “install or test software or equipment, facilitate access to customer equipment, turn over source code, remove forms of electronic protection, modify characteristics of a service, or substitute a service.

“All of these capabilities should be as alarming to every Australian as they are to us,” Apple said. “While we share the goal of protecting the public and communities, we believe more work needs to be done on the bill to iron out the ambiguities on encryption and security to ensure that all Australians are protected to the greatest extent possible in the digital world.”

Apple also revealed that over the past five years it had processed more than 26,000 requests from Australian law-enforcement agencies for information to help investigate, prevent and solve crimes. The company suggested that such case-by-case cooperation was preferable to the proposed legislative revamp.

— Pressure —

Over recent weeks, Canberra has put increased pressure on US technology companies to accept the proposed overhaul.

Earlier this month, the chief of Australia’s top intelligence agency, Duncan Lewis, sounded a warning bell, saying that the increased use of encrypted communications by criminals, terrorists, spies and hackers had left the country’s law enforces flying blind (see here).  

Then, last week, Dutton launched an extraordinary attack on what he described as “multibillion-dollar Silicon Valley companies” that “need to be hounded pay tax in Australia and other jurisdictions ... the same companies who have misused personal data to commercial advantage.”

Both Lewis and Dutton have repeated that no demands for back doors would be made as part of the revamp.

“The bill specifically provides that companies cannot be required to create systemic weaknesses in their encrypted products, or be required to build a decryption capability, and robust measures will ensure individual privacy is protected and cybersecurity safeguarded,” Dutton said.

— Inadequate judicial review —

Apple’s submission to the committee also cast doubt on the government’s highly touted guarantee of a judicial review of requests to tech companies for the decryption of communications. The company's said that, at worst, the bill “fails to provide for vital oversight and redress procedures.”

“We believe that any bill permitting the government to mandate sweeping technical changes that could jeopardize the security and privacy of countless users should require approval by an independent judicial body prior to issuance of such a directive,” Apple said.

The company went on to suggest that Australia should use UK legislation — the Investigatory Powers Act 2016 — as a model for its revamp. The British law, Apple said, allowed for judicial reviews of requests for information before notice could be served on providers.

At the heart of Apple’s argument is the fear that although the bill allows providers to appoint experts to determine whether a request for information violates Australian laws, the proposed legislation gives too much discretion to the Australian executive.

“The bill … gives undue weight to the government’s interpretation of the law’s terms and the technical facts,” Apple said in its submission. “If the government believes that a particular measure is reasonable and proportionate, it would matter little that a wide swath of security experts and technology companies believe it to be dangerous and irresponsible.”

— Extraterritoriality —

The submission went on to argue that the proposed law would create significant enforcement problems for the government because it failed to fully address the bill’s extraterritorial application.

Many foreign jurisdictions wouldn’t allow technology companies to disclose user information to third parties. That prompted a provision in the draft legislation to allow foreign-based companies to sidestep information demands when those contravened the laws of a foreign country.  

Apple said it welcomed that provision, but said the immunity granted in such cases couldn't cover liability in foreign jurisdictions. In other words, a US-based tech company could be prosecuted in the US for assisting Australian authorities.

Apple also warned Australian legislators that the bill could fall foul of the European Union’s new privacy rules, the General Data Protection Regulation.

“If Australian authorities were to issue a [demand] that required access to data of European Union citizens, Apple could face stiff penalties of up to 4 percent of its annual turnover under the General Data Protection Regulation, were it to comply,” the company said.

GDPR