Apple urges Australian government not to weaken encryption with backdoors

Posted:
in General Discussion edited December 2018
Apple has submitted its formal response to a draft bill undergoing debate by the Australian government, with the iPhone maker calling for "increasingly stronger - not weaker - encryption" as a way to protect against the growing number of online threats.

Parliament House, Canberra


Provided to AppleInsider by Apple, the the seven-page submission to the Australian Parliamentary Joint Committee on Intelligence and Security on the "Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018," arguing for clarity on the bill's aims, and encouraging the government to avoid going down the route of weakening encryption.

Introduced to the parliamentary calendar in August, the bill proposes updates to the country's telecommunications-related laws, including a need for private sector firms to "provide greater assistance to agencies." While the bill demands assistance from companies like Apple, the language used is ambiguous enough to potentially mean the creation of backdoors into encrypted apps and services, something which many tech companies strongly disagree with.

Noting Apple's role in protecting national security and citizen's lives, and its teams working to stay one step ahead of criminal attackers, the letter claims the threats that pry for personal data or co-opting hardware for broader assaults "only grow more serious and sophisticated over time.

"It is precisely because of these threats that we support strong encryption," Apple assets. Highlighting the trillion transactions conducted online and protected by encryption every day, the threats to these communications are said to be "very real and increasingly sophisticated."

Referencing the government's Notifiable Data Breaches database's records of 2.5 or more daily data breaches over the last quarter, - "And that's just breaches that were identified and reported," Apple offers up the NotPetya attack from 2017 as an example of a need for robust security, an attack which effectively shut down Cadbury's manufacturing systems and impacting other firms.

"In the face of these threats, this is no time to weaken encryption. There is a profound risk of making criminals' jobs easier, not harder," writes Apple. "Increasingly stronger - not weaker - encryption is the best way to protect against these threats."

Apple assists Australian law enforcement now

Apple also challenges the suggestion that weaker encryption is needed to help law enforcement. The company works with the Australian government and other law enforcement agencies globally in the interest of public safety. In Australia alone, it has processed over 26,000 requests from local security forces over the last five years, and recently announced efforts to expand its law enforcement training efforts for obtaining information from the company within its legal guidelines.

There is encouragement for the government to "stand by their stated intention not to weaken encryption or compel providers to build systemic weaknesses into their products," but due to the "breadth and vagueness of the bill's authorities" and "ill-defined restrictions," Apple suggests the intention is not being met by the bill in its current form.

Broad surveillance isn't good for Apple, or Australian citizens

Apple suggests the bill could force smart home speakers to install persistent eavesdropping capabilities, or require a provider to monitor health data of its customers for signs of drug use, or the creation of a tool to unlock a specific user's device, even if that tool could be used to unlock every other user's devices as well.

"All of these capabilities should be as alarming to every Australian as they are to us," Apple adds, before calling for the laws to be "clear and unambiguous."

"Encryption is the single best tool we have to protect data and ultimately lives. Software innovations of the future will depend on the foundation of strong device security," said Apple. "To allow for those protections to be weakened in any way slows our pace of progress and puts everyone at risk."

The submission then goes on to highlight specific overarching themes that those working on the draft of the bill need to take into account. First, the company complains about how "Overly broad authorities could weaken cybersecurity and encryption."

"For instance, the government may seek to compel a provider to develop custom software to bypass a particular device's encryption. The government's view is that if it only seeks such tool for a particular user's device, it will create no systemic risk," argued Apple. "As we have firmly stated, however, the development of such a tool, even if deployed only to one phone, would render everyone's encryption and security less effective."

This echoes previous comments made by Apple CEO Tim Cook, arguing the technique is analogous to leaving a key under a doormat, an action that makes it available to authorities if necessary, but also makes it findable by burglars. "Criminals are using every technology tool at their disposal to hack into people's accounts," said Cook. "If they know theres a key hidden somewhere, they won't stop until they find it."

Not the first time that Apple has said this

This echoes previous comments made by Apple CEO Tim Cook, arguing the technique is analogous to leaving a key under a doormat, an action that makes it available to authorities if necessary, but also makes it findable by burglars. "Criminals are using every technology tool at their disposal to hack into people's accounts," said Cook. "If they know theres a key hidden somewhere, they won't stop until they find it."

Apple also advises insufficient judicial review can reduce customer trust and security, arguing there is concern that an independent judicial review is not required before the government could issue a technical assistance notice (TAN) or capability notice (TCN). The UK's Investigatory Powers Act is suggested as a model Australia could follow, as it requires such reviews before a provider can be served a notice.

There is also a concern the key factual determinations depend only on the government's own assessment on circumstances and the technical complexities involved. The government is advised it should take into account other views, such as from security experts, academics, and privacy concerns, before making any determinations.

Whistleblowers beware

The bill also introduces problems regarding its secrecy requirements, in that while they are welcomed in principle, they are too broad and could stifle innocent disclosures, or disclosures for the purpose of reporting abuse.

"If an engineer working for a provider tasked with complying with a TCN had a legitimate legal or ethical concern, they could be imprisoned for five years for merely disclosing the fact of a TCN to his or her employer's human resources office," wrote Apple. "Similarly, an employee of a provider who legitimately believed a TAN or TCN violated the law, could not disclose that concern for fear of punishment."

Apple suggests there should be more of a balance between maintaining secrecy and ensuring customers and providers that the laws are "being executed properly and lawfully."

Incompatible internationally

Lastly, Apple expresses concern over how the laws would impact companies outside Australia, as while the draft advises it is an allowable defense for a provider to claim a TCN or TAN may contravene a foreign jurisdiction's law if they are based abroad, it doesn't go far enough. The bill does grant immunity for compliance with TAN or TCNs, it only applies to Australia, and does not take into account breaches of laws in other countries while complying to the notice.

"Forcing business with operations outside Australia to comply with TANs or TCNs that violate the laws of other countries in which they operate, will just incentivize criminals to use service providers that never assist Australian authorities or ones that operate underground in jurisdictions unfriendly to Australian interests," Apple concluded. "Rather than serving the interests of Australian law enforcement, it will just weaken the security and privacy of regular customers while pushing criminals further off the grid."

Earlier in October, it was revealed Apple was joining Alphabet, Amazon, and Facebook in opposing the proposals, a continuation of a campaign by tech companies to fight backdoors and other legislative changes that weaken security for all users. The firms have previously issued statements to various governments and security agencies around the world to combat the growing calls by lawmakers and heads of law enforcement agencies to make it easier to access hard-to-obtain information that is securely encrypted.

Outside of tech companies, some lawmakers in the U.S. are attempting to put a stop to similar measures being implemented by the government. The "Secure Data Act," proposed in May, aims to prevent courts and federal agencies from issuing orders to create backdoors or other security-weakening features.

Comments

  • Reply 1 of 14
    VicWVicW Posts: 11member
    Good for Apple! These laws are a misguided attempt to counter real world threats. Yes, the threats are absolutely real but every one of these proposed laws would put every digital asset anyone has at permanent risk. Having followed Apple's privacy efforts for years, and being a security researcher/product developer/cto/engineer I know something about this topic. We live in a world where highly intelligent people make remarkable progress everywhere from medicine to technology. On the consuming side of these advances are lawmakers who, sadly, are not capable of understanding what they make decisions on. You can't entirely blame them: As a species we have this dichotomy between those who "can" and those who "can't". Pick a topic.
    edited October 2018 StrangeDayssteven n.chasmjbdragonradarthekatolswatto_cobrajony0
  • Reply 2 of 14
    entropysentropys Posts: 1,751member
    Most politicians these days have never had a real job, having chosen politics as a “career” rather than a vocation to serve others. Worse, they generally study law, and as the saying goes, if the only tool you have is a hammer, every problem is a nail.
    This Bill is terrible. It should be withdrawn by the government.
    StrangeDaysdewmejbdragonnewBelieverolsfreethinkingwatto_cobrajony0
  • Reply 3 of 14
    And sadly, Apples strict App Store would prevent outside app developers from offering an app that replaces the weak security with stronger than ever security.
  • Reply 4 of 14
    microbe said:
    And sadly, Apples strict App Store would prevent outside app developers from offering an app that replaces the weak security with stronger than ever security.
    Nah. Having a curated app store has increased app safety, not decreased it. Additionally Apple is bound by the country's law and couldn't let App Store apps circumvent what local law requires.

    Try again. 
    edited October 2018 dewmeRayz2016watto_cobrajony0
  • Reply 5 of 14
    microbe said:
    And sadly, Apples strict App Store would prevent outside app developers from offering an app that replaces the weak security with stronger than ever security.
    That’s just dumb.  Let’s say I submit a App that I claim to have 2048bit encryption.  It’s a proprietary encryption setup, and not based upon any of the vetted standards.  The encryption could contain anything including bugs, flaws, and back doors.  Apple maintains standards to prevent garbage entering the App Store, and threatening users security.

    Your post is extremely suspicious... what government do you work for anyway?  I hope its not mine.
    edited October 2018 StrangeDaysSoundJudgmentchasmdewmewatto_cobrajony0
  • Reply 6 of 14
    chasmchasm Posts: 1,597member
    While I believe it is wrong for lawmakers (anywhere) to create laws based on poorly-understood or incomplete knowledge of a given topic, it is also unrealistic to expect lawmakers to be experts in everything.

    That said, it is clear that some (like in Australia and elsewhere) are clearly not even trying to listen to experts or a diverse range of fact-based views. Obviously the law-enforcement community, noble as it generally is, is going to “game the system” and want backdoors if they can get them, but lawmakers need to cultivate and welcome clear and articulated arguments like this one from Apple and other involved stakeholders before making a potentially dangerous decision.

    Whoever wrote the Australian proposal (and don’t kid yourself that something like it hasn’t been proposed in your country) should be raked over the coals not only for not “showing their work” in terms of seeking to fully understand the situation, but also for creating a vague and poorly-written bill that most likely wouldn’t pass legal muster, even in countries with very different governing documents to those of, for example, Canada or America.
    mattinozolswatto_cobrajony0
  • Reply 7 of 14
    dewmedewme Posts: 2,099member
    chasm said:
    While I believe it is wrong for lawmakers (anywhere) to create laws based on poorly-understood or incomplete knowledge of a given topic, it is also unrealistic to expect lawmakers to be experts in everything.

    That said, it is clear that some (like in Australia and elsewhere) are clearly not even trying to listen to experts or a diverse range of fact-based views. Obviously the law-enforcement community, noble as it generally is, is going to “game the system” and want backdoors if they can get them, but lawmakers need to cultivate and welcome clear and articulated arguments like this one from Apple and other involved stakeholders before making a potentially dangerous decision.

    Whoever wrote the Australian proposal (and don’t kid yourself that something like it hasn’t been proposed in your country) should be raked over the coals not only for not “showing their work” in terms of seeking to fully understand the situation, but also for creating a vague and poorly-written bill that most likely wouldn’t pass legal muster, even in countries with very different governing documents to those of, for example, Canada or America.
    Good post. You’re being very gentle to suggest that lawmakers are not even trying to listen. That would be too passive aggressive. A fairer assessment would be that they are actively engaged in the application of agnotology techniques (related to security, cryptology, countermeasures) as they have seen it used to great effectiveness for a wide variety of topics of concern in the northern hemisphere. 
    radarthekatRayz2016olsgeorgie01watto_cobrajony0
  • Reply 8 of 14
    jbdragonjbdragon Posts: 2,135member
    microbe said:
    And sadly, Apples strict App Store would prevent outside app developers from offering an app that replaces the weak security with stronger than ever security.
    That’s just dumb.  Let’s say I submit a App that I claim to have 2048bit encryption.  It’s a proprietary encryption setup, and not based upon any of the vetted standards.  The encryption could contain anything including bugs, flaws, and back doors.  Apple maintains standards to prevent garbage entering the App Store, and threatening users security.

    Your post is extremely suspicious... what government do you work for anyway?  I hope its not mine.

    There are 3rd party open source encryption software that you can install in Android that is safe and has no backdoors and there is nothing any government could do to stop someone from using it.  In this case, Android has a advantage if these type of laws requiring a backdoor go through.  Because what are you going to do on iOS with a closed system?  I have a new XS.

    if the law passed, Apple should pull out of the country then cave in and weaken iOS.  If Apple caves here, every other country is going to want the same or worse.  It’ll be the domino effect.

  • Reply 9 of 14
    Wibble69Wibble69 Posts: 3unconfirmed, member
    The scary thing is that Australia, is part of the 'five eyes' arrangement between the US, the UK, New Zealand and Canadia. As such,  should this legislation pass, Australia would be be a point of entry for other 'five eyes' partners through the appropriate request channels. 

    Think Pine Gap is busy now? With this legislation, no one would have any privacy at all. 




    Seriously. No digital privacy. Walking down a street in London - you are tracked on CCTV. Using an app in the US? Requesting an UBER in the Canadia's? Shagging a Sheep in Kiwiland?

    Oh, sure. If you are doing nothing wrong you have nothing to fear. Unless the data collected on you is used for nefarious purposes. In that case, you are on your own, as the 'intelligence agencies' have been specifically covered for liability through legislation. 

    So sorry, old bean. We didn't mean for your data to be used to steal your identity, but as an insurance company/bank/financial institution is currently donating to our 'democracy fund', and we like them more than we like you, you are shit out of luck....
    watto_cobra
  • Reply 10 of 14
    Rayz2016Rayz2016 Posts: 4,630member
    jbdragon said:
    microbe said:
    And sadly, Apples strict App Store would prevent outside app developers from offering an app that replaces the weak security with stronger than ever security.
    That’s just dumb.  Let’s say I submit a App that I claim to have 2048bit encryption.  It’s a proprietary encryption setup, and not based upon any of the vetted standards.  The encryption could contain anything including bugs, flaws, and back doors.  Apple maintains standards to prevent garbage entering the App Store, and threatening users security.

    Your post is extremely suspicious... what government do you work for anyway?  I hope its not mine.

    There are 3rd party open source encryption software that you can install in Android that is safe and has no backdoors and there is nothing any government could do to stop someone from using it.  


     Apple can't host 3rd party encryption software on the App Store? Genuine question.


    watto_cobra
  • Reply 11 of 14
    e1618978e1618978 Posts: 6,074member
    It seems like a no-brainer for Apple to pull out of Australia if this passes.  They would have to shut down 22 Apple stores, and lose a few billion in revenue - pretty insignificant cost overall to send a message that will put Australians into open revolt when they can't buy iPhones or macs anymore.

    The whole ex-China,Japan pacific rim region is an insignificant part of Apple's global revenue.
  • Reply 12 of 14
    e1618978 said:
    It seems like a no-brainer for Apple to pull out of Australia if this passes.  They would have to shut down 22 Apple stores, and lose a few billion in revenue - pretty insignificant cost overall to send a message that will put Australians into open revolt when they can't buy iPhones or macs anymore.

    The whole ex-China,Japan pacific rim region is an insignificant part of Apple's global revenue.
    I really do wish Americans would understand that the world isn't just their country. Maybe Apple should pull out of the EU, the UK and Asia Pacific?
    watto_cobra
  • Reply 13 of 14
    It makes you wonder if Murdoch is a bigger threat than Putin in the long run...
    watto_cobra
  • Reply 14 of 14
    lwiolwio Posts: 88member
    It just takes one country to start this and the citizens will not have access to smart phones, online banking, everything because either they will be withdrawn or become venerable to criminals. All because someone wants to play NCIS.  See how that goes down. 
    watto_cobra
Sign In or Register to comment.