Apple calls on Australian government not to weaken encryption with backdoors

Apple has submitted its official response to a bill under discussion in the Australian government, with the iPhone maker calling for "stronger and stronger encryption – not weaker" as a way to protect against the growing number of threats online.

Provided to AppleInsider by Apple, the seven-page submission to the Australian Parliament's Joint Committee on Intelligence and Security on Bill 2018 "Amendment to the Telecommunications and Other Legislation (Assistance and Access)", calling for clarification of the objectives of the bill and encouraging the government to avoid going down the path of weakening encryption.

Introduced into the parliamentary calendar in August, the bill proposes to update the country's telecommunications laws, including the need for private sector companies to "provide increased assistance to agencies". Although the bill calls for help from companies such as Apple, the language used is ambiguous enough to suggest the creation of backdoors in encrypted applications and services, which many technology strongly disapprove.

Noting the role of Apple in protecting national security and the lives of citizens, and its teams working to keep a long way ahead of criminal attackers, the letter says that threats to research personal data or co-opting equipment for larger assaults "only become more serious and sophisticated time.

"It is precisely because of these threats that we support strong encryption," according to Apple. By highlighting the trillions of online transactions protected by encryption every day, the threats to these communications are said to be "very real and increasingly sophisticated."

Referring to the government's notifiable data breach records for at least 2.5 daily data breaches during the last quarter, "And these are just identified and reported violations," Apple presents the NotPetya attack starting in 2017 as an example of the need for enhanced security, an attack that has the effect of closing down Cadbury's manufacturing systems and impacting other companies.

"In the face of these threats, the time has not come to weaken encryption.There is a significant risk of making the work of criminals easier, no more difficult," Apple writes. "Encryption is becoming more powerful – and not weaker – the best way to protect yourself from these threats."

Apple now attends Australian law enforcement

Apple also disputes the suggestion that weaker encryption is needed to help law enforcement. The company works with the Australian government and other law enforcement agencies around the world in the interest of public safety. In Australia alone, more than 26,000 requests from local security forces have been processed in the last five years and efforts have recently been announced to expand its law enforcement training efforts in order to To obtain information from the company in accordance with its legal guidelines.

The government is encouraged to "maintain its stated intention not to weaken encryption or force suppliers to incorporate systemic weaknesses into their products", but because of the "breadth and vagueness of bill "and" ill-defined restrictions ". Apple suggests that the bill in its current form does not meet his intent.

Extensive surveillance is not good for Apple or Australian citizens

Apple suggests that the bill could force smart home speakers to install persistent listening features or force a provider to monitor its customers' health data for any signs of drug use or to create a tool to to unlock the device of a specific user, even if this tool could be used to unlock the devices of all other users as well.

"All these capabilities should be as alarming for all Australians as for us," Apple said before asking for the laws to be "clear and unambiguous".

"Encryption is the best tool we have to protect data, and ultimately, so that our software innovations rely on the foundation of enhanced device security," said Apple. "Allowing these protections to be weakened in any way slows down our pace of progress and puts everyone at risk."

The presentation then goes on to highlight the specific general themes that those working on the bill need to take into account. First, the company complains of how "overly broad authorities could weaken cybersecurity and encryption".

"For example, the government may seek to compel a provider to develop custom software to bypass the encryption of a particular device.According to the government, it does not create any risk for the device of a particular user it does not create any systemic risk, "said Apple. . "However, as we have clearly stated, the development of such a tool, even if it was deployed on only one phone, would make encryption and security of all less effective."

This echoes previous comments from Apple CEO Tim Cook, saying that this technique is to leave a key under a doormat, an action that allows the authorities to consult if necessary, but also allows burglars to find it. "Criminals use all the technological tools at their disposal to hack people's accounts," Cook said. "If they know a hidden key somewhere, they will not stop until they find it."

The bill is not specific enough

The presentation then goes on to highlight the specific general themes that those working on the bill need to take into account. First, the company complains of how "overly broad authorities could weaken cybersecurity and encryption".

"For example, the government may seek to compel a provider to develop custom software to bypass the encryption of a particular device.According to the government, it does not create any risk for the device of a particular user it does not create any systemic risk, "said Apple. . "However, as we have clearly stated, the development of such a tool, even if it was deployed on only one phone, would make encryption and security of all less effective."

Not the first time that Apple said that

This echoes previous comments from Apple CEO Tim Cook, saying that this technique is to leave a key under a doormat, an action that allows the authorities to consult if necessary, but also allows burglars to find it. "Criminals use all the technological tools at their disposal to hack people's accounts," Cook said. "If they know a hidden key somewhere, they will not stop until they find it."

Apple also believes that insufficient judicial review can reduce customer trust and safety, highlighting the fear that an independent judicial review may not be necessary before the government can issue a technical assistance notice. or a notice of ability. The UK law on investigative powers is suggested as a model to follow for Australia because it requires such reviews before a supplier can receive notice.

It is also of concern that the main factual determinations depend solely on the government's own assessment of the circumstances and the technical complexities involved. The government is informed that it must take into account other points of view, such as security experts, academics and privacy concerns, before making any decision.

Beware of the launchers of alert

The bill also introduces issues with respect to its confidentiality requirements, as although they are in principle well received, they are too broad and could stifle innocent disclosures or to denounce abuses.

"If an engineer working for a supplier charged with complying with a PPR had legitimate legal or ethical concerns, he could be sentenced to five years in jail for simply disclosing the existence of a PPR. at the human resources office of his employer, "wrote Apple. "Similarly, an employee of a supplier who legitimately believed that a TAN or RPT was breaking the law could not reveal this problem for fear of being punished."

Apple suggests that there should be a better balance between maintaining secrecy and granting customers and law providers "executed properly and legally".

Incompatible internationally

Finally, Apple expresses its concern about the impact of corporate laws outside Australia. Indeed, although the project provides that a supplier may invoke a TCN or a TAN, it may violate the law of a foreign country if it is established abroad. go far enough. The bill grants immunity with respect to compliance with the TAN or TCN, it applies only to Australia and does not take into account violations of the laws of other countries when compliance with the notification.

"Forcing companies with activities outside Australia to comply with TANs or TCNs violating the laws of other countries in which they operate will simply incite criminals to seek out suppliers." of services that never help Australian authorities or those who operate in hiding in countries unfavorable to Australian interests, "Apple concluded. "Rather than serving the interests of Australian law enforcement, this will only weaken the security and confidentiality of regular customers while keeping criminals out of the network."

Earlier in October, it was revealed that Apple was joining Alphabet, Amazon and Facebook to oppose the proposals, as a continuation of a campaign by tech companies to fight backdoors and other legislative changes that weaken the safety of all users. The companies had already made statements to various governments and security agencies around the world to counter the increasingly pressing calls of lawmakers and law enforcement officials to facilitate access to information. hard to get and encrypted safely.

Apart from technology companies, some US lawmakers are trying to stop similar measures implemented by the government. The "Data Security Act", proposed in May, aims to prevent courts and federal agencies from making orders to create back doors or other security compromises.