Mozilla Says Australia's Compelled Access Law Could Turn Staff There Into 'Insider Threats'

from the how-to-undermine-your-software-industry-without-really-trying dept

Despite unanimous warnings from experts that it was a really bad idea, the Australian government went ahead and passed its law enabling compelled access to encrypted devices and communications. Apparently, the powers have already been used. Because of the way the Australian government rammed the legislation through without proper scrutiny, the country's Parliamentary Joint Committee on Intelligence and Security has commenced a review of the new law. That's the good news. The bad news is that Andrew Hastie, the Chair of the Committee, still thinks fairy tales are true:

I note with the House the concerns raised by some stakeholders in the tech sector about these laws, including in today's press. I welcome the ongoing contribution from these stakeholders as the committee continues its review. I note, however, that the legislation as passed prohibits the creation of so-called back doors. Companies cannot be required to create systemic weaknesses in their encrypted products or be required to build a decryption capability.

Sure, whatever, Andrew. One of the stakeholders that has made a submission to the Committee is Mozilla, which is worried by one aspect in particular (pdf):

Due to ambiguous language in [the compelled access law], one could interpret the law to allow Australian authorities to target employees of a Designated Communications Provider (DCP) rather than serving an order on the DCP itself through its General Counsel or an otherwise designated official for process. It is easy to imagine how Australian authorities could abuse their powers and the penalties of this law to coerce an employee of a DCP to compromise the security of the systems and products they develop or maintain.

As Tim Cushing explained in his December post when the compelled access law was approved, that would put employees in an impossible position. They would be forced by the authorities to put backdoors of some kind in a product, but it had to be accomplished in secret. Moreover, they risked five years in prison if any of their colleagues noticed, which they probably would, since unauthorized changes to code would naturally be spotted and challenged. Because of that ridiculous situation, Mozilla warns it would have to take drastic action:

this potential would force DCP’s [like Mozilla] to treat Australia-based employees as potential insider threats, introducing another vector for compromise that could undermine trust in critical products and incentivizing companies to move critical roles to other localities.

What's true for Mozilla, is true for every foreign software company: in order to protect the integrity of their code, they would be forced to regard every Australian coder as a security risk, and downgrade their access to the code accordingly. The difficulties of managing that kind of situation will probably force software companies to pull out of Australia completely. It will also have a big impact on the trustworthiness of any code produced in the country. In fact, that's already a problem, as another submission to the Parliamentary Joint Committee makes clear. It comes from one of the leading Australian software companies, FastMail, which provides hosted email services to 40,000 companies around the world. It says that "we have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice." Like Mozilla, FastMail is worried about the impossible position of employees (pdf), who may be coerced by the Australian authorities into weakening the company's code:

Our staff have expressed concerns that they may be forced to attempt to secretly add back doors or security holes in our service -- actions that would be just cause for dismissal -- and be unable to tell us why they have made these changes.

This is not just a matter of looking after our own staff's mental health, it also makes it harder for Australians looking to work for overseas companies if there is any risk that they will be compelled to act against their employer's interests.

The comments of these two organizations show clearly the practical problems of this ill-thought-out legislation. They also confirm that bringing in this kind of law is one of the quickest ways to undermine the local software industry, and increase dependence on foreign companies that are less likely to comply with demands to insert backdoors in their code. If the Australian government cares about those consequences, or indeed about the online safety of its citizens, it would do well to heed the words that conclude Mozilla's submission to the review:

This law represents an unprecedented and unchecked threat to the privacy and security of users in Australia and abroad. We urge the Committee and the Australian Parliament to move swiftly to remedy the significant harms posed by this legislation. Ultimately, the best course of action is to repeal this law and start afresh with a proper, public consultation.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: australia, backdoors, encryption, insider threats
Companies: fastmail, mozilla


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That One Guy (profile), 28 Feb 2019 @ 12:06pm

    Two people: One to code, one to look for sabotage of the code

    What's true for Mozilla, is true for every foreign software company: in order to protect the integrity of their code, they would be forced to regard every Australian coder as a security risk, and downgrade their access to the code accordingly. The difficulties of managing that kind of situation will probably force software companies to pull out of Australia completely

    At the point where you have to double-check coding by your own employees, because there's a risk that they've been forced to sabotage it, you might as well fire the lot of them and stick to only having coders in other countries, and this is now a problem that any company employing people in australia, or buying from australia, will face.

    The people who passed and continue to defend the monumentally stupid bill may be hiding behind 'going after the bad guys', but they have effectively stabbed their own tech companies and economy in the back more effectively than said 'bad guys' could have dreamed of.

    reply to this | link to this | view in chronology ]

    • identicon
      Paul, 28 Feb 2019 @ 12:19pm

      Re: Two people: One to code, one to look for sabotage of the cod

      There can't be any bad guys if there aren't any guys left.

      reply to this | link to this | view in chronology ]

      • icon
        JoeCool (profile), 28 Feb 2019 @ 12:33pm

        Re: Re: Two people: One to code, one to look for sabotage of the

        No, what actually happens is there's nothing left BUT bad guys. You've left no jobs for good guys, forcing the others to either join them, or find work in another line of business... like wash dishes or stock grocery store shelves. Which do you think many will choose?

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Feb 2019 @ 1:39pm

      Re: Two people: One to code, one to look for sabotage of the cod

      At the point where you have to double-check coding by your own employees

      To be fair, you're supposed to be doing that anyway; it's called code review. For non-trivial projects, not doing code reviews tends to result in software so riddled with bugs there is no need for backdoors anyway.

      Of course, code reviews are usually done to prevent low-quality code from sneaking in, not to guard against sabotage...

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 1 Mar 2019 @ 9:59am

        Re: Re: Two people: One to code, one to look for sabotage of the

        With this law, policies will have to require one non-Australian code review. And not a cursory one, but one done by the type of person who understands the tricks used in the Underhanded C Contest.

        reply to this | link to this | view in chronology ]

  • icon
    hij (profile), 28 Feb 2019 @ 12:19pm

    Legislate what you do not understand

    Someone is going to have to tell Australian MPs that programmers actually work together and cooperatively. That may shatter their firmly held beliefs about programmers living in their mothers' basements without human contact other than shouting on twitter. Is it illegal in Australia to shake an MPs wrong beliefs?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Feb 2019 @ 12:24pm

    Question for Andrew Hastie,

    Companies cannot be required to create systemic weaknesses in their encrypted products or be required to build a decryption capability.

    In that case, how are they meant to provide access to communications.

    reply to this | link to this | view in chronology ]

    • icon
      JoeCool (profile), 28 Feb 2019 @ 12:35pm

      Re: Question for Andrew Hastie,

      Companies cannot be required

      There is the loophole that Mozilla, et. al., are worried about. If you cannot force the company, just force individual programmers working for the company.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 28 Feb 2019 @ 12:49pm

        Re: Re: Question for Andrew Hastie,

        True, but what comment do they put on their commits? Required by Austarlia would be a big red flag, as would no comment.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 28 Feb 2019 @ 1:55pm

        Re: Re: Question for Andrew Hastie,

        Mozilla like any other open source project has a possible work around, just mark where commits are coming from, so that outsiders can pay extra attention to code coming from Australia.

        reply to this | link to this | view in chronology ]

    • icon
      Matthew Cline (profile), 28 Feb 2019 @ 12:42pm

      Re: Question for Andrew Hastie,

      In that case, how are they meant to provide access to communications.

      I think what he means by that is "look, we know that there must exist ways for you to give us what we want without introducing any weaknesses, if you'd just nerd harder you'd figure it out".

      reply to this | link to this | view in chronology ]

    • icon
      madasahatter (profile), 28 Feb 2019 @ 2:39pm

      Re: Question for Andrew Hastie,

      My question for him is did he flunk arithmetic in elementary school. Encryption is a rather math-heavy subject that is difficult to do well when not worrying about back doors. Many with STEM degrees, like myself, barely have enough math to vaguely follow the math.

      reply to this | link to this | view in chronology ]

  • icon
    virusdetected (profile), 28 Feb 2019 @ 12:34pm

    Is there a law in Australia...

    that MPs have to be technically illiterate and unbelievably stupid?

    reply to this | link to this | view in chronology ]

  • icon
    Shufflepants (profile), 28 Feb 2019 @ 1:01pm

    Damn, what would an employee even have as options in order to not end up in jail? If they put the backdoor in, they can go to jail if the company catches them. If they refuse the order by the government they can go to jail for direct refusal. Are they legally allowed to quit their job? Or are they just literal secret slaves to the government?

    reply to this | link to this | view in chronology ]

    • icon
      TKnarr (profile), 28 Feb 2019 @ 4:17pm

      Re:

      For myself (in the US), I'd smile and nod to the gentlemen from the government, then go and report the issue to the security team at work. I'd also contact an attorney ASAP and fill him in, just in case I "disappear". If it comes to it the attorney's job is to keep the matter from bypassing the courts and my position in the courtroom would be that I was asked to do something I'm not legally allowed to do and I did what I was legally required to do and reported the request to the appropriate authority. Let the government argue with the judge about whether they're entitled to require me to break the law or not.

      reply to this | link to this | view in chronology ]

  • identicon
    kallethen, 28 Feb 2019 @ 1:31pm

    Who wants to bet that the MPs solution will be to ammend the law to prohibit companies from firing workers who comply with these requests?

    (I wish I was being sarcastic...)

    reply to this | link to this | view in chronology ]

  • identicon
    Walex, 28 Feb 2019 @ 1:44pm

    it is a pointless debate, moles are much better

    "They would be forced by the authorities to put backdoors of some kind in a product"

    That seems to me rather unlikely: obviously major developers like Mozilla must already have dozens/hundreds/thousands of moles planted by every major security service (China, USA, Israel, UK, Russia, India, ...).

    Moles are the number one method of security services, and all they have to do to get backdoors cleverly disguised as bugs is to recruit, bribe or blackmail engineers at Google, Facebook, Intel, Mozilla, AWS, Microsoft, ... either before they apply for jobs or after they have got them.

    That does not leave much of a paper trail, and is plausibly deniable.

    reply to this | link to this | view in chronology ]

    • icon
      Bergman (profile), 2 Mar 2019 @ 1:35am

      Re: it is a pointless debate, moles are much better

      Yeah, but thanks to this new law, companies now know beyond any doubt that 100% of all Australian citizens are moles. Even in other countries. And can monitor their actions accordingly.

      reply to this | link to this | view in chronology ]

  • identicon
    Rekrul, 28 Feb 2019 @ 4:44pm

    Can someone please explain this obsession that software and internet companies have for opening up offices and facilities in every single country in the world. Hello, there's this thing called "the internet" that allows people in one country to access computers in another country without physically being there.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Feb 2019 @ 5:13pm

      Re:

      Well there are these things called time zones and languages,.........

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 1 Mar 2019 @ 10:08am

        Re: Re:

        To be fair, that doesn't imply a need for offices, which reduces the parent's question down to: "why do companies need offices?". They're a significant expense, so some bean counters must have studied it and decided it's worthwhile.

        reply to this | link to this | view in chronology ]

      • identicon
        Rekrul, 6 Mar 2019 @ 1:15pm

        Re: Re:

        Well there are these things called time zones and languages,.........

        Neither of which requires a physical presence in another country. The software running the website can be set to change the language based on the location of the IP address, or just offer users a choice of what language they want to use.

        If you're mentioning time zones in relation to customer service, as in a user in one time zone might want help when it's 4am in the company's time zone, that doesn't wash either. Email doesn't care what time it is and most companies don't answer email immediately anyway. Many of these companies don't have phone support and it's easy enough to hire people who stay up late for live chats.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Feb 2019 @ 6:25pm

    When questioned, an Australian Government spokesperson had this to say: "Pfffft."

    reply to this | link to this | view in chronology ]

  • identicon
    Bobvious, 1 Mar 2019 @ 4:32am

    Relax people.

    It's only the legislation's "primary effect", not its "primary intent".

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.