A collective of companies and civil liberty groups including Apple, Amazon, Google, Microsoft, Facebook, Privacy International, Linux Australia, and the Electronic Frontier Foundation has issued a warning that requirements to silently add law enforcement into encrypted chats could introduce vulnerabilities and create new risks to systems.
“Still, we have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice.” “We are [also] regularly being asked by customers if we plan to move.” Gondwana’s comments are similar to those of Senetas, which said it now “regularly fields questions” from customers about how encryption-busting laws might impact the products they have installed and are using.
GCHQ has a proposal to surveil encrypted messaging and phone calls. For various reasons, some systems like WhatsApp allow the server to add new users to your group chat. Nobody hardens their key distribution systems against these attacks because vendors saw them as impractical.
Technical capability notice: A notice issued by the attorney general, requiring tech companies to “build a new capability” to decrypt communications for law enforcement.
Facebook has always maintained that it only collected data from users who opted in, but in a tranche of internal emails obtained as part of a lawsuit against the company and released by the digital, culture, media and sport committee, employees discuss how to minimise the amount of consent they would need to ask for to begin the collection.
At a committee hearing in Canberra on Friday, witnesses from Cisco, Optus and Telstra called for a better definition of the bill’s main safeguard that tech companies cannot be asked to build “systemic” weaknesses into their products.
In a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security -- which is currently reviewing the legislation as the government attempts to ram it through Parliament -- Cisco called out Canberra for not allowing greater transparency on disclosing notices and requests from Australian authorities to access encrypted communications.
The submission's signatories are concerned about any attempt, anywhere in the world, to undermine encryption — the process that keeps online products and services secure, said Sharon Bradford Franklin, its co-author and Open Technology Institute's director of cybersecurity policy in Washington, DC.
Peter Dutton’s proposed legislation to expand the government’s surveillance capabilities into telecommunication devices through the inclusion of spyware could create “systemic weakness or vulnerability” that would be open to exploitation, Australia’s peak industry group has warned.