Mozilla has told the Australian government that its anti-encryption laws could turn its own employees into insider threats.
The Mozilla Corporation, which is the arm of the Mozilla Foundation that develops and maintains its software, made the striking warnings in a letter to the country’s government last week.
The letter, written to the Parliamentary Joint Committee on Intelligence and Security, criticises the country’s controversial Telecommunications & Other Legislation Amendment (Assistance & Access) Act 2018 (TOLA).
TOLA is Australia’s attempt to provide the government with access to encrypted communications. It enables the authorities to ask technology companies nicely for help decrypting a user’s communications, using an order called a technical assistance request (TAR). If they are technically able to help but don’t want to, the government can force them to with an order called a technical assistance notice (TAN).
What about companies that don’t want to help and say that they couldn’t anyway because their own technology stops them from giving up customer communications? In this case, the law allows the government to issue a technical capability notice (TCN). This forces the company to alter its systems to make them more, um, co-operative.
In its letter, Mozilla frets that TOLA’s language allows authorities to make these requests of individuals rather than of the companies they work for (otherwise known as designated communications providers, or DCPs). It says:
It is easy to imagine how Australian authorities could abuse their powers and the penalties of this law to coerce an employee of a DCP to compromise the security of the systems and products they develop or maintain.
It also warned that this would effectively force companies to treat Australian employees as potential saboteurs:
This potential would force DCP’s [sic] to treat Australia-based employees as potential insider threats, introducing another vector for compromise…
This problem is exacerbated by the fact that employees targeted with TOLA orders aren’t allowed to tell anyone, Mozilla added. It worries that this could enable the government to force an Australian employee to introduce weaknesses in code and then keep those changes secret.
According to Mozilla, TOLA’s danger is compounded by the fact that TCNs don’t require review from a judge, or from ministries outside the Attorney General’s office. TOLA powers can be delegated to relatively low-level government employees, the company warned:
Providing these powers to any police officer in Australia is irresponsible, risks the dangerous overuse of TOLA’s powers, and in doing so demonstrates a cavalier attitude toward the privacy and security of users in Australia and abroad.
TOLA powers can be delegated to foreign governments too, with what Mozilla calls “utterly insignificant safeguards”.
Mozilla raised its concerns and recommended ways to mitigate them but prefers another option. It said:
We do not believe that this law should have been passed in the first place, and we believe the best possible path is to repeal this legislation in its entirety and begin afresh with a proper, public consultation.
The software company wasn’t the only one to raise concerns. FastMail, an Australian email provider that prides itself on secure email services, worried in its own letter that government access to encrypted communication would damage consumer trust.
FastMail also argued that keeping a TCN secret wasn’t technically possible anyway. Weaknesses introduced via TCN would be detectable and would have to be understood by the whole team to avoid them being accidentally neutralised, it pointed out, adding:
TOLA’s requirements for secrecy put all companies which are built on a trusted relationship with their customers at risk. To conclude that additional capabilities built under TCN can be kept a secret, whether from staff or customers, is naive at best.
Of the 343 submissions that the Australian government received during the public comment period before it passed TOLA, only one was favourable, according to the Economist. The director general of the Australian Signals Directorate responded with a rare public statement supporting the law.
Looks like a really good reason to shut down the Australian office. No Australian employees no problem…
Whinging about the law is not going to do any good; if it was, the law would not have been passed in the first place.
The only thing that is going to make a difference is companies firing all their Australian employees and moving out of Australia. While I can see why the tech companies are hesitant to walk away from the EU or larger markets, Australia is a pretty small market. The best thing the tech companies could do is leave Australia and block access. Then leave it to the people of Australia to fix their Govt, because really it is their job, not the non-Australian based tech companies’.
And that’s all it takes to turn any country into China: one ridiculous law.
What snooping App are they going to force on everyone’s cell phone? Or will the gov just work a deal with FB?
Made easier via the revised OSI model
xkcd/2105
I was taught the “extended 9-layer” OSI model when I was at university. (8 = political, 9 = religious.)
Strangely appropriate, Duck – your comment currently has nine upvotes.
Can we set it in stone as it is and ever shall be?
I’ll start praying right now for an inspirational confirmation.
Some countries do these secretly and a lot of countries are going to do it “openly” by legalization and laws
A legislation like this should make it impossible for international companies to do business with Australian tech companies, and force international tech companies to shut down software development and data centers in the country.
Even having a data center in Australia could pose a risk to customers outside Australia if employees can be forced to compromise infrastructure etc.
As an Aussie in this industry I sadly have to concur.
This law has the potential to cripple the entire sector here.
>> This problem is exacerbated by the fact that employees targeted with TOLA orders aren’t allowed to tell anyone, Mozilla added.
Can you put a canary on the logon screen?
“I confirm that I am not subject to any court order requiring me to undermine Mozilla security. I understand that any false statement is a total breach of trust and will render me liable to instant dismissal together with loss of any accrued pension rights”
A failure to tick the box rings an immediate alarm?
The employee will not have told anyone?
Canaries are explicitly disallowed by that law as far as I am aware.
So if a developer in the USA maintains the Mozilla Developers’ login screen and includes a canary, how does Australia enforce its ban on canaries?
I can only see an Australian Law explicitly requiring someone being served with a TOLA to lie when faced with a canary – and I can’t see how that is workable.
“The employee will not have told anyone?”
Yes, but there will be a lot of false alarms. Too bad you can’t phrase it in the positive sense instead of the negative sense.
Ha! Australia deserves to lose all the tech companies that expanded there. And the current elected leadership deserves to lose their jobs. Byebye encryption, hello hiding your messages in your didgeridoo? Good job.
Lock down source code so that only people living in other countries can commit changes.
Sad times ahead for Australia’s tech industry, and after they bothered with the NBN as well. I will miss AWS having AZs in Oz, and likewise for Azure; looks like Netflix will be back to ADSL streaming speeds again once their storage goes offshore again.