Mozilla warns decryption laws will break open source
The foundation said in a submission to the government that being forced to secretly create vulnerabilities in an open source product would be extremely difficult.
Mozilla expresses a number of concerns, including:
The limitation on systemic vulnerabilities is inadequate.
The key provision seeking to limit the widespread security risks of this bill is a prohibition on forcing companies to build a “systemic vulnerability” into their systems or to prevent them from rectifying a systemic vulnerability. However, the term “systemic” is not defined in the bill, leaving dangerous ambiguity that could be exploited by the government. The accompanying Explanatory Document provides some additional clarity but not confidence in stating that systemic vulnerabilities exclude “actions that weaken methods of encryption or authentication on a particular device.”
The Government goes on to say that this legislation would permit “requir[ing] a provider to enable access to a particular service, particular device or particular item of software.”
For a company to enable this capability would effectively be to create a systemic vulnerability, whether the capability is provided by “one-off” upgrades sent to specific devices or by inserting a remote access capability to all versions of their products. In either case, the company will be left with a fast-path method to compromising their users’ data, thus creating a high risk of compromise by malicious actors.
You can download the PDF here: Mozilla Submission