The foundation said in a submission to the government that being forced to secretly create vulnerabilities in an open source product would be extremely difficult.
Mozilla expressed a number of concerns, including:
The limitation on systemic vulnerabilities is inadequate.
The key provision seeking to limit the widespread security risks of this bill is a prohibition on forcing companies to build a “systemic vulnerability” into their systems or to prevent them from rectifying a systemic vulnerability. However, the term “systemic” is not defined in the bill, leaving dangerous ambiguity that could be exploited by the government. The accompanying Explanatory Document provides some additional clarity but not confidence in stating that systemic vulnerabilities exclude “actions that weaken methods of encryption or authentication on a particular device.”
The Government goes on to say that this legislation would permit “requir[ing] a provider to enable access to a particular service, particular device or particular item of software.”
For a company to enable this capability would effectively be to create a systemic vulnerability, whether the capability is provided by “one-off” upgrades sent to specific devices or by inserting a remote access capability to all versions of their products. In either case, the company will be left with a fast-path method to compromising their user’s data, thus creating a high risk of compromise by malicious actors.
You can download the PDF here: Mozilla Submission
The bill “could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well”, Apple said in a parliamentary submission.
In the submission, Apple said, "The encryption technology built into today’s iPhone represents the best data security available to consumers. And cryptographic protections on the device don't just help prevent unauthorized access to your personal data — they're a critical line of defense against a criminal who seeks to implant malware or spyware, and use the device of an unsuspecting person to gain access to a business, public utility or government agency."
They go on to say "While the bill presents many questions and opportunities for clarification, we focus our comments on several overarching themes: (1) overly broad powers that could weaken cybersecurity and encryption; (2) a lack of appropriate independent judicial oversight, (3) technical requirements based only on the government’s subjective view of reasonableness and practicability, (4) unprecedented interception requirements, (5) unnecessarily stifling secrecy mandates, and (6) extraterritoriality and global impact."
The government plans to present the legislation – dubbed the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill – before December 7 this year.
I have heard the arguments from ordinary users stating that they have nothing to hide so why should they care? There are a number of aspects to this.
1. Whilst the government is not a corrupt totalitarian regime, you may have little to fear from them, but history has shown that this is not guaranteed and can change very quickly.
2. Your communications which expose personal information such as your banking information, your username and password for the various services you access etc. should always be secure and encrypted. If the government has a backdoor then what stops criminals from exploiting this backdoor? It's a valid argument because trusting the custodians of the backdoor key has been proven to be folly as it will always be exploited. Just look at the leaks from supposedly secure government organisations such as the NSA, CIA and FBI in the US.
3. On another level, if your data can be decrypted in transit by third parties, what is there to stop this information from being mined and used for marketing or to profile individuals for other purposes?
4. If you are not convinced that it is a bad idea, just think about the countless millions of accounts that have been hacked due to the custodians of your personal data being hacked. This information has been used to steal money, create false identities for other criminal activities etc.
It's interesting that governments that were formerly conservative in their thinking are now on the bandwagon of trying to impose these types of laws. Historically it was always more likely that the left of politics would push such ideas.
Article published on itnews site.