Global software industry advocate BSA, the software alliance, has urged the Australian Government to include in its encryption bill a judicial oversight and challenge mechanism in order to ensure that any new powers given to law enforcement are not abused.
The organisation, formerly known as the Business Software Alliance, made its views known through its APAC policy director Darryn Lim. It represents a list of technology companies that includes most companies that produce software that is in common use around the globe. Two prominent absentees are Google and Facebook.
The draft bill ― officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 ― was introduced into the lower house of Parliament on Thursday by Home Affairs Minister Peter Dutton.
Lim told iTWire that cyber security, privacy protection, innovation and economic growth would all be affected by policies that mandated the breaking of encryption.
And, he added, any national policies on encryption "have limitations because of the global nature of the Internet, and the fact that criminal or terrorist acts are not limited by national borders".
Asked about other possible solutions to the problems that law enforcement claim to be facing due to the use of encryption by law-breakers, Lim said: "One key solution would be to deepen collaboration between private industry and law enforcement, and make use of easy access to technology community support. Such collaboration can generate practical and impactful solutions to the challenges facing law enforcement."
He was interviewed by email. The full interview is below:
iTWire : First, I always provide information about any conflicts of interest, so please let me know the companies that BSA represents.Darryn Lim:BSA’s members include: Adobe, Amazon Web Services, ANSYS, Apple, Autodesk, AVEVA, Baseplan Software, Bentley Systems, Box, CA Technologies, Cad Pacific/Power Space, Cad Pacific, Cisco, CNC/Mastercam, DataStax, DocuSign, IBM, Informatica, Intel, Mathworks, Microsoft, Okta, Oracle, PTC, Salesforce, SAS Institute, Siemens PLM Software, Splunk, Symantec, Trend Micro, Trimble Solutions Corporation, and Workday.
The eight principles you enumerate appear to want to do everything and anything. You can't break crypto and then expect people to be safe. Please elaborate on these eight principles and how each will be implemented. Improving data security: Providers of data services ― storing, managing or transmitting personal or business data ― must be permitted to use the best available technology to thwart attacks against that data or the entities and individuals who depend on those services. Enhancing law enforcement and counter-terrorism capabilities: Law enforcement agencies, subject to appropriate privacy and civil liberties safeguards, should have access to the best available resources, information, and tools available to prevent and prosecute terrorist and criminal acts. Promoting privacy: Individuals have a right to be secure in their public, private and commercial lives and interactions. Protecting confidential government information: National, state and local agencies should ensure that the data they hold is secure against threats of domestic and foreign intrusion. Encouraging innovation: Developers and providers of innovative data security tools should be free of government mandates on how to design technology products and tools for digital security. Defending critical infrastructure: Providers of essential services, such as banking, health, electricity, water and other critical infrastructure providers, should be empowered to provide the best available security technologies to their users. Best practices should be widely shared. Understanding the global impact: Criminal and terrorist acts are not limited by national borders, and laws and policies must create consistency and clarity in all countries where security technologies are developed and used. Increasing transparency: There should be full, transparent, and considered public dialogue before any legislative proposal concerning the future of technology mandates or encryption is adopted. The FBI has beencaught lying about the extent of encrypted devices that need to be cracked for investigations. How do we know that Australian law enforcement agencies are levelling with us?In our experience, the needs of law enforcement, technology providers, and the consumers whose privacy interests are at stake, are best met by governments that have a robust mechanism for judicial oversight, transparency of activities, privacy protections, and clearly defined processes for bidirectional communication on law enforcement needs.
In our submission to the Australian Government, we have accordingly recommended incorporating in the draft legislation a judicial oversight and challenge mechanism that provides for full and transparent due process. We also urged continued engagement between the Australian government, policy-makers, and industry to ensure that the solution eventually adopted would balance the legitimate rights, needs, and responsibilities of the government, citizens, providers of critical infrastructure, third-party stewards of data, and innovators.
One way of trying to keep the whole thing quiet is by legislating fines for anyone who discloses that an act to break encryption has been carried out. Prison terms have also been threatened. But what would the government do if a foreign news site writes about something happening in Australia block it in the way China does?BSA does not have any knowledge or insight, and is therefore not able to comment, on the Australian Government’s plans for imposing penalties on those who do not adhere to any new encryption laws.
Our role here is to work with governments and law enforcement agencies in Australia and around the world to ensure that law enforcement can access digital evidence in support of lawful criminal investigations in a timely manner pursuant to appropriate safeguards that protect privacy, cyber security, and trust in the digital economy.
What, in your view, are the risks and challenges associated with policies that mandate the breaking of encryption?In BSA’s view, mandating technical approaches or weakening encryption standards (whether intentionally or not) would not only be ineffective, but, in fact, would be counter-productive to the goal of enhancing security. Any benefits of these approaches would likely be outweighed by the potentially detrimental impact that such measures would have on security, privacy, and trust in the digital economy. Some of these risks and challenges include:
Cyber security:Encryption technology is fundamental to cyber security: encryption is used to protect sensitive data where it is stored and while it is in transit, to safeguard devices against unauthorised use, and to assist in the authentication of users’ identities. Introducing weaknesses to such technologies could enhance risk across the Internet ecosystem, undermining key defences against malicious cyber-attacks.
Privacy protection:One of the fundamental principles underlying data protection laws is the principle of protecting privacy and handling personal data responsibly. These principles are enshrined in international law and upheld in Australia through the Privacy Act and associated regulations. Encryption is a core pillar of privacy because it protects private communications from unauthorised access. Unfortunately, mandating technical access to encrypted data risks weakening encryption, which in turn risks weakening the privacy of individuals.
Innovation and economic growth:Digital innovation rests to a large extent on technologies such as encryption, because trust in the digital economy requires that communications and transactions are private and secure. Australian businesses will be disadvantaged if they cannot use and collect data while managing concerns about privacy and security. However, any legislation mandating technical access to encrypted communications risks undermining trust in the digital economy, which will undoubtedly have consequences for innovation and economic growth.
National encryption policies have limitations:National approaches to encryption have limitations because of the global nature of the Internet, and the fact that criminal or terrorist acts are not limited by national borders.
Fragmented and piecemeal approaches by individual countries may only serve to further weaken encryption protections globally. Thus, any regulatory approach to encryption should be developed by reference to the international nature of the Internet and the threats facing individuals and organisations in the digital economy.
What other solutions are there?One key solution would be to deepen collaboration between private industry and law enforcement, and make use of easy access to technology community support. Such collaboration can generate practical and impactful solutions to the challenges facing law enforcement.
Technology companies seek a trust relationship with their customers such that customers are confident companies will not disclose their data to anyone including law enforcement without their authorisation. These companies also take seriously their responsibilities to support lawful evidence collection. Many major technology companies respond to hundreds of data requests, including search warrants, from law enforcement authorities around the world every day. However, their ability to respond to such requests is sometimes hindered by the lack of necessary information in the request, or the request coming from an improper authority or being addressed to the wrong service provider.
As Australian law enforcement navigates the ever-evolving multitude of digital platforms, configurations, and applications to seek digital evidence, there are opportunities for collaboration with technology companies to streamline or standardise request processes, access technical support, and facilitate greater co-ordination and communication between the law enforcement and technology communities. BSA therefore urges the Australian government to engage with key technology companies to identify obstacles to such coordination and communication, and to develop concrete collaborative steps to address them.
Iraised the issue of open source operating systems in a piece I wrote recently. How does the government solve this issue? Do you ban such systems - which include linux, a kernel that is present in billions of devices?Effective cyber security involves layered, multi-faceted approaches to defending networks. To ensure government agencies are able to obtain the most innovative, effective cyber security solutions, BSA recommends that acquisition rules and regulations should remain technology-neutral. Procurement policies should specify security objectives, but leave the technical approaches regarding how to best meet those objectives to vendors to decide.
In the context of procurement, there are also other steps that governments can take to enhance their overall cyber security:
Ensure the use of licensed software.The use of unlicensed software exposes enterprises and government agencies to heightened risks of malware infections and other security vulnerabilities. Because unlicensed software is less likely to receive critical security updates that would otherwise mitigate the risks associated with malware exposure, its use heightens the risk of harmful cyber security incidents. Unlicensed technology from untrusted sources may also contain embedded malware inserted by malicious actors. The adoption of transparent and verifiable software asset management (SAM) practices, based on international recognised standards, can help government agencies secure IT inventories by identifying uses of unlicensed software, which often remains unpatched and vulnerable, and take action to remediate it.
Ensure that software procured by the government is vendor-backed.As government agencies increasingly purchase and “consume” IT resources as online services, rather than as products, it becomes more imperative than ever that government agencies work with IT suppliers with a proven track record of offering robust and reliable support for their offerings. This recommendation should apply equally to all IT solutions, regardless of licensing or development model. Open-source technology can be integrated into government IT systems but, unless backed by vendor support to manage ongoing security patches and upgrades, such systems can introduce risk into government networks.
Leverage the security benefits of cloud services.Just as a bank can better protect the assets of its patrons than individuals can at home, cloud services providers can provide a level of protection for their customers’ digital assets that exceeds what most individual organisations can provide on their own.
Why doesn't the BSA undertake some education of government officials to understand exactly what can, and what cannot, be done?BSA is currently engaging with Australian Government officials on this proposed legislation. We’re committed to partnering with the Australian Government to participate in any industry and stakeholder groups, not only to assess the impact of the Bill, but also to help develop and deliver other enduring solutions to address the challenges of accessing evidence in the digital age.
Would you agree with the proposition that the encryption genie was let out of the bottle a long time and there is no way to stopper it again?There are no easy answers to the encryption debate, nor must there be winners and losers in this debate. Policymakers must recognise, however, that encryption is now a part of almost every service or device we use to live our lives online. Every day, often without us even being aware of it, encryption keeps our personal data private and secure. Encryption is a vault that secures our personal information that is held by businesses and government agencies. It is a lock that prevents identity thieves from stealing our information when we log on to our bank accounts. It is an extra layer of security to safeguard our critical infrastructures. And it is a secure envelope that keeps hackers from reading our personal communications.
Anything else you would like to raise?BSA recommends a deepening collaboration between government, private industry, and law enforcement based on the principles BSA developed which can generate practical and impactful solutions to the challenges facing law enforcement. BSA therefore welcomes the opportunity to bring an industry perspective on the Bill and strongly urges continued engagement between government, policy-makers, and industry to find a solution that balances the legitimate rights, needs, and responsibilities of governments, citizens, providers of critical infrastructure, third-party stewards of data, and innovators.