Published on the 16/10/2018 | Written by Pat Pilcher
Are Apple’s objections valid? Or do they just have the pip?
Apple’s strong views on encrypting devices are well known and have seen them challenging 11 court orders to unlock i-devices. Now it appears they are taking exception to the soon-to-be-law Access and Assistance bill. In a submission to the Australian government, Apple argues the bill could weaken digital security, making criminals harder to catch.
The objections expressed by Apple run counter to the concerns circulated by the Australian government, which claims that encryption is helping criminals avoid capture by masking their communications and keeping their data away from investigators.
Apple says that encryption strengthens consumer protection from cybercriminals and terrorists, as it makes devices such as iPhones and iPads significantly less vulnerable to malicious activities that could see criminals accessing personal and financial data and public/corporate infrastructure. Given the recent spate of hacks at Facebook and more recently Google, there may be some validity to their argument.
In their submission, Apple says “The devices you carry not only contain personal emails, health information and photos but are also conduits to corporations, infrastructure and other critical services… In the face of these threats, this is no time to weaken encryption. There is a profound risk of making criminals’ jobs easier, not harder. Increasingly stronger – not weaker – encryption is the best way to protect against these threats.”
The Access and Assistance bill aims to increase the capabilities of Australian law enforcement and intelligence agencies to access encrypted information. It also proposes that there be new computer access warrants enabling law enforcement agencies to covertly obtain evidence in the form of data directly from a device. The bill also seeks to bolster powers for law enforcement agencies to access data using search and seizure warrants.
The issues highlighted by Apple stem from concerns that subpoenas could require companies like Apple to bypass or weaken encryption, install backdoors and other measures to provide easier access to encrypted on-device and cloud-stored data.
While Apple has expressed concerns around the bill, they have also been careful not to condemn it. They do, however, specifically say: “We appreciate the government’s outreach to Apple and other companies during the drafting of this bill. While we are pleased that some of the suggestions incorporated improve the legislation, the unfortunate fact is that the draft legislation remains dangerously ambiguous with respect to encryption and security. We encourage the government to stand by their stated intention not to weaken encryption or compel providers to build systemic weaknesses into their products. Due to the breadth and vagueness of the bill’s authorities, coupled with ill-defined restrictions, that commitment is not currently being met.”
As reasonable as the objections in Apple’s submission sound, they could become a major headache for the Australian government in the future. Apple has already demonstrated their willingness to defend privacy and encryption, having gone to court in the US in 2016 over their refusal to unlock the San Bernardino shooter’s iPhone.
Once the Access and Assistance bill becomes law, it is possible that the government could find itself tied up in costly courtroom battles against Apple.
It wasn’t just Apple either. Digital rights activists Access Now expressed similar concerns. They said that “Schedule 1 of the Assistance and Access Bill creates new authorities that can be exercised broadly without appropriate legal standards or necessary safeguards. If exercised as written these authorities will have a deleterious impact on digital security while actually increasing the potential for criminal activity.”
The Inspector General of Intelligence and Security (IGIS) also weighed in, citing concerns around administering the complexities and compliance costs of implementing and managing the bill once it becomes law.
The inspectorate commented that: “The task of performing oversight of agency operations that involve multiple sources of legal authority (including multiple sources of immunities, coercive collection powers and intrusive covert collection powers) will be complex, particularly where choices exist about the sources of relevant powers and immunities. Further, as the immunities conferred on communications providers under the scheme will remove third party rights to recover damages or obtain other legal remedies in relation to loss or damage caused by acts done pursuant to notices and requests, this may be a new source of complaints to IGIS.”
While many of the submissions highlighted concerns around weakening encryption, the Department of Home Affairs says the bill is needed for reasons of practicality and economics. In their submission to the Parliamentary Joint Committee on Intelligence and Security inquiry into the bill, they argued that the bill is needed; otherwise, law enforcement agencies would be forced to use the costly services of third-party vendors known as ‘grey hats’ to access encrypted data.