Amazon blasts Australia's "technically flawed" anti-encryption laws

Amazon has criticised Australia’s anti-encryption laws for forcing technology companies to weaken their security, suggesting that protections against systemic weaknesses or vulnerabilities are “technically flawed”.

The e-commerce and cloud computing giant has also warned a lack of balance between the needs of law enforcement and national security agencies and consumers could “reduce consumer trust in technology”.

In its submission [pdf] to the latest review of the Assistance and Access Act (AA Act), Amazon broadsides so-called protections afforded in the law to prohibit the creation of systemic weaknesses or vulnerabilities.

“The Act has provided new powers for law enforcement and security agencies that could be used to order technology providers to create or install new ways to access secure systems and data,” Amazon said.

“Each of these ways of access would constitute a security vulnerability.”

“The underlying assumption of the Act, that a security vulnerability can be created for a targeted technology without creating a systematic weakness or vulnerability, is technically flawed.

“Data cannot be made more secure by introducing any security into a technology system.”

The company said that despite legislation explicitly banning agencies the introduction of systemic weakness or vulnerabilities “into a form of electronic protection”, the definition meant agencies could still require providers to create vulnerabilities elsewhere.

“A technology provider can be required to install or maintain any software or equipment, or to implement or build systemic weaknesses or vulnerabilities into any other component of a network, system, product or service,” Amazon said.

Home Affairs insists that if any industry assistance power genuinely does create either a systemic weakness or vulnerability in a device or network, providers “will not be required to meet those obligations”.

Amazon wants the legislation amended so that the term “systemic” is deleted from the legislation and replaced with an exhaustive list in line with the recommendations of the Parliamentary Joint Committee on Intelligence & Security (PJCIS). 

It said this would ensure “that a notice cannot require a technology provider to implement or build a weakness or vulnerability into a network, system, product or service”.

“Deliberately creating for one party a means of access to otherwise secure data will create weaknesses and vulnerabilities that, regardless of any good intentions, creates the opportunity for other actors – including malicious ones – to access that same data,” Amazon said.

“Simply stated, if anyone creates a vulnerability in a technology that allows access to otherwise secure data then that vulnerability is capable of being exploited by another party with the knowledge and means to do so.”

Amazon also used its submission to suggested that the hastily introduced law had altered the balance between the rights of law enforcement and consumers to such an extent that it risked reducing consumer trust in technology.

“[The AA Act] alters the balance between law enforcement needs to access readable data and the right of technology users to expect that the products and services they use are free from interference,” the company said.

Amazon has called on the government to balance the law by introducing measures that can “establish public confidence and trust in the use of those powers”. These include altering the legislation so that only an independent judicial offer can issue a notice.

“Amazon acknowledges that there is no simple solution to the security of data dilemma faced by law enforcement and security agencies,” it said.

“Any law however that puts the data of Australians at greater risk and reduces trust in technology is not the answer.”