Amazon Web Services has called on the government to ban any action that would result in systemic weaknesses or vulnerabilities under its proposed online account takeover powers for authorities.
The concerns centre on similarities between the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 and the government’s controversial encryption-busting laws, legislated in late 2018.
The new bill, introduced to parliament in December, will allow the Australian Federal Police to take control of a person’s online account to gather evidence about serious offences, as well as add, copy, delete or alter data material.
In its submission [pdf] to a parliamentary joint committee (PJCIS) review, AWS said the bill was a “significant departure” from existing warrants available to law enforcement, allowing officers to “effectively stand in the (online) shoes of persons suspected of engaging in potential criminal activity”.
It said that the “elevated risk to the liberty and privacy of citizens whose online accounts are impacted by law enforcement activities” would require law enforcement officers to take extra care.
“The warrants will necessitate an increased responsibility on the relevant law enforcement agencies to act with care and propriety, and their use should be appropriately circumscribed by proportionate checks and balances,” the company said.
This is particularly the case for any data relating to online accounts “provided from a cloud computing service as those computers and accounts could be servicing potentially thousands or millions of entities.”
AWS is concerned that, as with the Assistance and Access Act, electronic service providers or designated communications providers may be required to take actions that undermine the security protections put in place to protect customer data.
“As the committee would be aware, AWS expressed reservations in 2018 that provisions of the Assistance and Access Act… could require actions that have the potential to make technology systems less secure,” it said.
“Chief among our concerns was the possibility that technology providers may be required to take actions that would defeat security protections provided to customers in a way that would systematically undermine the very purpose of those protections.
“In response to these concerns, the government included in the Assistance and Access Act provisions that listed matters that decision makers had to consider when determining whether notices seeking industry assistance under that Act were reasonable and proportionate.”
In order to address these concerns, AWS has asked the government to amend the bill so that “technical feasibility” is an “express consideration for those issuing warrants”, much like it did with the Assistance and Access Act.
“Given the purpose of the warrants proposed in the Bill, AWS further submits that a relevant consideration for an issuing authority should be whether what is proposed by the law enforcement applicant is in all the circumstances technically feasible,” it said.
“This would require the applicant to make a case to the issuing authority as to how they propose, in particular, to disrupt data or take over an online account. Warrants should not allow technical fishing expeditions that put at risk third parties.”
AWS has also recommended the bill be amended to prohibit warrants that “require a person to implement or build a systemic weakness into a form of electronic protection; or prevent a person from rectifying a systemic weakness”.
“AWS submits that the execution of the warrants proposed in the bill should not result in the introduction of systemic weaknesses or vulnerabilities into any form of electronic protection of data implemented in a technology provider’s systems,” it said.
AWS also raised concerns with the bill allowing Australian Federal Police (AFP) or Australian Criminal Intelligence Commission (ACIC) officers to require a “specific person to provide information or assistance to enable the execution of warrants”, which it said was “highly problematic and most unlikely” for a cloud services provider.
“As drafted, the bill does not provide, in our view, sufficient protection for individual employees of technology providers such as cloud services, and creates an assistance regime that is different from that specified for technology providers under the Assistance and Access Act,” it said.
“The bill enables law enforcement to seek an assistance order requiring a specified person to provide any information or assistance that is reasonable and necessary to execute the warrant.
“A specified person includes an employee of the owner or lessee of the computer, or a person engaged under a contract for services by the owner or lessee of the computer, or a person who is or was a system administrator for the system including the computer.
“These definitions could include employees of a cloud service provider.”
AWS also wants provisions introduced into the bill to protect third parties from liability for providing assistance in good faith to law enforcement officers executing a warrant, though it recognises the “difficulties in framing an appropriately narrow immunity for warrants”.
It has similarly recommended amendments to the Surveillance Devices Act and Telecommunications Act to ensure only judges have the power to issue data disruption and network activity warrants.