Mozilla may treat Aussie staff as 'insider threats' to code base

Mozilla - maker of the Firefox browser - and hosted email provider FastMail are worried that individual employees will be put in untenable positions by law enforcement exercising new anti-encryption laws.

In separate submissions to a senate inquiry examining the now-passed laws, the two technology companies raised concerns about how they could trust their workers.

Both Mozilla [pdf] and FastMail [pdf] worry that individual employees could be targeted by law enforcement to make secret changes to systems.

The employee would then be under secrecy provisions that prevented them from even informing their own employer about what they had done.

Mozilla warned that if the laws weren’t clarified, that it may need to treat any Australian workers as potentially “insider threats” to its code base.

“Serving an order on an individual employee rather than a provider itself would fail to allow a provider to avail itself fully of the protections afforded under this legislation in regards to consultations, assessments, and legal challenges,” Mozilla said.

“Further, this potential would force providers to treat Australia-based employees as potential insider threats, introducing another vector for compromise that could undermine trust in critical products and incentivising companies to move critical roles to other localities.”

FastMail, which is based in Australia, said its staff had already “expressed concerns that they may be forced to attempt to secretly add backdoors or security holes in our services - actions that would be just cause for dismissal - and be unable to tell us why they have made these changes.”

CEO Bron Gondwana believed that organisations - rather than individuals - were most likely to be targeted. Still, he said, it would be nice if the laws reflected that, if indeed it is the intent.

“By far the biggest concern for our staff is that they would inadvertently leak information about a capability that we had built in response to a [law enforcement notice], possibly not even knowing that it was built for [that purpose],” he said.

“Any secret capability only known to some people causes “bus factor” headaches for management and is more likely to lead to process breakdowns and a lack of trust within teams.”

Gondwana said he was not only concerned about staff at his immediate organisation.

“This is not just a matter of looking after our own staff’s mental health, it also makes it harder for Australians looking to work for overseas companies if there is any risk that they will be compelled to act against their employer’s interests,” he said.

Mozilla said that secrecy “should not be the default” in any case that law enforcement demands a “capability” be built into someone’s products or services.

“The government should have to periodically justify to the court why the continuation of a restriction on disclosure is warranted, and all orders should become public eventually,” Mozilla said.

The browser maker cited the 2016 San Bernardino iPhone cracking case as an important example of why surveillance capability discussions should play out in public.

It warned that secrecy provisions in Australia’s laws “effectively prohibits the much-needed conversation about the appropriate limits of government surveillance as well as use of exploits that undermine the security of internet users, products, and services.”

Mozilla also sought, among other things, the addition of judicial approvals and a better definition of what constitutes “systemic weaknesses and vulnerabilities”, a key term that is still poorly-defined in the laws.

However, it said that changes to the laws should only be a reserve option, undertaken in the absence of political will to kill the laws entirely.

Mozilla said that it did “not believe that this law should have been passed in the first place”.

“We believe the best possible path is to repeal this legislation in its entirety and begin afresh with a proper, public consultation,” it said.

“This law represents an unprecedented and unchecked threat to the privacy and security of users in Australia and abroad.