Salesforce and Kaspersky have raised concerns that the government’s proposed decryption bill could undermine user trust in their products.
The vendors’ opinions on the bill are among the first to come from beyond industry bodies or lobby groups. They support the contention that the proposed law could have striking unintended consequences: it would give Australian intelligence agencies wide-ranging powers that would compel anyone involved in the end-to-end delivery of a technology product or service to undermine or weaken the security of their product.
Kaspersky said in a submission [pdf] published yesterday that, “looking from a business perspective, the bill may undermine the confidence of law-abiding consumers in software products and software companies.”
The security vendor worried that it would be asked to do “technically impossible” things to its anti-virus and malware detection solutions, or be obliged “to provide decryption keys and access to data” which would “undermine users’ confidence in the most essential software products.”
Kaspersky said that weaknesses would also be “downright impossible” to conceal.
“Under Kaspersky Lab’s Global Transparency Initiative, software updates will be reviewed by an independent third party in Switzerland to verify the integrity of our products and limit the ability to implement undocumented functionality in our products,” it said.
“Hence an attempt to stop a release of updates for specific systems or adding new hidden functionalities under a technical capability notice will likely be discovered, putting [the] company’s employees at risk of imprisonment” under the proposed Australian laws.
Software-as-a-service provider Salesforce was also worried that “consumer trust in digital technologies, service providers, and government” could be undermined if the decryption laws are passed.
“Customer trust is our number one value,” Salesforce said [pdf].
“Our success depends on the delivery of reliable services to our customers in Australia, and around the globe.”
Salesforce joined the Law Council of Australia in seeking judicial oversight of the proposed regime. There are live concerns that too much power is being considered for intelligence agencies, with no recourse for anyone impacted by their decisions.
Salesforce also wanted to see specific provisions that protected source code that might have to be shared with agencies under the regime.
Telstra has raised similar concerns about having its inner workings exposed or breached by having to share this data with more parties.
Both Kaspersky and Salesforce were also critical of the reach of the decryption bill to territories beyond Australia.
However, as both made submissions based on an earlier form of the proposed bill, some limitations have since been introduced that would prevent companies doing things in foreign countries that broke those countries’ laws.