ThoughtWorks raises anti-encryption compo as distrust swirls

ThoughtWorks Australia has asked the government to set aside funds to compensate companies for reputational damage they might suffer in the wake of anti-encryption laws.

The software maker and consultancy, which has worldwide operations including 300 people locally, added its voice [pdf] to the chorus of industry and citizen dissent surrounding the laws rushed through late last year.

ThoughtWorks said the laws had resulted in “unprecedented unanimity among the business, academic, and civil society sectors”, and sought - as other industry players have - for the entire thing to be repealed.

However, as others have done, ThoughtWorks also offered several areas for improvement in the event that the political will to repeal the laws entirely was absent.

One of the more contentious points raised by ThoughtWorks is who ends up shouldering financial losses that the laws might cause.

ThoughtWorks suggested that provisions be added to compensate companies for damage they might face from having forced cooperation with law enforcement exposed.

“There is no recognition that while companies can be compensated for work done, there is no provision for compensation for damage of reputation and standing of products and services that may be perceived as broken by the market,” the company said.

ASX-listed Senetas, along with firms like FastMail and Mozilla, have already complained of dull sales and renewals after the laws passed, as customers are no longer sure they can trust software developed in Australia.

ThoughtWorks said that fears could be well-founded, since “the potential outcome [of the laws] in terms of digital security is devastating.”

“Breaking a secure system for one person necessarily makes it insecure for everyone who uses it,” the company said.

“If one device is rendered insecure, for example, by a surveillance mechanism applied by a software author or a government, all users of that kind of device should, from that point, consider it vulnerable.”

ThoughtWorks said it rejected assertions by the government that the laws were not intended to break encryption.

“Whilst the Assistance and Access Act may not explicitly mandate the breaking of cryptographic algorithms, it requires tech companies to compromise/break the security of their systems and their users’ data,” the company said.

Overall, ThoughtWorks branded the laws as “being among the worst examples of policy making we have witnessed”.

“Shortcomings include: inadequate consultation with stakeholders; inordinate haste in passage through the parliament, with 67 pages of quickly-drafted amendments passed without debate on the very day they were tabled; and a review of their implication occurring after the fact of Royal Assent.”

It called for judicial oversight as well as more independent assessors of any disputed attempts by law enforcement to gain access to devices or services.

ThoughtWorks also sought a better definition of what constitutes a systemic weakness or vulnerability being introduced to a product or service, given this is a key part of determining what may or may not be permissible.

Additionally, ThoughtWorks believed the laws should not apply to less serious offences.