Apple has laid out some of the ways it could be forced to spy on its customers if the decryption bill before Australian parliament passes into law.
The bill “could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well," Apple said in a parliamentary submission [pdf].
In addition, Apple said it was “deeply concerned that the government may seek to force providers to provide real-time interception of messages or internet-based audio or video calls should the law pass in its current form.”
“All of these capabilities should be as alarming to every Australian as they are to us,” Apple said.
Gateways to corporations, critical infrastructure
Apple warned the government that devices and services were not just gateways to personal data that could be useful to law enforcement investigations.
The computer giant said the decryption laws carried a “profound risk of making criminals’ jobs easier, not harder”.
That is, while law enforcement agencies might solve one crime by weakening security, there is a high chance the weakness will be spotted and exploited by others.
“The devices you carry not only contain personal emails, health information and photos but are also conduits to corporations, infrastructure and other critical services,” Apple said.
“Vital infrastructure - like power grids and transportation hubs - become more vulnerable when individual devices get hacked.
“Criminals and terrorists who want to infiltrate systems and disrupt sensitive networks may start their attacks by accessing just one person’s smartphone.
“In the face of these threats, this is no time to weaken encryption.”
The numbers don’t stack up
Critics of the decryption bill are worried about the number of requests and notices that law enforcement agencies will bombard communications providers with, should the bill become law.
Apple revealed that, even without these laws, it has “processed over 26,000 requests from Australian law enforcement agencies for information to help investigate, prevent and solve crimes” in the past five years alone.
It does not indicate what would happen to the number of requests should the bill pass; however, the government’s own overseer of intelligence agencies is worried the number of requests and notices could border on “oppression”.
Apple said it had “conducted extensive law enforcement training in Australia last month” in a bid to
“help law enforcement officers understand how they can obtain information from Apple consistent with our legal guidelines”.
“Like we have always done, we will continue to work with Australian authorities in connection with lawful investigations,” it said.
One-off weaknesses a ‘false premise’
The bill requires organisations ranging from technology companies and service providers to website operators to do whatever it takes to bypass security protections, but on a "one-off" and not a “systemic” basis.
Apple branded the intentions “a false premise”.
“Encryption is simply math,” it said.
“Any process that weakens the mathematical models that protect user data for anyone will by extension weaken the protections for everyone.
“It would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat.”
Law remains dangerous
Apple said that the the draft legislation “remains dangerously ambiguous with respect to encryption and security.”
The bill text continues to prevent the creation of “systemic vulnerabilities or weaknesses” at the behest of Australian law enforcement, without defining the term.
“Without clearly defined parameters, we see no reason why the government could not seek to prevent particular users from receiving general security updates or prohibit providers from fixing mere security flaws that impact large numbers of customers but that may not qualify as ‘systemic’ in the government’s eyes,” Apple said.
It complained about the lack of pre-judicial review of technical assistance and technical capability notices being issued, and the vague court options available to providers that want to fight them.
Home Affairs provided some extra detail on this last week, though much of that detail is not reflected in the bill text, and indicated the government had no intention of allowing much legal oversight for fear of slowing down access to encrypted data.
Apple said that the bill put too much power in the hands of government to decide what was “reasonable”, “proportionate” or “practical” in any given circumstance.
“The bill still gives undue weight to the government’s interpretation of the law’s terms and the technical facts,” Apple said.
“For instance, if the government believes that a particular measure is reasonable and proportionate, it would matter little that a wide swath of security experts and technology companies believe it to be dangerous and irresponsible.”