Credit: Dreamstime
Mozilla, the developers of the Firefox browser, has called the Assistance and Access Bill intentionally vague on the "form and extent of what might be compelled by a TCN".
Mozilla is one of the many technology companies to make a submission to the parliamentary inquiry into the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018.
A Technical Capability Notice (TCN) is one of three powers proposed by the Bill, which also includes Technical Assistance Request (TAR) and Technical Assistance Notice (TAN).
A TAR provides a framework for making requests of communications providers, including provisions that indemnify providers that voluntarily assist agencies. A TAN allows agencies to compel communications providers to provide assistance, if they are able.
Meanwhile, the TCN can only be exercised by the Attorney-General and compels communications providers to develop new capabilities in anticipation of a future TAR or TAN.
"The bill as it stands does not provide sufficient limitations on the scope of potential requests to mitigate the challenges associated with these new powers," Mozilla wrote.
According to Mozilla, some sections provide a loose description of areas that need consideration.
"The bill is intentionally vague on the form and extent of what might be compelled by a TCN, so it is difficult to say what kinds of capabilities might be requested," the company added, via a submission.
"We wish to emphasise that an under-specified authority to impose technical capabilities onto a software vendor not only introduces substantive problems through insufficient clarity, but also fails to provide certainty for both users and developers of technology."
Furthermore, Mozilla said that a TCN is an international introduction of a security vulnerability.
The web browser developer showed concerns over the lack of opportunities to challenge requests the Bill proposes and also over the built of systemic vulnerabilities.
"The key provision seeking to limit the widespread security risks of this bill is a prohibition on forcing companies to build a “systemic vulnerability” into their systems or to prevent them from rectifying a systemic vulnerability," the submission read.
"However, the term 'systemic' is not defined in the bill, leaving dangerous ambiguity that could be exploited by the government.
"The accompanying Explanatory Document provides some additional clarity but not confidence in stating that systemic vulnerabilities exclude “actions that weaken methods of encryption or authentication on a particular device."
Overall, Mozilla stated that a rush to enact the legislation as it stands could do harm to the internet.
"TCNs in particular present the government with capabilities that we don’t believe are appropriate, as well as being a significant risk to the security of the internet," the submission added. "The Bill as proposed represents a one-sided view, without adequate consideration for the broader and longer-term costs and repercussions of its implementation.
"Critical in evaluating risks and costs is the process by which the powers the bill grant agencies are safeguarded. The purposefully unclear definition of what can be requested, the secrecy provisions, and the lack of process and oversight are significant problems."
Mozilla went further saying that this bill will harm the ability of Australians and Australian companies to be competitive in the global industry created by the internet.
"We recognise that information exchanged using Internet-based services can be critical to investigation and prosecution of crime, and the role that this plays in protecting society," the submission said.
"Yet, as proposed, the bill provides powers that represent a real risk of harm to the internet and additionally does not provide proper safeguards around the new powers it defines. We ask Australia to join us in strengthening the security of the Internet, not weaken it."
The Bill was introduced into the House of Representatives on 20 September and referred to the Committee for inquiry and report by the Attorney-General. An initial public hearing is expected to be held on 19 October 2018.
