On Dec. 6, Australia passed a surprising law with a global impact on privacy. The new law requires any Australian company to build backdoors to encrypted data and communications when instructed to do so by the government, while also requiring secrecy about the existence of such surveillance capabilities from individuals and enterprise customers. Because customers cannot verify whether their encryption has been compromised, the law presents many technical threats and introduces international regulatory compliance challenges as well.
This law also requires individual technologists to obey surveillance commands in silence on threat of up to 10 years of imprisonment (Section 64A), effectively conscripting every Australian civilian technology employee as a spy resource for government surveillance. If you’re thinking a warrant canary might bypass the secrecy order, the Australian government was one step ahead, banning organizations from making any public reference to the “existence or non-existence of such a warrant” in 2015. Like the anti-encryption law, disclosing any information about warrants, even the lack of a warrant, carries a personal liability of imprisonment for two years.
While most software development life cycles have security controls that would prevent a single employee from quietly compromising an application’s security, a company’s upper management could be forced to bypass these controls to implement weak encryption or insecure access without disclosing it to end users or customers. It seems the organization would also be compelled to falsify information that might disclose this action during an audit. What does this mean for international customers of Australian software platforms and applications?
Australian sub-processors under the GDPR
Let’s consider PagerDuty, a digital operations management solution from Australia. This service provides communications for security incident response, analytics, on-call support and management, alerts and other critical operations functions. Currently, PagerDuty customers rely on the system’s end-to-end encryption to secure their sensitive system data. How many security and IT managers want the Australian government potentially observing communications about infrastructure vulnerabilities and incident response during a data breach? Even if the authorized legal authorities don’t abuse this information, what are the risks that a government backdoor would be discovered and quietly exploited by another attacker?
Atlassian, well known for development applications such as Jira and Confluence, offers functionality similar to PagerDuty with applications such as Opsgenie and the Jira product suite. Many companies use Confluence or HipChat for confidential internal communications, sometimes including information about their enterprise customers’ implementations and secure environments. Atlassian’s CI/CD solution, Bamboo, could house the entirety of an organization’s code and software intellectual property. Could a Bitbucket repository’s security be compromised by a backdoor in one of the integrated communication tools? How would you know if it was, or be certain that it wasn’t?
Evaluating the risk
Since any surveillance or mandated security weakness would be secret, no customer can be fully assured that data storage or communications on an Australian software platform are truly secure. Even removing public security and encryption claims from the company website may constitute a disclosure of the surveillance. A compliance team tasked with reviewing sub-processors under the EU General Data Protection Regulation could be understandably confused by the implications of contracting with an Australian software vendor. Without the ability to believe the answers provided on a vendor questionnaire or perhaps even the assurances of contracted security commitments regarding encryption, how does an EU data controller under the GDPR evaluate an Australian sub-processor?
At this point, there are many questions and few answers. It’s unclear what would happen if the EU’s personal data protection regulations ever came into conflict with Australia’s burgeoning anti-encryption stance and antagonism toward data privacy, and Australia could still revise the law or make important clarifications that would preserve individual privacy and communications encryption. European and multinational organizations would be wise to at least identify vendors headquartered or operating in Australia and watch for any further news about the effects of this law.