Australia Releases A Pair Of New Technology Laws

The Morrison government continues to take the lead in technology policy with a new bill to expand surveillance powers.

With last month’s introduction of the “Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020”, the government in Canberra is once again pushing technology policy for the Five Eyes nations and others. However, in doing so, the Liberal–National Coalition is proposing a further incursion into protected and encrypted communications, apps, software, and hardware in the name of law enforcement. This new legislation follows a 2018 law that allows the Australian government to order technology companies to assist in decrypting and handing over communications. Under the new bill, some of Australia’s law enforcement agencies would be able to use new “data disruption warrants” to stop and interfere with online crimes. Additionally, agencies could use “network activity warrants” to surveil online criminal activity and may obtain “account takeover warrants” to seize online accounts to acquire evidence in the course of an investigation.

The new bill follows the “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” (TOLA), which was enacted in December 2018. In mid-2020, Australia’s Independent National Security Legislation Monitor (INSLM) issued its report on TOLA. The Parliamentary Joint Committee on Intelligence and Security had requested that the INSLM review the statute, and so INSLM engaged in a lengthy review, including input from the public. As explained in the report’s preface, the “INSLM independently reviews the operation, effectiveness and implications of national security and counter-terrorism laws; and considers whether the laws contain appropriate protections for individual rights, remain proportionate to terrorism or national security threats, and remain necessary.”

INSLM claimed:

In this report I reject the notion that there is a binary choice that must be made between the effectiveness of agencies’ surveillance powers in the digital age on the one hand and the security of the internet on the other. Rather, I conclude that what is necessary is a law which allows agencies to meet technological challenges, such as those caused by encryption, but in a proportionate way and with proper rights protection. Essentially this can be done by updating traditional safeguards to meet those same technological challenges – notably, those who are trusted to authorise intrusive search and surveillance powers must be able to understand the technological context in which those powers operate, and their consequences. If, but only if, the key recommendations I set out in this report in this regard are adopted, TOLA will be such a law.

INSLM stated “[t]he essential effects of TOLA are as follows:

a. Schedule 1 gives police and intelligence agencies new powers to agree or require significant industry assistance from communications providers.

b. Schedules 2, 3 and 4 update existing powers and, in some cases, extended them to new agencies.

c. Schedule 5 gives the Australian Security Intelligence Organisation (ASIO) significant new powers to seek and receive both voluntary and compulsory assistance.”

INSLM found:

  • In relation to Schedule 1, for the reasons set out in greater detail in the report, Technical Assistance Notice (TANs) and Technical Capability Notice (TCNs) should be authorised by a body which is independent of the issuing agency or government. These are powers designed to compel a Designated Communications Provider (DCP) to reveal private information or data of its customers and therefore the usual practice of independent authorisation should apply.
  • I am satisfied that the computer access warrant and associated powers conferred by Schedule 2 are both necessary and proportionate, subject to some amendments.
  • I am generally satisfied that the powers conferred by Schedules 3 and 4 are both necessary and proportionate, but there are some matters that should be addressed and further monitored.
  • I have concluded that Schedule 5 should be amended to limit its breadth and clarify its scope.

Moreover, as the Office of Australia’s Information Commissioner (OAIC) wrote of TOLA, “[t]he powers permitted under the Act have the potential to significantly weaken important privacy rights and protections under the Privacy Act…[and] [t]he encryption technology that can obscure criminal communications and pose a threat to national security is the same technology used by ordinary citizens to exercise their legitimate rights to privacy.”

The new “Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020” would “introduce new law enforcement powers to enhance the ability of the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to combat online serious crime,” according to the Explanatory Memorandum issued along with the legislation.

This policy justification is being offered for the legislation:

  • Cyber-enabled serious and organised crime, often enabled by the dark web and other anonymising technologies, such as bespoke encrypted devices for criminal use, present a direct challenge to community safety and the rule of law. For example, on the dark web criminals carry out their activities with a lower risk of identification and apprehension. Many anonymising technologies and criminal methodologies can be combined for cumulative effect, meaning it is technically difficult, and time and resource intensive, for law enforcement to take effective action. Just as online criminals are constantly changing their operations and reacting to new environments, the law must adapt in order to give law enforcement agencies effective powers of response.
  • Existing electronic surveillance powers, while useful for revealing many aspects of online criminality, are not suitably adapted to identifying and disrupting targets where those targets are actively seeking to obscure their identity and the scope of their activities. Without the critical first step of being able to identify potential offenders, investigations into serious and organised criminality can fall at the first hurdle. Being able to understand the networks that criminals are involved in and how they conduct their crimes is also a crucial step toward prosecution.

The memorandum contains the following high-level summary of the legislation:

  • This Bill addresses gaps in the legislative framework to better enable the AFP and the ACIC to collect intelligence, conduct investigations, disrupt and prosecute the most serious of crimes, including child abuse and exploitation, terrorism, the sale of illicit drugs, human trafficking, identity theft and fraud, assassinations, and the distribution of weapons.
  • The Bill contains the necessary safeguards, including oversight mechanisms and controls on the use of information, to ensure that the AFP and the ACIC use these powers in a targeted and proportionate manner to minimise the potential impact on legitimate users of online platforms.
  • The Bill introduces three new powers for the AFP and the ACIC. They are:
    • Data disruption warrants to enable the AFP and the ACIC to disrupt data by modifying, adding, copying or deleting in order to frustrate the commission of serious offences online
    • Network activity warrants to allow agencies to collect intelligence on serious criminal activity being conducted by criminal networks, and
    • Account takeover warrants to provide the AFP and the ACIC with the ability to take control of a person’s online account for the purposes of gathering evidence to further a criminal investigation.

However, in using the “data disruption warrant,” the activities of the AFP and ACIC would be “covert” and these agencies could conceal their activities. And while these powers would not be used solely for the purpose of collecting evidence, the agencies may collect evidence in the course of altering, disrupting, adding, or deleting information. It seems probable that as with agencies in other nations, there will be a blurring of this line and this sort of warrant will at some point be used predominantly for collecting evidence perhaps with a fig leaf of intending to change some of the information.

In the Explanatory Memorandum, the Coalition uses the hammer of online child sexual material to justify the expansion of the government’s powers:

The purpose of the data disruption warrant is to offer an alternative action to the AFP and the ACIC, where the usual circumstances of investigation leading to prosecution are not necessarily the option guaranteeing the most effective outcome. For example, removing content or altering access to content (such as child exploitation material), could prevent the continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities.

Of course, these materials are plaguing the victims, relatives, and investigators of these crimes, but it bears noting that the data disruption warrant appears not to be limited to those instances. For example, cyber-crime is a massive problem, and so would this warrant be issued for those collecting, amassing, and selling credit card numbers? How about advocacy organizations that may have information on covert Australian government activities Canberra does not want exposed?

Only “eligible” judges or a “nominated Administrative Appeals Tribunal (AAT) member” may issue a data disruption warrant on the basis of an officer’s reasonable grounds that:

  • one or more relevant offences are being, are about to be, or are likely to be, committed, and
  • those offences involve, or are likely to involve, data held in a computer, and
  • disruption of data held in the target computer is likely to substantially assist in frustrating the commission of one or more of the relevant offences previously specified that involve, or are likely to involve, data held in the target computer.

Likewise, for network activity warrants, the specter of online child sexual exploitation material is used to justify the establishment of a new criminal investigation power:

These warrants will be used to target criminal networks about which very little is known, for example where the AFP or the ACIC know that there is a group of persons using a particular online service or other electronic platform to carry out criminal activity but the details of that activity are unknown. Network activity warrants will allow agencies to target the activities of criminal networks to discover the scope of criminal offending and the identities of the people involved. For example, a group of people accessing a website hosting child exploitation material and making that material available for downloading or streaming, will be able to be targeted under a network activity warrant.

Consequently, this warrant is intended to defeat “anonymising technologies” used to mask the commission of crimes:

Network activity warrants will allow the AFP and the ACIC to access data in computers used, or likely to be used, by a criminal network over the life of the warrant. This means that data does not have to be stored on the devices, but can be temporarily linked, stored, or transited through them. This will ensure data that is unknown or unknowable at the time the warrant is issued can be discovered, including data held on devices that have disconnected from the network once the criminal activity has been carried out (for example, a person who disconnected from a website after downloading child exploitation material).

This seems to suggest this type of warrant would allow the AFP and ACIC to chase network activity, or really the data wherever it may go. Hence, if Microsoft is shuttling the data around the world data center to data center, and the AFP is holding such a warrant, it could follow these data legally from Sydney to Singapore to San Francisco.

The Coalition’s initial overview elided an aspect of this warrant that implicates encryption. Deeper in the Explanatory Memorandum, we learn:

The AFP and the ACIC will be authorised to add, copy, delete or alter data if necessary to access the relevant data to overcome security features like encryption. Data that is subject to some form of electronic protection may need to be copied and analysed before its relevancy or irrelevancy can be determined.

As a practical matter, this is how intelligence and law enforcement agencies around the world are taking on, and in most cases circumventing, encryption. But this pushes the debate over encryption into new territory, for if even more agencies in Australia are working to disable or defeat encryption, it may be foreseeable that commercial, widely used encryption methods will be further weakened. And, as seen with the hack of the Central Intelligence Agency’s hacking tools and exploits, it is often just a matter of time before methods to defeat security in online communications are exposed.

As with data disruption warrants, network activity warrants can only be issued by “eligible” judges or a nominated AAT member, and only where:

  • a group of individuals are engaging in or facilitating criminal activity constituting the commission of one or more relevant offences, and
  • access to data held in computers will substantially assist in the collection of intelligence about those criminal networks of individuals in respect of a matter that is relevant to the prevention, detection or frustration of one or more kinds of relevant offences.

While this warrant “will not be permitted to be used in evidence in criminal proceedings, other than for a breach of the secrecy provisions of the SD Act,” it “may, however, be the subject of derivative use, allowing it to be cited in an affidavit on application for another investigatory power, such as a computer access warrant or telecommunications interception warrant.” And so, information gathered pursuant to this type of warrant could be used for surveillance by Australia’s security services. And for this reason, the “Inspector-General of Intelligence and Security (IGIS) will have oversight responsibility for network activity warrants given their nature as an intelligence collection tool.”

The third warrant, the account takeover warrant, would “enable the AFP and the ACIC to take control of a person’s online account for the purposes of gathering evidence about serious offences.” Under current law, an account takeover may occur only with a person’s consent, and the unsaid implication is that a significant number of people and suspects are not willing to hand over control of their accounts. The threshold for obtaining this type of warrant seems lower as a “magistrate will need to be satisfied that there are reasonable grounds for suspicion that an account takeover is necessary for the purpose of enabling evidence to be obtained of a serious Commonwealth offence or a serious State offence that has a federal aspect.” What’s more, “[t]his power enables the action of taking control of the person’s account and locking the person out of the account.”

In a related development, the Department of Infrastructure, Transport, Regional Development, and Communications (Department) has published a draft “Online Safety Bill” for consultation and is accepting input until 14 February 2021. The bill would modify four existing statutes that aim to protect people online and introduce a new regulatory scheme.

The Department claimed in its press statement that the legislation would include:

  • The provisions in the Enhancing Online Safety Act 2015 (EOSA) that are working well to protect Australians from online harms, such as the image-based abuse scheme;
  • A set of core basic online safety expectations for social media services, relevant electronic services and designated internet services, clearly stating community expectations, with mandatory reporting requirements;
  • An enhanced cyberbullying scheme for Australian children to capture a range of online services, not just social media platforms;
  • A new cyber abuse scheme for Australian adults, to facilitate the removal of serious online abuse and harassment;
  • A modernised online content scheme, to replace the schemes in Schedules 5 and 7 of the Broadcasting Services Act 1992 (BSA). The Bill will create new classes of harmful online content and will reinvigorate out of date industry codes to address such content;
  • New abhorrent violent material blocking arrangements that allow the eSafety Commissioner to respond rapidly to an online crisis event such as the Christchurch terrorist attacks, by requesting internet service providers block access to sites hosting seriously harmful content; and
  • Consistent take-down requirements for image-based abuse, cyber abuse, cyberbullying and harmful online content, requiring online service providers to remove such material within 24 hours of receiving a notice from the eSafety Commissioner.

In a Reading Guide, the Department asserted “[t]he Bill proposes five schemes to deal with different types of harmful online material. Four already exist in law (but are being appropriately updated)…[and] [o]ne is new – the adult cyber abuse scheme:

  • Cyber-bullying Scheme – Provides for the removal of material that is harmful to Australian children. This scheme reflects the current regime in the Enhancing Online Safety Act (EOSA), however reduces the take-down time for such material from 48 hours to 24 hours and extends the scheme to more services.
  • Adult Cyber-abuse Scheme – Provides for the removal of material that seriously harms Australian adults. This scheme is new. It extends similar protections in the cyber-bullying scheme to adults, however with a higher threshold of ‘harm’ to reflect adults’ higher levels of resilience.
  • Image-based Abuse Scheme – Provides for the removal of intimate images shared without the depicted person’s consent. This scheme reflects the current regime in the EOSA, however reduces the take-down time for such material from 48 hours to 24 hours.
  • Online Content Scheme – Provides for the removal of harmful material in certain circumstances. This scheme reflects and simplifies the current regime in Schedules 5 and 7 of the BSA, with some clarifications of material and providers of services captured by the scheme, and extending the eSafety Commissioner’s take-down powers for some material to international services in some circumstances.
  • Abhorrent Violent Material Blocking Scheme – Provides for the blocking of abhorrent violent material, such as images or video of terrorist attacks. This scheme is new, but mirrors existing legislation in the Criminal Code Act 1995 (the Criminal Code).”

Not surprisingly, under the bill, providers of online services and materials will have increased obligations. The Department stated “[t]he Basic Online Safety Expectations (BOSE) framework is an enhancement of the basic online safety requirements, coupled with new powers for the eSafety Commissioner to require service providers to report on compliance with the BOSE.” The Department explained that BOSE “will include, in legislation, core expectations that:

  • End-users are able to access services in a safe manner;
  • The extent of harmful material is minimized;
  • Technological or other measures are in effect to prevent access by children to class 2 materials; and
  • There are clear and readily identifiable mechanisms that enable end-users to report and make complaints about harmful material.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


Five Eyes Again Lean On Tech About Encryption

In the latest demand, the usual suspects are joined by two new nations in urging tech to stop using default encryption and to essentially build backdoors.

The Five Eyes (FVEY) intelligence alliance plus two Asian nations have released an “International Statement: End-To-End Encryption and Public Safety,” which represents the latest FVEY salvo in their campaign against technology companies using default end-to-end encryption. Again, the FVEY nations are casting the issues presented by encryption through the prism of child sexual abuse, terrorism, and other horrible crimes in order to keep technology companies on their proverbial policy backfoot. For, after all, how can the reasonable tech CEO argue for encryption when it is being used to commit and cover up unspeakable crimes?

However, in a sign that technology companies may be facing a growing playing field, India and Japan joined the FVEY in this statement; whether this is a result of the recent Quadrilateral Security Dialogue is unclear, but it seems a fair assumption given that two of the FVEY nations, the United States and Australia, make up the other two members of the Quad. And, of course, the United Kingdom, Canada, and New Zealand are the three other members of the FVEY.

In the body of the statement, FVEY, Japan, and India asserted:

  • We, the undersigned, support strong encryption, which plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cyber security. It also serves a vital purpose in repressive states to protect journalists, human rights defenders and other vulnerable people, as stated in the 2017 resolution of the UN Human Rights Council. Encryption is an existential anchor of trust in the digital world and we do not support counter-productive and dangerous approaches that would materially weaken or limit security systems.
  • Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children. We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content. We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions:
    • Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
    • Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
    • Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.

So, on the one hand, these nations recognize the indispensable role encryption plays in modern communications and in the fight against authoritarian regimes and “do not support counter-productive and dangerous approaches that would materially weaken or limit security systems.” But, on the other hand, “[p]articular implementations of encryption technology” is putting children at risk and letting terrorism thrive. Elsewhere in the statement we learn that the implementation in question is “[e]nd-to-end encryption that precludes lawful access to the content of communications in any circumstances.”

And so these nations want companies like Facebook, Apple, Google, and others to take certain steps that would presumably maintain strong encryption but would allow access to certain communications for law enforcement purposes. These nations propose “[e]mbed[ding] the safety of the public in system designs,” which is a nice phrase and wonderful rhetoric, but what does this mean practically? Companies should not use default encryption? Perhaps. But let’s be honest about the second order effects if American tech companies dispensed with default encryption. Sophisticated criminals and terrorists understand encryption and will still choose to encrypt their devices, apps, and communications; in this scenario the devices and apps would simply no longer be encrypted by default, so people would have to go to the time and trouble of figuring out how to do this themselves. To be fair, neophyte and careless criminals and terrorists may not know to do so, and their communications would be fairly easy to acquire.

Another likely second order effect is that apps and software offering very hard to break encryption will no longer be made or legally offered in FVEY nations. Consequently, the enterprising individual interested in encryption that cannot be broken or tapped by governments will seek and likely find such technology through a variety of means produced in other countries. It is unlikely encryption will get put back in the bottle because FVEY and friends want it so.

Moreover, given the current technological landscape, the larger point here is that building backdoors into encryption or weakening encryption puts legitimate, desirable communications, activities, and transactions at greater risk of being intercepted. Why would this be so? Because it would take less effort and computing power to crack a weaker encryption key.

But, sure, a world in which my midnight snacking does not lead to weight gain would be amazing. And so it is with the FVEY’s call for strong encryption they could essentially defeat as needed. Eventually, the keys, technology, or means would be leaked or stolen as has happened time and time again. Most recently, there was a massive exfiltration of the Central Intelligence Agency’s (CIA) Vault 7 hacking tools and sources and methods. It would only be a matter of time before the tools to defeat encryption were stolen or compromised.

Perhaps there is a conceptual framework or technology that would achieve the FVEY’s goal, but, at present, it will entail tradeoffs that will make people less secure in their online communications. And, in the defense of the FVEY, they are proposing to “[e]ngage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.” Again, very nice phraseology that does not tell us much.

Of course, the FVEY nations are calling for access under proper authorization. However, in the U.S. that might not even entail an adversarial process in a court, for under the Foreign Intelligence Surveillance Act (FISA), there is no such process in the secret proceedings. Additionally, in the same vein, the phrase “subject to strong safeguards and oversight” is downright comical if the U.S. system is to be the template given the range of shortcomings and failures of national security agencies in meeting U.S. law relating to surveillance.

The FVEY, Japan, and India conclude with:

We are committed to working with industry to develop reasonable proposals that will allow technology companies and governments to protect the public and their privacy, defend cyber security and human rights and support technological innovation. While this statement focuses on the challenges posed by end-to-end encryption, that commitment applies across the range of encrypted services available, including device encryption, custom encrypted applications and encryption across integrated platforms. We reiterate that data protection, respect for privacy and the importance of encryption as technology changes and global Internet standards are developed remain at the forefront of each state’s legal framework. However, we challenge the assertion that public safety cannot be protected without compromising privacy or cyber security. We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.

More having one’s cake and eating it, too. They think strong encryption is possible with the means of accessing encrypted communications related to crimes. This seems to be contrary to expert opinion on the matter.

As mentioned, this is not the FVEY’s first attempt to press technology companies. In October 2019, the U.S., the UK, and Australia sent a letter to Facebook CEO Mark Zuckerberg “to request that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.” These governments claimed “[w]e support strong encryption…[and] respect promises made by technology companies to protect users’ data…[but] “[w]e must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity.” The officials asserted that “[c]ompanies should not deliberately design their systems to preclude any form of access to content, even for preventing or investigating the most serious crimes.”

In summer 2019 the FVEY issued a communique in which it urged technology companies “to include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.” Interestingly, at that time, these nations lauded Facebook for “approaches like Mark Zuckerberg’s public commitment to consulting Governments on Facebook’s recent proposals to apply end-to-end encryption to its messaging services…[and] [t]hese engagements must be substantive and genuinely influence design decisions.” It begs the question of what, if anything, changed between the issuance of this communique and the recent letter to Zuckerberg. In any event, this communique followed the Five Eyes 2018 “Statement of Principles on Access to Evidence and Encryption,” which articulated these nations’ commitment to working with technology companies to address encryption and the need for law enforcement agencies to meet their public safety and protection obligations.

In Facebook’s December 2019 response, Facebook Vice President and WhatsApp Head Will Cathcart and Facebook Vice President and Messenger Head Stan Chudnovsky stated “[c]ybersecurity experts have repeatedly proven that when you weaken any part of an encrypted system, you weaken it for everyone, everywhere…[and] [t]he ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm.”

Moreover, one of the FVEY nations has enacted a law that could result in orders to technology companies to decrypt encrypted communications. In December 2018, Australia enacted the “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” (TOLA). As the Office of Australia’s Information Commissioner (OAIC) wrote of TOLA, “[t]he powers permitted under the Act have the potential to significantly weaken important privacy rights and protections under the Privacy Act…[and] [t]he encryption technology that can obscure criminal communications and pose a threat to national security is the same technology used by ordinary citizens to exercise their legitimate rights to privacy.”

This past summer, Australia’s Independent National Security Legislation Monitor (INSLM) issued its report on “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” (TOLA). The Parliamentary Joint Committee on Intelligence and Security had requested that the INSLM review the statute, and so INSLM engaged in a lengthy review, including input from the public. As explained in the report’s preface, the “INSLM independently reviews the operation, effectiveness and implications of national security and counter-terrorism laws; and considers whether the laws contain appropriate protections for individual rights, remain proportionate to terrorism or national security threats, and remain necessary.”

INSLM claimed

In this report I reject the notion that there is a binary choice that must be made between the effectiveness of agencies’ surveillance powers in the digital age on the one hand and the security of the internet on the other. Rather, I conclude that what is necessary is a law which allows agencies to meet technological challenges, such as those caused by encryption, but in a proportionate way and with proper rights protection. Essentially this can be done by updating traditional safeguards to meet those same technological challenges – notably, those who are trusted to authorise intrusive search and surveillance powers must be able to understand the technological context in which those powers operate, and their consequences. If, but only if, the key recommendations I set out in this report in this regard are adopted, TOLA will be such a law.

The European Union may have a different view, however. In a response to a letter from a Member of the European Parliament, the European Data Protection Board (EDPB) articulated its view that any nation that implements an “encryption ban” would endanger its compliance with the General Data Protection Regulation (GDPR) and could result in companies domiciled in those countries being unable to transfer and process the personal data of EU citizens. However, as always, it bears noting that the EDPB’s view may not carry the day with the European Commission, Parliament, and courts.

The EDPB stated

Any ban on encryption or provisions weakening encryption would undermine the GDPR obligations on the concerned controllers and processors for an effective implementation of both data protection principles and the appropriate technical and organisational measures. Similar considerations apply to transfers to controllers or processors in any third countries adopting such bans or provisions. Security measures are therefore specifically mentioned among the elements the European Commission must take into account when assessing the adequacy of the level of protection in a third country. In the absence of such a decision, transfers are subject to appropriate safeguards or may be based on derogations; in any case the security of the personal data has to be ensured at all times.

The EDPB opined “that any encryption ban would seriously undermine compliance with the GDPR.” The EDPB continued, “[m]ore specifically, whatever the instrument used, it would represent a major obstacle in recognising a level of protection essentially equivalent to that ensured by the applicable data protection law in the EU, and would seriously question the ability of the concerned controllers and processors to comply with the security obligation of the regulation.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by OpenClipart-Vectors from Pixabay

Australia Cybersecurity Strategy/White Paper

Canberra is trying to recalibrate its cybersecurity strategy in the face of increased PRC hacking.

Australia has issued a new Cyber Security Strategy that replaces its 2016 strategy and proposes incremental changes to how the nation approaches cybersecurity and data protection, paired with more funding for these activities. Notably, the government of Prime Minister Scott Morrison appears to be proposing a set of binding cybersecurity standards for certain critical infrastructure sectors and a program of offensive cyber operations as a means of fending off threats from malicious nation-state and criminal actors. The government in Canberra is also floating a voluntary code of practice for manufacturers and developers of Internet of Things (IoT) devices and a rewrite of privacy and data protection laws. In preparation for this strategy, Australia released a call for views on a discussion paper in September 2019 and received more than 200 comments.

Cybersecurity has been much on the minds of the government in Australia. Last fall, the Australian government leaked word that People’s Republic of China (PRC) hackers had penetrated the Parliament’s systems in Canberra even though the Morrison government declined to publicly accuse the PRC. According to media accounts, the Australian Signals Directorate determined that the PRC’s Ministry of State Security attacked Australia’s Parliament and hacked into both parties. In June 2020, Morrison told reporters “Australian organizations are currently being targeted by a sophisticated state-based cyber actor.” He contended “[t]his activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure.” In concert with Morrison’s statement, the Australian Cyber Security Centre (ACSC) and the Department of Home Affairs issued an advisory describing “the tactics, techniques and procedures (TTPs) identified during the ACSC’s investigation of a cyber campaign targeting Australian networks.” Some experts are saying it must be the PRC, especially after Canberra all but publicly named the PRC as the entity that hacked into Parliament.

The Department of Home Affairs (Department) stated that “[t]his Strategy will invest $1.67 billion AUD over 10 years to achieve our vision…[and] [t]his includes:

  • Protecting and actively defending the critical infrastructure that all Australians rely on, including cyber security obligations for owners and operators.
  • New ways to investigate and shut down cyber crime, including on the dark web.
  • Stronger defences for Government networks and data.
  • Greater collaboration to build Australia’s cyber skills pipeline.
  • Increased situational awareness and improved sharing of threat information.
  • Stronger partnerships with industry through the Joint Cyber Security Centre program.
  • Advice for small and medium enterprises to increase their cyber resilience.
  • Clear guidance for businesses and consumers about securing Internet of Things devices.
  • 24/7 cyber security advice hotline for SMEs and families.
  • Improved community awareness of cyber security threats.

The Department addressed encryption at a high level even though Australia’s 2018 legislation, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act, creates the first process for potentially ordering technology companies to decrypt encrypted systems and communications. The Department continued to emphasize the threats created by criminals using encrypted communications, particularly in crimes against children or sex crimes. The Five Eyes nations have increasingly turned to this tactic with the United States government hitting this theme hard whenever encryption policy is discussed. The Department claimed

  • Encryption is an important way of protecting consumer and business data, but the increasing use of the dark web and encryption technologies that allow people to remain anonymous online is challenging law enforcement agencies’ ability to protect our community. The dark web enables cyber criminals to broadcast child sexual exploitation and abuse, trade in stolen identities, traffic drugs and firearms, and plan terror attacks. These platforms make committing serious crimes at volume, and across borders, easier than ever before.
  • The Telecommunications and Other Legislation Amendment (Assistance and Access) Act introduced in 2018 has helped Australia’s law enforcement and security agencies, working with industry, tackle online criminal and terrorist threats. Through this Strategy, the Australian Government will ensure law enforcement agencies have appropriate legislative powers and technical capabilities to deter, disrupt and defeat the criminal exploitation of anonymising technology and the dark web.

The Department explained generally the legislative changes that may result in greater regulation of certain critical infrastructure owners and operators:

The Australian Government will also work with businesses to consider legislative changes that set a minimum cyber security baseline across the economy. This consultation will consider multiple reform options, including:

  • the role of privacy, consumer and data protection laws
  • duties for company directors and other business entities
  • obligations on manufacturers of internet connected devices.

This consultation will examine ways to simplify and reduce the cost of meeting any future minimum baseline.

The Department stated “Australia’s enhanced critical infrastructure security regulatory framework will clarify what infrastructure owners need to do to meet our minimum expectations of cyber security,” including:

  • an enforceable positive security obligation for designated critical infrastructure entities;
  • enhanced cyber security obligations for those entities most important to the nation
  • Australian Government assistance for businesses in response to the most significant cyber attacks to Australian systems
  • voluntary measures to strengthen engagement with businesses in relation to risk, and support an entity’s security uplift.

The Department added that “[t]his enhanced regulatory framework will be delivered through amendments to the Security of Critical Infrastructure Act 2018.”

As mentioned, the Department touched on how Canberra would address the cybersecurity of IoT:

  • To support businesses in taking action to protect themselves and their customers, the Australian Government will release the voluntary Code of Practice: Securing the Internet of Things for Consumers, to inform businesses about the cyber security features expected of internet-connected devices available in Australia. The 13 principles in the voluntary Code of Practice will signal to manufacturers the importance of protecting consumers. Adoption of the Code of Practice, together with associated guidance material produced by the ACSC, will benefit Australians and SMEs by increasing the number of secure products available for purchase. The Australian Government will provide consumers with information about what to take into consideration when purchasing Internet of Things devices.
  • Similar to steps taken in the United Kingdom, the Australian Government will co-design supply chain principles for decision makers and suppliers, to encourage security-by-design; transparency; and autonomy and integrity in investment, procurement and security. The Australian Government will build these principles into decision-making practices, supporting competition and diversity in the market.
  • To keep guidance up to date as technology and threats continue to evolve, the Australian Government will continue to monitor and build on existing government initiatives that promote innovation in sovereign cyber security research and development. AustCyber is well placed to assure continued commercialisation and scaling of cyber security capabilities that support our nation’s needs.

The Department is accepting comment on its Protecting Critical Infrastructure and Systems of National Significance Consultation Paper and explained

  • We want to explore with you how Australia can position itself to meet cyber threats, now and into the future. In forming a view, we will need to consider whether responsibilities are appropriately assigned in keeping everyone safe. This will require a thoughtful discussion about how Government, businesses and individuals can share responsibility for cyber security in the future to get the best outcome for everyone.
  • For the Strategy to be successful, we need to develop and deliver it in partnership with the Australian community. This discussion paper seeks views from all Australians about how to grow Australia’s cyber security and future prosperity. Cyber security affects us all and we are seeking views from small, medium and large businesses, industry bodies, academia, advocacy groups, not for profits, government agencies, community groups and members of the public. We have posed a series of questions you may wish to answer as you offer your thoughts.
  • By working together, governments, academia, industry and the community can strengthen our nation’s cyber resilience across the economy to ensure we prosper as a nation and protect our interests online.

Last month, Australia’s 2020 Cyber Security Strategy Industry Advisory Panel issued its report and recommendations “to provide strategic advice to support the development of Australia’s 2020 Cyber Security Strategy.” The body was convened by the Minister for Home Affairs. The panel stated its “recommendations are structured around a framework of five key pillars:

  • Deterrence: The Government should establish clear consequences for those targeting businesses and Australians. A key priority is increasing transparency on Government investigative activity, more frequent attribution and consequences applied where appropriate, and strengthening the Australian Cyber Security Centre’s (ACSC’s) ability to disrupt cyber criminals by targeting the proceeds of cybercrime.
  • Prevention: Prevention is vital and should include initiatives to help businesses and Australians remain safer online. Industry should increase its cyber security capabilities and be increasingly responsible for ensuring their digital products and services are cyber safe and secure, protecting their customers from foreseeable cyber security harm. While Australians have access to trusted goods and services, they also need to be supported with advice on how to practice safe behaviours at home and work. A clear definition is required for what constitutes critical infrastructure and systems of national significance across the public and private sectors. This should be developed with consistent, principles-based regulatory requirements to implement reasonable protection against cyber threats for both the public and private sectors.
  • Detection: There is clear need for the development of a mechanism between industry and Government for real-time sharing of threat information, beginning with critical infrastructure operators. The Government should also empower industry to automatically detect and block a greater proportion of known cyber security threats in real-time including initiatives such as ‘cleaner pipes’.
  • Resilience: We know malicious cyber activity is hitting Australians hard. The tactics and techniques used by malicious cyber actors are evolving so quickly that individuals, businesses and critical infrastructure operators in Australia are not fully able to protect themselves and their assets against every cyber security threat. As a result, it is recommended that the Government should strengthen the incident response and victim support options already in place. This should include conducting cyber security exercises in partnership with the private sector. Speed is key when it comes to recovering from cyber incidents, it is therefore proposed that critical infrastructure operators should collaborate more closely to increase preparedness for major cyber incidents.
  • Investment: The Joint Cyber Security Centre (JCSC) program is a highly valuable asset that should form a key delivery mechanism for the initiatives under the 2020 Cyber Security Strategy and should be strengthened. This should include increased resources and the establishment of a national board in partnership with industry, states and territories with an integrated governance structure underpinned by a charter outlining scope and deliverables.

Additionally, Australia’s Department of Defence issued its 2020 Force Structure Plan, which promised even more investment in cybersecurity in the military realm. The planning document discusses the “Information and Cyber Domain” before the traditional domains (e.g. Maritime), placing greater emphasis on the importance of cyberspace operations to the Australian government. Defence offered this summary of its plans:

  • 3.1 Defence is becoming more reliant on fast, reliable and secure internet-based communications. But the threat to this connectivity from malicious actors is also growing. There has been a marked increase in cyber-attacks against Australia by foreign actors and criminals.
  • 3.2 Secure and resilient information systems are essential to Defence’s ability to conduct operations. The Government’s plans for investments in Defence’s information warfare capabilities in the Information and Cyber domain are critical to ensure information can be securely and reliably shared across Defence, with other Government agencies, and with international partners. Future planned investments will protect Defence in cyberspace and enable operations against adversary systems. These plans include investments in offensive cyber and operational cyberspace capabilities for deployed forces.
  • 3.3 In addition to cyber capabilities, the Government plans to make additional investments in enhanced information and electronic warfare systems, and in improved joint command, control and communications systems to strengthen Defence’s warfighting capability. Proposed investments would improve network security and resilience, and the capacity to share information with international partners. Furthermore, Defence intelligence capability will be bolstered with funding to integrate intelligence, surveillance and reconnaissance programs and data, and continued investment in signals intelligence capabilities. Funding will be set aside to ensure Defence remains competitive in the future as emerging technologies, such as artificial intelligence, arise in this domain.
  • 3.4 The total program of investment in strengthened Information and Cyber domain capabilities is expected to comprise approximately $15 billion over the next decade.


Coming and Recent Events (5 August)

Still on holiday, but just a quick post on some recent hearings of interest and some future ones of interest.

Coming Events

  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)
  • On 7 August, Australia’s Parliamentary Joint Committee On Intelligence and Security will hold a public hearing “to review amendments made to Commonwealth legislation by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.” The committee is supposed to wrap up this inquiry by 30 September.
  • On 6 August, the National Institute of Standards and Technology (NIST) will hold the “Exploring Artificial Intelligence (AI) Trustworthiness: Workshop Series Kickoff Webinar,” “a NIST initiative involving private and public sector organizations and individuals in discussions about building blocks for trustworthy AI systems and the associated measurements, methods, standards, and tools to implement those building blocks when developing, using, and testing AI systems.”
  • On 18 August, the National Institute of Standards and Technology (NIST) will host the “Bias in AI Workshop, a virtual event to develop a shared understanding of bias in AI, what it is, and how to measure it.”

Recent Past Events

  • On 3 August the House Oversight and Reform Committee held a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 4 August, the Senate Armed Services Committee held a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” that follows a 30 July House Armed Services hearing on the same topic. These witnesses appeared before the committee:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 5 August the Senate Commerce, Science, and Transportation Committee held an oversight hearing on the Federal Trade Commission (FTC) with the agency’s chair and four commissioners.
  • On 5 August, the Senate Energy and Natural Resources Committee held a hearing to “Examine Efforts to Improve Cybersecurity for the Energy Sector” with these witnesses:
    • Mr. Alexander Gates, Senior Advisor, Office of Policy for Cybersecurity, Energy Security, & Emergency Response, U.S. Department of Energy
    • Mr. Joseph McClelland, Director, Office of Energy Infrastructure Security, Federal Energy Regulatory Commission
    • Mr. Steve Conner, President and CEO, Siemens Energy, Inc.
    • Mr. Thomas F. O’Brien, Senior Vice President and Chief Information Officer, PJM Interconnection


Image by Bishnu Sarangi from Pixabay

Further Reading, Other Developments, and Coming Events (24 July)

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Here are Further Reading, Other Developments, and Coming Events.

Coming Events

  • On 27 July, the House Judiciary Committee’s Antitrust, Commercial, and Administrative Law Subcommittee will hold its sixth hearing on “Online Platforms and Market Power” titled “Examining the Dominance of Amazon, Apple, Facebook, and Google” that will reportedly have the heads of the four companies as witnesses.
  • On 28 July, the Senate Commerce, Science, and Transportation Committee’s Communications, Technology, Innovation, and the Internet Subcommittee will hold a hearing titled “The PACT Act and Section 230: The Impact of the Law that Helped Create the Internet and an Examination of Proposed Reforms for Today’s Online World.”
  • On 28 July the House Science, Space, and Technology Committee’s Investigations and Oversight and Research and Technology Subcommittees will hold a joint virtual hearing titled “The Role of Technology in Countering Trafficking in Persons” with these witnesses:
    • Ms. Anjana Rajan, Chief Technology Officer, Polaris
    • Mr. Matthew Daggett, Technical Staff, Humanitarian Assistance and Disaster Relief Systems Group, Lincoln Laboratory, Massachusetts Institute of Technology
    • Ms. Emily Kennedy, President and Co-Founder, Marinus Analytics
  • On 28 July, the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, & Innovation Subcommittee will hold a hearing titled “Secure, Safe, and Auditable: Protecting the Integrity of the 2020 Elections” with these witnesses:
    • Mr. David Levine, Elections Integrity Fellow, Alliance for Securing Democracy, German Marshall Fund of the United States
    • Ms. Sylvia Albert, Director of Voting and Elections, Common Cause
    • Ms. Amber McReynolds, Chief Executive Officer, National Vote at Home Institute
    • Mr. John Gilligan, President and Chief Executive Officer, Center for Internet Security, Inc.
  • On 30 July the House Oversight and Reform Committee will hold a hearing on the tenth “Federal Information Technology Acquisition Reform Act” (FITARA) scorecard on federal information technology.
  • On 30 July, the Senate Commerce, Science, and Transportation Committee’s Security Subcommittee will hold a hearing titled “The China Challenge: Realignment of U.S. Economic Policies to Build Resiliency and Competitiveness” with these witnesses:
    • The Honorable Nazak Nikakhtar, Assistant Secretary for Industry and Analysis, International Trade Administration, U.S. Department of Commerce
    • Dr. Rush Doshi, Director of the Chinese Strategy Initiative, The Brookings Institution
    • Mr. Michael Wessel, Commissioner, U.S. – China Economic and Security Review Commission
  • On 4 August, the Senate Armed Services Committee will hold a hearing titled “Findings and Recommendations of the Cyberspace Solarium Commission” with these witnesses:
    • Senator Angus S. King, Jr. (I-ME), Co-Chair, Cyberspace Solarium Commission
    • Representative Michael J. Gallagher (R-WI), Co-Chair, Cyberspace Solarium Commission
    • Brigadier General John C. Inglis, ANG (Ret.), Commissioner, Cyberspace Solarium Commission
  • On 6 August, the Federal Communications Commission (FCC) will hold an open meeting to likely consider the following items:
    • C-band Auction Procedures. The Commission will consider a Public Notice that would adopt procedures for the auction of new flexible-use overlay licenses in the 3.7–3.98 GHz band (Auction 107) for 5G, the Internet of Things, and other advanced wireless services. (AU Docket No. 20-25)
    • Radio Duplication Rules. The Commission will consider a Report and Order that would eliminate the radio duplication rule with regard to AM stations and retain the rule for FM stations. (MB Docket Nos. 19-310, 17-105)
    • Common Antenna Siting Rules. The Commission will consider a Report and Order that would eliminate the common antenna siting rules for FM and TV broadcaster applicants and licensees. (MB Docket Nos. 19-282, 17-105)
    • Telecommunications Relay Service. The Commission will consider a Report and Order to repeal certain TRS rules that are no longer needed in light of changes in technology and voice communications services. (CG Docket No. 03-123)

Other Developments

  • Slack filed an antitrust complaint with the European Commission (EC) against Microsoft alleging that the latter’s tying Microsoft Teams to Microsoft Office is a move designed to push the former out of the market. A Slack vice president said in a statement “Slack threatens Microsoft’s hold on business email, the cornerstone of Office, which means Slack threatens Microsoft’s lock on enterprise software.” While the filing of a complaint does not mean the EC will necessarily investigate, under its new leadership the EC has signaled in a number of ways its intent to address the size of some technology companies and the effect on competition.
  • The National Institute of Standards and Technology (NIST) has issued for comment the second draft of NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). NIST claimed this guidance document “promotes greater understanding of the relationship between cybersecurity risk management and ERM, and the benefits of integrating those approaches…[and] contains the same main concepts as the initial public draft, but their presentation has been revised to clarify the concepts and address other comments from the public.” Comments are due by 21 August 2020.
  • The United States National Security Commission on Artificial Intelligence (NSCAI) published its Second Quarter Recommendations, a compilation of policy proposals made this quarter. NSCAI said it is still on track to release its final recommendations in March 2021. The NSCAI asserted
    • The recommendations are not a comprehensive follow-up to the interim report or first quarter memorandum. They do not cover all areas that will be included in the final report. This memo spells out recommendations that can inform ongoing deliberations tied to policy, budget, and legislative calendars. But it also introduces recommendations designed to build a new framework for pivoting national security for the artificial intelligence (AI) era.
    • The NSCAI stated it “has focused its analysis and recommendations on six areas:
    • Advancing the Department of Defense’s internal AI research and development capabilities. The Department of Defense (DOD) must make reforms to the management of its research and development (R&D) ecosystem to enable the speed and agility needed to harness the potential of AI and other emerging technologies. To equip the R&D enterprise, the NSCAI recommends creating an AI software repository; improving agency-wide authorized use and sharing of software, components, and infrastructure; creating an AI data catalog; and expanding funding authorities to support DOD laboratories. DOD must also strengthen AI Test and Evaluation, Verification and Validation capabilities by developing an AI testing framework, creating tools to stand up new AI testbeds, and using partnered laboratories to test market and market-ready AI solutions. To optimize the transition from technological breakthroughs to application in the field, Congress and DOD need to reimagine how science and technology programs are budgeted to allow for agile development, and adopt the model of multi-stakeholder and multi-disciplinary development teams. Furthermore, DoD should encourage labs to collaborate by building open innovation models and a R&D database.
    • Accelerating AI applications for national security and defense. DOD must have enduring means to identify, prioritize, and resource the AI-enabled applications necessary to fight and win. To meet this challenge, the NSCAI recommends that DOD produce a classified Technology Annex to the National Defense Strategy that outlines a clear plan for pursuing disruptive technologies that address specific operational challenges. We also recommend establishing mechanisms for tactical experimentation, including by integrating AI-enabled technologies into exercises and wargames, to ensure technical capabilities meet mission and operator needs. On the business side, DOD should develop a list of core administrative functions most amenable to AI solutions and incentivize the adoption of commercially available AI tools.
    • Bridging the technology talent gap in government. The United States government must fundamentally re-imagine the way it recruits and builds a digital workforce. The Commission envisions a government-wide effort to build its digital talent base through a multi-prong approach, including: 1) the establishment of a National Reserve Digital Corps that will bring private sector talent into public service part-time; 2) the expansion of technology scholarship for service programs; and, 3) the creation of a national digital service academy for growing federal technology talent from the ground up.
    • Protecting AI advantages for national security through the discriminate use of export controls and investment screening. The United States must protect the national security sensitive elements of AI and other critical emerging technologies from foreign competitors, while ensuring that such efforts do not undercut U.S. investment and innovation. The Commission proposes that the President issue an Executive Order that outlines four principles to inform U.S. technology protection policies for export controls and investment screening, enhance the capacity of U.S. regulatory agencies in analyzing emerging technologies, and expedite the implementation of recent export control and investment screening reform legislation. Additionally, the Commission recommends prioritizing the application of export controls to hardware over other areas of AI-related technology. In practice, this requires working with key allies to control the supply of specific semiconductor manufacturing equipment critical to AI while simultaneously revitalizing the U.S. semiconductor industry and building the technology protection regulatory capacity of like-minded partners. Finally, the Commission recommends focusing the Committee on Foreign Investment in the United States (CFIUS) on preventing the transfer of technologies that create national security risks. This includes a legislative proposal granting the Department of the Treasury the authority to propose regulations for notice and public comment to mandate CFIUS filings for investments into AI and other sensitive technologies from China, Russia and other countries of special concern. The Commission’s recommendations would also exempt trusted allies and create fast tracks for vetted investors.
    • Reorienting the Department of State for great power competition in the digital age. Competitive diplomacy in AI and emerging technology arenas is a strategic imperative in an era of great power competition. Department of State personnel must have the organization, knowledge, and resources to advocate for American interests at the intersection of technology, security, economic interests, and democratic values. To strengthen the link between great power competition strategy, organization, foreign policy planning, and AI, the Department of State should create a Strategic Innovation and Technology Council as a dedicated forum for senior leaders to coordinate strategy and a Bureau of Cyberspace Security and Emerging Technology, which the Department has already proposed, to serve as a focal point and champion for security challenges associated with emerging technologies. To strengthen the integration of emerging technology and diplomacy, the Department of State should also enhance its presence and expertise in major tech hubs and expand training on AI and emerging technology for personnel at all levels across professional areas. Congress should conduct hearings to assess the Department’s posture and progress in reorienting to address emerging technology competition.
    • Creating a framework for the ethical and responsible development and fielding of AI. Agencies need practical guidance for implementing commonly agreed upon AI principles, and a more comprehensive strategy to develop and field AI ethically and responsibly. The NSCAI proposes a “Key Considerations” paradigm for agencies to implement that will help translate broad principles into concrete actions.
  • The Danish Defence Intelligence Service’s Centre for Cyber Security (CFCS) released its fifth annual assessment of the cyber threat against Denmark and concluded:
    • The cyber threat poses a serious threat to Denmark. Cyber attacks mainly carry economic and political consequences.
    • Hackers have tried to take advantage of the COVID-19 pandemic. This constitutes a new element in the general threat landscape.
    • The threat from cyber crime is VERY HIGH. No one is exempt from the threat. There is a growing threat from targeted ransomware attacks against Danish public authorities and private companies. The threat from cyber espionage is VERY HIGH.
    • The threat is especially directed against public authorities dealing with foreign and security policy issues as well as private companies whose knowledge is of interest to foreign states. 
    • The threat from destructive cyber attacks is LOW. It is less likely that foreign states will launch destructive cyber attacks against Denmark. Private companies and public authorities operating in conflict-ridden regions are at a greater risk from this threat. 
    • The threat from cyber activism is LOW. Globally, the number of cyber activism attacks has dropped in recent years, and cyber activists rarely focus on Danish public authorities and private companies. The threat from cyber terrorism is NONE. Serious cyber attacks aimed at creating effects similar to those of conventional terrorism presuppose a level of technical expertise and organizational resources that militant extremists, at present, do not possess. Also, the intention remains limited.
    • The technological development, including the development of artificial intelligence and quantum computing, creates new cyber security possibilities and challenges.

Further Reading

  • “Accuse, Evict, Repeat: Why Punishing China and Russia for Cyberattacks Fails” – The New York Times. This piece points out that the United States (US) government is largely using 19th Century responses to address 21st Century conduct by expelling diplomats, imposing sanctions, and indicting hackers. Even a greater use of offensive cyber operations does not seem to be deterring the US’s adversaries. It may turn out that the US and other nations will need to focus more on defensive measures and on securing their valuable data and information.
  • “New police powers to be broad enough to target Facebook” – Sydney Morning Herald. On the heels of a 2018 law that some argue will allow the government in Canberra to order companies to decrypt users’ communications, Australia is considering the enactment of new legislation because of concern among the nation’s security services about end-to-end encryption and dark browsing. In particular, Facebook’s proposed changes to secure its networks are seen as fertile ground for criminals, especially those seeking to prey on children sexually.
  • “The U.S. has a stronger hand in its tech battle with China than many suspect” – The Washington Post. A national security writer makes the case that the cries that the Chinese are coming may prove as overblown as similar claims made about the Japanese during the 1980s and the Russians during the Cold War. The Trump Administration has used some levers that may appear to impede the People’s Republic of China’s attempt to displace the United States. In all, this writer is calling for more balance in viewing the PRC and some of the challenges it poses.
  • “Facebook is taking a hard look at racial bias in its algorithms” – Recode. After a civil rights audit that was critical of Facebook, the company is assembling and deploying teams to try to deal with the biases in its algorithms on Facebook and Instagram. Critics doubt the efforts will turn out well because economic incentives are aligned against rooting out such biases and because of the lack of diversity at the company.
  • “Does TikTok Really Pose a Risk to US National Security?” – WIRED. This article asserts TikTok is probably no riskier than other social media apps even with the possibility that the People’s Republic of China (PRC) may have access to user data.
  • “France won’t ban Huawei, but encouraging 5G telcos to avoid it: report” – Reuters. Unlike the United States, the United Kingdom, and others, France will not outright ban Huawei from its 5G networks but will instead encourage its telecommunications companies to use European manufacturers. Some companies already have Huawei equipment on their networks and may receive authorization to use the company’s equipment for up to five more years. However, France is not planning on extending authorizations past that deadline, which will function as a de facto sunset. In contrast, authorizations for Ericsson or Nokia equipment were provided for eight years. The head of France’s cybersecurity agency stressed that France was not seeking to move against the People’s Republic of China (PRC) but is responding to security concerns.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

EDPB Opines Encryption Ban Would Endanger A Nation’s Compliance with GDPR

As the US and others call on technology companies to develop the means to crack encrypted communications, an EU entity argues any nation with such a law would likely not meet the GDPR’s requirements.


In a response to a Minister of the European Parliament’s letter, the European Data Protection Board (EDPB) articulated its view that any nation that implements an “encryption ban” would endanger its compliance with the General Data Protection Regulation (GDPR) and possibly result in companies domiciled in those countries not being able to transfer and process the personal data of EU citizens. However, as always, it bears note the EDPB’s view may not carry the day with the European Commission, Parliament, and courts.

The EDPB’s letter comes amidst another push by the Trump Administration, Republican allies in Congress, and other nations to have technology companies develop workarounds or backdoors to their end-to-end encrypted devices, apps, and systems. The proponents of this change claim online child sexual predators, terrorists, and other criminals are using products and services like WhatsApp, Telegram, and iPhones to defeat legitimate, targeted government surveillance and enforcement. They reason that unless technology companies abandon their unnecessarily absolutist position and work towards a technological solution, the number of bad actors communicating in ways that cannot be broken (aka “going dark”) will increase, allowing for greater crime and wrongdoing.

On the other side of the issue, technology companies, civil liberties and privacy experts, and computer scientists argue that any weakening of or backdoors to encryption will eventually be stolen and exposed, making it easier for criminals to hack, steal, and exfiltrate. They assert the internet and digital age are built on secure communications and threatening this central feature would wreak havoc beyond the crimes the US and other governments are seeking to prevent.

The EDPB stated

Any ban on encryption or provisions weakening encryption would undermine the GDPR obligations on the concerned controllers and processors for an effective implementation of both data protection principles and the appropriate technical and organisational measures. Similar considerations apply to transfers to controllers or processors in any third countries adopting such bans or provisions. Security measures are therefore specifically mentioned among the elements the European Commission must take into account when assessing the adequacy of the level of protection in a third country. In the absence of such a decision, transfers are subject to appropriate safeguards or may be based on derogations; in any case the security of the personal data has to be ensured at all times.

The EDPB opined “that any encryption ban would seriously undermine compliance with the GDPR.” The EDPB continued, “[m]ore specifically, whatever the instrument used, it would represent a major obstacle in recognising a level of protection essentially equivalent to that ensured by the applicable data protection law in the EU, and would seriously question the ability of the concerned controllers and processors to comply with the security obligation of the regulation.”

The EDPB’s view is being articulated at a time when, as noted, a number of nations led by the United States (US) continue to press technology companies to allow them access to communications, apps, platforms, and devices that are encrypted. Last year, the US, United Kingdom, Australia, New Zealand, and Canada (the so-called Five Eyes nations) met and, in one of the communiques, the Five Eyes ministers asserted that

We are concerned where companies deliberately design their systems in a way that precludes any form of access to content, even in cases of the most serious crimes. This approach puts citizens and society at risk by severely eroding a company’s ability to identify and respond to the most harmful illegal content, such as child sexual exploitation and abuse, terrorist and extremist material and foreign adversaries’ attempts to undermine democratic values and institutions, as well as law enforcement agencies’ ability to investigate serious crime.

The five nations contended that “[t]ech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.” The Five Eyes also claimed that “[t]hose companies should also embed the safety of their users in their system designs, enabling them to take action against illegal content…[and] [a]s part of this, companies and Governments must work together to ensure that the implications of changes to their services are well understood and that those changes do not compromise public safety.”

The Five Eyes applauded “approaches like Mark Zuckerberg’s public commitment to consulting Governments on Facebook’s recent proposals to apply end-to-end encryption to its messaging services…[and] [t]hese engagements must be substantive and genuinely influence design decisions.”

The Five Eyes added

We share concerns raised internationally, inside and outside of government, about the impact these changes could have on protecting our most vulnerable citizens, including children, from harm. More broadly, we call for detailed engagement between governments, tech companies, and other stakeholders to examine how proposals of this type can be implemented without negatively impacting user safety, while protecting cyber security and user privacy, including the privacy of victims.

In October 2019, in an open letter to Facebook CEO Mark Zuckerberg, US Attorney General William P. Barr, United Kingdom Home Secretary Priti Patel, Australia’s Minister for Home Affairs Peter Dutton, and then acting US Homeland Security Secretary Kevin McAleenan asked “that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.” In Facebook’s December 2019 response, Facebook Vice President and WhatsApp Head Will Cathcart and Facebook Vice President and Messenger Head Stan Chudnovsky stated “[c]ybersecurity experts have repeatedly proven that when you weaken any part of an encrypted system, you weaken it for everyone, everywhere…[and] [t]he ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm.”

However, one of the Five Eyes nations has already taken legislative action to force technology companies and individuals to cooperate with law enforcement investigations in ways that could threaten encryption. In December 2018, Australia enacted the “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” (TOLA). As the Office of Australia’s Information Commissioner (OAIC) wrote of TOLA, “[t]he powers permitted under the Act have the potential to significantly weaken important privacy rights and protections under the Privacy Act…[and] [t]he encryption technology that can obscure criminal communications and pose a threat to national security is the same technology used by ordinary citizens to exercise their legitimate rights to privacy.”

In a related development, this week, Australia’s Independent National Security Legislation Monitor (INSLM) issued its report on “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” (TOLA). The Parliamentary Joint Committee on Intelligence and Security had requested that the INSLM review the statute, and so INSLM engaged in a lengthy review, including input from the public. As explained in the report’s preface, the “INSLM independently reviews the operation, effectiveness and implications of national security and counter-terrorism laws; and considers whether the laws contain appropriate protections for individual rights, remain proportionate to terrorism or national security threats, and remain necessary.”

INSLM claimed

In this report I reject the notion that there is a binary choice that must be made between the effectiveness of agencies’ surveillance powers in the digital age on the one hand and the security of the internet on the other. Rather, I conclude that what is necessary is a law which allows agencies to meet technological challenges, such as those caused by encryption, but in a proportionate way and with proper rights protection. Essentially this can be done by updating traditional safeguards to meet those same technological challenges – notably, those who are trusted to authorise intrusive search and surveillance powers must be able to understand the technological context in which those powers operate, and their consequences. If, but only if, the key recommendations I set out in this report in this regard are adopted, TOLA will be such a law.

INSLM stated “[t]he essential effects of TOLA are as follows:

a. Schedule 1 gives police and intelligence agencies new powers to agree or require significant industry assistance from communications providers.

b. Schedules 2, 3 and 4 update existing powers and, in some cases, extend them to new agencies.

c. Schedule 5 gives the Australian Security Intelligence Organisation (ASIO) significant new powers to seek and receive both voluntary and compulsory assistance.”

INSLM found

  • In relation to Schedule 1, for the reasons set out in greater detail in the report, Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) should be authorised by a body which is independent of the issuing agency or government. These are powers designed to compel a Designated Communications Provider (DCP) to reveal private information or data of its customers and therefore the usual practice of independent authorisation should apply.
  • I am satisfied that the computer access warrant and associated powers conferred by Schedule 2 are both necessary and proportionate, subject to some amendments.
  • I am generally satisfied that the powers conferred by Schedules 3 and 4 are both necessary and proportionate, but there are some matters that should be addressed and further monitored.
  • I have concluded that Schedule 5 should be amended to limit its breadth and clarify its scope.


Image by OpenClipart-Vectors from Pixabay