The email service provider FastMail has told an Australian Parliamentary Joint Committee on Intelligence and Security that its staff are concerned about potentially being required by law to install secretive backdoors in the company’s software under the 2018 Australian Assistance and Access Bill.
If you’re not familiar with this bill, it requires Australian companies to provide three levels of assistance to Australian law enforcement when accessing encrypted data. One of these levels is called a TCN (Technical Capability Notice) which requires companies to build new capabilities into their software to decrypt communications. Companies or individuals that are issued with a TCN are legally required to keep details of these TCNs secret.
At the time this bill was proposed, many critics highlighted that TCNs could be used to compel employees at any Australian company to secretly install backdoors in company software. However, people defending the bill suggested these concerns were unfounded and that TCNs would only be issued to organizations. FastMail’s recent statement gives more weight to the concerns of these critics and suggests that individual employees being targeted with TCNs is more likely than defenders of the bill would have people believe.
In its statement to the committee, FastMail said the following about TCNs:
Our staff have expressed concerns that they may be forced to attempt to secretly add backdoors or security holes in our service – actions that would be just cause for dismissal – and be unable to tell us why they have made these changes.
FastMail also said that its staff’s biggest concern is inadvertently leaking information about backdoors that have been built in response to a TCN, without even knowing that the backdoors were built to comply with a TCN.
The statement cites the example of Yahoo!’s company management being required to secretly install a backdoor in response to a government request which was then later discovered by the company’s security team. This incident ultimately destroyed internal trust at Yahoo! and led to key security staff resigning.
FastMail fears that TCNs will have a similar effect on Australian companies. If the company’s systems behave unexpectedly, staff will naturally investigate and possibly discover new capabilities that have been added as a result of a TCN. The bill would make acknowledging that these capabilities exist, when they are inevitably discovered by staff, a criminal offense. Such a requirement is incompatible with best practices for computer security.
FastMail summarizes its position by saying:
To conclude that additional capabilities built under TCN can be kept a secret, whether from staff or customers, is naive at best.
The company suggests that not trying to keep the capabilities themselves secret is a more practical approach, because it would only require staff to keep the details of specific warrants for specific users secret – a requirement that all of FastMail’s staff are happy with.
FastMail believes that it’s likely that an organization and not individual employees would be targeted with TCNs. However, since the text of the bill is not clear on how these TCNs will be served, FastMail suggests that the text of the bill should be amended to clarify this exact intent.