Big quote: “Cryptographic protections on the device don't just help prevent unauthorized access to your personal data — they're a critical line of defense against a criminal who seeks to implant malware or spyware, and use the device of an unsuspecting person to gain access to a business, public utility or government agency.”
Apple sees itself as being forced to choose a side: stronger on-device security or aiding law enforcement. They’ve been trying to choose both, creating an international web portal for law enforcement data access requests, but also creating a ‘USB Restricted Mode’ that prevents law enforcement from hacking locked iPhones. Meanwhile, governments have been pushing for them to more heavily favor law enforcement, but thus far, Apple hasn’t complied.
Australia took it a step further by drafting new legislation that requires tech companies like Apple to give access to devices or be fined up to AU$10 million (US$7.3 million). In response, Apple sent the Australian government a letter highlighting how device security is a key line of defense against online “criminals and terrorists” and challenged the idea that “weakening encryption is necessary to aid law enforcement.”
The letter evaluated six key issues with the law – called the Assistance and Access Bill – and then politely demanded that they be resolved.
The first issue is that the bill grants the government and law enforcement “extraordinarily broad and vague powers” over device security implementation. While the bill currently prohibits “implementing or building a systematic weakness or systematic vulnerability” into a device, it doesn’t define either of those terms. The Australian government insists that they don’t want to weaken encryption, but Apple says that commitment needs to be written into the bill in case future governments abuse its power.
The second issue is the absence of judicial oversight. In the bill’s current form, only the Attorney General’s permission is required to force a company to hand over access keys or fine them the AU$10 million. Apple wants a jury to decide if a warrant is appropriate or not and wants another jury to decide if Apple should pay the fine if the warrant is ignored.
The third issue is that it is entirely law enforcement’s decision if a warrant is appropriate or not. Even if every expert, researcher, scientist or academic out there believes a warrant is unnecessary and immoral, the government can make the decision without consulting any of them. Apple wants a panel of experts appointed to review each warrant.
While the bill doesn’t require companies to bake in intercept capabilities (the ability for law enforcement to remotely view messages and calls in real time), Apple claims that the “exceptions swallow the rule.” One such exception is a ‘computer access warrant’, frequently given out to the Australian Security Intelligence Organization (ASIO), that would grant them full intercept capabilities. Apple wants all intercepts prohibited.
One of the worst issues is that if an employee at a company receives a warrant but believes it to be immoral, there is nothing they can do about it. Due to security concerns, speaking about a warrant is punishable with 5 years’ imprisonment – they can’t even consult their boss. Apple wants internal discussion to be permitted and potentially a primitive appeal process.
The last issue is contradictions with foreign law. An example Apple provided is that by allowing ASIO to intercept messages, they would be susceptible to US criminal law because they store the data in America. They claim that “Apple could face stiff penalties of up to 4% of its annual turnover under the General Data Protection Regulation” in Europe.
Personally, I find it very hard to believe that this bill is even required at all. While there have been valid complaints that law enforcement hasn’t been able to access devices, Apple has complied with nearly 26,000 requests for access in Australia alone.