Last week, my colleagues Tim Fawcett, Matt Carling and I had the honor and pleasure of representing Cisco in a hearing before the Australian Parliamentary Joint Committee on Intelligence and Security.
The topic: pending legislation to expand the government’s lawful surveillance authorities – called the “Assistance and Access Bill.” The bill would allow the government to demand that companies with even a single user in Australia build new capabilities that could have broad impacts on the security of technology.
Cisco raised concerns about this bill for three reasons:
- The interconnected nature of the global Internet means that actions taken in Australia can have impacts abroad;
- We want our customers to know that we know their trust is hard won and must be continually earned;
- And we want to avoid false tradeoffs between privacy and security.
The bill includes an important limitation – at least notionally – on what the government can demand from technology providers.
Specifically, the text provides that the government cannot demand companies render assistance or build new capabilities into their products that would have the effect of creating a “systemic weakness.”
As the hearing made clear, however, we have a different view from the government about what required steps might introduce risks we would view a being “systemic.” Given that changes to technology required by the government in Australia could have impacts on the security of users beyond its borders, we counseled in favor of narrowly defining the term and enabling companies served with a demand under the bill to have a mechanism to raise a challenge in court concerning security risks that might result from complying with the government’s mandate.
At Cisco, we understand that the trust of our customers must be continually earned and can easily be wiped away.
It is, therefore, vital that we can say, as Chuck Robbins has unequivocally stated, “We don’t provide backdoors. There is no special access to our products.”
To maintain the trust of our customers, Cisco transparently describes the capabilities and features in our products, including those required by law. We are, therefore troubled, by what appears to be an authority in the bill to prohibit public disclosure about the development of new surveillance capabilities demanded by the government.
Cisco deeply appreciates the nature of the problem that the Australian government is grappling with in terms of fighting crime and terror.
Yet, we must not lose sight of the foundational importance of strong encryption to the secure delivery of critical services.
As we noted in our comments, this debate is not really about how to balance or tradeoff privacy and security. There are actually competing aspects of security in tension with each other, which counsels in favor of ensuring that the development of this legislation proceed only after careful deliberation and public debate.