AWS asks that new Australian computer warrant provide immunity for account takeovers
Amazon Web Services (AWS) has asked for the introduction of a mechanism that can provide online account providers with immunity when responding to account takeover warrants issued by certain Australian law enforcement bodies.
The call for such a mechanism follows the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 being introduced into Parliament, which, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new warrants for dealing with online crime.
The first warrant is a data disruption warrant, which according to the Bill’s explanatory memorandum is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”.
The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.
The last warrant is an account takeover warrant that will allow the agencies to take control of an account for the purposes of locking a person out of the account.
AWS said the first and third warrants are “formulated for fundamentally different objectives for law enforcement, compared to warrants that law enforcement agencies can currently seek”.
“These two warrants are intended not for the purpose of gathering evidence per se, but to allow law enforcement agents to effectively stand in the (online) shoes of persons suspected of engaging in potential criminal activity,” it wrote in a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security as part of its review into the Bill.
“Though ancillary to existing warrants, both of these warrants are a significant departure from current provisions and their issue will involve an elevated risk to the liberty and privacy of citizens whose online accounts are impacted by law enforcement activities.”
AWS believes the execution of warrants by law enforcement or provision of assistance in good faith to law enforcement officers executing a warrant should not result in civil liability to a person.
It said that for account takeover warrants and assistance provided under assistance orders relating to account takeover warrants, there should be provision protecting third parties from liability.
“AWS submits that the Bill should be amended to introduce a new immunity for online account providers in relation to the execution of account takeover warrants,” it wrote.
“The immunity should extend to criminal and civil liability, or an action or other form of proceeding for damages, in relation to an act or omission done in good faith in purported compliance with, or in the furtherance of a requirement under, an account takeover warrant.”
AWS is also concerned the new warrants might force the cloud giant into introducing systemic weaknesses or vulnerabilities into its systems.
AWS raised similar issues a few years ago, previously stating that provisions of the Telecommunications and Other Legislation (Assistance and Access) Act 2018 could require actions that have the potential to make technology systems less secure.
Provisions were eventually included in the Act listing the matters that decision makers had to consider when determining whether notices seeking industry assistance under that Act were reasonable and proportionate.
For the latest draft legislation, it has requested that similar considerations be added and for technical feasibility to be an express consideration for those issuing warrants.
“Additionally, AWS submits that the execution of the warrants proposed in the Bill should not result in the introduction of systemic weaknesses or vulnerabilities into any form of electronic protection of data implemented in a technology provider’s systems,” it wrote.
“Such a warrant would be unreasonable in any circumstance as it would create significant and lasting risk to innocent third parties.”
Another request from AWS is that, given the potential cross-over of legislative provisions in relation to seeking assistance, the Bill use the criteria within the Assistance and Access Act to determine what is “reasonable and proportionate”.
“As drafted, the Bill does not provide, in our view, sufficient protection for individual employees of technology providers such as cloud services, and creates an assistance regime that is different from that specified for technology providers under the Assistance and Access Act,” AWS wrote.
“The Bill enables law enforcement to seek an assistance order requiring a specified person to provide any information or assistance that is reasonable and necessary to execute the warrant. A specified person includes an employee of the owner or lessee of the computer, or a person engaged under a contract for services by the owner or lessee of the computer, or a person who is or was a system administrator for the system including the computer.”
It said these definitions could include employees of a cloud service provider.
AWS is also concerned that employees ordered under an assistance order to do, or to omit to do, an act or thing may then be forced to breach a foreign law or cause another person to breach a foreign law.
It has, as a result, asked that the Bill make it clear that any such requirement would be unreasonable, or provide a defence for an individual who refuses to do the act or make the omission.