New Zealand-based cloud file storage company Mega is expressing its concerns with a new anti-terrorism law being drafted in the wake of the 2019 Christchurch massacre.
A submission from Mega's executive chairman Stephen Hall on the proposed new law says the company supports the intent and some changes suggested, but pushes back on other proposals that would hold platform service providers such as itself accountable for the activities of their users.
Mega's concerns are all the more notable because the Christchurch terrorist uploaded copies of his manifesto to the company's platform ahead of the attack.
Hall's submission takes issue with clauses 10 through 14 of the bill that extend the existing terrorism finance offence framework to criminalise wider forms of material support for terrorist activities or organisations.
"Mega supports the intention behind such proposed extension," the submission said. "However, Mega has grave concerns as to the wording proposed by the Bill to bring this into effect.
"The current suggested wording would potentially make Mega (and other similar online service providers) liable in situations where it is neither possible or practically feasible for Mega do more than it currently does to combat the use of its services by terrorist elements."
The approach proposed was out of step with the approach adopted by other laws to determine the potential liability of online service providers in various situations, Hall argued.
"The end-to-end encrypted cloud storage and online chat services provided by Mega are of interest to a wide range of people, companies, organisations and governments who wish to securely communicate or conduct business online," he wrote.
Given the type of online services Mega provided, he continued, "literally any person on the planet with access to the internet" could have reason to make use of the services for the enhanced security and privacy provided by user-controlled end-to-end encryption.
There was therefore a risk that such services could also be used by a "tiny minority" of individuals and entities with terrorist intent.
It was unreasonable, therefore, that Mega and other similar online service providers could find themselves being charged with an offence when there was only the mere possibility that its services could be used to plan or carry out a terrorist act.
Hall argued the proposed approach was also unworkable and impractical because Mega's cloud storage and chat service were encrypted end-to-end. It was therefore impossible for the company to know the content of the material transiting or being stored on its system unless the user shared an encryption key.
"It is only in the limited circumstances where a user chooses to make public a link to a file, folder or chat hosted by Mega, for example by sharing the link including its related decryption key, that Mega or anyone else would be able to see the content that is linked to.
"If that happens ... Mega will promptly, on being provided notice of such link, disable access to it."
Last month, the FBI issued a warning that the Mega site was being used by ransomware attackers.
In a response similar to the new submission, Mega said it was also impossible to know what its 220 million account holders kept on their encrypted files, except if law enforcement or a hacked company alerted the company.
"If they found a Mega link, it would be reported to us and [the account] closed within minutes," Mega chief executive and chair Stephen Hall told RNZ.
According to a report late last year, Auckland-based Mega has 50 local staff, twenty more in Spain and others distributed around the world. It uses six data centres, mostly based in Europe.
Mega also took issues with new proposed warrantless search powers created by proposed changes to the Search and Surveillance Act 2012 (SSA).
"Mega does support in theory the ability for law enforcement to be able to act quickly and without a warrant with regards to entry, search, and surveillance in accordance with the very specific circumstances in which the SSA allows such, when planning or preparation to carry out a terrorist act is suspected," Hall submitted.
"However, Mega does have concerns with regards to the basis on which this particular amendment proposed by the bill was progressed, as well as the disproportionate effect the exercise of such new powers is likely to have on companies such as MEGA, who provide key online services."
Hall argued there should have been greater consultation with the industries likely to be most affected by the proposed extension of the warrantless entry, search and surveillance powers.
Mega was originally founded in 2013 by controversial internet identity Kim Dotcom and associates, however he is no longer involved.
Dotcom fought a long-running battle to avoid extradition from New Zealand to face charges of copyright piracy in the US after his earlier venture, Megaupload, was seized and shut down by US authorities in 2012.