
The Internet Reacts To Australia's Anti-Encryption Bill - lysp
https://www.gizmodo.com.au/2018/12/the-internet-reacts-to-australias-anti-encryption-bill/
======
sandov
I wonder what goes on in the mind of politicians who support this kind of
law.

Do they not understand it? Did they get paid to pass it? Do they hate freedom?
Do they actually think it's a good law? Would they like to have lived in the
USSR so they can experience the peak non-freedom experience? Are they
masochists?

~~~
prawn
They worry that they'll be wedged on national security if they vote against it
and then there is an incident. Their opponents will aggressively label them
soft on terrorism and the 'reason' the attack couldn't be stopped.

Meanwhile, if they vote for it, they annoy the few people paying attention or
who have strong feelings about it. Low risk in the short term.

~~~
cyphar
This is exactly the reason. It's one of the many risks of having a de-facto
two-party system -- if you piss off the other guy's base you'll lose the next
election. As I've said for many years, we need much stronger third parties in
Australia. Personally, I think the problem is that there's too much political
apathy.

~~~
BLKNSLVR
"too much political apathy" x 21,000,000

I only took an interest in politics since the selling of Telstra and then the
NBN stuff, and man, I wish I'd been more aware earlier in my life.

I haven't worked out how I'm going to introduce my kids to "the decisions that
will shape their futures" yet, without turning them into suicidal nihilists
bereft of hope for the future of the species / planet - but that's kinda the
point.

~~~
Joakal
I agree and what disturbs me the most is that the two parties have recently
massively increased requirements to being a candidate with more requirements
on the way. Why? One independent senator out of 76 got elected legitimately by
votes and ABC Antony Green complaining about too many choices on the ballot.

The biggest attackers of Australian democracy are Liberal/Labor's actions. Are
they trying to turn Australia's democracy into USA's?

------
tanbog
Hasn't passed the Senate yet.

There is an arm-wrestle over a nasty piece of refugee legislation that might
see both acts not get voted on today. That means it won't be back in
parliament until next year and the government is looking so shaky it might not
be in power then so... who knows!

~~~
cyphar
It just passed the Senate. But even if it hadn't passed, the problem was that
Labor (to non-Aussies: the opposition) voted for it unanimously. Only two MPs
voted against it in the House of Representatives (Andrew Wilkie [Independent]
and Adam Bandt [Greens]).

------
schappim
We (Australia) are doing this mostly as a five-eyes partner on behalf of the
US to support their intelligence efforts.

This is the price we the Australian people pay for:

      1) The promise of future protection by the US in the event of a war (hmmm I wonder who will start it) [1]
      2) In theory better terms of trade (ok, after lots of haggling) [2]
      3) Access to exclusive visas w/ the US (ok, not so exclusive if Ireland have their way). [3]

Worth it?

      [1] https://www.news.com.au/world/asia/the-miscalculation-that-could-escalate-into-war-between-china-and-the-us/news-story/c597fe4fa7ea9e7a9929b4258625bd19
      [2] https://www.abc.net.au/news/2018-03-10/malcolm-turnbull-donald-trump-working-tariff-exemption-agreement/9534984
      [3] https://www.irishcentral.com/news/politics/what-is-e3-bill-what-would-it-mean-for-irish

~~~
dgzl
Of course not.

------
x0x0
Does anyone understand how this affects fastmail?

Their blog post seems to say it isn't a big deal:
[https://fastmail.blog/2018/09/10/access-and-assistance-bill/](https://fastmail.blog/2018/09/10/access-and-assistance-bill/)

~~~
snowwrestler
Email providers already have the keys to all the data they store, so this bill
does not affect them. They can already fulfill any lawful warrant that is
requesting data.

The fear is that a service that is encrypted end-to-end will be forced to add
a backdoor to accommodate warrants for data. But email is not encrypted E2E.

~~~
BornInCode
Some email providers like Protonmail provide E2E emails. :)

------
infradig
First the UK and now Australia. Next New Zealand and then Canada. Then the USA
will have its five-eyes partners outsourced and fully-equipped to do all its
internal spying.

~~~
cyphar
Australia has no privacy protections (and is the only Five-Eyes country where
this is the case). There's no need to get a similar law passed in New Zealand,
the Five-Eyes agreement allows for intelligence analysis to be outsourced.
Basically Australia will now be used as a way to subvert the privacy rights of
all other Five-Eyes countries -- including countries where such analysis would
violate their laws.

The most disgusting thing is that our opposition government voted for this
shit. What a fucking joke.

------
aetherspawn
Is this even technically possible? What happens to all the businesses in
Australia that built products around crypto where it’s impossible to go
backwards.

~~~
caf
The meat of the bill is the ability to issue three sorts of notices to service
providers (which only need have some incidental presence in Australia to be
served, like for example a company owned storefront):

Technical Assistance Request - a non-compulsory request to provide requested
information they have access to;

Technical Assistance Notice - a compulsory version of a Technical Assistance
Request, to use a capability that the recipient already has to obtain data;

Technical Capability Notice - a compulsory instruction to develop a new
interception capability.

So it doesn't constrain the way you can build products (now or in the past),
they're instead just going to require your assistance to attack the targeted
endpoints if that's the only way in.

~~~
aetherspawn
So the government can now ask you to do specialised software development to
retardify your own systems and if you refuse then they can fine you?

I didn’t think there was any basis whatsoever to be able to make a law that
assumes a company is capable of maintaining or modifying their systems or
infrastructure. That seems too generalised.. what if they’re running on a
system that they don’t have the source code for?

~~~
caf
Pretty much. Maybe they'll just ask you to sign a binary they've built
themselves.

They obviously won't be able to ask you to do something you technically can't.
If you sell, say, IoT devices that don't phone home for updates then you'll
probably be safe.

~~~
brokenmachine
> If you sell, say, IoT devices that don't phone home for updates then you'll
> probably be safe.

They can demand source code to find vulnerabilities in those IoT devices
however.

------
jddj
The expectation of bipartisanship on 'national security issues' definitely
makes the average citizen feel powerless, which is particularly worrying
because all of the privacy/centralised control overreaches are easily framed
as such.

I'd happily contribute monthly donations to an EFF-style organisation who are
proving effective (or at least tenacious) in lobbying for individual rights
protections and extensions, does anyone have any personal recommendations
based on their own research?

I'm aware that the EFF has an Australian partner branch, and that there are a
small handful of other digital rights groups, but if someone has looked into
it more thoroughly it would be nice to hear what you found.

~~~
dwd
GetUp is probably the most effective group for mobilising activists (based on
MoveOn.org) but are under a lot of pressure for supposedly taking donations
from overseas. (George Soros was blamed as usual) The Government is trying to
blunt their influence by passing laws to cut off their access to funding.

I haven't seen anything specific regarding the anti-encryption bill but they
supported action in protest of the data retention bill that was passed a few
years ago.

Expect to see them a lot this election, particularly in Dickson, Peter
Dutton's electorate.

------
ajwin
173 Amendments = One wish for every politician granted to buy the bill?

------
senectus1
ugh. I'll never forgive the LIB's for what they did to the NBN project.

Now I'm being pushed to put the ALP on the same shelf. If this shitshow of
legislation passes the senate then Australia is no longer safe and can no
longer export tech to places like Europe.

what a fucking joke.

------
cyphar
I think it's about time that we Australians had a discussion about a
constitutional bill of rights (modelled on Switzerland ideally).

The common argument against this is that common law protections would be
strong enough to make it unnecessary, but that's ignoring that governments can
pass laws that end up invalidating older common law protections. And as we've
seen in the past decade, our government (both Labor and the Liberals) have
been slowly degrading our rights -- they effectively suspended habeas corpus
in 2005. From memory, there are even restrictions on how much you can tell
your lawyers about you being tried for terrorism!

A constitutional referendum is going to be a very hard fight. But I think that
the Australian public could see the problem if we compare ourselves to other
nations -- the "it's all for national security" argument is specious given
that we can show evidence of many countries which have such protections and
still have national security protections.

One of the most concerning things is that the canonical example that motivated
this bill actually includes a presumption of guilt of the person being
investigated. That's a great start...

~~~
schappim
People like to wave a constitutional bill of rights (or lack of it) as an
issue for Australia.

Whilst that is true, our rights are just spread out within Australia's common
law.

This can actually be a good thing, as the laws are in theory easier to get
changed for the times. Such as the right to bear arms[1].

      [1] https://www.youtube.com/watch?v=RpeUznIhgLU

~~~
dgzl
American rights aren't presented as rights that the people explicitly have
(other than right to life, liberty and pursuit of happiness). Most Americans
don't even realize that our Bill of Rights outlines implicit rights for
citizens. That is, the laws say "government can make no law regarding this
subject". This is important because if the government "gives you rights" then
they're not actual rights, they're only temporary privileges that can be
removed.

No offense, but if the government of Australia is "giving" you your rights,
then you don't actually have them.

~~~
cyphar
This is a very strange argument, and is one that a lot of Americans seem to
believe. Is this purely because of the wording of the 10th Amendment? The
reason I ask is because there isn't (as far as I know) a legal distinction
between being _given_ a freedom and there being a restriction such that
"Congress shall make no law abridging $some_freedom". To test this theory,
consider if there was a new amendment that completely invalidated the bill of
rights. Would you still have the same freedoms you have today? Of course not
-- so therefore (regardless of the framing) the bill of rights _gives_ you
certain rights.

------
DuskStar
If the US couldn't pull it off 20 years ago, why the hell does Australia
expect to successfully mandate encryption backdoors today?

~~~
cyphar
Australia has effectively no free speech or privacy protections, and so it's
very likely they'll get big companies to play ball. The US ran into trouble
for a variety of reasons but it wasn't an "in principle this is untenable"
problem (and let's not forget the "export" encryption has caused problems for
many years thanks to the US policies).

I am quite worried about free software that implements encryption. As an
Australian, I'm quite concerned that software I've written and is free
software will be asked to be backdoored by the Australian government. I'm a
small fish, but if I was a GnuPG developer I'd be more worried -- will GnuPG
even accept my patches anymore given my nationality?

~~~
caf
_As an Australian, I'm quite concerned that software I've written and is free
software will be asked to be backdoored by the Australian government._

I don't believe this is a significant risk, at least for the case of source
code. The proposed legislation doesn't allow them to ask for _"systemic
weaknesses"_ - so a sneaky change in the source that leaks a few bits of key
material or something should be out. And a big part of this is secrecy - they
don't want those targeted to know they're under surveillance - so it would be
self-defeating to ask you to put an "if (user == osama_bin_laden) {
send_to_ausgov(msg); }" line in the public source.

If you distribute your free software through an app store or something there
could be more risk, in that you might be asked to distribute a binary with
code to target certain users - but even there I'd say there's still too much
chance that people analysing the binary would discover the backdoor code, so
it's doubtful they'd go that way either.

It seems to me that the most likely use of the TCN power would be to ask the
OS vendor to deploy some Game Over malware to a targeted endpoint (using their
existing update or app store mechanism). We already know what that malware
looks like, the hardest part is getting it onto the device.

I find it hard to credit that Apple would stomach this, after they were
seemingly prepared to go to the mat with the FBI in the All Writs Act case
over a very similar issue. Would they withdraw entirely from the Australian
market? You'd have to think that is a live possibility.

~~~
cyphar
> The proposed legislation doesn't allow them to ask for "systemic
> weaknesses".

My problem with this argument is that the whole "systemic weaknesses"
restriction is just a word-game so that the bill can escape certain criticism.

As a hypothetical, if I implement an e2e system which is "entirely secure" and
as a provider I have no method of attacking it (and let's imagine it's free
software and uses reproducible builds, so users can trivially verify if their
binary is backdoored) -- how can I respond to a Technical Assistance Notice? I
simply cannot, without taking my existing program and making it insecure.
Without creating a weakness which, by the nature of the problem, is systemic.

Do you see what happened? The government hasn't _asked_ me to create a
systemic weakness but because of the very situation I've now been _forced_ to
make one -- it's just a word-game. They can't _ask_ you to create a systemic
weakness, but they sure as hell can put you in a situation where (in order to
fulfill a "completely reasonable request" under threat of exceptionally large
fines and civil prosecution) you _must_ create a systemic weakness.

Now of course, most programs are insecure and so this hypothetical isn't
entirely practical. But the principle stands that there will be many
situations where (in order to avoid exceptionally large fines and civil
prosecution) companies will opt into creating a systemic weakness out of fear
of not being able to comply with future Technical Assistance Notices.

~~~
caf
I assume you mean Technical Capability Notice where you've written Technical
Assistance Notice? (the latter only requires you to use an existing capability
that you have - if you don't have the capability, they can't force you to use
it).

My reading of that is that the authorities would have to ask you for some
specific technical solution. You lay out how your e2e system with reproducible
builds works, and they ask you for something specific - like a backdoored
build. It's up to them to figure out how to deal with issues like the
reproducible build one.

~~~
cyphar
I guess you could argue I'm referring to both (though Technical Capability
Notice is more obvious).

The only requirement applied to a Technical Assistance Notice is that "the
Director General of Security or the chief officer of an interception agency
[...] is satisfied that [...] compliance with the notice is practicable and
technically feasible" (317P). So if the case officer is "satisfied" it doesn't
really matter whether you can practically follow it -- and it's not clear to
me what recourse someone has if they are given such a notice.

Now, Technical Capability Notice restrictions are quite odd. I'm not a lawyer,
so 317T.8 is pretty obfuscated to me but it appears to support the argument
that they cannot require you to modify a telecommunications system so that it
"has the capability to enable a communication passing over the system to be
intercepted in accordance with an interception warrant". But I simply must not
be reading that part of the bill correctly, because that would imply that e2e
couldn't be subverted at all -- which obviously is false because that's
precisely what the government wants to do. Technical Capability Notices do
have review periods (which can be waived if the Attorney-General says it's
urgent) and so on, but I'd be quite worried about how much of a say you really
have in those situations...

The 317ZG limitations _sound good in theory_, but as above it feels like it's
just word-games to try to avoid criticism.

Given the criminal penalties for disclosure of "technical capability notice
information", I wonder how this situation would work if you were the
maintainer of a GPLv3 project where not providing the source code would be a
violation of copyright law.

------
contingencies
Updating
[https://en.wikipedia.org/wiki/Mass_surveillance_in_Australia](https://en.wikipedia.org/wiki/Mass_surveillance_in_Australia)
...

~~~
BLKNSLVR
Published in 2014 so it's missing some of the up-to-date discussions and
issues, but it's still worth a read for the history of paranoia:

[https://www.goodreads.com/book/show/23890331-australia-under...](https://www.goodreads.com/book/show/23890331-australia-under-surveillance)

------
_Nat_
Tangential, but the article badly malfunctions in Chrome with JavaScript
disabled. It seems to redirect to
[https://www.gizmodo.com.au/?nojs=1](https://www.gizmodo.com.au/?nojs=1),
which then starts to reload the page over-and-over at about half-second
intervals on my machine.

Anyone know what's going on with the article?

~~~
tyingq
It is unusually bad. Loaded with javascript on, and after just scrolling and
reading, it's up to 633 http requests and 6+MB to show an article:
[https://imgur.com/a/u0UZswK](https://imgur.com/a/u0UZswK)

------
bigbluedots
Is this really what passes for journalism, a bunch of links to twitter posts?
Anyway, I believe that this law will result in technology providers ceasing to
offer their services in Australia. Of course if that happens, only businesses
that can be compelled to provide technical assistance etc will be left.

------
cyphar
An update to all those watching, it just passed the Senate and has been signed
into law (once it gains Royal Assent).

------
hiisukun
Here is my attempt at an apolitical summary for those seeking a quick rundown on
the situation. Apologies for brevity since I'm on mobile - there's a lot of
small things joining together to make this an interesting situation.

Aussie Parliament has two houses: the lower house of representatives, and the
upper house (of review). A bill has to pass both in the same form before it
can become an Act (law). This one has passed the lower house, and not yet the
upper.

The current government can't force through legislation without support from
independents since they don't have a clear majority in both houses, and there
are some types of lost votes in Parliament that if lost threaten the concept
that they're actually a 'government'. This situation involves something like
that, but it's a rare thing (1940s was the last time this kind of situation
resulted in a government resigning).

Today was the last day of Parliament sitting for this year, and the government
had promised to put through the encryption legislation by now, so it's in
place for Christmas. They have some reputation on the line, stating many times
it is a necessary law to have in place for the safety of the Australian people
over summer.

At the same time, there is some legislation in the Parliament that will change
how some Australian refugees on the island of Nauru are treated, potentially
allowing them into Australia. This is a very hot political topic with lots of
debate and nuance - so forgive me if I simply say the government wants the
refugees to stay on Nauru and the opposition wants them to be able to come into
Australia.

Both of these law changes were in the Parliament today, and both were expected
to go before a house for a vote this afternoon. There is argument over the
opposition deliberately aligning the two issues, but I'm not across it.
Importantly, it was almost certain that if the Nauru bill went to a vote, the
government would lose, and be in the unfortunate position above of perhaps not
being a legitimate government anymore.

The government therefore faced two choices: Allow the situation to contribute,
lose on immigration and stability, but win on security and reputation; or
prevent the Parliament continuing and win (for now) on Nauru, but lose on
security. They chose the latter.

Subsequently, both the government and the opposition have blamed the other for
putting politics before people, on one of the two issues respectively.
However, the encryption bill only passed the lower house because of the
support from the opposition (at the time), who may have been in a better
position to know the Nauru bill was going to line up in terms of timing.

Quite a busy and tense close to our country's Parliament for the year!

