
Australia Wants to Take Government Surveillance to the Next Level - adventured
https://www.nytimes.com/2018/09/04/opinion/australia-encryptian-surveillance-bill.html
======
freedomben
The headline is a little misleading. It's much more terrifying than that. It
isn't _just_ Australia. It is the US, Australia, Canada, UK, and New Zealand
all together (known as the "Five Eyes")[1]. Australia is just the country that
put the memo together.

> _The "Five Eyes", often abbreviated as "FVEY", refer to an intelligence
> alliance comprising Australia, Canada, New Zealand, the United Kingdom and
> the United States._ [1]

[1]
[https://en.wikipedia.org/wiki/UKUSA_Agreement](https://en.wikipedia.org/wiki/UKUSA_Agreement)

~~~
yesenadam
Gee, I hadn't heard of that. The Australian prime minister Gough Whitlam only
learnt of it when the Attorney-General raided ASIO, Australia's version of the
FBI, in 1973. Wikipedia says UKUSA is pronounced _yoo-koo-SAH_. Rather
appropriate - _yakuza_ are "members of transnational organized crime
syndicates"...

~~~
sdrothrock
> Rather appropriate - yukuza are "members of transnational organized crime
> syndicates"

That would be "yakuza." (YAH-koo-zah)

~~~
yesenadam
Of course, thank you! Corrected.

------
davidklemke
The article mentions that Australia has no bill of rights which, whilst
technically true, doesn't mean we don't have equivalent protections. Some are
enshrined in our constitution whilst others are parts of common law and other
legislation.

The conclusion they draw from that is right however; a lot of laws can be
introduced to our parliament that might not get off the ground elsewhere. It's
why we've fervently fought against many other, similar laws that would impinge
on our rights and freedoms in the past. I spent a good part of my youth
fighting against the Clean Feed legislation (it was a great big Internet
filter for Australia, a terrible idea) which was thankfully defeated before it
got off the ground.

We'll have to do the same for this.

~~~
skissane
> The article mentions that Australia has no bill of rights which, whilst
> technically true, doesn't mean we don't have equivalent protections. Some
> are enshrined in our constitution

The protections provided by the Australian constitution (as interpreted by the
High Court) are quite weak in comparison to those included in the US Bill of
Rights, it isn't really a fair comparison.

> whilst others are parts of common law and other legislation.

Anything in common law or legislation isn't worth much, since a single
ordinary Act of Parliament is all it takes to cancel them out.

~~~
basicplus2
True, but once you introduce a bill of rights all your common law protections
go out the window.. including stuff you didn't know you had

~~~
geggam
The US bill of rights doesn't define the rights. The bill of rights calls out
special rights that the govt shall not touch.

The rights are granted to us by our creator aka natural law. The same law used
to declare our independence from the crown and an inherent part of the fabric
of the US.

Not sure if this is clearly stated yet.

~~~
toomanybeersies
The Constitution and Declaration of Independence are legal documents setting
out the foundations of a government and a nation-state, not some divine text
from a higher power. The founding fathers were not a group of infallible
prophets.

~~~
zaroth
That’s not what geggam is saying. The underlying philosophy of the Bill of
Rights as stated by the founders/framers is that the rights are “natural”
rights which all are imbued at birth, and that the rights listed are not
exhaustive but merely representative. In fact, the founders were wary of a
Bill of Rights specifically because by enumerating some of them the list might
be seen as complete.

But the notion is that governments do not “grant” these rights, and likewise
government can never infringe upon god given rights.

~~~
mindcrime
_In fact, the founders were wary of a Bill of Rights specifically because by
enumerating some of them the list might be seen as complete._

Right, which is why we have the 9th and 10th amendments. Unfortunately they
are effectively ignored, along with the Enumerated Powers clause, meaning our
government effectively has unlimited power. :-(

------
saagarjha
> The government has been quick to claim that this is not a back door, and the
> bill prohibits requests to companies to create “systemic” weaknesses.

Claiming that you're not backdooring something doesn't stop it from being a
backdoor.

------
mrmondo
Digital Rights Watch has more information and a submission system to help
people write their feedback to the government:
[https://digitalrightswatch.org.au/2018/08/19/defend-encrypti...](https://digitalrightswatch.org.au/2018/08/19/defend-encryption/)

~~~
femto
What the parent doesn't explicitly mention is that there is a government
inquiry open _RIGHT NOW_. You have to get your submissions in by 10th of
September (5 days time). Every Australian here needs to make a submission
(please).

The parent's link allows you to post a boilerplate submission with a single
click. Far better to write and email your own submission, as form letters tend
to get aggregated into one during evaluation. Your own submission only has to
be a few lines, even if it just paraphrases a form submission. Uniqueness
counts over bulk submissions.

The page for the inquiry is:

[https://www.homeaffairs.gov.au/about/consultations/assistanc...](https://www.homeaffairs.gov.au/about/consultations/assistance-and-access-bill-2018)

The email address for submissions is:

AssistanceBill.Consultation@homeaffairs.gov.au

Less time critically, you also need to write to or call your federal MP, but
I'd suggest that a personal submission to the inquiry is the most "bang for
buck".

~~~
almccann
After some calling around it seems this Bill has originated from Minister for
Home Affairs Peter Dutton MP. His office number is 02 6277 7860.

------
valtism
I feel like the linked article on ABC has a much more detailed and balanced
description of the bill [1].

The Government says that "systemic" weaknesses cannot be demanded. That said,
the third part of the demands that can be made, the "technical capability
notice", seems ripe for abuse.

At the very least, the acceptance of a bill like this will erode trust in app
stores. I would expect to see some sort of checksum verification by users
becoming commonplace as people become wary of potential targeted attacks.

[1] [http://www.abc.net.au/news/science/2018-08-20/tech-surveilla...](http://www.abc.net.au/news/science/2018-08-20/tech-surveillance-laws-labelled-aggressive-by-critics/10128166)

~~~
dane-pgp
By "some sort of checksum verification by users", I guess you mean some sort
of informal alternative / addition to this:

[https://wiki.mozilla.org/Security/Binary_Transparency](https://wiki.mozilla.org/Security/Binary_Transparency)

------
throw2016
It's interesting to think back when Saudi Arabia and the UAE tried to force
Blackberry to fall in line there was global outrage including here about the
'backwardness' of these countries and values of democracy and freedom.

Now just a decade later this 'backward' behavior is now 'normalized'.

This is evidence things are moving too fast for us to fully comprehend or
contemplate how far down the slippery slope we may be at the current time and
how 'values' and definitions change in just a decade.

------
gumby
I don't know why the Five Eyes countries issued a joint statement the other
day (tellingly, via the Aussie government's web site). Modus Operandi for each
Five Eyes country since forever is to ship their secrets to another partner so
they could claim not to be spying on their own people. All they need is for
AUS to have the backdoor and then all data could be channeled that way.

I appreciate that the author mentioned the gross incompetence of our
intelligence operation which I presume doesn't get much mention outside the
country.

PS: nice original Mac illustration for that article!

------
aussiethrow1234
40 years ago my parents emigrated from an authoritarian South-East Asian
country with a dubious human rights record to come to Australia where their
kids could enjoy freedom and opportunity away from all that.

Today, I see this announcement in the news and I am wondering which country I
can emigrate to with my own kids because I am disgusted with the increasing
authoritarian bent of our government, as well as our plummeting human rights
record...

------
BLKNSLVR
This method won't work for most 'after the event' scenarios, such as the San
Bernardino case, because the subjects are often deceased, and so unlikely to be
updating the software on their phones or computers, so it can only possibly
apply "upon suspicion", i.e. pre-crime...

This opens up questions as to how someone becomes 'suspicious' if their
communication is already encrypted. And if they're already a person of
interest, how many myriad other ways do they have of surveilling them or
checking out their activities? Terrorist attacks require non-electronic items
that have to be purchased, stored, and constructed in non-electronic places.
There are existing ways to surveil people, under warrant. GPS trackers, phone
records, bank statements, listening devices, watching devices, IMSI catchers,
metadata (which Australia has legislated must be kept by ISPs for a couple of
years).

This new legislation feels like a LOT of effort for a very small percentage
return over and above those things I've already listed, especially
considering:

- How long would it take to develop and deploy a targeted version of a
program?

- What's the likelihood of the target updating their program during the
useful window of time?

- Is this timeframe going to be of use to law enforcement?

- If the timeframe is justified, what's the time limit? Is 'suspect' going to
have their comms intercepted for the foreseeable future? At what point is the
well deemed to be dry?

- At what point does warranted surveillance become government harassment?

What this looks like from the outside is more psychology than technology:

- Hey Terrorists, we can do these things so, you know, re-think your life's
direction

- Chilling effects: encourage paranoia, discourage dissent, even discourage
disagreement

~~~
ThrustVectoring
> How long would it take to develop and deploy a targeted version of a
> program?

Not particularly relevant - they can require a targeted version of the program
be developed before someone comes under suspicion.

> What's the likelihood of the target updating their program during the useful
> window of time?

Doesn't matter - they can require a force-push update system be built to
silently update a specific customer's app version. The law is broadly enough
worded that they can order whatever software is in their way to become broken
upon receipt of a court order.

> Is this timeframe going to be of use to law enforcement?

Yes, because the law will allow them to force commercial companies to build
automated, scaled systems.

> If the timeframe is justified, what's the time limit? Is 'suspect' going to
> have their comms intercepted for the foreseeable future? At what point is the
> well deemed to be dry?

We'll never know, because it's designed to be used in secret.

------
tananaev
It seems like they are just making it more explicit that companies must
cooperate with the police. Isn't it already the case anyway if there is an
appropriate court order?

At least they are not suggesting to compromise or limit encryption in any way.

What I fail to understand is how all this would help fighting crime. Criminals
and terrorists can easily use end-to-end encryption for the communication.
There is plenty of software for that and it's really easy to do nowadays.

~~~
Kostchei
Unfortunately it gives them the legal capability to require your startup/IT
company/multinational to _put development time in_ at their request to enable
your software to give them the access they want.

For example-

get chats in real time

log IP addresses and pass them to gov

open containers stored on your infrastructure

get into the phone or device you have sold to a client previously

These are not interpretations of the legislation- these are the use cases they
wrote it to solve.

As ex LEO I get it but the burden on organisations is going to be bad for
business, not to mention the insecure solutions that are going to get drummed
up/coded on the fly to comply with these requests- security nightmare.

There is some reasonable paranoia that this might be a Trojan to enable access
in the US. Can't pass legislation in the US? Easy, get your vassal state (AU)
to pass it, then ask them to investigate your target and then force people to
comply with your vassal state's request.

"yeh I know you can't do that in Texas but you can in Western Australia and
we, the US, has a treaty with Australia so you're just going to hand over that
data. We'll deliver it to the Aussies for you"

I may be paranoid, but I'm not the only one seeing this angle on it.

Big conspiracies- count me out. Gov is lazy and disorganised. Little
conspiracies between gov-buddies? Absolutely.

~~~
peteretep
... sounds like asking a phone company to tap a phone, which is pretty well
established?

~~~
rstuart4133
> sounds like asking a phone company to tap a phone, which is pretty well
> established?

That is exactly what they are asking for. In fact, the legislation enabling
them to gather the data and under what conditions (the authorisation required,
like a court order) isn't being changed. This new piece of legislation just
extends who they can force to collect it for them. It used to be the telcos,
which was originally just phone taps but then extended to internet data. They
are now extending that to software companies. (Also cloud providers like
SpiderOak and "secure email" companies.)

In a few words this extension allows them to order a software company to (with
suitable compensation of course):

1. Develop / assist in developing an undetectable tap / bug for them, and

2. Surreptitiously install it for them via an over the air update.

This extends their reach from phone calls to any device that auto-installed
software updates / patches. Whether you consider the ability to install a
"phone tap" into your phone, tv, car, router, wifi camera, pc, robot vacuum,
modem, that can read all the data on there, enable the microphone and camera,
monitor the GPS and other sensors, read keystrokes, fingerprints and other
authentication data to be roughly as intrusive as someone monitoring your
phone calls is I guess a matter of taste.

------
acutesoftware
I came across this video that shows the potential issues with this bill
[https://youtu.be/eW-OMR-iWOE](https://youtu.be/eW-OMR-iWOE)

What is concerning is I am building an information management system that
focuses on privacy and this sort of bill makes a mockery of the entire
concept.

------
GreyZephyr
Is anyone actively organising against this bill? I feel that ever since the
Iraq war protests failed, every time something like this happens, people
complain a little bit, but don't actually manage to change anything. I was
wondering if there are any groups out there that are actively protesting this
that I could join, or if not, if anyone is interested in forming one? It
seems to be an issue that will affect the majority of the readers of HN in a
negative way, regardless of your usual political affiliation.

~~~
King-Aaron
People seem to just express their anger at news Facebook pages these days, but
are far too apathetic to actually go outside and do something about it.

There also seems to be a growing "anti-complaining" feeling around people's
interactions, where it at least appears that a large number of people find it
amusing to actively attack those who are highlighting a problem.

~~~
GW150914
Ask someone who was an environmentalist for a couple of decades if shooting
the messenger is a new or growing phenomenon. It definitely isn’t, and is
always at its peak when the issue makes people feel powerless, and they know that it
would take personal sacrifice to make a difference. Few people like being told
that rough seas are ahead, and the only way to make it through is with
extensive teamwork, compromise, and putting aside petty personal issues.

Of course it’s often enhanced by organizations which benefit from the status
quo. For a long time being in favor of EV’s fell into the “tree hugger”
category of ridicule and censure, and only when it became possible to adopt
the tech without significant personal sacrifice did that change. The idea of
organizing people and exercising mass political power is obviously hard,
potentially risky, and involves more than making a 5 minute video or paragraph
of posting. If people have already chosen not to do that, they tend to resent
the people loudly reminding them that there is another way they simply chose
to ignore.

------
mirimir
This is mostly about "terrorism", right?

And for Australia, about immigration from flooding areas in Southeast Asia,
right? Which arguably has follow-on roles in "terrorism". [I use scare quotes
because the definition of "terrorism" is so politicized.]

------
jacques_chester
There are many things to admire about Australia and many reasons that I am
grateful that I grew up in Australia.

But the ongoing ritual humiliation of Australian technologists over the past
several decades is really tiresome.

~~~
BLKNSLVR
It's also a confusing situation given the cyclical nature of headlines and
government concern with Australia's brain drain (all the smart ones leave for
better opportunities overseas), and the recent-ish pronouncements of
Innovation! through having a specific Department and Minister for Innovation
(which has now been decommissioned by the new Prime Minister).

... and the NBN debacle is another nail in Australia's "ability to compete on
the world stage" coffin.

... and any lead Australia had in regards to renewable energy projects,
investment, and research has been very effectively and efficiently squandered.

------
ehnto
I found the Assistance Bill to be relatively palatable although still
disagreeable and I have emailed in to the forum saying I think it should not
pass.

I was just surprised that it had so much awareness of the concerns around what
it was doing.

The most worrying part for me was the enabling of remotely serving a warrant.
In other words, if they had a warrant for your device they could hack your
device instead of physically recovering it. This would mean their
cybersecurity team will be broadening its capabilities and weaponry in that
area.

That is worrying. Much in the same way I don't want police cruising town in
armoured vehicles with a small arsenal, I am not too hot on investigators
being able to sic the hounds on an unsuspecting network. Collateral is a real
issue in the digital world too. What if my org network goes down because a
warrant was being served remotely on an employee and their exploits were not
precise enough?

------
mrschwabe
The message is to entrepreneurs: don't build companies - build protocols.

------
nereus
Do they think that if this law is introduced that criminals will be using
Facebook and Australian hosted communications providers to communicate with
one another?

------
worik
I cannot read that article in Firefox. Ironic

~~~
css
Works for me with Noscript, Ublock Origin, Privacy Badger, and HTTPS
Everywhere.

------
siruncledrew
It’s interesting these are all common law Anglosphere countries which declared
independence from Great Britain. The UK still has a lot of soft power.

~~~
geowwy
Since WWII the UK is definitely the junior power.

------
NoPicklez
For those that would like more reading here is the explanatory bill:
[https://bit.ly/2NR4tTh](https://bit.ly/2NR4tTh)

Three important things to note: technical assistance requests, technical
assistance notice and technical capability notice.

~~~
steve_taylor
They keep insisting they're not asking for backdoors. Here's what the
explanatory bill says:

_The type of assistance that may be requested or required under the above
powers include (amongst other things):_

* _Removing a form of electronic protection applied by the provider, if the provider has an existing capability to remove this protection._

* _Providing technical information like the design specifications of a device or the characteristics of a service._

* _Installing, maintaining, testing or using software or equipment given to a provider by an agency._

* _Formatting information obtained under a warrant._

* _Facilitating access to devices or services._

* _Helping agencies test or develop their own systems and capabilities._

* _Notifying agencies of major changes to their systems, productions or services that are relevant to the effective execution of a warrant or authorisation._

* _Modifying or substituting a target service._

* _Concealing the fact that agencies have undertaken a covert operation_

~~~
adrian_mrd
I wonder if the bureaucrat(s) or technocrat(s) who originally wrote or
co-wrote this bill, has a technology background or is a white label lawyer from
one of the big legal firms who often write legislation for the Australian
Parliament on an expensive consulting basis? Or just an in-house lawyer from
the A-G's office - whose expertise is purely legal rather than technological?

Many of these clauses are so vague ("Providing technical information like the
design specifications...") that they show either a fundamental lack of
practical technology knowledge, or, are deliberately vague so that the arms of
the Orwellian Australian federal government octopus can create the intended
backdoor without explicitly calling it a backdoor. Maybe both are true?

Was it William Shakespeare who once proffered: is a backdoor by another,
obfuscated name, still a backdoor?

