
Australia's anti-encryption law will merely relocate the backdoors: Expert - axiomdata316
https://www.zdnet.com/article/australias-anti-encryption-law-will-merely-relocate-the-backdoors-expert/
======
femto
There is a government consultation process open _RIGHT NOW_ for this bill. You
have to get your submissions in by the end of today (6 hours time). Every
Australian here needs to make a submission (please).

The page for the inquiry is:

[https://www.homeaffairs.gov.au/about/consultations/assistanc...](https://www.homeaffairs.gov.au/about/consultations/assistance-
and-access-bill-2018)

The email address for submissions is:

AssistanceBill.Consultation@homeaffairs.gov.au

A submission only has to be a few lines, so just bang out a few words. Whilst
a well researched submission is the gold standard, even a rudimentary email
will send the message that people care about this issue and counter whoever is
whispering in politicians' ears. Anything is better than nothing.

Less time critically, you also need to write to or call your federal MP.

\--- Edit:

The committee might also be swayed by submissions from non-Australian experts?
Australia first, your country next.

~~~
Benjamin_Dobell
_> Australia first, your country next._

Absolutely, specifically if you're living in a country that is a member of the
Five Eyes.

They've actually been surprisingly transparent that this is a coordinated
effort. The Official Communiqué opens with:

 _> We, the Homeland Security, Public Safety, and Immigration Ministers of
Australia, Canada, New Zealand, the United Kingdom, and the United States met
on the Gold Coast, Australia, on August 28-29 2018, to discuss how we can
better collaborate to meet our common security challenges._

Full read: [https://www.homeaffairs.gov.au/about/national-
security/five-...](https://www.homeaffairs.gov.au/about/national-
security/five-country-ministerial-2018)

~~~
fit2rule
The 5 eyes nations are a true New World Order. This is terrifying, and we
should _not_ be allowing our sovereignty to be so easily usurped for the
purpose of building this new order.

~~~
myrryr
The others maybe, but new Zealand is no one's new world order :).

Aus + UK + US are the real drivers.

~~~
ta2354235235
Aus the primary driver? A 25m population country with an economy smaller than
California, and we're driving things.

Dutton is being fed from defense dollars, from the US.

~~~
fit2rule
6th largest 'defence' budget in the world.

 _SIXTH_...

~~~
Benjamin_Dobell
Reference please.

The Stockholm International Peace Research Institute ranks Australia as 13th,
at 2% of Australia's GDP[1][2].

Which is below the worldwide average of 2.2%, although given our geographic
remoteness and relative security, I absolutely agree that it's too much.

The International Institute for Strategic Studies places Australia at 12th.

[1]
[https://www.sipri.org/sites/default/files/1_Data%20for%20all...](https://www.sipri.org/sites/default/files/1_Data%20for%20all%20countries%20from%201988%E2%80%932017%20in%20constant%20%282016%29%20USD.pdf)
[2]
[https://en.wikipedia.org/wiki/List_of_countries_by_military_...](https://en.wikipedia.org/wiki/List_of_countries_by_military_expenditures)

------
justsee
The key example justifying the need for this bill is as follows:

> A high risk Registered Sex Offender (RSO) was placed on the register for
> raping a 16 year old female, served nine years imprisonment and is now
> monitored by Corrections via two ankle bracelets whilst out on parole.
> Victoria Police received intel that he was breaching his RSO and parole
> conditions by contacting a number of females typically between 13 and 17
> years of age. Enquiries showed that he was contacting these females and
> offering them drugs in return for sexual favours. The suspect was arrested
> and his mobile phone was seized but despite legislative requirements he
> refused to provide his passcode. Due to an inability to access his phone as
> well as the fact that he used encrypted communication methods such as
> Snapchat and Facebook Messenger, Victoria Police was unable to access
> evidence which would have enabled them to secure a successful prosecution
> and identify further victims and offences. These are high victim impact
> crimes that are being hindered by the inability of law enforcement to access
> encrypted communications.

The limited information reveals they identified some targets, which means they
would know (some of) his Facebook and Snapchat account names.

While the content of messages can be encrypted, the connection graph is not,
so why couldn't Victorian Police request details of accounts the suspect's
account had communicated with and request the parents of those users provide
endpoint access to the encrypted chat history?

~~~
TomK32
Why must we all open our communication just because of a few sick individuals
who are already imprissioned or under surveillance?

~~~
josefresco
You'd be surprised at what "a few sick individuals" can do to _civilized_
society.

~~~
fit2rule
Especially when they are in power and can operate in unfettered secrecy, away
from civil society - the only really truly effective governor of heinous human
activities such as those enacted by the current mob of Australian
politicos/oligarchs.

------
DoctorOetker
From a different article referenced by this article:

Turnbul says:

> "A back door is typically a flaw in a software program that perhaps the --
> you know, the developer of the software program is not aware of and that
> somebody who knows about it can exploit," he said. "And, you know, if there
> are flaws in software programs, obviously, that's why you get updates on
> your phone and your computer all the time."

>"So we're not talking about that. We're talking about lawful access."

And again, the warfare is linguistic dictionary wars all over again (like
"collection" etc...)

He just redefines "back door" to denote 0-day in order to be able to define
"lawful access" as the TrustZone root & automagical updates which is the
backdoor they demand access to.

------
dajonker
It's frightening how politicians with such little knowledge and understanding
of certain subjects have so much power to create legislation about those
subjects. But apparently that's how we have built our civilization, through
trial and error.

~~~
dogma1138
The problem is that we as a society already agreed that it’s acceptable.

We allowed the government to open mail, open locks and tap phones with a
warrant all of which were technically challenging.

Phone networks must be set up with specific dedicated access for law
enforcement heck I remember crawling through the SNMP MIBs on my Motorola
cable modem 15 years ago and discovering a whole class of them dedicated to
lawful interception.

Most networking equipment providers even have guides on how to set these up:
[https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/sec_usr_cf...](https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/sec_usr_cfg/configuration/xe-3s/sec-usr-cfg-xe-3s-book/sec-lawful-
intercept.pdf)

And this is why the encryption battle is a bit odd to me as much as I would
like encryption to be never tampered with we’ve already as a society agreed
that the government in some cases should have access so what makes WhatsApp so
different to a phone call?

If encryption isn’t a way to backdoor ourselves out of the existing legal
interception laws then as much as I hate to admit it we don’t have a leg to
stand on.

If it is then we should just publicly say that the government shouldn’t be
able to tap phones regardless of what technology they are using to
communicate.

~~~
mrsteveman1
> If it is then we should just publicly say that the government shouldn’t be
> able to tap phones regardless of what technology they are using to
> communicate.

They can tap phones, and should be able to tap phones, along with VoIP, video
calls, and mail. But while privacy isn't absolute, their ability to wiretap
communications with a court order has never been absolute either, merely
opportunistic.

These are opportunities they don't have available to them, and it needs to
stay that way.

They should not be permitted to set aside all other concerns just to keep that
wiretap and search ability in the cases where it comes up, because it simply
isn't that important compared to all of the problems they will cause in the
process.

People, including whistleblowers and political dissidents, even in the U.S.,
will be harassed, threatened, blackmailed, or even killed as a result of their
tampering, and the government itself will misuse those expanded access powers,
just like all the others they've publicly or secretly obtained.

~~~
dogma1138
>They can tap phones, and should be able to tap phones, along with VoIP, video
calls, and mail. But while privacy isn't absolute, their ability to wiretap
communications with a court order has never been absolute either, merely
opportunistic.

No it was never opportunistic, it was always by design and mandated by law as
telecommunication providers must provide LEI capabilities this affects how
they design and implement their networks and the equipment they use which is
why LEI capabilities appear even in CPE equipment such as your modem and the
FCC and other regulatory bodies enforce this as part of their certification
process.

The case here is that that now the telecommunication providers aren't actually
that useful for LEI or at least it's that WhatsApp/Facebook isn't classified
as one because if it was it would be required to provide LEI capabilities by
law.

>People, including whistleblowers and political dissidents, even in the U.S.,
will be harassed, threatened, blackmailed, or even killed as a result of their
tampering, and the government itself will misuse those expanded access powers,
just like all the others they've publicly or secretly obtained.

If we turn back the clock even only 5 years ago where essentially nothing was
encrypted in a manner that would invalidate LEI this wasn't an issue, nor does
it grant the government any new powers.

------
close04
I'm curious about the _principle_ of these laws. [Later Edit: not Australian
specific, something that can be applied anywhere]

If the only way to convict a suspect would be for them to self incriminate
during testimony should the 5th amendment be waived?

How many other rights should be cancelled because they prevent law enforcement
from having an easier job?

Banning guns to make doctors' jobs easier is out of the question but banning
privacy to make policemen's jobs easier isn't?

~~~
pcl
Bear in mind that this is an Australian law, so the 5th Amendment isn't
involved. I don't know much about Australian law, so I don't know if they have
an equivalent right within their legal system.

~~~
close04
No, I'm fully aware it's not the US, I simply used a principle that's popular
enough (from movies) that many people could relate. It's the principle that
matters. I edited the original comment a little to highlight this.

I'm sure that there must be something in the Australian constitution that
guarantees a right for the citizens. Should it be taken away just to make
someone job a little easier?

------
consp
> _" Furthermore, what is described remains a backdoor, albeit a keyed
> backdoor. There is no requirement for backdoors to be universally
> exploitable to be considered a backdoor, it merely needs to provide an
> alternative entry point into the target system or protocol."_

If someone just looking for holes in the law already sees this, what would the
supposed to be knowledgeable politician do/think they are doing.

Note: It's wrong because you are creating a universal access point in
encryption to violate the original intent of the encryption (which is end to
end most likely). This would mean you sell/show end to end encryption which
has a man in the middle no matter what you do. And if it is poorly
implemented, which is often the case with backdoors, it is probably
universally accessible. Even if they say it's not. As already stated by the
author.

------
michaelmrose
So basically since the vast majority of technology products are produced
outside of Australia while one can imagine them forcing them to only sell
hardware products with broken security just for australia however.

\- The population of australia is only 24 million less than 1/10th of the US
and this would require expensive engineering just to sell to this market.

\- Caving to Australia makes this look like an attractive option to other more
lucrative markets.

\- Some people would just import their own phones from overseas

\- Software products are unlikely to desire to compromise their
networks/products for Australia and its 1000x easier to import software than
hardware.

The best strategy would seem to be ignore Australia.

------
dbg31415
Privacy vs. security... it's a complicated. Nobody cares that the police can
tap a phone line... so by that logic, why can't they tap any other
communication medium?

But... what I do know is that the Australian government is not the one to
solve the problem. They're a small market, without a lot of technical
expertise... having lived in Sydney for some time now... I know you don't want
the Australian government involved in tech.

* Australian PM Calls for End-to-End Encryption Ban, Says the Laws of Mathematics Don't Apply Down Under | Electronic Frontier Foundation || [https://www.eff.org/deeplinks/2017/07/australian-pm-calls-en...](https://www.eff.org/deeplinks/2017/07/australian-pm-calls-end-end-encryption-ban-says-laws-mathematics-dont-apply-down)

* 1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool. - The Washington Post || [https://www.washingtonpost.com/technology/2018/08/22/western...](https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/?noredirect=on&utm_term=.35df184ee840)

* NBN regional connections to cost about $7000 per premise || [https://www.news.com.au/technology/online/nbn/nbn-regional-c...](https://www.news.com.au/technology/online/nbn/nbn-regional-connections-to-cost-about-7000-per-premise/news-story/a067409cc4c04fc946ceef54c8d89f54)

------
BLKNSLVR
If Australia was really concerned about encrypted communication as a threat to
national security then they would outlaw end-to-end encrypted messaging.
Terrorists and child abusers and wife beaters walking free because law
enforcement can't read the private messages of "these people" due to this
thing called encryption.

They should specify that any form of private communication cannot be encrypted
end-to-end where the decryption keys are only accessible to the communication
participants. Internet browsing, online shopping and banking transactions are
allowed, as is communication which is encrypted by a service provider, and as
such can be decrypted by said service provider upon request from law
enforcement.

Anyone caught using end-to-end encrypted communications can AND WILL be fined.

The effect of this would be the same as what they're currently proposing, but
they're currently hiding it behind words that most of the population don't
comprehend, and therefore doesn't make the kind of mainstream headlines that
it should.

By taking this weasel-worded approach the Australian Government is being
intentionally ambiguous about their intentions and the effect of this
legislation.

------
sir-alien
The problem is that with physical telecoms providers, you can mandate these
LEI implementations. If the provider doesn't comply you ban the sale of the
device. Yes, you can get a few black market devices to get around this but you
can't head into your local shop to obtain it.

With the current scale of open source software, you can mandate a law for
backdoors but countries that do not have such laws would be able to remove
these backdoors from the open source software if they are ever put in. Simply
banning OSS won't help either since many countries that have banned encryption
still see widespread use of encryption software as the internet has no
borders. Firewalls don't count because that is equivalent to trying to stop a
million tunnel diggers from digging over the border all at the same time with
a million more diggers ready to go. Ask China with their great firewall full
of holes.

Backdooring or banning major providers like WhatsApp, etc will only push more
and more people to an open solution that is globally distributed.

The only solution to gaining encryption access is the simple option. The
option that if you are an interesting enough person, will get to play catch
with a wrench while your hands are tied.

------
gravelc
Can anyone comment on how this is likely to affect multinational entities like
Apple? Given the Australian market is so small, would it not more sense to
leave the jurisdiction entirely rather than compromise security? Same goes for
App makers like Signal. Why bother with Australia? (I'm Australian, and really
don't want to see this happen FWIW, but it seems the rational decision)

~~~
lrvick
Closed tools like Signal, Snapchat, Slack, Whatsapp, iMessage, Messenger,
Hangouts etc will all make the promises about privacy you want to hear, but at
the end of the day they are closed source and updates or commands can be sent
to your handset to send plaintext to their servers at any time.

The question is under what criteria this will happen. Insider abuse?
Government order? To make money?

Trying to make it illegal for companies to do this sort of thing on a country
by country basis is worth pursuing, but it is not a real solution. We need to
stop trying to use the law to enforce security.

The solution is to use tools that take court ordered backdoors off the table.
Support open and federated communications networks where anyone can build
their own clients or servers where pressuring of any entity can't put
community built clients at risk.

There are a range of clients/protocols that meet this criteria such IRC with
OTR, XMPP, IRCv3, Silence, Matrix.org.

Take your pick, and convince your contacts to use that instead of companies
where you have to just take their word for it they won't backdoor you as it
suits them.

~~~
cyphar
Signal is free software[1] -- GPLv3 in fact. Don't get me wrong, it has its
own issues with Moxie having very strange views of the threat model (and being
anti-federation and anti-distribution), but it is definitely not proprietary.
I also concur with the Matrix.org recommendation.

[1]: [https://github.com/signalapp/Signal-
Android](https://github.com/signalapp/Signal-Android)

~~~
lrvick
Signal likes to throw around that they are free software but really that is
more marketing than fact.

The signal -client- is open source, but the server is closed. Yes partial
server code is open, but running your own server is not allowed. The signal
signed clients will only talk to the closed server and Moxie has made it clear
he does not want forked clients or clients not built by his team connecting to
his network. Open source f-droid builds are not permitted, and if you want
updates you must use the play store builds. Those with open source phones must
turn on unverified sources and risk man in the disk attacks to install the apk
from the signal website.

Security you can't fully verify, is just called marketing.

~~~
cyphar
> The signal -client- is open source, but the server is closed. Yes partial
> server code is open, but running your own server is not allowed.

This is not true at all, the server is _entirely AGPLv3_ [1]. You can run your
own server, but they don't _want_ to federate and don't _want_ people to
distribute forks of their code (that connect to their servers). What they want
is irrelevant because the license they've put the code under explicitly allows
you to do these things -- though arguably they are allowed to restrict
connections to their servers because that's a freedom under AGPLv3.

So while I agree (and I _explicitly_ said I agreed in an earlier comment) with
the problems with Signal -- you are not helping explain why Signal has issues
by spreading misinformation about it being proprietary. It isn't proprietary
nor is it unverifiable, instead it is run by a company that has no interest in
federation or solving much more important issues with their service. That is a
serious enough problem that you don't need to make up issues that will just
discredit legitimate complaints.

[1]: [https://github.com/signalapp/Signal-
Server](https://github.com/signalapp/Signal-Server)

~~~
lrvick
It does look like they have moved away from closed server components like
RedPhone and claim all sources are published now. I appreciate that
correction.

The source code for -a- signal server is a nice gesture for anyone that wants
to build a signal fork but it does nothing to prove the signal server actually
in use is fully open source and does not have last minute patches applied.
Can't run my own for the real network so I must hope an employee won't be
pressured into changing live systems or signing malicious client binaries at
any time with no one noticing. Seems we both agree this is a real problem.

Verifiable security and centralized trust are incompatible.

I do still generally consider any code that can't be verified to be closed but
I agree accuracy is important.

~~~
cyphar
Again, the server code is AGPLv3 so it would copyright infringement (of the
contributors to the code) on the part of WhisperSystems if they were to patch
the server code and not provide the sources to users. There isn't a technical
way to stop this problem (federation wouldn't solve it either -- it would
allow you to switch to a host that you trust more but that's a different
problem), you just sort of have to trust that WhisperSystems isn't breaking
the law.

To reiterate -- I agree with you on the general point that federation and
having a decentralised system is important for many reasons. But you're moving
the goal-posts so that now, even if the server code is AGPLv3 (which requires
giving source code access to network users) you still can't be sure that code
is running in production, and thus it's still effectively proprietary. That's
not a reasonable argument.

As an aside, WhisperSystems has remote attestation of parts of the server code
using Intel SGX, which means that it actually has some degree of
verifiability[1].

[1]: [https://signal.org/blog/private-contact-
discovery/](https://signal.org/blog/private-contact-discovery/)

~~~
lrvick
These goal posts are related.

Given the context of the five eyes backdoor discussions it is not unreasonable
to expect that a government could pressure WhisperSystems to manipulate a
client update or patch a server, GPL laws be damned. A single employee could
also be bribed or blackmailed. Intel could also be compelled to falsely attest
an SGX enclave.

When it comes to protecting privacy against highly motivated and sophisticated
adversaries then centralized trust is just not an option to be taken
seriously. It creates a Lavabit sized target.

A company that is as serious about privacy as their marketing indicates would,
like TOR, encourage as many servers to run as possible to ensure there is no
central pressure point to abuse.

Cards on the table: I find Moxies insistence on a walled garden while using
Open Source and Privacy to market it simply unethical.

I do again appreciate the updates on the current status of their public source
code though. I will strive for better accuracy in the future on this.

------
boobahdoobah
Hello, I'm writing to oppose the 2018 Assistance & Access Bill. Although I
recognize the difficulties encryption poses to law enforcement & counter-
terrorism, it is not a strong enough reason to compromise the safety, security
& privacy of 24 million Australian citizens. Every Australian has a right to
reliable, mathematically guaranteed privacy & security, not
compromised/undermined by oppressive legislature. Neither domestic nor
international companies should be required to assist anyone in breaking
privacy protections, nor should warrants allow access to protected devices,
and nor should existing legislature be strengthened. Would these changes help
law enforcement catch a few criminals? Probably. Will it weaken the safety,
security & privacy of millions of respectable, law-abiding Australians?
Definitely. Cheers, Louise

------
sbhn
If it is a success in Australia, it will be rolled out across the rest of the
commonwealth

~~~
ObsoleteNerd
People are missing the entire point. This was never just about Australia doing
it. It's a proposal by Australia AS PART OF THE 5 EYES to bring this in.
They're absolutely planning for this to roll out to all the 5 Eyes countries.

If we really want to quash this, we need to start making that clear to
everyone in the UK, US, CA, NZ, and AU, that this effects ALL of us.

They're just using Australia to launch it for this exact reason, 95% of the
population of the 5 Eyes will think they're not effected, not fight it, and
it'll pass. Then good luck stopping their momentum.

~~~
cyphar
It's my understanding that once Australia passes it there's no need for the
other 5 Eyes countries to pass it, since they have agreements to be able to
send data they've collected to other 5 Eyes countries. Which means that they
could just send all of the data to Australia and have the encryption broken
(as-a-Service you might say).

Unfortunately I was out of the country when this whole shitshow went down. I
sent an email, but I'm going to go see my Federal MP in person tomorrow.

~~~
fit2rule
It works in other ways too - for example, the ADF can do things that the
American military can't. Thus, the Americans come calling to their Australia
partners in crime when they want some nefarious deed done on the
battlefield... and Australians just roll over and let it happen - as long as
there are avocado's to smash, Australians just don't care what their
government is up to.

~~~
cyphar
And even shit that the ADF is not allowed to do, they do anyway because
there's almost no chance anyone will find out about it (especially with the
new 10-year mandatory minimum punishments for leaking government information)
and even if they did find out about it they can always hold an inquiry that
provides weak recommendations that nobody ends up following. The whole fucking
thing is a farce.

~~~
fit2rule
It is such a travesty of democratic principles I have personally decided to
not have anything to do with the place, and abandoned the continent.

"I probably won't go back, at least not before I switch citizenships in
protest."- __

Oops, I just broke the Australian sedition law. Not allowed to talk about
_that_ , either.

 __-note:quotes

------
paulie_a
"it could affect 'every website that is accessible from Australia'"

It won't matter to any of my websites, I will ignore their law. Just like I
ignore GDPR. I don't do anything egregious, but those laws simply are/would
not be relevant to me.

~~~
king_phil
Your view includes only a fraction of the real world.

From a european ISP standpoint: the introduction of a systemic weakness is a
violation of Art. 32 GDPR. We just can't do it.

Classic double-bind. GDPR is more important than Australia to us, so we just
block all access from and to austrialia. We have 195.000 affected webhosting
customers (domain, email, website, servers), btw.

~~~
jstanley
> so we just block all access from and to austrialia

Please don't do this. The internet does not respect borders, and there's
absolutely nothing positive that can come from changing that.

By blocking Australia you're just screwing over ordinary Australian people who
probably don't agree with what their politicians have decided.

~~~
Grangar
Maybe that's necessary to push some resistance among the common Australian.

~~~
jstanley
It's not OK to make ordinary people's lives difficult just to further your own
political interests, regardless of how noble those interests might be.

------
justatdotin
this is just icing on the cake. we need to urgently dismantle Heimat and
Interior

------
dhx
China passed a similar law last year[1] forcing citizens and companies to
provide assistance with state intelligence matters.

Are these laws just a public acknowledgement and formalisation of what has
been going on since early civilisation?

In the cold war it was bugged typewriters[2] and sabotaged chips and
industrial components. Ten years ago it was counterfeit chips from China
causing early failures in US military equipment[3] and US backdooring of
cryptography standards[4]. More recently, Chinese companies have been factory
backdooring hundreds of millions mobile phones[5] and Western countries have
been vacuuming up the Internet[6]. How many integrated circuits purchased from
factories abroad today can be trusted when hardware backdoors have been shown
to be almost undetectable even to the best resourced labs?[7][8]

Instead of manufacturers around the world being coerced into backdooring
technology[9][10] without regulation, at least there may now be some
formality. These laws don't change how much trust can be placed in foreign
technology (answer: not much at all). It shouldn't be a shock that Australia
has banned Chinese equipment from the likes of Huawei and ZTE from broadband
and 5G mobile network rollouts[11]. And it shouldn't be a surprise to
Australian companies if China bans the import of Australian technology.

[1] [https://www.lawfareblog.com/beijings-new-national-
intelligen...](https://www.lawfareblog.com/beijings-new-national-intelligence-
law-defense-offense)

[2]
[http://www.cryptomuseum.com/covert/bugs/selectric/](http://www.cryptomuseum.com/covert/bugs/selectric/)

[3]
[https://web.archive.org/web/20081011075757/http://www.busine...](https://web.archive.org/web/20081011075757/http://www.businessweek.com/magazine/content/08_41/b4103034193886.htm?chan=magazine+channel_top+stories)

[4] [https://bits.blogs.nytimes.com/2013/09/10/government-
announc...](https://bits.blogs.nytimes.com/2013/09/10/government-announces-
steps-to-restore-confidence-on-encryption-standards/)

[5]
[http://www.kryptowire.com/adups_security_analysis.html](http://www.kryptowire.com/adups_security_analysis.html)

[6]
[https://en.wikipedia.org/wiki/Global_surveillance_disclosure...](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_\(2013%E2%80%93present\))

[7]
[http://www.emsec.rub.de/media/crypto/veroeffentlichungen/201...](http://www.emsec.rub.de/media/crypto/veroeffentlichungen/2014/07/03/BeckerChes13.pdf)

[8]
[https://web.eecs.umich.edu/~taustin/papers/OAKLAND16-a2attac...](https://web.eecs.umich.edu/~taustin/papers/OAKLAND16-a2attack.pdf)

[9] [https://www.usatoday.com/story/opinion/2013/08/27/nsa-
snowde...](https://www.usatoday.com/story/opinion/2013/08/27/nsa-snowden-
russia-obama-column/2702461/)

[10]
[https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_d...](https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute)

[11] [http://www.abc.net.au/news/2018-08-23/huawei-banned-from-
pro...](http://www.abc.net.au/news/2018-08-23/huawei-banned-from-
providing-5g-mobile-technology-australia/10155438)

~~~
dhx
Also on the front page of HN, France declaring a desire for additional
technology independence from the US:

[https://news.ycombinator.com/item?id=17950155](https://news.ycombinator.com/item?id=17950155)

------
Jedi72
I have spent the last ~2 hours reading the 100 page explanatory document [1],
these are some of my thoughts.

The bill pretty explicitely talks about ASIO. I don't think these laws will be
used for much less than espionage, or possibly deep corruption cases. For
example, right now ASIO dont have the power to remove a computer to inspect
it. That actually surprised me (what would not surprise me is that they
routinely do this anyway). In many cases I dont see why physical access is
required though, I am sure ASIO are capable of hacking most routers/IoT
devices, possibly even laptops, just using known methods (are drug-lords
really that up to date on L1TF?). The biggest issue I have is that the
granting of warrants always comes down to whether some judge or minister
thinks its all good. Although, in one of the sub-sections they say the
Attorney-General can delegate their powers to a senior ASIO officer, so this
is a C-suite level person inside ASIO likely to have these powers (note that
they explicitely point out that this person can not further delegate that
power, so these decision makers are direct reports to the Attorney General
presumably).

On the topic of getting people to give up passwords and/or keys, it says that
agencies have "the ability to compel persons" to hand them over... whatever
that means. Does "compel" mean, breaking fingers compel? I am pretty sure this
is with a warrant.

There are provisioms for situations where evidence may be lost, or other dire
circunstances, where they can request things orally and immediately, but they
do have reporting requirements around such circumstances.

Probably the most alarming thing is the technical notices. With these, they
can basically ask first, but if required - demand - tech companies to add in
back-doors. They try to deny it but thats what they are. It is pretty explicit
that they cant compel companies to introduce 'systemic weaknesses', so its not
about making product wide easter eggs that give you root permissions. I think
they mean more like "put a clause in your code that when Dr Evil logs into
WhatsApp, and only Dr Evil, it forwards all comms to us." Thats pretty strong
power, and not really a systemic weakness is WhatsApp, but most definitely
fits the definition of a back door to me. They say companies will be
compensated on a 'no loss, no profit' basis. One kind of nice limitation on
this is that it will definitely be expensive for ASIO to do this. Companies
are in some ways incentivized to restrict their acts to single customers,
because if ASIO want to monitor 10 people, well that requires 10x the budget
doesnt it.

This was my first time trying to read law. If you read law as code, then law
is TERRIBLY written. This amendment is the worlds most ancient pull-request
system, putting this into VC would make it much clearer for all involved.
There is no concept of a dependency tree, instead other acts are referenced at
will and with no version lock to say whether that definition is still current.
I suspect there are a lot of regression fails when they write new legislation,
unless someone is pouring over all other acts looking for things which
reference the act we want to change.

TL:DR; I'm gonna let this go through to the keeper. Writing law is complex.
Ultimately it always comes down to, can we trust our government and public
institutions, as well as our companies, to do the right thing? How much must
we bind ourselves as a society, to ensure that they cannot abuse us? Its
tough. I tend to think that the 99% of the people writing these laws, and the
officers enforcing them, aren't monsters or evil people - they are my fellow
Australians.

[1]
[https://www.homeaffairs.gov.au/consultations/Documents/expla...](https://www.homeaffairs.gov.au/consultations/Documents/explanatory-
document.pdf)

~~~
throwaway59229
I have been reading through the proposed law (see my posts elsewhere in this
thread) and I have to say that I disagree with your assessment that the law
implies or requires targetting of specific individuals or groups rather than
dragnet-style operations. Unfortunately, there doesn't seem to be anything in
the bill to limit the scope of a TCN/TAN so that the government agencies can't
use a single request to cover a wide range of unrelated cases/investigations.
As it is written, it seems that a TCN/TAN could require that a company builds
and signs arbitrary code that is handed to them by a government agency. [1]
This code would be the backdoor (or Remote Access Tool or whatever they choose
to they call it) and likely would be distributed as a software update
(possibly also by the company although there might be some legal wrangling
about whether the government might be required to host the backdoored software
themselves).

What this all means is that a single TCN could theoretically be issued to
cover a specific case (say a reasonable investigation into some potential
terrorist activity) but the signed backdoor/remote access tool that comes out
of it could be used arbitrarily by the agencies involved with little to no
oversight.

I know that this is a difficult area for law-enforcement to operate in and I
understand that part of the problem that they have at the moment is that they
sometimes have no certainty about whether they can get access to specific
pieces of electronic evidence (even with a warrant) but the intelligence
community (including here in Australia) has a lot of bridges to build if they
want to actually have this discussion in a rational manner.

There are probably some reading this who think that I am being hysterical or
paranoid about ASIO/ASIS/ASD and that they are rational and ethical actors,
but I suspect that anyone who thinks that is likely under informed about their
historical activities.

There is currently some international investigation into evidence of recent
(in the last 15 years) potential wrongdoing [2] that the current Attorney
General (who would be the individual responsible for approving these TCN/TANs)
is attempting to frustrate. [3] These moves by the current federal AG are so
extraordinary that a former NSW DPP (Director of Public Prosecution) and a
former Victorian Appeals Court judge have stated that "[...] unlawful activity
was undertaken on our behalf to improve the government’s negotiating position"
and that "there is a genuine question about whether the general interests of
Australians would be served by the prosecution of either person." (the
whistle-blower or their lawyer). [4]

Given the evidence of poor behavior by these agencies and their apparent
disregard for due process, it seems extraordinary to think that these
extensive new powers could not be abused as they are currently proposed.

[1] See section 317E of the law which states that providers are required to
"facilitate or assist access to software that is capable of being installed on
a computer, or other equipment, that is, or is likely to be, connected to a
telecommunications network" and, crucially, paragraph (f) which states that
providers must "assist with the testing, modification, development or
maintenance of a technology or capability"

[2] In Australia bugging East Timor during negotiations over a $40-56 billion
oil deal. See [http://www.abc.net.au/news/2014-03-04/icj-orders-
australia-t...](http://www.abc.net.au/news/2014-03-04/icj-orders-australia-to-
keep-east-timor-files-sealed/5296444)

[3] [https://theconversation.com/the-shaky-case-for-
prosecuting-w...](https://theconversation.com/the-shaky-case-for-prosecuting-
witness-k-and-his-lawyer-in-the-timor-leste-spying-scandal-100446)

[4] [https://www.smh.com.au/politics/federal/top-lawyers-jump-
to-...](https://www.smh.com.au/politics/federal/top-lawyers-jump-to-the-
defence-of-former-australian-spy-witness-k-20180629-p4zojl.html)

------
Nicksil
Non-AMP link:

[https://www.zdnet.com/article/australias-anti-encryption-
law...](https://www.zdnet.com/article/australias-anti-encryption-law-will-
merely-relocate-the-backdoors-expert/)

~~~
dang
Thanks. Changed to that from [https://www-zdnet-
com.cdn.ampproject.org/v/s/www.zdnet.com/g...](https://www-zdnet-
com.cdn.ampproject.org/v/s/www.zdnet.com/google-amp/article/australias-anti-
encryption-law-will-merely-relocate-the-backdoors-
expert/?amp_js_v=0.1#amp_tf=From%20%251%24s).

