
Did Australia Poke a Hole in Your Phone’s Security? - boyter
https://www.nytimes.com/2019/01/22/technology/australia-cellphone-encryption-security.html
======
et2o
I doubt that Apple will build a significant backdoor. Most likely they will
figure out some symbolic way to accommodate this law, exploiting the vague
wording.

The nuclear option is probably to just stop selling their products in
Australia. The population of Australia is only 25 million people. It would be
a huge hit but not insurmountable, and then the Australian politicians would
face significant backlash and probably walk back the law.

~~~
cronix
> The nuclear option is probably to just stop selling their products in
> Australia.

Someone needs to. With EU laws, Australian laws, US laws, and more and more
every day, the internet is rapidly becoming a tool of the least common
denominator. In other words, whatever country has the toughest laws will
govern the planetary internet system as all others will have to follow by
extension. Apple, for example, can't make an iPhone for every country to
comply with that country's individual laws that differ from every other
country, which also change on a regular basis.

Of course though, there will always be hackers skating on top relatively free.
We're becoming a two-tiered internet. The relatively few who know how to get
around the restrictions, and everybody else.

All Apple has to do is float the possibility they may not sell their products
in Australia anymore, and point out why. The rest would take care of itself.

~~~
discordance
Apple is required by law in Japan to make iPhones make a sound when taking a
photo, and they complied.

These new voyeur laws in Australia are obviously much more severe, but there
is precedent for a company to customise phones by jurisdiction.

~~~
et2o
Camera shutter sounds aren’t a moral issue Apple has staked a position on.

~~~
discordance
Wouldn't it be nice, as a courtesy from Apple, if your phone emitted a sound
every time the government attempted to access private data off your phone?

------
chillfox
This sort of thing happens because the tech industry doesn't bother with
lobbying or really any political fighting other than the occasional angry
letter.

Meanwhile, the mining industry successfully countered a law they didn't like a
few years ago by spending a few million on tv advertising demonising the
government. The gambling industry got rid of a law by suing the government.
The banking industry managed to convince the regulator to not use their powers
through a combination of making it extremely costly and basically infiltrating
them.

Only the tech industry is like children when it comes to lobbying and
politics.

Ideally, every industry would be like the tech industry and not manipulate the
government. But if they want to get rid of this particular law then there are
plenty of examples to learn from.

~~~
dwd
You mean by offering some future payback whether a cushy overpaid consulting
or lobbying job or an industry recognition award like Barnaby Joyce got from
Gina?

I think withholding future products or services and running ad campaigns to say
they won't be offering them in Australia due to the law would be the way to do
it. If we could collectively get our act together, boycotting Federal
Government for IT services would get the message across - chance of that
happening is probably <1%.

~~~
chillfox
All of it.

Basically what I am saying is that if the tech industry doesn't want the risk
of future laws ruining their fun then they will have to engage in lobbying
just like everyone else.

Sitting back and relying on the politicians to not do anything stupid is, well
stupid... Stupid is the default.

In this particular case an advertising campaign is probably the only thing
that is going to work, but with an election in the not too distant future, it
should be pretty efficient in scaring the politicians into getting rid of the
law.

~~~
dwd
I'm coming around to the opinion that anything the Government does
(particularly if they think it's a clever policy) triggers the Law of
Unintended Consequences.

Except for some situations where they correct or curtail market excesses, most
programs seem to end up causing more damage than they try to solve and worse
outcomes long term.

One of the few exceptions was Rudd simply handing out cash to the general
population in the middle of the GFC to keep the economy turning over.
Generally most incentives don't have the desired effect.

------
devy
Some of the previous discussions regarding this law:

[https://news.ycombinator.com/item?id=17756020](https://news.ycombinator.com/item?id=17756020)

[https://news.ycombinator.com/item?id=17949653](https://news.ycombinator.com/item?id=17949653)

[https://news.ycombinator.com/item?id=18631493](https://news.ycombinator.com/item?id=18631493)

[https://news.ycombinator.com/item?id=18661483](https://news.ycombinator.com/item?id=18661483)

[https://news.ycombinator.com/item?id=18636076](https://news.ycombinator.com/item?id=18636076)

------
_bxg1
"The law says the Australian authorities cannot ask a company to build
universal decryption capabilities or introduce systemwide weaknesses."

I've seen this proposed as an enormous loophole, since every backdoor is a
"systemwide weakness", and the lawmakers just don't understand that fact.

~~~
tzs
What counts as a "systemwide weakness"? For example, if it allows the
Australian government to decrypt things, but does not make it any easier for
anyone else to decrypt things unless they do so by going through the
Australian government (either with Australia's cooperation, or by hacking
them, or by the Australian government leaking private keys), would that be a
systemwide weakness?

~~~
_bxg1
You either store the keys centrally, or use a weaker encryption strategy.
Those are the only ways to decrypt something. Either one makes it easier for
anybody to hack.

The classic metaphor is that of a castle wall. If you put a gate in it, no
matter how well you fortify that gate, it remains a weak point compared to
the rest of the wall.

~~~
tzs
> You either store the keys centrally, or use a weaker encryption strategy.
> Those are the only ways to decrypt something. Either one makes it easier for
> anybody to hack.

That was right before 1973. The development of public key cryptography in 1973
adds another option. Take the symmetrical key the device uses to encrypt user
data and encrypt a copy of that key using a public key of the entity that the
back door is for.

The authorized back door user can decrypt that copy using their private key.
If the public key system parameters are chosen correctly anyone else trying to
get in who does not have a copy of that private key faces a problem at least
as hard as brute forcing the underlying device encryption.

~~~
_bxg1
They still hold a copy of their own private key somewhere, you're just punting
the issue a little bit. Plus, there would have to be a single key for all
users, or you'd have to give every user's key to the institution as well. That
means more travel over the wire, that means central storage of skeleton keys,
etc. Each of these factors introduces another vector of possible attack. If
there's a gate, there's a way to get in, and no matter how many keys are
required or where they're kept, they'll always be more vulnerable than a wall
with no gate.

------
mtgx
> _“We never thought it would pass,” said Alan Jones, chief executive of M8
> Ventures, a tech investment firm in Sydney. “We all just figured that
> Australia’s political leaders would consider the expert advice that told
> them this was nuts.”_

This is a counter-argument to all the comments I see on HN about "waiting and
see if the proposal goes anywhere".

It's usually too late to stop it if you do that and allow most if not all of
the negotiation between parties to take place by the time you wake up and
react.

~~~
stephen_g
This time there actually was a big ground-swell of opposition. In the
consultation period there were hundreds of submissions, all of them negative
(except one from some random church in Tasmania). These were a mix of letters
from technical groups, business groups, law groups, human rights groups, civil
society groups, and individuals (both developers/specialists and regular
concerned citizens).

When the bill was being considered by the Parliamentary Joint Committee for
Intelligence and Security, some of these groups were called up. I read the
Hansard (transcript) of the hearing - the testimony was impeccable. Clear,
concise, and absolutely demolished the bill. Unfortunately, to give you the
level some of the senators were working at, a lot of the questions came back
to "but don't you think we need to stop terrorists?" when going through how
it's technically impossible to do what the law enforcement wants without
creating systemic weaknesses/vulnerabilities, and you can't just define that
away like the bill tried to...

Coming up to it being passed, there was a huge amount of calls, emails and
letters to the members of parliament and senators. Several mentioned the
unusual volume in Parliament, and also many in the opposition mentioned
multiple times how many problems there were with the bill. They illogically
passed it in mid-December to "keep Australia safe over Christmas" (despite the
fact that nothing in the bill could be put into effect for _months_ and
Australian law enforcement and intelligence services already have far more
over-reaching powers to do all sorts of stuff that would be illegal in the US
and Europe).

Opposition to the bill was way better organised, and way bigger than anything
previous for the tech industry. We are getting better at the politics, but
given the irrational actions of the opposition in voting for it (who had the
numbers in the Senate to block the bill) I can only conclude that there must
have been some dirty dealing going on either between the parties, or between
the intelligence services and the parliamentarians.

~~~
vogelke
Could you provide a link to that transcript?

~~~
stephen_g
Here is the PDF transcript:

[https://parlinfo.aph.gov.au/parlInfo/download/committees/com...](https://parlinfo.aph.gov.au/parlInfo/download/committees/commjnt/b9247c77-dfa4-44bb-8aa3-ce6bc01d20ca/toc_pdf/Parliamentary%20Joint%20Committee%20on%20Intelligence%20and%20Security_2018_11_30_6818_Official.pdf;fileType=application/pdf)

The testimony from the experts was great, and the questions and responses from
our senators were embarrassing. Just search 'terror' for some of them like the
ones I paraphrased.

~~~
sullyj3
The transcript mentions a couple of times interference in the process by Peter
Dutton and Scott Morrison, the PM, does anyone know what this is referring to?

------
brian-armstrong
What's the defense to this? For starters I think you'd want to close your
Australian offices and lay off any Australian-born personnel, but what else?

~~~
adamc
I think the defense is to absolutely not do business in Australia, and to mark
your products as not for sale there.

~~~
owenversteeg
Which, I'd like to point out, isn't a big loss: it's population 24 million,
about the size of Taiwan. If you're making a physical product, shipping and
taxes will make it criminally expensive to sell there, and if you're making a
digital product, there's this and the considerations of slow internet and a
different time zone.

I think it's actually quite reasonable and doable for companies to boycott
Australia over this, and I hope we see some. It'd be free press for the
company and cost relatively little - I'd imagine the press would pay for any
missed Australian sales. And it'd put some pressure on the Australian
government for this idiocy.

~~~
ianhowson
Australians are quite accustomed to bypassing geoblocks and import
restrictions, in any case.

But that's not really the problem here -- it's more that Australian products
and employees may be tainted by unknown government interference.

------
andrewstuart
I want Amazon, Apple, Microsoft and Facebook to make clear statements as to
whether or not their systems have been compromised by Australia's security
laws.

Is my phone now compromised?

Is the Amazon AWS Sydney data centre now backdoored?

Without clarity, it appears the big tech companies plan to comply with the
legislation, which means they might be backdoored.

~~~
jacques_chester
> _I want Amazon, Apple, Microsoft and Facebook to make clear statements as to
> whether or not their systems have been compromised by Australia's security
> laws._

The A&A bill specifically prohibits this. You can't answer yes or no to the
question of whether you have been served a notice. Warrant canaries are not
effective -- they're not even _allowed_, on my reading.

------
voycey
"Australia does not have a strong tech industry..."

I'm sorry - what?

Having moved to Australia from the UK I am continually amazed at the tech
industry here, sure in comparison to the US ours is small but that is because
there is a vast difference between our populations. America only sees size as
a measure of strength.

------
shitloadofbooks
Literally no one understands this bill. The best resource I've found so far is
this:
[https://github.com/alfiedotwtf/AABillFAQ](https://github.com/alfiedotwtf/AABillFAQ)

~~~
stephen_g
A big criticism of the bill by people like the Law Council (apart from it
being irresponsibly rushed through with way too little oversight) was that it
was intentionally vague and broad in a lot of its definitions. So you have a
lot of people saying it's incredibly bad, and a lot of others saying, "no,
it's not quite that bad - only really, really bad" but nobody really knows
until you get a notice. It's all up to how the law enforcement and
intelligence services interpret it, and there's insufficient judicial
oversight and almost no recourse if they are telling you to do something that
you think goes beyond what the law allows, and you have to keep it secret, so
it will be hard to tell how far they take it or if it's being abused.

------
dbg31415
* Honest Government Ad | Anti Encryption Law - YouTube || [https://www.youtube.com/watch?v=eW-OMR-iWOE](https://www.youtube.com/watch?v=eW-OMR-iWOE)

This law is a bad law.

------
r32a_
Australia always tries these types of laws. They tried a Great Wall of
China-like firewall a few years ago and it didn't go anywhere. I suspect this
will be the same.

~~~
brandonjm
Do you mean the "ISP-only" DNS restrictions of 2016? That was just a lame
attempt to appease the film and media companies. Unfortunately for Aus Gov,
DNS registries are not solely operated by Australia.

~~~
wfriesen
What's particularly strange to me is that devices such as Google WiFi come
preconfigured to point at Google's DNS, so a layman in Australia will be
bypassing these blocks without deliberately doing so.

~~~
brandonjm
It did have some interesting effects though. I know of several of my old
school acquaintances who were very technologically challenged that managed to
navigate their network settings far enough to change DNS.

------
tracker1
How are the data pipes to EU? HTTPS + no device caching

Complying would violate EU law where the data is stored or compromise the
entire system and all devices.

------
renholder
They haven't considered the negative repercussions, like any oppressive
government asking for the same tool and using it to quell any dissidence. Fuck
those people, amiright!? /s

------
a-dub
could be interesting if the process involved publishing a txn to the bitcoin
blockchain. that is, every unlock were made publicly and immutably visible
thus putting the government in the hot seat to later justify all uses of the
facility.

~~~
baroffoos
That does literally nothing because the government can just say "Push an
update to this device to not do that" which is what the whole law is about.

~~~
a-dub
the idea is that if there's a _late_ auditable solution, then today's methods
of doing it on the down low become distasteful.

they're gonna do it regardless, but the politicians may agree to forcing them
down a process that is publicly auditable in the long run...

basically if late auditability makes it possible for them to do their jobs,
then the basis for today's sketchy down low approach is ameliorated.

~~~
dane-pgp
Right, this is basically Binary Transparency, with the same sort of social
mechanisms in place as Certificate Transparency has for dealing with
misbehaving CAs.

The idea of storing release hashes (or public keys) in a distributed,
permissionless, append-only log actually makes a lot of sense, and there are
several serious proposals for how to do this, such as EthIKS:

[http://www.jbonneau.com/doc/B16b-BITCOIN-ethiks.pdf](http://www.jbonneau.com/doc/B16b-BITCOIN-ethiks.pdf)

and Contour:

[https://arxiv.org/pdf/1712.08427.pdf](https://arxiv.org/pdf/1712.08427.pdf)
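
The release-hash log discussed in this subthread, sketched as an added example (not part of any commenter's post and not code from EthIKS or Contour): a Merkle tree over release hashes using RFC 6962-style leaf and node prefixes, plus the check an update client could run before installing an image. The build names, `PUBLISHED_ROOT`, `device_accepts` and the side-tagged proof format are assumptions made for illustration.

```python
import hashlib

def leaf_hash(entry):
    # Distinct prefixes for leaves and interior nodes, as in RFC 6962.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n):
    # Largest power of two strictly smaller than n (n >= 2).
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def root(entries):
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(root(entries[:k]), root(entries[k:]))

def inclusion_proof(entries, index):
    # Sibling hashes from the leaf up to the root, each tagged with its side.
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if index < k:
        return inclusion_proof(entries[:k], index) + [("R", root(entries[k:]))]
    return inclusion_proof(entries[k:], index - k) + [("L", root(entries[:k]))]

def verify_inclusion(entry, proof, expected_root):
    h = leaf_hash(entry)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == expected_root

# Constructed sample data: three logged releases and one build never logged.
PUBLIC_BUILDS = [b"os-1.0 public image", b"os-1.1 public image", b"os-1.2 public image"]
UNLOGGED_BUILD = b"os-1.2 image prepared for a single device"
LOG = [hashlib.sha256(b).digest() for b in PUBLIC_BUILDS]
PUBLISHED_ROOT = root(LOG)  # assumed to be signed and cross-checked by monitors

def device_accepts(image, proof):
    # Update-client policy (hypothetical): install only images whose hash is logged.
    return verify_inclusion(hashlib.sha256(image).digest(), proof, PUBLISHED_ROOT)

def root_after_logging(image):
    # Logging a build changes the public root, so monitors see the new entry.
    return root(LOG + [hashlib.sha256(image).digest()])
```

A build that is not in the log fails the client check, and a build that is added to the log changes the root that every monitor compares.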

------
murph-almighty
> Prime Minister Malcolm Turnbull of Australia said in July, “The laws of
> mathematics are very commendable, but the only law that applies in Australia
> is the law of Australia.”

Does math not apply in Australia? Is this where "new math" comes from?

~~~
i_am_proteus
Finally, somewhere I can go without being bound by the law of gravity.

~~~
endymi0n
Better respect gravity. It's the law.

~~~
quicklime
We will decide whether things should fall in this country, and the direction
in which they fall!

