
Notices have already been issued under Australia’s new encryption laws - DyslexicAtheist
https://www.innovationaus.com/2019/02/AA-bill-notices-already-issued
======
samcday
If the idea was for Australia to lead by example on all the ways to NOT
regulate an increasingly digital world, we're doing a bloody good job.

I worked for Atlassian in Sydney. I know there's a pretty decent tech culture
that is thriving in Sydney + Melbourne (and elsewhere, I'm sure). I really
hope more of my colleagues find a passion for politics and get to a position
where they can steer our clearly incompetent government in governance issues
pertaining to technology.

In the meantime, does anyone have a clear idea of how this Act will even work?
Let's talk in specific terms for something like Signal. I'm assuming Signal has
no legal footprint in Australia. How/can Australia compel Signal to allow
Australian enforcement agencies to snoop on conversations?

If they can't, won't one of the worst outcomes of this legislation be that any
kind of technology company that needs to deal with encryption (which these
days should be basically 100% of them) be forced to move overseas? How could a
single Australian-based tech company have even the slightest scrap of
credibility for data security when a law like this exists?

Final note - is anyone from Fastmail around here? I'm a Fastmail customer and
this has me extremely concerned.

~~~
kevin_b_er
Signal: The employee is required to intentionally alter the app to no longer
provide security, such that some communication may be intercepted. They are
not permitted to publicly disclose that they have done this.

Unfortunately, this goes deeper. The law may be capable of compelling Google
or Apple of Australia to force deploy to your phone a malicious version of the
Signal app with the "technical assistance notice".

~~~
Arnt
Will your phone accept an app upgrade which has been signed by Google or Apple
instead of by Signal?

If not, is the law capable of compelling your telephone vendor to ship you an
upgrade that weakens its upgrade testing enough that Apple/Google can ship you
such an upgrade?

~~~
netheril96
Apple controls the root CA on iOS devices. I guess that Google controls the
root CA on Android too. Therefore it is within their technical ability to
issue a certificate that bears the name of Signal and is trusted by almost all
devices. They wouldn’t need to ship any OS upgrades to forge the signature of
Signal, as they are already the ultimate authority of who is Signal. I won’t
speculate on whether they or their Australian employees will actually do so in
the future.

~~~
cesarb
AFAIK, that's not how Android works. Each apk is signed by a standalone
certificate (which does not have to be signed by any CA), and the operating
system will only allow an upgrade if the same certificate is used. Which means
a developer must carefully guard the certificate's private key; if it's lost,
the application can no longer be updated, but it must instead be released as a
new application with a separate name. And since AFAIK this mechanism is part
of the operating system (not the constantly-updated Google Play store), to
bypass it would require a full OS update.

(This has other consequences: if a developer releases the same apk to several
stores, but it's signed by different certificates on each store, a user who
installed the apk from one store will not be able to upgrade it using the
other store.)

~~~
GordonS
I don't know, but I presume Google cross-signs APKs that are approved through
the Play Store?

~~~
Arnt
No.

Easily checked, run jarsigner -verify -verbose -certs some.apk on an APK of
your choice. I ran it on 31 just now, no cross-signing visible anywhere.
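
The same-certificate upgrade rule cesarb describes, and the cross-signing question Arnt checked, as an added example that is not part of the thread: it compares the signer sets of an installed APK and an offered update. It assumes the line format printed by `apksigner verify --print-certs` (Android SDK build-tools, a different tool from the `jarsigner` command above); the DNs, digests and the `sample` helper are constructed for illustration.

```python
import re

# Line formats printed by `apksigner verify --print-certs`.
DN_RE = re.compile(r"^Signer #(\d+) certificate DN: (.+)$", re.M)
SHA_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

def signers(output):
    """Return {sha256_digest: DN} for every signer listed in the output."""
    names = {idx: dn.strip() for idx, dn in DN_RE.findall(output)}
    return {digest.lower(): names.get(idx, "unknown")
            for idx, digest in SHA_RE.findall(output)}

def compare_signers(installed_output, update_output):
    """Classify an offered update against the installed APK's signer set."""
    old, new = signers(installed_output), signers(update_output)
    if not old or not new:
        return "no-signer-found", []
    added = sorted(dn for digest, dn in new.items() if digest not in old)
    if set(new) == set(old):
        return "same-signer", []        # upgrade allowed under the rule above
    if set(old) <= set(new):
        return "extra-signer", added    # what cross-signing would look like
    return "different-signer", added    # refused as an upgrade of this package

def sample(*certs):
    """Build constructed apksigner-style output from (DN, digest) pairs."""
    lines = []
    for n, (dn, digest) in enumerate(certs, 1):
        lines += [f"Signer #{n} certificate DN: {dn}",
                  f"Signer #{n} certificate SHA-256 digest: {digest}",
                  f"Signer #{n} certificate SHA-1 digest: {digest[:40]}"]
    return "\n".join(lines) + "\n"

# Constructed certificates: placeholder DNs and digests, not real apps.
DEV = ("CN=Example Messenger Dev", "ab" * 32)
STORE = ("CN=Example Store", "cd" * 32)

INSTALLED = sample(DEV)
CASES = {
    "developer update": sample(DEV),
    "developer plus store": sample(DEV, STORE),
    "store only": sample(STORE),
}

if __name__ == "__main__":
    for label, out in CASES.items():
        print(label, compare_signers(INSTALLED, out))
```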

------
rrggrr
Here's a brief of companies that could/might be impacted. I don't agree that
server location is sufficient enough protection. Correct me if wrong, but
can't the authorities compel the Aussie company's directors to hand over
foreign server credentials?

Xero

Atlassian

Canva

Fastmail

99 Designs

~~~
kevin_b_er
Good angle.

But we're not just talking about headquartered companies.

Cloudflare has datacenters in Brisbane, Melbourne, Perth, and Sydney and an
office in Sydney. Could they be compelled to hand over your website's
certificate that they have because they're the front end load balancing proxy
for your website?? That way the police can man in the middle your website.
Cloudflare would be gagged from telling you they gave away your private TLS
certificate you entrusted them with.

~~~
xucheng
By this logic, there is no need to compel Cloudflare to hand over the private
TLS key. They can just compel any CA based in Australia to sign a fake cert.
Or directly compel OS vendors (Google, Apple, Microsoft, etc.) to make a
government cert a root CA.

~~~
kevin_b_er
A fraudulently issued cert compelled by government might be detected by CA
reporting. This was already done to watch for direct government controlled CAs
issuing bad certs.

Stealing your own existing cert is less likely to be detected.
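
The detection gap described in this exchange, as an added example that is not part of the thread: a Certificate Transparency monitor run over constructed log entries flags a certificate issued outside the owner's inventory, while a copied private key causes no new issuance and therefore no alert. The domain, issuer names, fingerprints and the `LogEntry` layout are assumptions made for illustration, not a real log client.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LogEntry:
    """One logged certificate as a monitor might report it (assumed layout)."""
    dns_names: tuple
    issuer: str
    spki_sha256: str   # fingerprint of the certificate's public key
    logged_at: str

# What the site owner knows they requested: (issuer, key fingerprint) pairs.
INVENTORY = {
    ("Example CA One", "aa11"),   # key held on the origin server
    ("Example CA One", "bb22"),   # key uploaded to the front-end proxy
}

def covers(name, domain):
    """True if a certificate DNS name touches `domain` or a subdomain.
    A wildcard is treated as touching its parent domain for monitoring."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)

def unexpected_certs(entries, domain, inventory):
    """Return log entries for `domain` that the owner never requested."""
    alerts = []
    for entry in entries:
        if not any(covers(n, domain) for n in entry.dns_names):
            continue
        if (entry.issuer, entry.spki_sha256) not in inventory:
            alerts.append(entry)
    return alerts

# Constructed log contents.
LOG = [
    LogEntry(("shop.example",), "Example CA One", "aa11", "2019-01-03"),
    LogEntry(("*.shop.example",), "Example CA One", "bb22", "2019-01-05"),
    LogEntry(("unrelated.test",), "Example CA Two", "dd44", "2019-01-20"),
    # Case 1: a CA is made to issue a new certificate for the domain.
    LogEntry(("shop.example",), "Example CA Two", "cc33", "2019-02-01"),
]
# Case 2: the proxy's existing key (bb22) is copied instead. Nothing is
# issued, so the log stays as it was before case 1.
LOG_AFTER_KEY_COPY = LOG[:3]

if __name__ == "__main__":
    for e in unexpected_certs(LOG, "shop.example", INVENTORY):
        print("ALERT", e.logged_at, e.issuer, e.spki_sha256)
    print("after key copy:", unexpected_certs(LOG_AFTER_KEY_COPY, "shop.example", INVENTORY))
```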

------
victorNicollet
The hotel room analogy is almost correct.

Hotel rooms usually provide a small safe for which guests can pick the
combination. There is also a secret backdoor combination or master key that
lets hotel staff open the safe.

This creates an obvious security hole: if the backdoor combination is easy to
guess, or a copy of the master key falls into the hands of unscrupulous
employees or ex-employees, then the contents of the safe can be stolen. As a
guest, there is nothing you can do to reduce this risk.

Now, imagine that a hotel found a solution where locked safes are destroyed
and replaced at almost no cost to them, and could give up on the backdoor.
Burglaries involving the backdoor would vanish, and although this slightly
increases the risk of losing your belongings by forgetting your combination
(since the hotel can no longer open the safes of forgetful guests), it's a net
improvement in security.

Ten years later, the hotel community has reached a consensus that
safes-without-backdoors are the Right Thing to Do. The state then mandates that all
hotels should be able to give access to the contents of those safes to the
police. But they're not saying that hotels have to use a backdoor combination
or master key, so they're not really asking anyone to reduce the security of
their safes...

------
mark-r
“The legislation in no way compromises the security of any Australians’
digital communications.”

Reminds me of the time someone tried to legislate pi=3. There's absolutely no
way to give police a back door into encryption without giving criminals the
same back door.

~~~
Gaelan
> There's absolutely no way to give police a back door into encryption without
> giving criminals the same back door.

This feels disingenuous to me. It would be fairly trivial, for example, to
store a copy of all keys, encrypted with the government’s public key. Of
course, there’s a million ways to go wrong, but that’s different from
“mathematically impossible.”

~~~
sprucely
But the million ways to go wrong IS the problem. I may be appealing to
authority here, but is it disingenuous when an overwhelming majority of
encryption and security experts agree?

[https://www.washingtonpost.com/news/powerpost/paloma/the-cyb...](https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/06/11/the-cybersecurity-202-we-surveyed-100-experts-a-majority-rejected-the-fbi-s-push-for-encryption-back-doors/5b1d39eb1b326b6391af094a/?utm_term=.cebc72f7c3b1)

[https://www.schneier.com/blog/archives/2018/05/ray_ozzies_en...](https://www.schneier.com/blog/archives/2018/05/ray_ozzies_encr.html)

[https://www.justsecurity.org/53316/criminalize-security-crim...](https://www.justsecurity.org/53316/criminalize-security-criminals-secure/)

~~~
tzs
Note that he was replying to a comment that was saying that a back door that
is not wide open to criminals is comparable to thinking pi = 3.

As is pointed out in the Schneier article, the problems with a key escrow
scheme are on the law enforcement side of things. They could lose access to
their keys, especially if a lot of different agencies have keys.

Those are difficulties that can in theory be overcome, although it may not be
practical to do so. That's a far cry from a pi = 3 issue.

~~~
mattnewton
The original argument was “The legislation in no way compromises the security
of any Australians’ digital communications.”

This is approaching a pi = 3 level falsehood because of the “in no way
compromises” clause. There are many schemes that are outright illegal (in my
not a lawyer interpretation of this law), and it nakedly makes the other
schemes harder with state actors as additional points of failure.

------
ChrisLok1
We are already in the process of ending our Atlassian contracts, currently moving all
our data out.

~~~
generated
This is short sighted.

1\. The law applies to all tech companies who have users in Australia,
regardless of where the company is incorporated.

2\. Atlassian offers primarily self hosted products, to which this law does
not apply.

~~~
pmiller2
How can Australia exert legal authority over a company that has no legal
presence in the country and one Australian user?

~~~
LiquidFlux
I'm not informed on the subject, but narrow-mindedly, GDPR and serving EU
customers?

~~~
nybble41
Yeah, that has exactly the same problem with respect to jurisdiction.

The only difference is that it's easier to write off Australia than the entire
EU.

------
hamilyon2
So, is it time to distrust every ssl cert issued by an Australian cert provider?
Is there a list?

~~~
kevin_b_er
You would also need to distrust any ssl cert a multinational company's
Australians can access, as the law can compel and gag them to steal your ssl
cert. All Australian residents and citizens, including potentially abroad, are
now legislated to be untrustworthy when it comes to holding any cryptographic
secrets or access to systems of your customers.

~~~
jacques_chester
> _including potentially abroad_

On my reading of the A&A bill there were no extra-territoriality clauses, so I
think it only applies within Australia.

However, I am not a lawyer and this is not legal advice.

~~~
shakna
It also appears to apply to Australian citizens living abroad, potentially
making dual-citizens into covert actors.

~~~
jacques_chester
Do you know which clause gives it extra-territoriality? I didn't see one in my
pass over it.

~~~
shakna
The devil is in the details. 317c, defining "communications provider".

> 5\. the person provides a service that facilitates, or is ancillary or
> incidental to, the provision of an electronic service that has one or more
> end‑users in Australia

> 6\. the person develops, supplies or updates software used, for use, or
> likely to be used, in connection with:

> (a) a listed carriage service; or

> (b) an electronic service that has one or more end‑users in Australia

> 8\. the person manufactures or supplies components for use, or likely to be
> used, in the manufacture of a facility for use, or likely to be used, in
> Australia

There's several more.

A communications provider, under the given definitions is not bound to be on
Australian soil, but rather interacting with Australia as a nation.

Applying this law to those of different nationality is difficult, and unlikely
to succeed, however those of dual-citizenship can be held accountable.

This opinion I have, that the law does apply to those internationally, is one
I have seen supported by several law firms I have occasional contact with.

Probably aided by:

> 317F. This Part extends to every external Territory.

> 317ZC.4 Part 4 of the Regulatory Powers (Standard Provisions) Act 2014, as
> it applies in relation to section 317ZB of this Act, extends to:

> (a) every external Territory; and

> (b) acts, omissions, matters and things outside Australia.

> 317ZD (Enforceable Undertakings).

> Part 6 of the Regulatory Powers (Standard Provisions) Act 2014, as it
> applies in relation to section 317ZB of this Act, extends to:

> (a) every external Territory; and

> (b) acts, omissions, matters and things outside Australia.

There's a few more - but as the Act is stating it is enforceable to both
external Territories and acts, omissions, matters and things outside
Australia, I do think the most likely reading is that 'acts' can be enforced
upon Australians living outside the borders.

~~~
jacques_chester
"External Territories" here means Christmas Island, the Australian Antarctic
Territory etc etc. When I say "extra-territoriality" I mean the application of
law outside of Australia's borders.

The "acts, omissions, matters and things" appears to give
extra-territoriality to subject matter but not to legal personalities (ie companies
and people).

The "communications provider" part is very broad, and while in Australia I am
_definitely_ covered by it. But the courts will not generally interpret
legislation as having extra-territorial effect unless it explicitly says so.
Otherwise every Act would need stuff like "ps. the _Fisheries Amendments
(Rex Hunt Is A Wanker) Act_ is non-territorial".

My question is not about whether a legal personality (ie, a company) is
affected if they have a physical-legal presence in Australia, because of
course they are affected. My question is whether someone like me, who is
outside Australia's boundaries, can be served a notice while I am out of the
country. On my reading it's still a "no".

But I am still not a lawyer.

------
carbocation
I feel like I must be misreading, because my first-pass interpretation is that
companies would terminate all of their Australian citizen employees, and add
terms to the remaining contracts saying that employees must notify them if
they become an Australian citizen.

~~~
brokenmachine
As an Australian, I dearly hope all international companies actually do this.

We are a testing ground for this insanity, the time to fight it is now.

Australian citizens did not ask for this. All the "consultation" letters were
ignored in favour of creating a police state.

------
test6554
Australian tech companies need to release a program called UltraDecrypt that
simply brute-force decrypts any message on their platforms given billions of
years and sell it for $10M per license.

Then when law enforcement claims they are not being cooperative, they can say
they have a tool that meets their needs if they're patient.

~~~
Klathmon
You'd probably be charged with something and punished.

Courts don't take too kindly to people trying to be cute with their demands.
It's not like they are going to say "well they are technically right" and give
up, they are going to just up the consequences or clarify the request until
you comply in the way that everyone knows they want you to.

~~~
coldacid
This. The biggest weakness to encryption systems isn't the math, it's the guy
in the uniform who has tied you to a chair and keeps strapping your feet with
a rubber hose.

~~~
kjsbfkjbf
Thus once again revealing -- to those who believed otherwise -- that the
police do not exist to "protect" the citizens.

------
gorb314
I am not a cryptologist, not a lawyer, and only a marginally capable software
engineer.

But I think we've had the option to send personally encrypted end-to-end
messages for a while now. (Open)PGP anyone?

So instead of using Signal, or Whatsapp, or whatever and depending on their
client-side-encryption (and possible server-side-decryption) of private
messages, how about plain email using standalone user-encryption.

Two things may come of this: Google will stop "interpreting" my email
messages, and laws like these stop mattering very much.

Of course, 5th amendment (and its siblings in other countries) still apply...

------
m-p-3
This is where a political problem needs to be fought back where it hurts the
government the most, threaten to get the hell out and see their corporate
taxes income dwindle.

------
brokenmachine
The general point that I disagree with is the premise that there can be no
such thing as a private conversation.

Do you want a police state? Because secret surveillance of all citizens is how
you end up with a police state.

------
ohiovr
Would letsencrypt be compelled to issue certs for your domain to the
Australian Gman?

