
Australia drafts laws forcing Facebook and Google to reveal encrypted data - Ours90
https://www.theguardian.com/technology/2018/jun/06/planned-laws-to-force-tech-firms-to-reveal-encrypted-data
======
cesarb
> But Nigel Phair, from the Centre for Internet Safety at the University of
> Canberra, said if the legislation avoided having to use a backdoor entry to
> encrypted data then it was likely that it would use a “frontdoor”, a means
> of accessing the information before it was encrypted.

...you mean a backdoor to the device, instead of a backdoor to the encryption?

~~~
dmix
Nice bit of spin there by Nigel.

Using the phrase 'frontdoor' sounds more 'legal' and appropriate. But in
reality the implications of backdooring the device, i.e. "before encryption"
happens, is actually a far, far worse invasion of privacy than purely
server-side decryption. Because it exposes the entire device to surveillance, every
app and piece of data flowing through the device is then exposed (and many
times not just to the intended target, the police, but also evil black hoodie
sunglasses wearing hackers). While a warrant for a server-side wiretap/search
is just one single data source, narrowly focused on particular data and not
easily exploited by hackers as it happens largely offline.

~~~
cesarb
> Using the phrase 'frontdoor' sounds more 'legal' and appropriate.

It's also wrong, since there already is a "front door" on all devices: just
use the normal password/fingerprint/face picture to unlock it.

------
docdeek
This could be a silly question but how does this:

> In the second half of 2017 alone Apple received 2,601 requests for access
> to devices from Australian law enforcement agencies and granted them in 87% of
> cases.

…align with the famed Apple refusal to comply with the request to unlock an
iPhone in the US a while back. Is the jurisdictional context different (re:
the 4th amendment) or is this something different to unlocking a device?

~~~
hiisukun
This is mostly requests to Apple as a service provider. "What IP registered,
and logged into suspect@icloud.com on 1/1/2018? And what are the registered
user's details?"

They don't have your iPhone passcode on file so they can't provide it to law
enforcement.

~~~
mikejb
This is what I thought, too, but they explicitly state "access to devices",
not "access to data".

Could also very well be that the author didn't distinguish between the two
sufficiently.

~~~
DINKDINK
Or that older devices (that have outdated hardware security) are more
prevalent in Australia for which Apple can decrypt.

~~~
thisacctforreal
Would be surprising; even the iPhone 5s from Fall 2013 is equipped with the
Secure Enclave and is getting iOS 12. Including the feature to disable USB
communication pins after 1 hour without the user's passcode. A feature aimed
squarely at disabling Cellebrite from uploading their brute-force firmware.

------
jlangenauer
Truly, Australia is governed by morons. Would it be asking too much for a
highly paid minister of the crown, who supposedly is supposed to lead
government policy in an area, to have substantial knowledge of it?

Instead, we have these lawyers who treat maths, science and technology with
contempt, who legislate for us, and don't understand what the fuck they're
even talking about.

~~~
afarrell
People keep saying "We need more scientists in government", but I think that
trying to make that happen is running into a brick wall: those scientists will
_also_ need to be lawyers and there just aren't that many people who are
competently both. Without an understanding of the law, they'll end up drafting
laws without basic things like mens rea requirements. We live in a highly
specialized world; can anyone here butcher a hog, design a building, _and_
plan an invasion with a rock-solid level of competence? No. So stop looking
for a unicorn who is able to:

* Sell themselves to a wide and fickle audience of strangers

* Manage a campaign staff

* Understand problems in the context of history

* Read and write legislation in a way that avoids unintended consequences or misaligned incentives

* Negotiate against people with whom they have fundamental philosophical differences

* Complete a PhD program in science or engineering

That last one isn't necessary for our actual goal... and it doesn't even help
when you consider that this person will _also_ need to be an expert on
military grand strategy, healthcare administration, procurement, urban design,
and agriculture. We don't need a congress full of subject-matter experts. What
we need are people who respect and can work effectively with subject-matter
experts.

So what is it that Senator Ron Wyden and Judge Alsup do that others should
copy?

~~~
Jedi72
I would be happy with a politician who can accomplish even one of these
things.

~~~
chopin
I'll take the first two for granted. Otherwise they wouldn't be in charge,
isn't it?

~~~
TheSpiceIsLife
* Sell themselves to a wide and fickle audience of strangers

* Manage a campaign staff

It is not necessary that politicians _can_ do either / both, it is just that
they appear to be the least worst option for at least a brief moment in the
past.

I'm often reminded of that single panel comic where a small child says "Dad, I'm
considering a career in organised crime" and the father, holding a newspaper,
says "Government or private sector?".

------
kowdermeister
“The key point here is that we need to modernise our laws and get access to
information for holding criminals and terrorists to account for investigations
and gathering evidence,” he said.

Great, now you might catch the dumb ones, but is there a shortage of secure
communication channels? :)

~~~
shakna
> "The laws of Australia prevail in Australia, I can assure you of that," he
> said on Friday. "The laws of mathematics are very commendable, but the only
> law that applies in Australia is the law of Australia." - Prime Minister,
> Malcolm Turnbull

I'm not certain that they understand what they're asking for, can't be done.
That is, there are politicians who believe math can be bent to fit the law.

~~~
SyneRyder
It was a throwaway joke comment - Turnbull is much smarter than that.

Worth noting that Malcolm Turnbull made part of his money from investing in
the internet sector in the early 90s. He invested $500,000 in OzEmail (one of
Australia's first internet service providers) back in 1994, and sold his stake
for $57 million to Worldcom in 1999. He's not an engineer, but he's not
entirely ignorant on these matters.

~~~
shakna
However, it is representative of his backers. And the comment wasn't given in
jest, but to reopen the backdoor debate. I'm not worried he doesn't
understand, but the rest of the party?

------
wyld_one
I'll say it no one else will...

Yeah and all is well and good until some faceless stalker tracks down, stalks,
molests, brutalizes and finally murders some 'important/high muckety mucks'
11yr old daughter and posts it all over the net. Then the gov have no
choice but to enforce 'real' protection of your security.

A house has two doors, frontdoor and backdoor. Either one gives you access to
the contents you're trying to protect.

It's time public/gov wises up and demands REAL security.

------
2T1Qka0rEiPr
In WhatsApp: Australia has joined the conversation

~~~
andrewflnr
That would be a hell of a way to get people aware of the law and lobby against
it. Just have that pop up for all users in Australia.

------
JanisL
Unfortunately tech policy in Australia seems to have a history of being poorly
thought out and this doesn't appear to be an exception to the trend. The thing
I find so disconcerting is just how little expertise seems to be present in
the legislative space around tech in Australia compared with other countries,
how did this come to be? It's not as though there's a complete lack of
legislative skill either, in other areas things seem to be a whole lot better.

~~~
AndrewDavis
> The thing I find so disconcerting is just how little expertise seems to be
> present in the legislative space around tech in Australia

There is expertise. Our Prime Minister knows tech, Turnbull is a millionaire
from seeing the potential of the internet in the 90s and heavily invested in
an ISP and took on the role of chairman. Half a decade later he'd turned 500k into
$50 million when OzEmail was acquired.

The policies aren't because of incompetence, they're actively malicious
against the public's best interest in favour of the elite set to make bank.

~~~
stephen_g
I don't believe Turnbull had anything to do with the technical side of OzEmail
(which was only ever a dial-up network and mail provider), he was just on the
business side.

Clearly when he became the communications minister I think he demonstrated
that while he was willing to ignore experts and destroy things maliciously for
political gain, I believe he also demonstrated he didn't actually understand
recent tech or broadband networks much at all through a lot of it either.
There were things that I think he actually believed that were rubbish.

------
jaimex2
Yeah... good luck with that.

Our Government can't get a simple census, fibre broadband or even site blocking
right.

~~~
aplummer
Annoyingly bipartisan efforts, I completely forgot about that ridiculous
filter.

------
sjy
The source of this story is a 10-minute interview on ABC Radio this morning
[1]. Unfortunately, there’s no transcript, but it’s a more reliable source
than the second-hand summary in the article.

Despite the headline, it’s not clear that any bill has actually been drafted
and certainly nothing has been introduced to Parliament. According to the
minister, what will be proposed is a law that is ‘completely consistent in
principle with the existing laws for telephone intercepts.’ While he ‘dodged
multiple questions’ about whether the laws would authorise the use of
‘surveillance codes’ (whatever that means), he denied that there was any
proposal to introduce laws requiring the use of backdoored encryption
algorithms.

It would be consistent with the existing telephone intercept laws in Australia
[2] (and most other developed countries) to require service providers to
surveil users upon production of a warrant. In Australia, judges must consider
the seriousness of the offence being investigated, and the impact on privacy,
before issuing a warrant [3]. Warrants can also be obtained to install covert
surveillance devices (i.e. bugs) [4] if a telephone intercept or search warrant
is unlikely to produce evidence.

Contrary to the comments suggesting that the legislators are completely
uninformed, an Australian parliamentary committee has been conducting a public
inquiry into the ‘impact of new and emerging information and communications
technology’ since October 2017 [5]. Any member of the public may make a
submission [6] to the inquiry and advocacy groups such as Electronic Frontiers
Australia and the Law Council of Australia have done so. Relevant experts have
also appeared before the committee in public hearings. It is likely that any
draft legislation would be informed by the committee’s findings.

Given that the government recognises the efficacy and importance of strong
encryption, the proposed new laws may look more like the US All Writs Act at
the centre of the FBI–Apple encryption dispute [7]. It might not be practical
to backdoor the ciphers used to encrypt data at rest on an iOS device, or in
flight in a WhatsApp message. But it would be consistent with the principles
of the existing telephone intercept powers (which are targeted and subject to
judicial, parliamentary and ombudsman scrutiny) to require publishers like
Apple to push out backdoored OS updates or apps to targeted users (or
physically seized devices, as in the San Bernardino case). Perhaps the ability
to obtain such targeted warrants would be less socially harmful than increased
use of the existing, but more intrusive, surveillance powers.

[1]: http://www.abc.net.au/radionational/programs/breakfast/new-encrypted-data-laws-compromise-user-security/9839610

[2]: http://www.austlii.edu.au/au/legis/cth/consol_act/taaa1979410/

[3]: http://www.austlii.edu.au/au/legis/cth/consol_act/taaa1979410/s46.html

[4]: https://www.homeaffairs.gov.au/about/national-security/telecommunications-interception-surveillance

[5]: https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Law_Enforcement/NewandemergingICT

[6]: https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Law_Enforcement/NewandemergingICT/Submissions

[7]: https://en.wikipedia.org/wiki/FBI–Apple_encryption_dispute

~~~
cesarb
> [...] to require publishers like Apple to push out backdoored OS updates or
> apps to targeted users (or physically seized devices, as in the San
> Bernardino case). Perhaps the ability to obtain such targeted warrants would
> be less socially harmful than increased use of the existing, but more
> intrusive, surveillance powers.

We've seen in the push to Windows 10 that, when automated updates are used in
a harmful manner, people disable automated updates. The same would happen
here: once it's been shown that the automated update mechanism has been used
to purposefully push a harmful update, people will start disabling automated
updates.

Which means that Apple and Google have a good reason for opposing such
requests.

(And that's before getting to the "elephant in the room": the same mechanism
created for these requests can, and probably will, also be used by malicious
actors.)

~~~
chopin
Can malicious actors issue Windows 10 updates? I heard this for (improperly
implemented) application updates but not for Windows 10 updates. Microsoft has
strong incentives to prevent this and has done a good job so far. I agree with you
if MS would push a bad update it would be a PR disaster for MS.

~~~
rainonmoon
Well, the other issue is that if the public lose trust in first-party updates,
they're also potentially skipping security patches, making everyone more
vulnerable on the whole. Obviously this might work in favour of one
government's agenda, but equally opens those devices up to exploiting by
anyone else (including foreign actors.)

------
coldcode
I always wondered if we could steal every piece of private/personal data the
politician demanding these laws has and expose it for the whole world to
see, what that might do to their attitude. We might even find some real
criminals this way.

~~~
Klathmon
Similar things have happened in the past, in the vast majority of cases the
politician doubles down and ends up spending more time and resources trying to
prosecute the hacker, and use it as an example of why they need to go further
with these kinds of laws so they can find these "hackers" before they can do
damage.

~~~
sbhn
The word ‘steal’ was used ironically. If I looked at you, and decided to write
myself a law that allows me to monitor your every move and communication, and
I charge you for that monitoring through unavoidable taxes, and I keep the
accounting of the costs protected from public scrutiny, and I always remind
you it’s done for your security, and me and my friends are making loads of
money from the surveillance game, raising the prices and adding more security
and justifying more reasons to do so, how do you know it’s not stealing?

------
quickthrower2
Does this mean with warrant, or without?

~~~
hasseio
With warrant.

~~~
retrogradeorbit
You are making an assumption. We have not seen the proposed bill.

