
Australian draft law requires tech companies to hand over encrypted messages - wp381640
https://www.homeaffairs.gov.au/about/consultations/assistance-and-access-bill-2018
======
rswail
In terms of communications provision, it's not that much different to CALEA in
the US or equivalents in other countries. The troubling section is in section
317C that defines what a "designated communications provider" and "eligible
activities" are.

The worrying items are 3-6 that basically say anyone who provides
software/hardware or _develops_ that software/hardware is part of either used
for providing communications or "an electronic service" are subject to the
notices.

So, are you a software house developing an app? You're providing an electronic
service by running the app and its servers? You're liable under this law to
assist as is "feasible".

Same if you develop software used by another "electronic service". So, writing
some open source software? The library used by another app? You have to assist
under one of these notices.

The only get out clause is 317ZG which says that a provider is not required to
develop anything that introduces a "systemic" vulnerability. But I'm sure
lawyers will have a fun time defining "systemic".

~~~
mrsteveman1
> The worrying items are 3-6 that basically say anyone who provides
> software/hardware or develops that software/hardware is part of either used
> for providing communications or "an electronic service" are subject to the
> notices.

This sounds like it would apply to Tor.

I can't imagine Tor is actually the biggest problem though, certainly compared
to simple encrypted messaging services with hundreds of millions of users.

------
jarym
Maybe they need to go back to 'old fashioned' law enforcement - i.e. haul in
the suspects for questioning, put out media adverts to urge victims to come
forward, etc?

The example provided is pretty poor: "Enquiries showed that he was contacting
these females and offering them drugs in return for sexual favours." \- so
their enquiries showed that and yet the _only_ evidence that could secure a
conviction is supposedly on the phone that law enforcement can't unlock? I
call BS.

------
cf_
_" The Government welcomes your feedback. Submit any comments to
assistancebill.consultation@homeaffairs.gov.au by 10 September 2018."_

~~~
stephen_g
I doubt much would come from that. The Department of Home Affairs is run by
some pretty dodgy characters (i.e Peter Dutton)...

I plan to send letters to key opposition members and crossbench senators,
might have a bit more chance of something coming out of that.

Unfortunately Labor has been in lockstep with the LNP in voting for these kind
of acts so far (our slow descent into authoritarianism) but we can always
hope...

------
lixtra
It looks like they want to be able to selectively install backdoored software
for individual targets. [1] I.e. they could force apple to deliver a patched
whatsapp that disables encryption on the device or sends information to a
third party.

[1]
[https://www.homeaffairs.gov.au/consultations/Documents/expla...](https://www.homeaffairs.gov.au/consultations/Documents/explanatory-
document.pdf) p. 8 and 9

~~~
rswail
They're not allowed to ask for a "systemic" change, which I think is how
they're trying to get around the impossibility of an app providing stuff it
doesn't have. They can ask/demand that whatsapp delivers an app update that
only targets a particular person or persons, with some sort of backdoor, but
not one that is a backdoor for _all_ users.

Of course, there's a whole cost thing there as well as whether an overseas
corporation is required to co-operate with AU law enforcement.

So theoretically, they could say "Whatsapp, give us a backdoored app. Telstra,
push this app to these phones."

Or course, Whatsapp could argue that releasing a backdoored app is creating a
"systemic vulnerability" which is specifically carved out of the requirements
to co-operate.

~~~
aplummer
Explained like that, it does just seem like a really hard to implement
wiretap. Not necessarily the worst thing if it’s per user with the right
warrants etc.

~~~
rswail
Yeah, I'm being nice to them. They'll carefully under-interpret "systemic" to
allow for back doors if they can.

------
jmurphyau
Provide your feedback to AssistanceBill.Consultation@homeaffairs.gov.au

~~~
Arbalest
Email is a convenient way to ignore feedback. Handwrite and mail them instead.

------
wrong_variable
I wonder what this means for Atlassian's international clients.

Does the Australian government have unfretted access to any code hosted with
Atlassian ?

Maybe if you are a small business in Australia you would not care about it -
but big European, Chinese or American clients would definitely not be
convinced by any assurances.

The most important thing is that kind of question should not be raised in the
first place, the biggest threat is not the Australian govt or Australian rival
companies, the biggest threat are rival companies in their own soil that can
take advantage of such a backdoor - it could just be as easy as a cash
transfer to a low level employee in the Australian govt.

All of these factors just means Australia is not a good place to invest when
it comes to cloud infrastructure, data warehousing or intellectual property,
that if is leaked could literally destroy your livelihood.

~~~
rswail
While the idea that the laws of math can be revoked in Australia is silly, any
company that trades with or sells services to Australians is liable under this
proposed law if they are a designated provider.

So Atlassian is no less or more likely to be covered here than any other
software house that sells to Australians.

------
zmmmmm
Some of the provisions are rather bizarre in how badly they seem to be
drafted, eg:

> What can be done undera computer access warrant?

.... long list, then:

> any other thing reasonably incidental to the above things

So "thing" is now a legal concept and any "thing" that can be done if it
happens to go along with the other "things" ...

~~~
rswail
Yes, "thing" is effectively the word they're using to mean "task", "activity",
"modification", etc etc. What word would you use instead?

A judge would interpret the word according to standard English usage. The
judge would also interpret the words "reasonably incidental" in a...
reasonable way.

Law is not code, it gets interpreted by lawyers and judges.

~~~
zmmmmm
Yes, when it comes to the law, if they mean things they should say them. It
seems like they have used these generic terms in order to ensure there is zero
weight on individual rights and maximum weight on the side of those exercising
the power. That is, they really can't be bothered thinking through what powers
they actually need and under what circumestances those are warranted, so let's
just write "the government can do anything to accomplish the things" and put a
story about a child rapist on the front of the legislation. It's lazy,
imprecise and offensive to the idea of civil liberties.

~~~
rswail
Of course... this is the government led by an ex-merchant banker that said
"Well, the laws of Australia prevail in Australia, I can assure you of that.
The laws of mathematics are very commendable, but the only law that applies in
Australia is the law of Australia."

------
pushedx
Good luck trying to decrypt them.

~~~
close04
This is probably a 2 part law. The second part forces them to provide a
feasible decryption mechanism.

~~~
EliRivers
Fortunately, in Australia, mathematical laws are trumped by Australian law, so
there will be no pesky mathematical laws about the impossibility of decryption
getting in the way!

~~~
boyter
For those who do not know, the above is a quote by our current Prime Minister,
who said “The laws of Math are very commendable, but they are not higher than
the laws of Australia”

This is the same muppet who claimed that nobody needs more than 25 Mbps of
network bandwidth.

~~~
candiodari
This is law, so:

[http://imgs.xkcd.com/comics/security.png](http://imgs.xkcd.com/comics/security.png)

Except the guy beating you with the wrench (more likely bankrupting and
imprisoning you) is doing it with full legal authority, and zero recourse to
you (though the Australian police certainly isn't shy about getting in a few
shots while they're doing the bankrupting and imprisoning stuff [1], and I
seriously doubt that in prisons, where you're totally at their mercy, they
behave better).

Parliaments think they're omnipotent, and any company that doesn't want to run
the above risk (Just ask Kim Dotcom), has to comply.

Oh and no worries, if the company itself is safe, are you sure all it's
employees and family members of those employees are safe from that government
too ? [2] "But it can't happen here, our police is better". [3] (is a link to
police officers threatening entire families of immigrants, for years, and when
they are finally found out, the government protected them from prosecution,
instead simply asking them to resign ...)

[1]
[https://www.youtube.com/watch?v=tJWeSh_aKLw](https://www.youtube.com/watch?v=tJWeSh_aKLw)

[2]
[https://www.meydan.tv/en/site/news/21238/](https://www.meydan.tv/en/site/news/21238/)

[3] [https://www.smh.com.au/national/sydney-crime-arrests-the-
ins...](https://www.smh.com.au/national/sydney-crime-arrests-the-inside-story-
of-corruption-in-australian-border-force-20170809-gxsuka.html)

------
contingencies
Added to
[https://en.wikipedia.org/wiki/Mass_surveillance_in_Australia](https://en.wikipedia.org/wiki/Mass_surveillance_in_Australia)

------
throwaway77384
This would obviously only work if the encrypted messages can also be
decrypted.

And that's the worrying part. As soon as that mechanism exists, all assumption
of data safety goes out the window.

~~~
rswail
Which is why the section on systemic vulnerabilities (317GZ) is (IMHO) the
most important to get clarified and expanded.

The other area that needs to get clarified is the definition of "designated
communications provider" in 317C, particularly those related to
software/hardware development and manufacture.

The fact is, this legislation will pass, because both the Liberals and Labor
march in lock step on "national security".

So the fight becomes how to limit the scope to ensure that the requirement to
"implement or build a systemic weakness or systemic vulnerability" is expanded
out to exclude:

a) common security libraries that are shared across operating systems and
applications b) secure hardware (HSMs, SEPs, etc) c) protections and
procedures required under PCI/DSS, banking, medical, GPDR and equivalent laws
d) requests that make it likely that a provider's business will suffer due to
loss of trust of the security of the information that a user/customer
provides.

------
python999
"despite legislative requirements he refused to provide his passcode"

Isn't that disobeying conditions of parole? Why not start there?

------
Humphrey
If you are wondering - The detail of this drafting legislation is found in a
PDF that this article links to. It's a long read!

------
JdeBP
This title is editorialized. The actual title of the page is "The Assistance
and Access Bill 2018".

