Australia's anti-encryption law will merely relocate the backdoors: Expert (zdnet.com)
278 points by axiomdata316 9 months ago | 133 comments



There is a government consultation process open RIGHT NOW for this bill. You have to get your submissions in by the end of today (6 hours time). Every Australian here needs to make a submission (please).

The page for the inquiry is:

https://www.homeaffairs.gov.au/about/consultations/assistanc...

The email address for submissions is:

AssistanceBill.Consultation@homeaffairs.gov.au

A submission only has to be a few lines, so just bang out a few words. Whilst a well researched submission is the gold standard, even a rudimentary email will send the message that people care about this issue and counter whoever is whispering in politicians' ears. Anything is better than nothing.

Less time critically, you also need to write to or call your federal MP.

--- Edit:

The committee might also be swayed by submissions from non-Australian experts? Australia first, your country next.


FWIW, I've had pretty good success in getting non-techie friends and family to write in after showing them this video:

https://www.youtube.com/watch?v=eW-OMR-iWOE

It's very entertaining, and explains it in a way that everyday people can understand how bad it will be. I highly urge all Australians to send this video out to your circles.

(No affiliation, it came up in a previous thread about this topic)


Easily one of the best channels right now.

Every video is hilarious.

* thejuicemedia - YouTube || https://www.youtube.com/channel/UCKRw8GAAtm27q4R3Q0kst_g

Suggested videos similar to the one above.

* Honest Government Ad | My Police State! - YouTube || https://www.youtube.com/watch?v=XlUQMH19BkQ

* Honest Government Ad | Article 13 (Internet Censorship Bill) - YouTube || https://www.youtube.com/watch?v=89ZkydX0FPw


> Australia first, your country next.

Absolutely, specifically if you're living in a country that is a member of the Five Eyes.

They've actually been surprisingly transparent that this is a coordinated effort. The Official Communiqué opens with:

> We, the Homeland Security, Public Safety, and Immigration Ministers of Australia, Canada, New Zealand, the United Kingdom, and the United States met on the Gold Coast, Australia, on August 28-29 2018, to discuss how we can better collaborate to meet our common security challenges.

Full read: https://www.homeaffairs.gov.au/about/national-security/five-...


Additionally, it doesn't seem that there's anything in the bill that would prevent any of the information gained by a TCN/TAN from being shared with Five Eyes or other governments. While this might seem reasonable in the face of an international criminal/terrorist adversary, it is fundamentally security-breaking if private root signing keys that are requested as part of a TCN/TAN can just be shared with every Five Eyes government.

That means that the Australian government could just order a company to hand over their PKI/signing infrastructure (which is generally a global system) and then forward all of this information to the US or whoever else, completely outside of any judicial oversight.

I'm sure that the governments in question will deny this, and likely state that this is not their policy, but it doesn't seem to be specifically prohibited by the law and the intelligence community doesn't have a great reputation when it comes to respecting traditional legal values and due process (e.g. the FISA court in the US)


The 5 eyes nations are a true New World Order. This is terrifying, and we should not be allowing our sovereignty to be so easily usurped for the purpose of building this new order.


The others maybe, but New Zealand is no one's new world order :).

Aus + UK + US are the real drivers.


Aus the primary driver? A 25m population country with an economy smaller than California, and we're driving things.

Dutton is being fed from defense dollars, from the US.


Australia is kind of an entire continent, with big territorial national security concerns, so they might be a bit more independently interested than Canada.


6th largest 'defence' budget in the world.

SIXTH...


Reference please.

The Stockholm International Peace Research Institute ranks Australia as 13th, at 2% of Australia's GDP[1][2].

Which is below the worldwide average of 2.2%, although given our geographic remoteness and relative security, I absolutely agree that it's too much.

The International Institute for Strategic Studies places Australia at 12th.

[1] https://www.sipri.org/sites/default/files/1_Data%20for%20all...

[2] https://en.wikipedia.org/wiki/List_of_countries_by_military_...


Driving under the influence.

UK and Australia are the test beds. US is the target. From there it flows onwards and outwards. Like raw sewage over the Niagara Falls.

The AU my.health opt-out debacle[1] is similar. UK got in first, promised they wouldn’t sell the data then did so. AU then started by copying the UK’s best practice. So... fun times ahead.

They’re still trying to get the gun laws fit for size in the US but the political climate and history is too different. And the attempt on the health system via Obamacare didn’t quite take either. More time needed apparently.

[1] https://www.theguardian.com/australia-news/2018/jul/22/my-he...


Putting this bill in the same basket as gun control seems a bit rich. However, comparing it to public health care is well off the mark. Medicare was first introduced in Australia way back in 1975, 35 years before the US. Access to affordable health-care is widely considered a basic human right, and Medicare in Australia widely considered a smashing success.

Actually, so are our gun control laws, and they were motivated by mass shootings on our own soil, namely the Port Arthur massacre, https://en.wikipedia.org/wiki/Port_Arthur_massacre_(Australi..., this wasn't some ploy by the US or the Five Eyes. The Australian public wanted this, and absolutely still do, myself very much included.


Actually my point was that the US gets changes after they are tested elsewhere. You didn’t address that.

So by omission you’re saying that the US won’t be getting these encryption laws. And that Australian style gun laws won’t arrive in the US either.

Ok then.


> So by omission you’re saying that the US won’t be getting these encryption laws.

Wait... what? Do you always structure your arguments by putting words in other people's mouths then argue against things they never said? In doing so you're wasting yours and everyone else's time.

Not only are you wrong in your assertion. If you'd paid even the smallest amount of attention to the context in which you're posting you'd realise this. I'm the OP for this sub-thread, I suggest you read what I wrote.

Now that we've got that aside...

> And that Australian style gun laws won’t arrive in the US either.

Just stop.

We're talking about the Assistance and Access Bill. Stop trying to validate some totally unrelated belief you hold by loosely latching on to valid arguments that myself and others have made here. The reason I responded to you is that I want to make it perfectly clear to anybody reading this...

I do not hold your views. These are not related issues.


The Australian public worship war and are utterly ignorant of the graves they live upon. Are they really your metric for how it should be?


I'm not sure where the "worship war" idea comes from. I've never heard anyone state something like that before. What are you referring to specifically?

However, Australians are far from perfect. In particular being isolated geographically means lack of exposure to other cultures and leads to a significant portion of society being "casually racist", which sucks. All our modern political parties are a joke as well, and due to our small economy we are in many ways a puppet of the US i.e. this bill.

So no, I don't think we're a metric for how it should be. But the really depressing part is that with all the negativity I've just listed (and there's certainly more), we still have our shit together more than a lot of other countries. That's far from being a reflection on Australia being "good", rather it's a reflection on how bad a significant portion of the world is.

P.S. One positive thing about Australians is that the majority of us aren't particularly patriotic. So we will happily admit to how big of a disgrace our country can be!


Count the war memorials in your city. Now count the memorials to the Stolen Generation, and try to find anything that acknowledges Australia's own ethnic cleansing history.


> try to find anything that acknowledges Australia's own ethnic cleansing history.

Where do you live? You're very clearly entirely ignorant about the issue you've raised:

http://museum.wa.gov.au/explore/articles/national-apology-st...

Our Prime Minister issued an official apology for the abhorrent acts that took place and led to the term "the Stolen Generation". That doesn't even remotely make those acts okay, but to suggest that it's not even acknowledged by the Australian people is just outright ludicrous.

EDIT: By the way, there's also something called "National Sorry Day", which is kind of a big deal in Australia, I suggest you Google it.


Medicare was introduced in the US in 1966.


Woah, my apologies, thanks for the correction.

I had meant to compare Australian Medicare to when something equivalent was introduced in the USA. However, I really don't know much about the US system. I had very much incorrectly assumed that the Affordable Care Act had introduced legislation bringing in changes making it fairly comparable to Australian Medicare. Alas, that doesn't seem to be the case, they're still extremely different systems.

Also, a little extra research tells me that what I consider to be "Australian Medicare", wasn't actually introduced until 1984, which is when our healthcare became universal.


Five eyes? At least they all have a say in what happens even though they don't listen to anyone but their friends. How about the 14 lapdogs?


> 14 lapdogs

Help us out! When I google this term I just get "best breeds" lists.


Here is a template:

-----------------------

Hello,

I'm writing to oppose the 2018 Assistance & Access Bill. Although I recognize the difficulties encryption poses to law enforcement & counter-terrorism, it is not a strong enough reason to compromise the safety, security & privacy of 24 million Australian citizens.

Every Australian has a right to reliable, mathematically guaranteed privacy & security, not compromised/undermined by oppressive legislature.

Neither domestic nor international companies should be required to assist anyone in breaking privacy protections, nor should warrants allow access to protected devices, and nor should existing legislature be strengthened.

Would these changes help law enforcement catch a few criminals? Probably. Will it weaken the safety, security & privacy of millions of respectable, law-abiding Australians? Definitely.

Cheers,

<Name>

-----------------------

I really hope this doesn't pass.


Just a side note: Change 'recognize' to 'recognise' since we use Proper English ;)


Damn yankie autocorrect!


Thanks for the template. I based my email off the back of yours.


It's nick-picking - 25 million citizens. As of last month or whatever.

Also +1 for a good template.


I wouldn't normally do this but it seems appropriate in this context:

nitpicking


Touché.


I have already sent my response in, I definitely implore everyone to read the bill and write an appropriate response. This isn't an anti-encryption bill specifically, it's a framework for strong-arming companies into undermining all consumer security measures no matter what they are.

I will say, I found the bill palatable and sympathetic to the concerns of industry. I am impressed at the delicacy of the bill. I still disagree with it fundamentally and emailed to that effect. But I am impressed by our government's ability to read the situation.


I just made this submission:

------

I am a business owner, an employer, a technologist, a programmer and a company director.

I oppose this proposed bill on the basis of it weakening the effective security of Australian Internet service providers, which would be bad for national security. I would like to raise the following points:

1) The proposed bill will inevitably lead to the creation of systemic weaknesses in the security of Australian companies that provide Internet services or products.

The burden of complying with voluntary requests will lead to new, exploitable "backdoors", despite what the home affairs department asserts.

Whether these backdoors are electronic, or process based (i.e. responding to a fraudulent request), the bill would mandate companies to effectively create new attack surfaces; weaknesses in operational security introduced to comply with the bill.

2) The Internet can only facilitate services like payments, banking and communication because of encryption. Encryption is based on mathematics.

You do not need to understand the mathematics to understand that if you provide an alternative to the encryption, you provide a weaker level of security.

As a result, Australian financial, communication or payment services are less secure than international counterparts not burdened by this backdoor.

3) Any crime under investigation can be investigated by existing legal procedures. It is proper for a warrant to be required to access any secure or private information.

4) Providing a "back door" for law enforcement is not necessary. This bill is akin to providing a backdoor for law enforcement to enter a person's home or business without seeking a warrant from a court.

5) Encryption is good. Encryption makes the Internet work.

Australia has critical infrastructure that can only function with proper encryption. Encryption is easily invalidated by inadequate process or procedure. This bill would encourage (or require) Australian companies to compromise their security practices.

Please don't assume that the laws of mathematics can be overruled by the laws of Australia. This would be foolhardy, and not in the interest of Australia's national security.


I've sent my submission - my approach for this particular submission, and I'm not sure whether it's the best approach, was to indicate that I agree with the general arguments that this bill is bad for privacy, but also that if a scheme like this is going to be introduced anyway, that the oversight and transparency regime is not tough enough to allow the public to have confidence that the new powers are being used appropriately, or for researchers to be able to accurately measure the impact of the new regime on privacy and security.

I will also be writing to (and maybe phoning!) my MPs and Senators, and I anticipate this bill will go to a Senate committee for inquiry at which point there will be a further opportunity for submissions.

edit: and oh yeah, don't forget to contact your senators, not just your local MP. I only have 2, those of you who have 12 may have a few crossbench senators who will be crucial if, somehow, Labor can be persuaded to vote against, and in any case could have an outsized impact on proposing amendments to make the new powers less-bad.


I sent off my email although I doubt it is going to do any good.


A bunch of us at Atlassian are sending a group letter (not an official one from the company, just a bunch of us who think the bill is dangerous). Thanks for the info femto.

Edit - Here's the letter we wrote:

Hello, we are a collection of employees who work for Atlassian (a major Sydney based tech company) and we’d like to give our view of why we think this bill is dangerous.

First and foremost, it will damage the view of Australian tech companies. If a foreign company is deciding between our products or a non-Australian company, but knows that Australia may have required Atlassian to build a backdoor into their encryption, the objectively better choice would be to choose the non-Australian company. This isn't just Atlassian losing because of this; the entire Australian tech scene will be damaged.

Secondly, a master key to unlock encryption is a master key that’s available to steal. Time and time again in the tech world we’ve seen “security that can’t be beat” get beat. Equifax lost nearly every American Social Security number. Bitcoin gets stolen every day because someone’s private key gets compromised. Even as far back as World War II, we saw encryption get beat because a master key (the Enigma machine) got stolen. History has shown us countless times that a master key leads to a non-secure product. Even if this bill is only requiring companies to provide the capability to decrypt information, that only changes who controls the master key. It doesn’t remove the damage to security.

Thirdly, requiring companies to be able to break their own encryption will never be a game you can win. Even if every company in the world were compliant with this bill, the tools to make your unbreakable encryption are trivial to find and use. Any agent that was an actual threat to national security would have the resources available to them to create a non-breakable encrypted communication method. The only people who would be affected by this law would be petty criminals, but the dragnet of its implications would affect every Australian citizen in its wake.

Fourthly, this will damage the Australian startup scene. When choosing where to fund a company, the laws and world view of a country come heavily into play. If someone is creating the next messaging app but the public opinion of Australia is that their products are legally required to be insecure, that person will choose a more tech-friendly company to start their company in. Not only that, but if a company knows there are more requirements for compliance in Australia, then it makes a startup’s job harder to release a product. Startups are difficult enough as it is, and lowering the barrier to entry (not raising it) is how you make a tech industry blossom.

Lastly, even if one agrees that the damage to security is worth the tradeoff, the lack of judicial oversight in this bill is extremely worrying. Giving multiple people the ability to issue notices without judicial oversight is a power no person should be able to exercise alone. Overall we feel this bill will harm not only the tech industry, but Australia as a whole.


> (not an official one from the company)

So... Atlassian is for this bill?

Edit downvotes...

This is a serious question, it's a pretty notable Australian tech company and is surprising to hear the company is unwilling to make a stand.

How are you going to reassure companies elsewhere that their company communications are secure when clearly they won't be?


https://twitter.com/mcannonbrookes/status/103909504137169715...

For what it's worth, our CEO has been outspoken against this.

This isn't a, "we're doing this because our company is for the bill" type of thing. It's a "we're doing this because me and my buddies who are working late tonight found out about this so we drafted up a letter to the government". I just don't want to say that I'm representing Atlassian's stance without running things through legal.


I suspected as much, I just felt that if it was a stance worth making it was probably a stance worth running past legal (even if it meant a quick phone call out of hours.)

Whether that call is met with abstention or otherwise is what I was wanting to infer.

Because at this point, abstention or sitting on the fence is as good as supporting the bill.


I imagine it's because they aren't authorised to speak for the company on topics like what government policies the company is against (and I imagine this is why you got down-voted).

But yes, I also would have expected Atlassian and other Australian-based technology companies to vocally oppose this bill because it will actually result in their customers moving away in the long run (this bill will only affect companies incorporated in Australia or other 5-Eyes countries) -- because this bill explicitly requires companies to architect security systems to be insecure. Unfortunately this doesn't appear to be the case, which is incredibly disappointing.


Email sent!


Don't write emails, make a phonecall.


Email sent!


Thanks for the heads up on the consultation process. Just sent my email.


The key example justifying the need for this bill is as follows:

> A high risk Registered Sex Offender (RSO) was placed on the register for raping a 16 year old female, served nine years imprisonment and is now monitored by Corrections via two ankle bracelets whilst out on parole. Victoria Police received intel that he was breaching his RSO and parole conditions by contacting a number of females typically between 13 and 17 years of age. Enquiries showed that he was contacting these females and offering them drugs in return for sexual favours. The suspect was arrested and his mobile phone was seized but despite legislative requirements he refused to provide his passcode. Due to an inability to access his phone as well as the fact that he used encrypted communication methods such as Snapchat and Facebook Messenger, Victoria Police was unable to access evidence which would have enabled them to secure a successful prosecution and identify further victims and offences. These are high victim impact crimes that are being hindered by the inability of law enforcement to access encrypted communications.

The limited information reveals they identified some targets, which means they would know (some of) his Facebook and Snapchat account names.

While the content of messages can be encrypted, the connection graph is not, so why couldn't Victorian Police request details of accounts the suspect's account had communicated with and request the parents of those users provide endpoint access to the encrypted chat history?


The timing of this story was incredibly suss. Right before they launched this campaign against encryption, and it just doesn't pass the sniff-test.

Why can't they do some old fashioned police work and interview the girls? Get a warrant and physically monitor his movements to catch him visiting them, or them visiting him? You know... investigate. It's what we pay you to do.

They don't get to treat every single one of us as criminals just because they can't be bothered getting off their arses and doing some work. If I tried to make that excuse to my boss (and I'm public sector like them), they'd laugh at me and tell me to get to work or find a new job.


They also assume he's guilty whilst simultaneously claiming they have no evidence to demonstrate to a court that guilt. That's contrary to the Universal Declaration of Human Rights (Art.11).


That's a great point. The whole tone is "we know he is guilty but traditional policing methods have been unable to prove that, therefore we must have these additional powers to prove what we already know".

Also...

> Enquiries showed that he was contacting these females

What are these mysterious enquiries? Why not follow up on those? If one or more of those victims was willing to give access to their devices/accounts they'd get the evidence they needed anyway.


> What are these mysterious enquiries? Why not follow up on those?

I know this is a rhetorical question, but the answer is that the whole "THINK OF THE CHILDREN!" angle is a façade. The real reason to implement any of this is to gain more power over the populace by making meaningful resistance of the government harder.


FTR, Australia long ago gave up any pretence to being an honest supporter of the UNDHR. It has breached it many, many times in recent years, and cynically covers this fact up by referring to the individuals involved as "illegal entrants", "illegal immigrants" and "unauthorised arrivals" .. justifying a long list of heinous crimes committed against these individuals.

Do not fool yourself: Australia is on a slippery slope towards a heinous future, and ignoring the UNDHR is one of the key steps it is taking towards that event horizon. It has never given a damn about the rights of Aborigines and Torres Strait Islanders, by way of example ..


> Due to an inability to access his phone as well as the fact that he used encrypted communication methods such as Snapchat and Facebook Messenger, Victoria Police was unable to access evidence which would have enabled them to secure a successful prosecution and identify further victims and offences.

That's a textbook example of begging the question, huh. Without the alleged evidence, they don't know if they would have been able to get a conviction or not.

It also presumes that none of the parents of those minor children would let police look at their kids' phones. If I were a parent in that situation and the police wanted to see what messages the accused had sent to my child, I'd break the speed of sound on my way to the police station to hand it over.

So all in all, what they intended was "OMG please think of the children". What I heard was "we have incompetent police who don't understand how the justice system is supposed to work".


From what I understood WhatsApp does regularly work with the police. The contents are encrypted. But you can easily monitor who communicates with whom. So if one person is unwilling, you can check if the other is willing.

I find it more worrisome that going after one person is more important than the privacy of a huge group.


Why must we all open our communication just because of a few sick individuals who are already imprisoned or under surveillance?


I don't think the justification for spying on you is really why they want to spy on you.


Australia is terrified that its war crimes are going to be discovered in the next few years, and therefore there is a push on to make encryption unusable for the general public.

If the general public knew what the ADF were doing, there would be bodies hanging from the flagpoles in Canberra. This move is a direct response to the fear that officials have, of Australians learning the truth about how the ADF is being used to effectively destroy civilisation in the Middle East and around the world.

However, the truth is out there, and it will be known. The clock is ticking for those who have allowed us all to be conned into the lies and trickery of the so-called 5-eyes new world order.


What's the connection between usable crypto and disclosure of these crimes?


If they have the ability to spy on every single communication, the chances of pulling off a leak are much, much lower. Wikileaks is still alive and running today because of encryption. Once this changes, we won't have transparent societies for anyone but the holders of the keys ..


Yeah, that's not completely unfair.

I tend to think that leaks will always happen, regardless of communications media, surveillance, and encryption. But your point isn't entirely unfounded.


Australia passed a law earlier this year[1] which now has a mandatory 25-year minimum sentence for anyone who leaks government information. They're definitely trying to stop leaks from happening, and it's fucking disgraceful.

I also just discovered that this law also criminalises (with a 10-year prison sentence) creating software vulnerabilities in anything that is part of public infrastructure. This means that you could arguably give any software engineer (that has ever worked on free software the government uses) a mandatory 10-year prison sentence for being a saboteur because they were "reckless".

[1]: https://www.legislation.gov.au/Details/C2018A00067


Absolutely none, obviously.


You'd be surprised at what "a few sick individuals" can do to civilized society.


Especially when they are in power and can operate in unfettered secrecy, away from civil society - the only really truly effective governor of heinous human activities such as those enacted by the current mob of Australian politicos/oligarchs.


Kissinger, Cheney, Clinton, Bolton... I think we're past the point of surprise with this phenomenon.


> Victoria Police received intel that he was breaching his RSO and parole conditions by contacting a number of females typically between 13 and 17 years of age. Enquiries showed that he was contacting these females and offering them drugs in return for sexual favours

That makes it sound as if they've got enough. Metadata Retention, which was legislated a couple of years ago, would be able to join the dots. Can't see the content, can match up sources, destinations, locations, and timestamps. Case closed - or at least it's up to a jury from there.

It's like they're requiring a high definition video of a murder being committed before they can charge someone for the murder even though they've got the murder weapon, motive, opportunity, and all those other things that almost guarantee a conviction.

Additional thought: What if the messages were deleted off the phone as soon as they were sent? Or accounts were added to the phone, messages sent, message deleted, account removed from phone? Like a smart criminal would do? The way they're desperately wanting this data makes it sound as if a lack of it could be used as defense evidence, which is NOT what the authorities would want at all.

They've got enough to make a convincing case. A smoking gun is a luxury, not a requirement.


> encrypted communication methods such as Snapchat and Facebook Messenger

Neither of these are encrypted communication methods.


FB Messenger has an encrypted mode (though I've never seen anyone use it!).


The justification is playing on people who don't know why encryption is necessary. It's nothing more than "but think of the children" crap.


From a different article referenced by this article:

Turnbull says:

> "A back door is typically a flaw in a software program that perhaps the -- you know, the developer of the software program is not aware of and that somebody who knows about it can exploit," he said. "And, you know, if there are flaws in software programs, obviously, that's why you get updates on your phone and your computer all the time."

> "So we're not talking about that. We're talking about lawful access."

And again, the warfare is linguistic dictionary wars all over again (like "collection" etc...)

He just redefines "back door" to denote 0-day in order to be able to define "lawful access" as the TrustZone root & automagical updates which is the backdoor they demand access to.


It's frightening how politicians with such little knowledge and understanding of certain subjects have so much power to create legislation about those subjects. But apparently that's how we have built our civilization, through trial and error.


The problem is that we as a society already agreed that it’s acceptable.

We allowed the government to open mail, open locks and tap phones with a warrant all of which were technically challenging.

Phone networks must be set up with specific dedicated access for law enforcement; heck, I remember crawling through the SNMP MIBs on my Motorola cable modem 15 years ago and discovering a whole class of them dedicated to lawful interception.

Most networking equipment providers even have guides on how to set these up: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cf...

And this is why the encryption battle is a bit odd to me. As much as I would like encryption to be never tampered with, we’ve already as a society agreed that the government in some cases should have access, so what makes WhatsApp so different to a phone call?

If encryption isn’t a way to backdoor ourselves out of the existing legal interception laws then, as much as I hate to admit it, we don’t have a leg to stand on.

If it is then we should just publicly say that the government shouldn’t be able to tap phones regardless of what technology they are using to communicate.


Most of the time such laws are passed on Christmas or New Year's eve (Obama literally allowed the NSA to share Upstream surveillance data with all the other 16 agencies like 3-4 days before his presidency ended - how exactly would anyone have stopped Obama then?!), or people "allow" them to pass through inaction, which I think is not quite the same as actively supporting something. Governments of the world simply take advantage of people's inaction or their lack of attention to certain issues. This is a problem with how most democracies work (the democratic processes are not democratic enough, but we've failed to improve upon them due to complacency).

And 10 years later when people wake up to it they come out and say "but we've been using this for a decade and it's been so helpful in our investigations!". And even if that was true, often they don't provide real proof, and also the government is almost never interested in doing a cost-benefit analysis for such things. Like it may have been "helpful", but how much damage did that lack of privacy and the existence of backdoors cause, too?


That still doesn't answer my question: the legal precedent for all of these was set up decades if not centuries ago. We agreed that a government should be able to tap a phone; in fact it's illegal to be a communication provider in the US and in the majority of the rest of the world (essentially every country where there is a rule of law has the same laws) without complying with the legal intercept requirements from the government. Every piece of telecommunications equipment already has these backdoors built-in; in fact part of the FCC certification is to ensure compliance with LEI when applicable.

What Obama did with the NSA also doesn't have any bearing on this issue; if the NSA surveillance is warrantless it's another issue; as far as sharing the contents of the interception with other agencies, well, it's again a different issue.

But again this isn't about the NSA, this isn't even about the US; the question is and always was what makes WhatsApp any different than a phone call? Your mobile provider by law must provide LEI of data, voice and text; now no one uses voice anymore, most people don't even text, not without using alternative apps like WhatsApp or iMessage.

So what is so special about these apps that the laws don't apply to them? And if we are using encryption as a way to back out of the rights we as a society already granted our government, then by all means let's do it publicly, because there is no reason why the government should be able to tap the phone of a 90 year old grandmother but not yours just because you know how to use WhatsApp.

>Like it may have been "helpful", but how much damage did that lack of privacy and the existence of backdoors cause, too?

Practically none; every piece of telecommunication equipment in the US and the west at large has LEI backdoors built-in. These aren't used for exploitation, just like the fact that most mobile phones can be easily tapped by anyone with $100 worth of SDR equipment.

While these are technically a risk, in practice they aren't really a risk because they still have a high barrier for entry, high risk, and essentially very low reward due to the lack of scalability.


>But again this isn't about the NSA, this isn't even about the US

This has everything to do with the US, and the NSA, because the legislation in question is part of a broader campaign orchestrated by the Five Eyes.[1]

[1] https://www.homeaffairs.gov.au/about/national-security/five-...


The difference is that these agencies never even bother with a warrant to store all of our data, and claim to not "collect" anything all while using algorithms to conduct mass surveillance at a scale far beyond the KGB's wildest dreams. And when they do want to spy on an individual more directly, it's done through gag orders and secret courts with no accountability to the public.

Digital data is actually afforded even fewer protections than your example of letters in the mail.


The difference is how we use this "communication". It isn't just communication between peers anymore, but part of our digital... self (I'm blanking on a better word). The equivalent of you accessing your Google Drive wouldn't have been governed by these laws a few centuries back. You'll have a hard time demonstrating WhatsApp or iMessage are used for nothing more than phone calls usually were.

Yes, all changes are tiny/gradual and the huge effect they have in combination with all others can often only be seen in retrospect. That's what makes your "this barely changes anything, it was always this way" argument usually so hard to argue against. But in this case it is obvious how our lives are becoming more and more digital...


> If it is then we should just publicly say that the government shouldn’t be able to tap phones regardless of what technology they are using to communicate.

They can tap phones, and should be able to tap phones, along with VoIP, video calls, and mail. But while privacy isn't absolute, their ability to wiretap communications with a court order has never been absolute either, merely opportunistic.

These are opportunities they don't have available to them, and it needs to stay that way.

They should not be permitted to set aside all other concerns just to keep that wiretap and search ability in the cases where it comes up, because it simply isn't that important compared to all of the problems they will cause in the process.

People, including whistleblowers and political dissidents, even in the U.S., will be harassed, threatened, blackmailed, or even killed as a result of their tampering, and the government itself will misuse those expanded access powers, just like all the others they've publicly or secretly obtained.


>They can tap phones, and should be able to tap phones, along with VoIP, video calls, and mail. But while privacy isn't absolute, their ability to wiretap communications with a court order has never been absolute either, merely opportunistic.

No, it was never opportunistic; it was always by design and mandated by law, as telecommunication providers must provide LEI capabilities. This affects how they design and implement their networks and the equipment they use, which is why LEI capabilities appear even in CPE equipment such as your modem, and the FCC and other regulatory bodies enforce this as part of their certification process.

The case here is that now the telecommunication providers aren't actually that useful for LEI, or at least it's that WhatsApp/Facebook isn't classified as one, because if it was it would be required to provide LEI capabilities by law.

>People, including whistleblowers and political dissidents, even in the U.S., will be harassed, threatened, blackmailed, or even killed as a result of their tampering, and the government itself will misuse those expanded access powers, just like all the others they've publicly or secretly obtained.

If we turn back the clock even only 5 years ago where essentially nothing was encrypted in a manner that would invalidate LEI this wasn't an issue, nor does it grant the government any new powers.


Perhaps such interception capabilities were developed because encryption technology wasn't widely available at the time. Even back then people with high security needs encrypted phone calls with contemporary encryption technology. Times have changed and encryption technology is widely available now. The question is whether encryption will be broken by people resisting change or whether law enforcement will be satisfied with metadata alone.

EDIT: Should have been posted under grandparent.


>The problem is that we as a society already agreed that it’s acceptable.

>We allowed the government to open mail, open locks and tap phones with a warrant all of which were technically challenging.

If we had a referendum on this ("should the police be able to access the communications of someone as part of the investigation of a crime?") I bet "yes" would win. Myself I also think it's acceptable. Don't think it's so clear-cut.


>If we had a referendum on this ("should the police be able to access the communications of someone as part of the investigation of a crime?") I bet "yes" would win.

I highly doubt so, but if so it should be the way to go because there are backdoors in nearly every piece of telecom gear because the providers are mandated to provide LEI capability by law.


Maybe, and only maybe, you'd get a no in the US, because of the deeply ingrained hate/distrust for the government. But the rest of the world? Seriously. Maybe I'm wrong but I doubt it.


>Maybe, and only maybe, you'd get a no in the US, because of the deeply ingrained hate/distrust for the government. But the rest of the world? Seriously. Maybe I'm wrong but I doubt it.

If anything, if the US has trust problems with the government then it should be a yes rather than a no.

But anywhere else in the world there is also little to no chance that the population at large would be up for denying the government the ability to have lawful intercept and lawful access to any protected resource during an investigation.

In fact you might not want to deny them that right at all because it would essentially shift the majority of the evidence to circumstantial eyewitness testimonies.

Because why stop at a phone call? Why should a government be able to search your residence? Open a safe? Read a diary? Open your computer?

And if you deny them all that then what happens? Sure, at first the legal system would be in a transition phase where far fewer people might be convicted because under these new restrictions the prosecution won't be able to meet the bar required for conviction, but fairly quickly, as soon as conviction rates would drop, the legal system would bounce back up and get used to the reality of less evidence, and this isn't a good place to be.

Any development in forensic sciences and investigatory techniques has prevented innocent people from being charged and convicted just as it helped to convict the guilty (don't get me wrong, I'm not saying it's perfect or that mistakes are not being made, but DNA for example had to exonerate as many people as it helped to put in).

So I'm not entirely sure we want to go back to the days where people were judged in court based on how many character references they could provide.


Ah okay, we have it backwards. I'm saying that people would allow LE to intercept communications everywhere in the world except in the US!


I think I misread the original comment you made then :)


I agree. "yes" votes in referendums are quite rare in Australia. There'd be much political mileage to be made campaigning against it.


Please don't use whataboutism.

If it was already agreed there would be no bill.

Just because our forefathers succumbed to the scare tactics, fake news, logical fallacies, propaganda and plain old whataboutism does not mean we must also do so.

The people, society, law makers, whatever made their decisions and it is incredibly hard to undo them.

I would love to say today, hey you know what, it was worthwhile having law enforcement be given access in the past but in light of their abuse re Snowden et al, maybe it's time to roll some of this back. Because you know, the rewards no longer justify the means.

But you know what? That just isn't a workable option.

Now with that said, for the bill in question, it does not just plainly follow that we must make the same mistakes. We have hindsight and should take advantage of that fact, not just squander it.


I work for the tech division of a non-tech related branch of public service. It's scarier than you think. People passing by in the hall are sometimes literally added to the meeting taking place and get to (are obliged?) voice any advice they might have on the subject being discussed. Boom, they are now an expert and project leader. It's not about legislation though but the consequences are very real (how the project gets implemented with all the dance with contractors and other branches and how it will impact everyone in the country).


"It's frightening how politicians with such little knowledge and understanding of certain subjects have so much power to create legislation about those subjects"

But we've elected these politicians to ... create legislation!

Should leave it up to people like ... Zuckerberg? Jack?


>Should leave it up to people like ... Zuckerberg? Jack?

Why not say, cryptographers, mathematicians, computer scientists that aren't multi-billionaires that actually do have your best interests in mind and haven't been corrupted by money?


Cryptographers, mathematicians, and computer scientists should be consulting politicians, who should have a broader view than just their specialty.

Also, money corrupts without prejudice, even cryptographers, mathematicians, and "computer scientists".


That's what lobbyists are for, and the reason that they aren't inherently bad.


I'm curious about the principle of these laws. [Later Edit: not Australian specific, something that can be applied anywhere]

If the only way to convict a suspect would be for them to self incriminate during testimony should the 5th amendment be waived?

How many other rights should be cancelled because they prevent law enforcement from having an easier job?

Banning guns to make doctors' jobs easier is out of the question but banning privacy to make policemen's jobs easier isn't?


For US law on this subject, check out the Third Party Doctrine. There's a good article by Orin Kerr on it, which is a defense of the doctrine but also goes over its fundamentals (https://repository.law.umich.edu/cgi/viewcontent.cgi?article...)


Bear in mind that this is an Australian law, so the 5th Amendment isn't involved. I don't know much about Australian law, so I don't know if they have an equivalent right within their legal system.


No, I'm fully aware it's not the US, I simply used a principle that's popular enough (from movies) that many people could relate. It's the principle that matters. I edited the original comment a little to highlight this.

I'm sure that there must be something in the Australian constitution that guarantees a right for the citizens. Should it be taken away just to make someone's job a little easier?


There is a right to silence under common law apparently.


> "Furthermore, what is described remains a backdoor, albeit a keyed backdoor. There is no requirement for backdoors to be universally exploitable to be considered a backdoor, it merely needs to provide an alternative entry point into the target system or protocol."

If someone just looking for holes in the law already sees this, what would the supposed-to-be-knowledgeable politician do/think they are doing?

Note: It's wrong because you are creating a universal access point in encryption to violate the original intent of the encryption (which is end to end most likely). This would mean you sell/show end to end encryption which has a man in the middle no matter what you do. And if it is poorly implemented, which is often the case with backdoors, it is probably universally accessible. Even if they say it's not. As already stated by the author.


So basically since the vast majority of technology products are produced outside of Australia, while one can imagine them forcing them to only sell hardware products with broken security just for Australia, however:

- The population of Australia is only 24 million, less than 1/10th of the US, and this would require expensive engineering just to sell to this market.

- Caving to Australia makes this look like an attractive option to other more lucrative markets.

- Some people would just import their own phones from overseas

- Software products are unlikely to desire to compromise their networks/products for Australia and it's 1000x easier to import software than hardware.

The best strategy would seem to be ignore Australia.


Privacy vs. security... it's complicated. Nobody cares that the police can tap a phone line... so by that logic, why can't they tap any other communication medium?

But... what I do know is that the Australian government is not the one to solve the problem. They're a small market, without a lot of technical expertise... having lived in Sydney for some time now... I know you don't want the Australian government involved in tech.

* Australian PM Calls for End-to-End Encryption Ban, Says the Laws of Mathematics Don't Apply Down Under | Electronic Frontier Foundation || https://www.eff.org/deeplinks/2017/07/australian-pm-calls-en...

* 1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool. - The Washington Post || https://www.washingtonpost.com/technology/2018/08/22/western...

* NBN regional connections to cost about $7000 per premise || https://www.news.com.au/technology/online/nbn/nbn-regional-c...


If Australia was really concerned about encrypted communication as a threat to national security then they would outlaw end-to-end encrypted messaging. Terrorists and child abusers and wife beaters walking free because law enforcement can't read the private messages of "these people" due to this thing called encryption.

They should specify that any form of private communication cannot be encrypted end-to-end where the decryption keys are only accessible to the communication participants. Internet browsing, online shopping and banking transactions are allowed, as is communication which is encrypted by a service provider, and as such can be decrypted by said service provider upon request from law enforcement.

Anyone caught using end-to-end encrypted communications can AND WILL be fined.

The effect of this would be the same as what they're currently proposing, but they're currently hiding it behind words that most of the population don't comprehend, and therefore doesn't make the kind of mainstream headlines that it should.

By taking this weasel-worded approach the Australian Government is being intentionally ambiguous about their intentions and the effect of this legislation.


The problem is that with physical telecoms providers, you can mandate these LEI implementations. If the provider doesn't comply you ban the sale of the device. Yes, you can get a few black market devices to get around this but you can't head into your local shop to obtain it.

With the current scale of open source software, you can mandate a law for backdoors but countries that do not have such laws would be able to remove these backdoors from the open source software if they are ever put in. Simply banning OSS won't help either since many countries that have banned encryption still see widespread use of encryption software as the internet has no borders. Firewalls don't count because that is equivalent to trying to stop a million tunnel diggers from digging over the border all at the same time with a million more diggers ready to go. Ask China with their great firewall full of holes.

Backdooring or banning major providers like WhatsApp, etc will only push more and more people to an open solution that is globally distributed.

The only solution to gaining encryption access is the simple option. The option that if you are an interesting enough person, will get to play catch with a wrench while your hands are tied.


Can anyone comment on how this is likely to affect multinational entities like Apple? Given the Australian market is so small, would it not make more sense to leave the jurisdiction entirely rather than compromise security? Same goes for App makers like Signal. Why bother with Australia? (I'm Australian, and really don't want to see this happen FWIW, but it seems the rational decision)


Closed tools like Signal, Snapchat, Slack, WhatsApp, iMessage, Messenger, Hangouts etc will all make the promises about privacy you want to hear, but at the end of the day they are closed source and updates or commands can be sent to your handset to send plaintext to their servers at any time.

The question is under what criteria this will happen. Insider abuse? Government order? To make money?

Trying to make it illegal for companies to do this sort of thing on a country by country basis is worth pursuing, but it is not a real solution. We need to stop trying to use the law to enforce security.

The solution is to use tools that take court ordered backdoors off the table. Support open and federated communications networks where anyone can build their own clients or servers where pressuring of any entity can't put community built clients at risk.

There are a range of clients/protocols that meet this criteria such as IRC with OTR, XMPP, IRCv3, Silence, Matrix.org.

Take your pick, and convince your contacts to use that instead of companies where you have to just take their word for it they won't backdoor you as it suits them.


Signal is free software[1] -- GPLv3 in fact. Don't get me wrong, it has its own issues with Moxie having very strange views of the threat model (and being anti-federation and anti-distribution), but it is definitely not proprietary. I also concur with the Matrix.org recommendation.

[1]: https://github.com/signalapp/Signal-Android


Signal likes to throw around that they are free software but really that is more marketing than fact.

The signal -client- is open source, but the server is closed. Yes partial server code is open, but running your own server is not allowed. The signal signed clients will only talk to the closed server and Moxie has made it clear he does not want forked clients or clients not built by his team connecting to his network. Open source f-droid builds are not permitted, and if you want updates you must use the play store builds. Those with open source phones must turn on unverified sources and risk man in the disk attacks to install the apk from the signal website.

Security you can't fully verify, is just called marketing.


> The signal -client- is open source, but the server is closed. Yes partial server code is open, but running your own server is not allowed.

This is not true at all, the server is entirely AGPLv3[1]. You can run your own server, but they don't want to federate and don't want people to distribute forks of their code (that connect to their servers). What they want is irrelevant because the license they've put the code under explicitly allows you to do these things -- though arguably they are allowed to restrict connections to their servers because that's a freedom under AGPLv3.

So while I agree (and I explicitly said I agreed in an earlier comment) with the problems with Signal -- you are not helping explain why Signal has issues by spreading misinformation about it being proprietary. It isn't proprietary nor is it unverifiable, instead it is run by a company that has no interest in federation or solving much more important issues with their service. That is a serious enough problem that you don't need to make up issues that will just discredit legitimate complaints.

[1]: https://github.com/signalapp/Signal-Server


It does look like they have moved away from closed server components like RedPhone and claim all sources are published now. I appreciate that correction.

The source code for -a- signal server is a nice gesture for anyone that wants to build a signal fork but it does nothing to prove the signal server actually in use is fully open source and does not have last minute patches applied. Can't run my own for the real network so I must hope an employee won't be pressured into changing live systems or signing malicious client binaries at any time with no one noticing. Seems we both agree this is a real problem.

Verifiable security and centralized trust are incompatible.

I do still generally consider any code that can't be verified to be closed but I agree accuracy is important.


Again, the server code is AGPLv3 so it would be copyright infringement (of the contributors to the code) on the part of WhisperSystems if they were to patch the server code and not provide the sources to users. There isn't a technical way to stop this problem (federation wouldn't solve it either -- it would allow you to switch to a host that you trust more but that's a different problem), you just sort of have to trust that WhisperSystems isn't breaking the law.

To reiterate -- I agree with you on the general point that federation and having a decentralised system is important for many reasons. But you're moving the goal-posts so that now, even if the server code is AGPLv3 (which requires giving source code access to network users) you still can't be sure that code is running in production, and thus it's still effectively proprietary. That's not a reasonable argument.

As an aside, WhisperSystems has remote attestation of parts of the server code using Intel SGX, which means that it actually has some degree of verifiability[1].

[1]: https://signal.org/blog/private-contact-discovery/


These goal posts are related.

Given the context of the five eyes backdoor discussions it is not unreasonable to expect that a government could pressure WhisperSystems to manipulate a client update or patch a server, GPL laws be damned. A single employee could also be bribed or blackmailed. Intel could also be compelled to falsely attest an SGX enclave.

When it comes to protecting privacy against highly motivated and sophisticated adversaries then centralized trust is just not an option to be taken seriously. It creates a Lavabit sized target.

A company that is as serious about privacy as their marketing indicates would, like TOR, encourage as many servers to run as possible to ensure there is no central pressure point to abuse.

Cards on the table: I find Moxie's insistence on a walled garden while using Open Source and Privacy to market it simply unethical.

I do again appreciate the updates on the current status of their public source code though. I will strive for better accuracy in the future on this.


It seems that the bill [1] is intended to make it possible for ASIO/ASIS/ASD/whoever to force Apple, etc. to share their most powerful private keys (I.E. likely the keys burnt into the ROM bootloader of iOS devices), their source code and build processes. [2]

It might appear from a cursory glance at the bill and the "Industry Assistance Factsheet" [3] that the bill would not allow for this sort of behavior (introducing backdoors), but the relevant section 317ZG of the bill only prohibits government agencies from requesting that companies build weaknesses or backdoors into their software but says nothing of the government doing the same. This is extraordinarily deceptive.

So, Apple's response (and the response of other multinationals) is likely going to be to ensure that all devices that are sold on the Australian market are sold with an Australia-only root certificate/key which they'll be forced to share with the Australian government agencies but whose compromise won't affect business in other countries.

It seems that doing business in Australia (as a multinational) is going to be like doing business in China, and no doubt there will be other countries that decide to not purchase Australian communications technology for fear of backdoors... [5]

What a fucking farce this is.

EDIT: I forgot to add that by writing the bill to allow for the above behavior, the total amount of TCNs and TANs that are required (for dragnet surveillance) is reduced substantially, and given that the only public reporting seems to be a rough yearly count, this is great for PR of a police-state as it means that only a handful of approvals have to be recorded. Also it's punishable by up to 5 years in jail if you reveal the existence of a TCN/TAN (except where required to in legal proceedings and to provide a total count of the number of TCNs/TANs received over the last >6 months).

[1] https://www.homeaffairs.gov.au/consultations/Documents/the-a...

[2] See section 317E, subparagraph (f) of the bill which states that a "communications provider must [...] assist with the testing, modification, development or maintenance of a technology or capability."

[3] https://www.homeaffairs.gov.au/consultations/Documents/indus...

[4] Section 317ZG of the bill: "a [request/notice] must not have the effect of requiring a _designated communications provider_ to implement or build a systemic weakness, or a systemic vulnerability, into form of electronic protection"

[5] https://www.cnet.com/news/australia-to-ban-huawei-from-5g-ro...


> no doubt there will be other countries that decide to not purchase Australian communications technology for fear of backdoors...

To help eliminate any doubt whatsoever: as part of my job, I will absolutely, 100% veto any tech purchases from countries that mandate government encryption backdoors.


Hello, I'm writing to oppose the 2018 Assistance & Access Bill. Although I recognize the difficulties encryption poses to law enforcement & counter-terrorism, it is not a strong enough reason to compromise the safety, security & privacy of 24 million Australian citizens. Every Australian has a right to reliable, mathematically guaranteed privacy & security, not compromised/undermined by oppressive legislature. Neither domestic nor international companies should be required to assist anyone in breaking privacy protections, nor should warrants allow access to protected devices, and nor should existing legislature be strengthened. Would these changes help law enforcement catch a few criminals? Probably. Will it weaken the safety, security & privacy of millions of respectable, law-abiding Australians? Definitely. Cheers, Louise


If it is a success in Australia, it will be rolled out across the rest of the commonwealth


People are missing the entire point. This was never just about Australia doing it. It's a proposal by Australia AS PART OF THE 5 EYES to bring this in. They're absolutely planning for this to roll out to all the 5 Eyes countries.

If we really want to quash this, we need to start making that clear to everyone in the UK, US, CA, NZ, and AU, that this affects ALL of us.

They're just using Australia to launch it for this exact reason, 95% of the population of the 5 Eyes will think they're not affected, not fight it, and it'll pass. Then good luck stopping their momentum.


It's my understanding that once Australia passes it there's no need for the other 5 Eyes countries to pass it, since they have agreements to be able to send data they've collected to other 5 Eyes countries. Which means that they could just send all of the data to Australia and have the encryption broken (as-a-Service you might say).

Unfortunately I was out of the country when this whole shitshow went down. I sent an email, but I'm going to go see my Federal MP in person tomorrow.


It works in other ways too - for example, the ADF can do things that the American military can't. Thus, the Americans come calling to their Australian partners in crime when they want some nefarious deed done on the battlefield... and Australians just roll over and let it happen - as long as there are avocados to smash, Australians just don't care what their government is up to.


And even shit that the ADF is not allowed to do, they do anyway because there's almost no chance anyone will find out about it (especially with the new 10-year mandatory minimum punishments for leaking government information) and even if they did find out about it they can always hold an inquiry that provides weak recommendations that nobody ends up following. The whole fucking thing is a farce.


It is such a travesty of democratic principles I have personally decided to not have anything to do with the place, and abandoned the continent.

"I probably won't go back, at least not before I switch citizenships in protest."-

Oops, I just broke the Australian sedition law. Not allowed to talk about that, either.

-note:quotes


^^^ hit the nail on the head. It's exactly what happens.


The UK already has a law that is somewhat related to this (and was probably an inspiration for this)[1], but the proposed Australian bill has a ridiculously low standard and no judicial oversight. Even if you think that breaking all encryption systems used in Australia would stop terrorism (and that it would be a fair deal) you should still argue that it needs judicial oversight to stop us from forming a police state.

I can't believe it's actually necessary to argue to our MPs that a bill proposing access to every encrypted message that has anything to do with Australia without any judicial oversight is precisely the sort of tool that a police state wants -- and that even if they agree with the crux of the bill (which they shouldn't) that the bill itself is fucking insane.

[1]: https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016


"it could affect 'every website that is accessible from Australia'"

It won't matter to any of my websites, I will ignore their law. Just like I ignore GDPR. I don't do anything egregious, but those laws simply are/would not be relevant to me.


Your view includes only a fraction of the real world.

From a European ISP standpoint: the introduction of a systemic weakness is a violation of Art. 32 GDPR. We just can't do it.

Classic double-bind. GDPR is more important than Australia to us, so we just block all access from and to Australia. We have 195.000 affected webhosting customers (domain, email, website, servers), btw.


> so we just block all access from and to Australia

Please don't do this. The internet does not respect borders, and there's absolutely nothing positive that can come from changing that.

By blocking Australia you're just screwing over ordinary Australian people who probably don't agree with what their politicians have decided.


Maybe that's necessary to push some resistance among the common Australian.


It's not OK to make ordinary people's lives difficult just to further your own political interests, regardless of how noble those interests might be.


I am not following, why are you concerned about Australian law as a European ISP? Why would you block Australia?


This is just icing on the cake. We need to urgently dismantle Heimat and Interior


China passed a similar law last year[1] forcing citizens and companies to provide assistance with state intelligence matters.

Are these laws just a public acknowledgement and formalisation of what has been going on since early civilisation?

In the Cold War it was bugged typewriters[2] and sabotaged chips and industrial components. Ten years ago it was counterfeit chips from China causing early failures in US military equipment[3] and US backdooring of cryptography standards[4]. More recently, Chinese companies have been factory backdooring hundreds of millions of mobile phones[5] and Western countries have been vacuuming up the Internet[6]. How many integrated circuits purchased from factories abroad today can be trusted when hardware backdoors have been shown to be almost undetectable even to the best resourced labs?[7][8]

Instead of manufacturers around the world being coerced into backdooring technology[9][10] without regulation, at least there may now be some formality. These laws don't change how much trust can be placed in foreign technology (answer: not much at all). It shouldn't be a shock that Australia has banned Chinese equipment from the likes of Huawei and ZTE from broadband and 5G mobile network rollouts[11]. And it shouldn't be a surprise to Australian companies if China bans the import of Australian technology.

[1] https://www.lawfareblog.com/beijings-new-national-intelligen...

[2] http://www.cryptomuseum.com/covert/bugs/selectric/

[3] https://web.archive.org/web/20081011075757/http://www.busine...

[4] https://bits.blogs.nytimes.com/2013/09/10/government-announc...

[5] http://www.kryptowire.com/adups_security_analysis.html

[6] https://en.wikipedia.org/wiki/Global_surveillance_disclosure...

[7] http://www.emsec.rub.de/media/crypto/veroeffentlichungen/201...

[8] https://web.eecs.umich.edu/~taustin/papers/OAKLAND16-a2attac...

[9] https://www.usatoday.com/story/opinion/2013/08/27/nsa-snowde...

[10] https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_d...

[11] http://www.abc.net.au/news/2018-08-23/huawei-banned-from-pro...


Also on the front page of HN, France declaring a desire for additional technology independence from the US:

https://news.ycombinator.com/item?id=17950155


I have spent the last ~2 hours reading the 100 page explanatory document [1], these are some of my thoughts.

The bill pretty explicitly talks about ASIO. I don't think these laws will be used for much less than espionage, or possibly deep corruption cases. For example, right now ASIO don't have the power to remove a computer to inspect it. That actually surprised me (what would not surprise me is that they routinely do this anyway). In many cases I don't see why physical access is required though, I am sure ASIO are capable of hacking most routers/IoT devices, possibly even laptops, just using known methods (are drug-lords really that up to date on L1TF?). The biggest issue I have is that the granting of warrants always comes down to whether some judge or minister thinks it's all good. Although, in one of the sub-sections they say the Attorney-General can delegate their powers to a senior ASIO officer, so this is a C-suite level person inside ASIO likely to have these powers (note that they explicitly point out that this person cannot further delegate that power, so these decision makers are direct reports to the Attorney General presumably).

On the topic of getting people to give up passwords and/or keys, it says that agencies have "the ability to compel persons" to hand them over... whatever that means. Does "compel" mean, breaking fingers compel? I am pretty sure this is with a warrant.

There are provisions for situations where evidence may be lost, or other dire circumstances, where they can request things orally and immediately, but they do have reporting requirements around such circumstances.

Probably the most alarming thing is the technical notices. With these, they can basically ask first, but if required - demand - tech companies to add in back-doors. They try to deny it but that's what they are. It is pretty explicit that they can't compel companies to introduce 'systemic weaknesses', so it's not about making product-wide easter eggs that give you root permissions. I think they mean more like "put a clause in your code that when Dr Evil logs into WhatsApp, and only Dr Evil, it forwards all comms to us." That's pretty strong power, and not really a systemic weakness in WhatsApp, but most definitely fits the definition of a back door to me. They say companies will be compensated on a 'no loss, no profit' basis. One kind of nice limitation on this is that it will definitely be expensive for ASIO to do this. Companies are in some ways incentivized to restrict their acts to single customers, because if ASIO want to monitor 10 people, well that requires 10x the budget doesn't it?

This was my first time trying to read law. If you read law as code, then law is TERRIBLY written. This amendment is the world's most ancient pull-request system, putting this into VC would make it much clearer for all involved. There is no concept of a dependency tree, instead other acts are referenced at will and with no version lock to say whether that definition is still current. I suspect there are a lot of regression fails when they write new legislation, unless someone is poring over all other acts looking for things which reference the act we want to change.

TL;DR: I'm gonna let this go through to the keeper. Writing law is complex. Ultimately it always comes down to, can we trust our government and public institutions, as well as our companies, to do the right thing? How much must we bind ourselves as a society, to ensure that they cannot abuse us? It's tough. I tend to think that the 99% of the people writing these laws, and the officers enforcing them, aren't monsters or evil people - they are my fellow Australians.

[1] https://www.homeaffairs.gov.au/consultations/Documents/expla...


I have been reading through the proposed law (see my posts elsewhere in this thread) and I have to say that I disagree with your assessment that the law implies or requires targeting of specific individuals or groups rather than dragnet-style operations. Unfortunately, there doesn't seem to be anything in the bill to limit the scope of a TCN/TAN so that the government agencies can't use a single request to cover a wide range of unrelated cases/investigations. As it is written, it seems that a TCN/TAN could require that a company builds and signs arbitrary code that is handed to them by a government agency. [1] This code would be the backdoor (or Remote Access Tool or whatever they choose to call it) and likely would be distributed as a software update (possibly also by the company although there might be some legal wrangling about whether the government might be required to host the backdoored software themselves).

What this all means is that a single TCN could theoretically be issued to cover a specific case (say a reasonable investigation into some potential terrorist activity) but the signed backdoor/remote access tool that comes out of it could be used arbitrarily by the agencies involved with little to no oversight.

I know that this is a difficult area for law-enforcement to operate in and I understand that part of the problem that they have at the moment is that they sometimes have no certainty about whether they can get access to specific pieces of electronic evidence (even with a warrant) but the intelligence community (including here in Australia) has a lot of bridges to build if they want to actually have this discussion in a rational manner.

There are probably some reading this who think that I am being hysterical or paranoid about ASIO/ASIS/ASD and that they are rational and ethical actors, but I suspect that anyone who thinks that is likely underinformed about their historical activities.

There is currently some international investigation into evidence of recent (in the last 15 years) potential wrongdoing [2] that the current Attorney General (who would be the individual responsible for approving these TCN/TANs) is attempting to frustrate. [3] These moves by the current federal AG are so extraordinary that a former NSW DPP (Director of Public Prosecution) and a former Victorian Appeals Court judge have stated that "[...] unlawful activity was undertaken on our behalf to improve the government’s negotiating position" and that "there is a genuine question about whether the general interests of Australians would be served by the prosecution of either person." (the whistle-blower or their lawyer). [4]

Given the evidence of poor behavior by these agencies and their apparent disregard for due process, it seems extraordinary to think that these extensive new powers could not be abused as they are currently proposed.

[1] See section 317E of the law which states that providers are required to "facilitate or assist access to software that is capable of being installed on a computer, or other equipment, that is, or is likely to be, connected to a telecommunications network" and, crucially, paragraph (f) which states that providers must "assist with the testing, modification, development or maintenance of a technology or capability"

[2] In Australia bugging East Timor during negotiations over a $40-56 billion oil deal. See http://www.abc.net.au/news/2014-03-04/icj-orders-australia-t...

[3] https://theconversation.com/the-shaky-case-for-prosecuting-w...

[4] https://www.smh.com.au/politics/federal/top-lawyers-jump-to-...




[flagged]


Please don't do this here.



