Oz opposition folds, agrees to give Australians coal in their stockings this Christmas A backroom deal between two of Australia's government and opposition parties should mean local law enforcement can force firms to backdoor their communications by Christmas. The “Access and Assistance” bill allows designated law enforcement agencies to direct a wide range of technology providers – pretty much anybody who uses …
Australia doesnt have the same commercial weight as say Korea or USA.
No, but passing this in Australia helps normalize the idea so that South Korea and the USA and other industrialized democracies can push equivalent legislation through. SIGINT agencies around the world have been begging for this sort of regulation for decades. "Australia did it, and the sky didn't fall" is a useful argument for them.
That it's tremendously foolish and profoundly vile holds no water with those types.
Encryption is just an algorithm and its an openly published one because as we all know secrecy will not guarantee security, in fact its likely to compromise it. So the only way to attack encryption is through key distribution. What the Aussies are demanding is effectively a scheme where they hold the keys -- or the keys are made accessible to them -- which sort of works until someone figures it out (experience with Blu-Ray's uncrackable key scheme wasn't very encouraging -- it becomes a race to see who can crack it the fastest.)
I suppose ultimately what's going to happen is that the Aussies are going to get their keys, unlock the bad guy's communications -- only to discover that's its already been encrypted by something they don't have the keys to. There's no real point trying to explain this to politicians so I'd just shrug and walk away, let them find out at their own pace.
@martinusher
And not only that, but the ASSUMPTION is that the bad guys will use:
a) a service provider
b) a point-to-point communication scheme which identifies the end points
*
There are other ways which this legislation does not cover, such as posting messages on web sites (like The Register). The sender might be hard to identify, and the recipient also. Maybe the Australian government will be asking The Register for "the keys" to the book cipher message below.
*
Hint: https://en.wikipedia.org/wiki/Beale_ciphers
*
5491D4A6E5370DE11BE44A9AE184766F3FD0F07E
7076E0647E66C032502929A4B5DC7F02C810C238
52418114A5725AE5D0B45DF625D9F616DFE50B21
16B8C2BA905565906B3C2C81C5369629315381E3
4A9850FEE2380975B4734C6770959449B4C4B159
402E9444FD6890D4276B541EB4AFF4217FB
The “double-lock authorisation” the ALP agreed to simply means the coercive Technical Capability Notices will need the sign-off of both the attorney-general and the communications minister.
The rubber stamp carrying both signatures is in the final stage of preparation. The delay was both of them deciding on which version of their signatures looked best. Mass production of the stamp will be completed by the end of the week with distribution to the different agencies expedited over the weekend.
Dreyfus' statement continued: “This compromise will deliver security and enforcement agencies the powers they say they need over the Christmas period, and ensure adequate oversight and safeguards to prevent unintended consequences while ongoing work continues”.
The government had warned that the law had to pass before Christmas, because of the elevated risk of terrorism at this time of year, but MacGibbon agreed with AM presenter Sabra Lane that someone receiving a request had 28 days to respond. Make of that what you will.
How the F@*k will rushing this law through help with the "elevated risk of terrorism at this time of year"? The law won't receive Royal Ascent today. It will be lucky if it gets it this week. The "security" agencies will have to identify the individuals to be targeted, determine what encrypted messaging they are using, request the AG and communications minister (who will both be on Christmas break) for approval Oh!, wait, where is that rubber stamp, determine who to send the TCN to and then wait for the response.
The individual companies have 28 days to respond to the TCN by which time it will be January (or later depending on the speed of the previous steps). Even if the companies are feeling generous, they will have to find staff (who will probably be on Christmas break), make changes (assuming it is possible), test the changes (assuming companies bother to do this and not use the public as guinea pigs), roll out the changes to the apps, have the people update their apps. Anyone concerned about the agencies reading their messages will be turning off automatic updates so they don't get the compromised apps.
Only then will the Security agencies be able to look at the messages.
Time to find a new country.
- Jan 2019: First TCNs issued?
Come on, They want to use this law to fight the terror threat at Christmas (or at least that was the BS reason for pushing it through in this sitting of Parliament)... The security agencies will be scrambling over each other to see who can be the first to issue a TCN and will race to have it out so they can justify the speed of passing of the legislation.
I reckon the first TCN will be out he door less than 1 hour after the law receives Royal Ascent.
- Apr 2019: First prosecutions for failure to change the laws of physics?
Now as to the prosecutions... I think that the chances of getting the prosecutions into court in 2019 at all is extremely optimistic. The legal process doesn't work that fast. Only the pseudo-legal processes, like the mass privacy invasion that these laws enable, work that fast.
Revealing the existence of a TCN is illegal. Prosecuting a company for failure to to comply with a TCN will reveal the existence of at least one. Presumably this is legal and the court's ruling and sentence will also be a matter of public record and will be required to show up in SEC filings.
Next year phone adverts will include "already fined for not complying with a TCN".
- Dec 2018: Australia becomes the first nation to nail its colours to the mast.
- Jan 2019: First TCNs issued?
-March 2019 First secret communication of the PM published on social media.
Don't they realise that if there are backdoors anyone can read their private communications - a back door will let anyone in.
"Don't they realise that if there are backdoors anyone can read their private communications - a back door will let anyone in."
I really wonder if they realize that or not. Maybe they do and they just don't care.
I'm reminded of the US' "TSA approved" locks for luggage. Those locks all take one of 8 (IIRC) master keys to open them. All of those keys are readily available for purchase -- or even by 3D printing -- by anybody. The TSA is fully aware of this, and their official stance is that they don't care because that flaw does not have national security implications. It only sucks for the travelers.
To be fair the 'TSA Key set' was based on the 8 most common luggage keys that were in use. Baggage handlers and other airport workers had already made their own bunches of these keys long before they were identified as the 'TSA Standard'. Only one of them is even remotely secure. So this quite a lot different to that...
I'm reminded of the US' "TSA approved" locks for luggage. Those locks all take one of 8 (IIRC) master keys to open them. All of those keys are readily available for purchase -- or even by 3D printing -- by anybody. The TSA is fully aware of this, and their official stance is that they don't care because that flaw does not have national security implications. It only sucks for the travelers.
---------------------------------------------------------------------------------------------------------------------------
Nonsense. Those keys are tightly controlled, and only in the hands of trusted and trustworthy government or approved agents. There aren't more than several million sets in circulation, probably.
I for one hope they catch that elf on a shelf. There's also that fat man that keeps breaking into peoples houses and I'm not sure if Cliff is planning on releasing a record.
Seriously though, is this just going to be a case of passing capability down from the spy agencies to local enforcement?
FISC: What!?
NSA: Santa Claus is a person of interest and a terrorist. Every year he violates US airspace, causes financial mayhem to our economy, drops packages containing god only knows what and ...
FISC: Yes?
NSA: He's got a list... we want it.
Clearly this particular piece of legislation is an appalling mess. Particularly the failure to specify the differences between a TCN and a TAN given the looser (almost non-existent) controls over issuing TANs. That’s never going to be abused...
I am in no way surprised. What I am surprised by is that world+dog-intel agencies invariably cries foul at every such story, but never once mention lawful intercept (as in telephone “tapping”).
Am I right to think we’re all perfectly ok with big G sniffing our SMS messages, but Lord forbid they see our WhatsApps? Seems weird to me.
Why the apparent discord over what is basically the same thing. Yes, there are technological differences, but are we really saying how we send messages affects whether or not we’re ok with them being read by big G?
I understand the tech companies not folding. They’re in it for the money. Saying “no can do’s ville baby doll” keeps customers. Bending over likely loses them customers. But why do *we* the consumer care about the difference? Or do we just forget about lawful intercept?
The media appear to be failing in their job here to bring LI into the discussion. Assuming their job is to educate and create discussion rather than sell ads...
I honestly don’t know the answer to this. Any ideas?
I understand that some ppl require encryption for their safety, and aren’t stupid enough to send sensitive info over SMS/phone call. But generally speaking the states involved in that kind of behaviour don’t need a technological solution beyond an angle grinder. They’re not affected by any of this one way or another.
The difference is that Google, Facebook, etc can't throw you in jail for that torrent you downloaded 3 years ago, or that time you texted while driving. The analogy between the way people used SMS and the way they use modern day technology (such as WhatsApp) is incredibly dull.
On the other end of the spectrum, one could ponder what implications the law would have were a mind reading device to be invented. Realistically, our technological capabilities are somewhere in between SMS and a mind reading device, perhaps more-so on the SMS side but only time will tell.
Using SMS and phone calls as a reason to be able to use any and all technology as a bugging/trojan device should have outlived its use for anyone giving serious intellectual thought to the issue about 5 years ago.
You misunderstand. I’m simply asking two questions:
1. Are we ok with lawful intercept?
2a. If not, why is nobody saying this in these discussions?
2b. If yes, why should one messaging format be privileged and another not (ie why should we accept interception on one and not the other)?
I’m not saying there’s an argument for interception (or against it). I simply want to know if LI even crosses people’s minds in these discussions, and their opinions are on the area as a whole.
Lawful intercept is a fluke from an older era where people routinely sent plain text communications written on paper or talked on a public phone. I also seem to remember that the Ne'er-do-wells tended to use various ciphers (ranging from weak to strong) since they were very much aware of the possibility of interception.
Lawful intercept itself is of dubious use, but also not exactly harmful (as has been pointed out, any LI methods are also generally available to crooks, so smart IT folks now routinely use this newfangled technology called "end to end encryption" when sending valuable / trade secret / etc. data over public wires).
The real danger here is that this bill goes beyond LI and tries to criminalize encryption, to varying effectiveness. What happens, for instance, if two people that want to keep their newfangled invention secret before applying for a patent (remember, first to file, not first to invent like the US used to have, so secrecy is vital) decide to use open source encryption (GPG?) on their client PCs. Is that legal? What happens to the two end users and/or the service provider(s) if the Aussie government or a well-endowed corporation with Aussie gov't ties wants to capitalize on the inventor's hard work and file first?
@Pier_Reviewer
Define "lawful".
*
What most people worry about is "lawful" trawling of ALL COMMUNICATIONS in some particular channel. Again, most people would have few problems with targeted intercepts, backed by evidence and authorised by a court order, against some very limited number of named individuals.
*
But, as the Snowden papers reveal, when governments talk about "lawful intercepts", what they mean is spying on everyone. ....so let's hear your definition of "lawful".
“But, as the Snowden papers reveal, when governments talk about "lawful intercepts", what they mean is spying on everyone. ....so let's hear your definition of "lawful".”
Ah, I understand now. People don’t know what Lawful Intercept actually is :/ That’s a tad scary.
You are incorrect in that quote. LI has a particular meaning. Get your Venn diagrams out folks. All LI is communication interception but not all communication interception is LI.
LI specifically refers to the capability that telcos are *legally mandated* to provide to the state to give effect to court orders that require interception to take place.
The state doesn’t “tap” your phone. Your telco does. It has equipment in its core network for the task, and is legally required to have that equipment.
Sound familiar? That’s because that’s what various states want WhatsApp et al to be required to have.
Forget whether you agree or not. I know it’s not easy, but everyone (on both sides) needs to leave the dogma alone. The fact is, the model proposed already exists in the telco industry. Simple question - should it?
PS I’m interested by Cuddles argument (“LI is here so we accept it”). Scary that we care so much more about the rights we have and might lose than those we’ve already lost...
And if I decide to plug a scrambler into the phone line, that tap won't get very much. This new law seems to be going after encryption and specifically backdooring end user devices, which in the telco analogy is a much wider reach (basically making plugging a non-backdoored device into the network impossible due to the way these services are designed).
"The state doesn’t “tap” your phone. Your telco does. It has equipment in its core network for the task, and is legally required to have that equipment."
Why do you think people here don't understand what LI is? I suspect most do.
I would note, though that when it comes to things like CALEA in the US, that's the state tapping not just your phone, but everyone's. The state is just using the telco as its agent.
"1. Are we ok with lawful intercept?
2a. If not, why is nobody saying this in these discussions?"
They are. The problem is that some technologies are inherently insecure, so there's very little point making a fuss about it. Not all that long ago, the only way to send communications beyond shouting distance was to write it down and give it to someone to carry for you. Complain all you like about whether they should be able to, but there's absolutely nothing you can do to stop anyone from reading that letter, so for the most part people simply didn't bother complaining about it. Similarly, intercepting telegraph and radio signals was not particularly difficult (with broadcast radio, potentially much easier), so if the government says they reserve the right to snoop, why bother complaining? They're going to do it anyway, and there's simply no such thing as a secure alternative.
The arguments about encryption are all coming up now because there's actually an argument to be had. The development of things like public key cryptography and the spread of powerful computers means that people now have the option to have truly secure communications. And not only do they have that option, but since these things have spread before laws regulating them have been made, they've become used to actually using that option. It's similar to how people were willing to buy hilariously overpriced albums because that was the only way to get music, then Napster came along and suddenly there was an argument to be had about how things should work. No matter what your thoughts on ethics and such, once you've shown people a way of doing things that they like, taking it away from them again is not an easy task. Hence Amazon and iTunes and Spotify and so on.
Communications are in essentially the same position now. All communications used to be open to easy snooping, so there didn't used to be much point worrying about it (although some still did; see for example protests about censorship of letters during WWI and II). Now we have some secure methods of communication, but some people want to take them away from us.
As for why some formats should be privileged and others not, see above. There's absolutely nothing you can do to stop someone reading your letters, so complaining that they shouldn't is just wasting your breath. As the British government has demonstrated recently, spy agencies are going to snoop on everything they can whether it's legal or not, and they'll make it retroactively legal if they think it's worth the bother. Since I can't, in practice, protect my letters, I'm willing to accept that they are not protected. But since I can and currently do protect my Whatapp messages, encrypted emails, and so on, I'm willing to fight not to lose access to such things.
While you're mostly correct above, bear in mind ciphers and encryptions existed before the mail service even did. If you didn't want someone to know what you were saying to a friend, you might write something that would be either unintelligible or downright misleading.
This practice continued well into the 20th century. Those Chicago gangsters from the movies certainly weren't wanting to warm their cold hands with their "heaters" etc. after all...
At some point computer-based encryption allowed people to conveniently communicate in plain text without worrying about such codes and ciphers, since the machine would encrypt the communications for them. The larger battle that needs to be won, immediately, is to enshrine the use of client-based encryption (e.g. open source) as a fundamental human right. After all, encryption was available for use for the past several centuries, there is a strong argument to be made that it cannot be banned without a reworking of the entire social contract (and simultaneously plunging the nation into an agrarian dark age).
As far as information going dark, that's been a problem since written records started. Fire and paper don't get along very well, and human memory is so ... fickle.
Here are my personal answers:
"1. Are we ok with lawful intercept?"
Yes.
"2b. If yes, why should one messaging format be privileged and another not (ie why should we accept interception on one and not the other)?"
It's not a matter of being OK with one and not the other, it's a matter of whether or not the government actively prevents you from protecting yourself. That's the part that I don't think is OK. I don't really have a problem with lawful intercept of any communications, WhatsApp or otherwise, but I have a big problem with the government requiring the weakening of defenses. Let's look at telephone tapping -- that's allowed, but but it's also permissible for you and I to use voice scramblers in our calls. If, as these people keep asserting, they just want to maintain the same ability that they have with phone calls -- well, they have that right now. What they really want is much more than that.
The law enforcement agencies in Australia already have those powers, they have the ability to subpoena call information, wire taps , transcripts of conversations and also subpoena information on accounts from all the big players.
This legislation does not help the agencies one bit in identifying or capturing potential or known terrorists or any other type of criminal for that matter.
Before you would want to know any encrypted messages from an individual. You will have a dossier on them. The only reason you would have a dossier on them is due to prior criminal activities, multiple sourced or a single strongly sourced intelligence report of their current activities Criminal History and affiliations. From there you build an association network, using physical and electronic interactions (All currently available via existing laws and processes) .You start probing those associations looking for additional intelligence and information on the person. ( this can take anywhere from 3 weeks to 3 years) depending on the focus you need to devote to that one individual.
At this point it tells you whether the person you are looking at is a player or not.. If so then the big boys kick in, targeted intelligence gathering, physical surveillance, electronic monitoring, etc. Again all available under existing laws.
So I ask you the same question I posed to my local Member ( political that is).
"If this is all possible now why are they trying to introduce a law that will effectively enable Big Brother monitoring on every single person. Without checks and balances, without recourse , without oversight. Every one. including you?"
1. Are we ok with lawful intercept?
Not under the current regime (in the US), with its secrecy, lack of due process, and widespread abuse.
2a. If not, why is nobody saying this in these discussions?
In which discussions? It comes up pretty frequently in my experience.
2b. If yes, why should one messaging format be privileged and another not (ie why should we accept interception on one and not the other)?
Because you fight the battle you're in today, not yesterday's or tomorrow's.
"are we really saying how we send messages affects whether or not we’re ok with them being read by big G?"
Exactly the opposite. Whether I'm okay with messages being intercepted affects how I send them.
For messages needing security, I make sure to use a secure method. WhatsApp's introduction of end-to-end encryption simply adds another method to my list, and takes away one that I had to worry about.
"Am I right to think we’re all perfectly ok with big G sniffing our SMS messages, but Lord forbid they see our WhatsApps?"
No, I don't think you're right. There are plenty of people who strongly object to both of those things.
Apparently, if they buy their software from NSO-Group, they can also monitor your WhatsApp stuff.
Check out the Amnesty International case.
Codes, cyphers, invisible ink. All were around long before SMS or telephony or general postal services. They were all used by not only miscreants but also business folk, eloping lovers etc.
This perhaps is why we should always roll our own for maximum secrecy... if not security.
"This perhaps is why we should always roll our own for maximum secrecy."
If by "roll your own" you mean "apply your own encryption and don't rely on that built into applications", then I agree.
If you mean "invent your own encryption", then I don't agree at all. That would be foolish. Strong crypto is really, really hard to get right (and very, very hard to tell if you've gotten it right or not). Unless you're a mathematician with a focus on cryptography, you really are much better off using crypto that's already been vetted.
Russians tried to suppress Telegram which refused to comply and got where? Nowhere.
They quietly stopped. The conflict also left enough arms lying around which can be picked up by people without the technical acumen and R&D budget of Telegram and use again.
So in the next country and place where this will happen the crypto side will not start from scratch.
Bootnote: It is not "Bouncy Crypto" by the way. It is "Guardians of the Bouncy Castle" and the actual packages go under "Bouncy Castle" name. They are the most common replacement for Sun's crypto libraries in Java. The install base is HUGE. So as far as implementing crypto the guy knows what he is talking about.
I usually get a massive toothache the moment I see it. The reason is that it has implemented every single crypto algo under sun and then some including things that have like only one paper ever published in some obscure magazine.
That gives developers interesting "ideas" like for example using a totally unproven stream cypher which has never been evaluated for the production of pseudorandom values as a random number generator (Hello Apache, recognize that java ssh implementation of yours?).
They want this in place before the next election.
They are making it illegal to reveal the existence of interceptions.
Will they be able to prove that they are not intercepting the communications of the opposing parties?
Since they have deliberately made it impossible to prove that they are doing such interception, the burden of proof falls on them to show that they are not doing so.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
