back to article Oz opposition folds, agrees to give Australians coal in their stockings this Christmas

A backroom deal between two of Australia's government and opposition parties should mean local law enforcement can force firms to backdoor their communications by Christmas. The “Access and Assistance” bill allows designated law enforcement agencies to direct a wide range of technology providers – pretty much anybody who uses …

  1. Anonymous Coward
    Anonymous Coward

    So this law gets a 2/10 for quality and a 1.5/10 for process discipline.

    That'll improve this goverment's average!

    1. Michael Wojcik Silver badge

      2/10 seems high to me.

  2. the Jim bloke
    Big Brother

    Australian Privacy

    Defective by Design..

    1. John Brown (no body) Silver badge

      Re: Australian Privacy

      All the 5-eyes are pushing for this in their own jurisdictions. It looks like Australia is the test case so once implemented, the others can point to it in support of their own local laws and demand the same for themselves.

      1. Danny 14

        Re: Australian Privacy

        more likely companies will just say fuck off. Australia doesnt have the same commercial weight as say Korea or USA.

        1. Michael Wojcik Silver badge

          Re: Australian Privacy

          Australia doesnt have the same commercial weight as say Korea or USA.

          No, but passing this in Australia helps normalize the idea so that South Korea and the USA and other industrialized democracies can push equivalent legislation through. SIGINT agencies around the world have been begging for this sort of regulation for decades. "Australia did it, and the sky didn't fall" is a useful argument for them.

          That it's tremendously foolish and profoundly vile holds no water with those types.

  3. Anonymous Coward
    Anonymous Coward

    What do you call deliberately compromised security?

    Don't know, but it ain't security.

    1. JohnFen

      Re: What do you call deliberately compromised security?

      I call it "insecure".

  4. martinusher Silver badge

    Its diffiuclt to explain what should be obvious so why bother?

    Encryption is just an algorithm and its an openly published one because as we all know secrecy will not guarantee security, in fact its likely to compromise it. So the only way to attack encryption is through key distribution. What the Aussies are demanding is effectively a scheme where they hold the keys -- or the keys are made accessible to them -- which sort of works until someone figures it out (experience with Blu-Ray's uncrackable key scheme wasn't very encouraging -- it becomes a race to see who can crack it the fastest.)

    I suppose ultimately what's going to happen is that the Aussies are going to get their keys, unlock the bad guy's communications -- only to discover that's its already been encrypted by something they don't have the keys to. There's no real point trying to explain this to politicians so I'd just shrug and walk away, let them find out at their own pace.

    1. Anonymous Coward
      Anonymous Coward

      Re: Its diffiuclt to explain what should be obvious so why bother?

      @martinusher

      And not only that, but the ASSUMPTION is that the bad guys will use:

      a) a service provider

      b) a point-to-point communication scheme which identifies the end points

      *

      There are other ways which this legislation does not cover, such as posting messages on web sites (like The Register). The sender might be hard to identify, and the recipient also. Maybe the Australian government will be asking The Register for "the keys" to the book cipher message below.

      *

      Hint: https://en.wikipedia.org/wiki/Beale_ciphers

      *

      5491D4A6E5370DE11BE44A9AE184766F3FD0F07E

      7076E0647E66C032502929A4B5DC7F02C810C238

      52418114A5725AE5D0B45DF625D9F616DFE50B21

      16B8C2BA905565906B3C2C81C5369629315381E3

      4A9850FEE2380975B4734C6770959449B4C4B159

      402E9444FD6890D4276B541EB4AFF4217FB

  5. Oengus

    Rubber stamp

    The “double-lock authorisation” the ALP agreed to simply means the coercive Technical Capability Notices will need the sign-off of both the attorney-general and the communications minister.

    The rubber stamp carrying both signatures is in the final stage of preparation. The delay was both of them deciding on which version of their signatures looked best. Mass production of the stamp will be completed by the end of the week with distribution to the different agencies expedited over the weekend.

  6. Oengus
    Black Helicopters

    The BS is strong with this one

    Dreyfus' statement continued: “This compromise will deliver security and enforcement agencies the powers they say they need over the Christmas period, and ensure adequate oversight and safeguards to prevent unintended consequences while ongoing work continues”.

    The government had warned that the law had to pass before Christmas, because of the elevated risk of terrorism at this time of year, but MacGibbon agreed with AM presenter Sabra Lane that someone receiving a request had 28 days to respond. Make of that what you will.

    How the F@*k will rushing this law through help with the "elevated risk of terrorism at this time of year"? The law won't receive Royal Ascent today. It will be lucky if it gets it this week. The "security" agencies will have to identify the individuals to be targeted, determine what encrypted messaging they are using, request the AG and communications minister (who will both be on Christmas break) for approval Oh!, wait, where is that rubber stamp, determine who to send the TCN to and then wait for the response.

    The individual companies have 28 days to respond to the TCN by which time it will be January (or later depending on the speed of the previous steps). Even if the companies are feeling generous, they will have to find staff (who will probably be on Christmas break), make changes (assuming it is possible), test the changes (assuming companies bother to do this and not use the public as guinea pigs), roll out the changes to the apps, have the people update their apps. Anyone concerned about the agencies reading their messages will be turning off automatic updates so they don't get the compromised apps.

    Only then will the Security agencies be able to look at the messages.

    Time to find a new country.

    1. Flocke Kroes Silver badge

      Re: The BS is strong with this one

      This one is easy to understand. The actual deadline is before the next election.

  7. tfewster
    Facepalm

    Gets popcorn

    - Dec 2018: Australia becomes the first nation to nail its colours to the mast.

    - Jan 2019: First TCNs issued?

    - Apr 2019: First prosecutions for failure to change the laws of physics?

    1. Oengus

      Re: Gets popcorn

      - Jan 2019: First TCNs issued?

      Come on, They want to use this law to fight the terror threat at Christmas (or at least that was the BS reason for pushing it through in this sitting of Parliament)... The security agencies will be scrambling over each other to see who can be the first to issue a TCN and will race to have it out so they can justify the speed of passing of the legislation.

      I reckon the first TCN will be out he door less than 1 hour after the law receives Royal Ascent.

      - Apr 2019: First prosecutions for failure to change the laws of physics?

      Now as to the prosecutions... I think that the chances of getting the prosecutions into court in 2019 at all is extremely optimistic. The legal process doesn't work that fast. Only the pseudo-legal processes, like the mass privacy invasion that these laws enable, work that fast.

      1. Steve K
        Coat

        Re: Gets popcorn

        ...receives Royal Ascent.

        Yes - that's definitely one-upmanship (or womanship?) described here

    2. Flocke Kroes Silver badge

      Re: Gets popcorn

      Revealing the existence of a TCN is illegal. Prosecuting a company for failure to to comply with a TCN will reveal the existence of at least one. Presumably this is legal and the court's ruling and sentence will also be a matter of public record and will be required to show up in SEC filings.

      Next year phone adverts will include "already fined for not complying with a TCN".

      1. Wellyboot Silver badge

        Re: Gets popcorn

        The reply to the first TCN may well contain the line-

        "All our kit comes from China, ask them for the keys"

    3. BebopWeBop
      Thumb Up

      Re: Gets popcorn

      Well the laws of mathematics (as we understand them) anyway

    4. ivan5

      Re: Gets popcorn

      - Dec 2018: Australia becomes the first nation to nail its colours to the mast.

      - Jan 2019: First TCNs issued?

      -March 2019 First secret communication of the PM published on social media.

      Don't they realise that if there are backdoors anyone can read their private communications - a back door will let anyone in.

      1. JohnFen

        Re: Gets popcorn

        "Don't they realise that if there are backdoors anyone can read their private communications - a back door will let anyone in."

        I really wonder if they realize that or not. Maybe they do and they just don't care.

        I'm reminded of the US' "TSA approved" locks for luggage. Those locks all take one of 8 (IIRC) master keys to open them. All of those keys are readily available for purchase -- or even by 3D printing -- by anybody. The TSA is fully aware of this, and their official stance is that they don't care because that flaw does not have national security implications. It only sucks for the travelers.

        1. JimJimmyJimson

          Re: Gets popcorn

          To be fair the 'TSA Key set' was based on the 8 most common luggage keys that were in use. Baggage handlers and other airport workers had already made their own bunches of these keys long before they were identified as the 'TSA Standard'. Only one of them is even remotely secure. So this quite a lot different to that...

          1. JohnFen

            Re: Gets popcorn

            "So this quite a lot different to that."

            It's not really so different, because travelers are required to use the insecure locks.

        2. Anonymous Coward
          Anonymous Coward

          Re: Gets popcorn

          I'm reminded of the US' "TSA approved" locks for luggage. Those locks all take one of 8 (IIRC) master keys to open them. All of those keys are readily available for purchase -- or even by 3D printing -- by anybody. The TSA is fully aware of this, and their official stance is that they don't care because that flaw does not have national security implications. It only sucks for the travelers.

          ---------------------------------------------------------------------------------------------------------------------------

          Nonsense. Those keys are tightly controlled, and only in the hands of trusted and trustworthy government or approved agents. There aren't more than several million sets in circulation, probably.

          1. JohnFen
            Black Helicopters

            Re: Gets popcorn

            "Those keys are tightly controlled, and only in the hands of trusted and trustworthy government or approved agents."

            Oh, no! That means the hobbyist lockpicking community in my area consists of nothing but government agents!

  8. Anonymous Coward
    Anonymous Coward

    possible terrorist threat this Christmas

    I for one hope they catch that elf on a shelf. There's also that fat man that keeps breaking into peoples houses and I'm not sure if Cliff is planning on releasing a record.

    Seriously though, is this just going to be a case of passing capability down from the spy agencies to local enforcement?

    1. Flocke Kroes Silver badge

      Re: possible terrorist threat this Christmas

      FISC: What!?

      NSA: Santa Claus is a person of interest and a terrorist. Every year he violates US airspace, causes financial mayhem to our economy, drops packages containing god only knows what and ...

      FISC: Yes?

      NSA: He's got a list... we want it.

  9. Pier Reviewer

    You can read my SMSs but you can take my WhatsApps from my cold dead hands

    Clearly this particular piece of legislation is an appalling mess. Particularly the failure to specify the differences between a TCN and a TAN given the looser (almost non-existent) controls over issuing TANs. That’s never going to be abused...

    I am in no way surprised. What I am surprised by is that world+dog-intel agencies invariably cries foul at every such story, but never once mention lawful intercept (as in telephone “tapping”).

    Am I right to think we’re all perfectly ok with big G sniffing our SMS messages, but Lord forbid they see our WhatsApps? Seems weird to me.

    Why the apparent discord over what is basically the same thing. Yes, there are technological differences, but are we really saying how we send messages affects whether or not we’re ok with them being read by big G?

    I understand the tech companies not folding. They’re in it for the money. Saying “no can do’s ville baby doll” keeps customers. Bending over likely loses them customers. But why do *we* the consumer care about the difference? Or do we just forget about lawful intercept?

    The media appear to be failing in their job here to bring LI into the discussion. Assuming their job is to educate and create discussion rather than sell ads...

    I honestly don’t know the answer to this. Any ideas?

    I understand that some ppl require encryption for their safety, and aren’t stupid enough to send sensitive info over SMS/phone call. But generally speaking the states involved in that kind of behaviour don’t need a technological solution beyond an angle grinder. They’re not affected by any of this one way or another.

    1. kartstar

      Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

      The difference is that Google, Facebook, etc can't throw you in jail for that torrent you downloaded 3 years ago, or that time you texted while driving. The analogy between the way people used SMS and the way they use modern day technology (such as WhatsApp) is incredibly dull.

      On the other end of the spectrum, one could ponder what implications the law would have were a mind reading device to be invented. Realistically, our technological capabilities are somewhere in between SMS and a mind reading device, perhaps more-so on the SMS side but only time will tell.

      Using SMS and phone calls as a reason to be able to use any and all technology as a bugging/trojan device should have outlived its use for anyone giving serious intellectual thought to the issue about 5 years ago.

      1. stiine Silver badge
        Black Helicopters

        Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

        35 years ago. At least that's when I heard the not-so-funny-now joke of applying for a job at the NSA by calling your grandmother and asking for an application.

      2. Pier Reviewer

        Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

        You misunderstand. I’m simply asking two questions:

        1. Are we ok with lawful intercept?

        2a. If not, why is nobody saying this in these discussions?

        2b. If yes, why should one messaging format be privileged and another not (ie why should we accept interception on one and not the other)?

        I’m not saying there’s an argument for interception (or against it). I simply want to know if LI even crosses people’s minds in these discussions, and their opinions are on the area as a whole.

        1. whitepines
          Boffin

          Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

          Lawful intercept is a fluke from an older era where people routinely sent plain text communications written on paper or talked on a public phone. I also seem to remember that the Ne'er-do-wells tended to use various ciphers (ranging from weak to strong) since they were very much aware of the possibility of interception.

          Lawful intercept itself is of dubious use, but also not exactly harmful (as has been pointed out, any LI methods are also generally available to crooks, so smart IT folks now routinely use this newfangled technology called "end to end encryption" when sending valuable / trade secret / etc. data over public wires).

          The real danger here is that this bill goes beyond LI and tries to criminalize encryption, to varying effectiveness. What happens, for instance, if two people that want to keep their newfangled invention secret before applying for a patent (remember, first to file, not first to invent like the US used to have, so secrecy is vital) decide to use open source encryption (GPG?) on their client PCs. Is that legal? What happens to the two end users and/or the service provider(s) if the Aussie government or a well-endowed corporation with Aussie gov't ties wants to capitalize on the inventor's hard work and file first?

        2. Anonymous Coward
          Anonymous Coward

          Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

          @Pier_Reviewer

          Define "lawful".

          *

          What most people worry about is "lawful" trawling of ALL COMMUNICATIONS in some particular channel. Again, most people would have few problems with targeted intercepts, backed by evidence and authorised by a court order, against some very limited number of named individuals.

          *

          But, as the Snowden papers reveal, when governments talk about "lawful intercepts", what they mean is spying on everyone. ....so let's hear your definition of "lawful".

          1. Pier Reviewer

            Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

            “But, as the Snowden papers reveal, when governments talk about "lawful intercepts", what they mean is spying on everyone. ....so let's hear your definition of "lawful".”

            Ah, I understand now. People don’t know what Lawful Intercept actually is :/ That’s a tad scary.

            You are incorrect in that quote. LI has a particular meaning. Get your Venn diagrams out folks. All LI is communication interception but not all communication interception is LI.

            LI specifically refers to the capability that telcos are *legally mandated* to provide to the state to give effect to court orders that require interception to take place.

            The state doesn’t “tap” your phone. Your telco does. It has equipment in its core network for the task, and is legally required to have that equipment.

            Sound familiar? That’s because that’s what various states want WhatsApp et al to be required to have.

            Forget whether you agree or not. I know it’s not easy, but everyone (on both sides) needs to leave the dogma alone. The fact is, the model proposed already exists in the telco industry. Simple question - should it?

            PS I’m interested by Cuddles argument (“LI is here so we accept it”). Scary that we care so much more about the rights we have and might lose than those we’ve already lost...

            1. whitepines

              Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

              And if I decide to plug a scrambler into the phone line, that tap won't get very much. This new law seems to be going after encryption and specifically backdooring end user devices, which in the telco analogy is a much wider reach (basically making plugging a non-backdoored device into the network impossible due to the way these services are designed).

            2. JohnFen

              Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

              "The state doesn’t “tap” your phone. Your telco does. It has equipment in its core network for the task, and is legally required to have that equipment."

              Why do you think people here don't understand what LI is? I suspect most do.

              I would note, though that when it comes to things like CALEA in the US, that's the state tapping not just your phone, but everyone's. The state is just using the telco as its agent.

        3. Cuddles

          Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

          "1. Are we ok with lawful intercept?

          2a. If not, why is nobody saying this in these discussions?"

          They are. The problem is that some technologies are inherently insecure, so there's very little point making a fuss about it. Not all that long ago, the only way to send communications beyond shouting distance was to write it down and give it to someone to carry for you. Complain all you like about whether they should be able to, but there's absolutely nothing you can do to stop anyone from reading that letter, so for the most part people simply didn't bother complaining about it. Similarly, intercepting telegraph and radio signals was not particularly difficult (with broadcast radio, potentially much easier), so if the government says they reserve the right to snoop, why bother complaining? They're going to do it anyway, and there's simply no such thing as a secure alternative.

          The arguments about encryption are all coming up now because there's actually an argument to be had. The development of things like public key cryptography and the spread of powerful computers means that people now have the option to have truly secure communications. And not only do they have that option, but since these things have spread before laws regulating them have been made, they've become used to actually using that option. It's similar to how people were willing to buy hilariously overpriced albums because that was the only way to get music, then Napster came along and suddenly there was an argument to be had about how things should work. No matter what your thoughts on ethics and such, once you've shown people a way of doing things that they like, taking it away from them again is not an easy task. Hence Amazon and iTunes and Spotify and so on.

          Communications are in essentially the same position now. All communications used to be open to easy snooping, so there didn't used to be much point worrying about it (although some still did; see for example protests about censorship of letters during WWI and II). Now we have some secure methods of communication, but some people want to take them away from us.

          As for why some formats should be privileged and others not, see above. There's absolutely nothing you can do to stop someone reading your letters, so complaining that they shouldn't is just wasting your breath. As the British government has demonstrated recently, spy agencies are going to snoop on everything they can whether it's legal or not, and they'll make it retroactively legal if they think it's worth the bother. Since I can't, in practice, protect my letters, I'm willing to accept that they are not protected. But since I can and currently do protect my Whatapp messages, encrypted emails, and so on, I'm willing to fight not to lose access to such things.

          1. whitepines
            Flame

            Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

            While you're mostly correct above, bear in mind ciphers and encryptions existed before the mail service even did. If you didn't want someone to know what you were saying to a friend, you might write something that would be either unintelligible or downright misleading.

            This practice continued well into the 20th century. Those Chicago gangsters from the movies certainly weren't wanting to warm their cold hands with their "heaters" etc. after all...

            At some point computer-based encryption allowed people to conveniently communicate in plain text without worrying about such codes and ciphers, since the machine would encrypt the communications for them. The larger battle that needs to be won, immediately, is to enshrine the use of client-based encryption (e.g. open source) as a fundamental human right. After all, encryption was available for use for the past several centuries, there is a strong argument to be made that it cannot be banned without a reworking of the entire social contract (and simultaneously plunging the nation into an agrarian dark age).

            As far as information going dark, that's been a problem since written records started. Fire and paper don't get along very well, and human memory is so ... fickle.

        4. JohnFen

          Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

          Here are my personal answers:

          "1. Are we ok with lawful intercept?"

          Yes.

          "2b. If yes, why should one messaging format be privileged and another not (ie why should we accept interception on one and not the other)?"

          It's not a matter of being OK with one and not the other, it's a matter of whether or not the government actively prevents you from protecting yourself. That's the part that I don't think is OK. I don't really have a problem with lawful intercept of any communications, WhatsApp or otherwise, but I have a big problem with the government requiring the weakening of defenses. Let's look at telephone tapping -- that's allowed, but but it's also permissible for you and I to use voice scramblers in our calls. If, as these people keep asserting, they just want to maintain the same ability that they have with phone calls -- well, they have that right now. What they really want is much more than that.

        5. FozzyBear
          Black Helicopters

          Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

          The law enforcement agencies in Australia already have those powers, they have the ability to subpoena call information, wire taps , transcripts of conversations and also subpoena information on accounts from all the big players.

          This legislation does not help the agencies one bit in identifying or capturing potential or known terrorists or any other type of criminal for that matter.

          Before you would want to know any encrypted messages from an individual. You will have a dossier on them. The only reason you would have a dossier on them is due to prior criminal activities, multiple sourced or a single strongly sourced intelligence report of their current activities Criminal History and affiliations. From there you build an association network, using physical and electronic interactions (All currently available via existing laws and processes) .You start probing those associations looking for additional intelligence and information on the person. ( this can take anywhere from 3 weeks to 3 years) depending on the focus you need to devote to that one individual.

          At this point it tells you whether the person you are looking at is a player or not.. If so then the big boys kick in, targeted intelligence gathering, physical surveillance, electronic monitoring, etc. Again all available under existing laws.

          So I ask you the same question I posed to my local Member ( political that is).

          "If this is all possible now why are they trying to introduce a law that will effectively enable Big Brother monitoring on every single person. Without checks and balances, without recourse , without oversight. Every one. including you?"

        6. Michael Wojcik Silver badge

          Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

          1. Are we ok with lawful intercept?

          Not under the current regime (in the US), with its secrecy, lack of due process, and widespread abuse.

          2a. If not, why is nobody saying this in these discussions?

          In which discussions? It comes up pretty frequently in my experience.

          2b. If yes, why should one messaging format be privileged and another not (ie why should we accept interception on one and not the other)?

          Because you fight the battle you're in today, not yesterday's or tomorrow's.

    2. cosmogoblin

      Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

      "are we really saying how we send messages affects whether or not we’re ok with them being read by big G?"

      Exactly the opposite. Whether I'm okay with messages being intercepted affects how I send them.

      For messages needing security, I make sure to use a secure method. WhatsApp's introduction of end-to-end encryption simply adds another method to my list, and takes away one that I had to worry about.

    3. JohnFen

      Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

      "Am I right to think we’re all perfectly ok with big G sniffing our SMS messages, but Lord forbid they see our WhatsApps?"

      No, I don't think you're right. There are plenty of people who strongly object to both of those things.

    4. TimMaher Silver badge

      Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

      Apparently, if they buy their software from NSO-Group, they can also monitor your WhatsApp stuff.

      Check out the Amnesty International case.

      Codes, cyphers, invisible ink. All were around long before SMS or telephony or general postal services. They were all used by not only miscreants but also business folk, eloping lovers etc.

      This perhaps is why we should always roll our own for maximum secrecy... if not security.

      1. JohnFen

        Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

        "This perhaps is why we should always roll our own for maximum secrecy."

        If by "roll your own" you mean "apply your own encryption and don't rely on that built into applications", then I agree.

        If you mean "invent your own encryption", then I don't agree at all. That would be foolish. Strong crypto is really, really hard to get right (and very, very hard to tell if you've gotten it right or not). Unless you're a mathematician with a focus on cryptography, you really are much better off using crypto that's already been vetted.

  10. Voland's right hand Silver badge

    Well, we have seen this already

    Russians tried to suppress Telegram which refused to comply and got where? Nowhere.

    They quietly stopped. The conflict also left enough arms lying around which can be picked up by people without the technical acumen and R&D budget of Telegram and use again.

    So in the next country and place where this will happen the crypto side will not start from scratch.

    Bootnote: It is not "Bouncy Crypto" by the way. It is "Guardians of the Bouncy Castle" and the actual packages go under "Bouncy Castle" name. They are the most common replacement for Sun's crypto libraries in Java. The install base is HUGE. So as far as implementing crypto the guy knows what he is talking about.

    I usually get a massive toothache the moment I see it. The reason is that it has implemented every single crypto algo under sun and then some including things that have like only one paper ever published in some obscure magazine.

    That gives developers interesting "ideas" like for example using a totally unproven stream cypher which has never been evaluated for the production of pseudorandom values as a random number generator (Hello Apache, recognize that java ssh implementation of yours?).

  11. Christoph

    "He later accused international tech of holding the view that “Australian law doesn't apply to them”."

    And he holds the view that Physical and Mathematical law doesn't apply to Australia?

    1. AIBailey

      Lots of laws don't apply to Australia, physics being just one of them. They're upside down, yet don't don't float down towards the sky. It's madness, or at the very least, witchcraft.

      1. tfewster
        Joke

        Of course, they're upside down, so the blood rushes to their heads rather than their dicks! Hmm, maybe they DO know more about mathematics than people in the northern hemisphere?

  12. Christoph

    They want this in place before the next election.

    They are making it illegal to reveal the existence of interceptions.

    Will they be able to prove that they are not intercepting the communications of the opposing parties?

    Since they have deliberately made it impossible to prove that they are doing such interception, the burden of proof falls on them to show that they are not doing so.

    1. Spazturtle Silver badge

      I have just checked and surprisingly this bill does not contain an exemption for MPs like most surveillance bills do, so yes they can use it to spy on the opposition.

      1. kartstar

        Apparently the Labor party amendments will exclude state-based anti-corruption bodies from being able to access these powers (and probably the new federal one that is threatening to be setup will be excluded too). Typical. If they have nothing to hide, they have nothing to fear. Clearly they have plenty to hide.

        1. ivan5

          Clearly they have plenty to hide

          But we have always known that. Now it will just leave the hackers to find the backdoors and leak the info on social media for all to see.

    2. John Brown (no body) Silver badge

      "They are making it illegal to reveal the existence of interceptions."

      "Revealing the existence of a TCN can get you up to five years in prison."

      January: This company has not received any TCNs this month.

      February: This company has not received any TCNs this month.

      March: This company has not received any TCNs this month.

      April:

      May: This company has not received any TCNs this month.

      1. MrXavia

        A canary..

  13. Anonymous Coward
    Anonymous Coward

    Xmas threat!

    Some dude crawling around roofs and chimneys looking to get into people's homes and their kids stockings!

    On Dasher, Dancer, Prancer, Vixen, Comet, Cupid and Blunder!

  14. alain williams Silver badge

    Who appoints & pays the 'experts' ?

    Ie those who make up the judge-and-expert panels.

    Well, the government of course!

    I fully expect that if the expert does not come to a conclusion that the government wants they s/he will not be appointed again. Everyone likes continuity of income, so what is the pressure to give the ''right'' opinion ?

    Conflict of interest anyone ?

    Some will, inconveniently, do the right thing, but they will be quickly purged from the system.

    1. bigtreeman

      Re: Who appoints & pays the 'experts' ?

      The retired judge, probably over 70 years old, tech aware and able to make a useful judgement.

      At last someone questioning the pay, how much will this ballsup cost ?

      1. LucreLout

        Re: Who appoints & pays the 'experts' ?

        probably over 70 years old, tech aware

        Age has nothing to do with awareness of tech or otherwise. Who is it the millennials think invented the tech they take for granted?

  15. Pascal Monett Silver badge
    FAIL

    And so it starts

    I was wondering which English-speaking country would be the first to exact this mind-bending stupidity. With the repeated, heavy hinting from the FBI and UK government, I was expecting the UK to be first to bat, but no, it's Australia.

    I'm guessing that now the UK and USA and going to observe what happens to see if it's worth following in these steps.

    In any case, the ball is now clearly rolling in the sense of forcing programmers via threat of jail to cripple their encryption. You can't do it ? Jail.

    They think that is going to reverse the laws of Mathematics in their favor. The only thing they're actually going to get is a lot of companies putting "This application cannot be used in (list of stupid countries)" and washing their hands of the problem.

    1. Natasha Live

      Re: And so it starts

      It already kind of exists in the UK. The RIP Act 2000 gives the government the right to demand your passwords to any system. You are not allowed to tell anyone that you have done so (lawyer is OK). You could lose your job from sharing your passwords but can use the defense that you were following lawful direction from the government. If you don't had them over you can get prison time.

      UK doesn't need back doors. They just take the keys they need to open any doors and windows available.

      Of course it wasn't properly locked down so local councils were using it to find out if you were eligible for school places and to track down the owners who don't clean up their dog poop.

      1. Pascal Monett Silver badge

        Yeah, but that is not the same. The police are in your face, demanding your passwords. They've already decided to spoil your day and you know it.

        That is not the same as listening in on your conversations via backdooring the encryption. You won't know about that until they come and arrest you, if it ever comes to that.

      2. TechDrone

        Re: And so it starts

        Councils and anyone else with a regulatory role has to follow RIPA (Regulation of Investigatory Powers Act) and the clue is in the name. It sets out how they have to perform investigations and that it doesn't matter if they're investigating fraud in school admissions, contaminated food, dodgy builders, fly-tippers, rogue landlords putting people at risk or some of the nasty stuff childrens services have to deal with. There is a surprising amount of enforcement/regulatory/legal work that is not actually the responsibility of the police, and the police don't have the expertise to deal with either.

        They also have to follow the PACE (Police and Criminal Evidence Act) for properly collecting evidence that may be used in court, plus 100's of different bits of legislation that dictate how councils do things. If they fail to follow the law in how they do this not only do they lose when prosecutions go to court, they can be prosecuted themselves.

        Or would you prefer a dozen lads on overtime from the bin collector team to turn up at your door at 0400 to extract evidence because somebody claims they were poisoned by one of your sausages-inna-bun?

        1. Patrician
          Pint

          Re: And so it starts

          Have a beer for the Discworld reference .....

      3. MrXavia

        Re: And so it starts

        "UK doesn't need back doors. They just take the keys they need to open any doors and windows available."

        Which is the way it should be, police should be able to get a warrant and then force you to open the door..

    2. John Brown (no body) Silver badge

      Re: And so it starts

      "I was expecting the UK to be first to bat, but no, it's Australia."

      The UK is still part of the EU, and may well be still subject to EU rules for some time to come. The UK has already had surveillance laws ruled illegal by the ECJ. Certain parts of the EU have too much relatively recent experience of surveillance societies. I'm not surprised at all that the Aussies are the test case. It might have been New Zealand, but the US and Canada both seem to be better at grass roots protests than our antipodean friends.

  16. Matthew 3

    "Not available in this country"

    I predict tech companies will just withdraw their software from Australian sale or distribution as the simplest way to comply with the new law.

    That has the benefit of not requiring any reprogramming effort, doesn't compromise security, and makes the Australian government directly responsible for end users' anger. Everybody wins. Except the Aussie government of course, but they don't deserve to.

    1. John Brown (no body) Silver badge

      Re: "Not available in this country"

      "I predict tech companies will just withdraw their software from Australian sale or distribution as the simplest way to comply with the new law."

      I wonder who will blink first? It'll be a balance "can we do this for less than the loss in profit if we pull out of the market?" This must be balanced against, "if we pull out, will our competition stay and make a killing by taking our market?". Whoever pulls out first leaves a larger market for the remaining players, who might then find it worth while to create a special back-doored version for a suddenly enlarged market. Or the big boys will do it anyway, at a loss, until the smaller fry give up or go bust.

    2. JohnFen

      Re: "Not available in this country"

      "I predict tech companies will just withdraw their software from Australian sale or distribution as the simplest way to comply with the new law."

      The smaller ones, sure. The Googles, Microsofts, etc.? There's not a chance that they'll leave money on the table in Australia.

      What I predict is that sophisticated criminals and people who are concerned about privacy will just use their own encryption and stop relying on the crypto built into comms applications (as they should have been doing all along, anyway).

      1. Barrie Shepherd

        Re: "Not available in this country"

        "What I predict is that sophisticated criminals and people who are concerned about privacy will just use their own encryption and stop relying on the crypto built into comms applications"

        That wont help if Android and iOS have been required to provide an access portal to the devices keyboard and screen. Qualcomm could be building such a door in its 5G chips right now ready for the AUS TCN to arrive.

        As for Aus backdoor'ing encryption I shall not be using Apple Pay or Google pay (not that I do) in Australia any day soon. It will probably soon be a requirement to switch your phone on at the Arrivals desk so that the carriers can 'update' your phone for "Australian Networks".

        I'm off to start a One Time pads company!

        1. JohnFen

          Re: "Not available in this country"

          "That wont help if Android and iOS have been required to provide an access portal to the devices keyboard and screen."

          That's true (although there would be ways to mitigate it), but that's not what the legislation requires.

          "I'm off to start a One Time pads company!"

          If you can solve the major problem with one-time pads (key exchange), then you'll be a billionaire.

          1. MachDiamond Silver badge

            Re: "Not available in this country"

            "If you can solve the major problem with one-time pads (key exchange), then you'll be a billionaire."

            If you are traveling, it's not a problem. Your OTP's are exchanged before you travel down under.

            An additional tactic is to get a burner phone on arrival instead of using one you have had for some time. Use a Linux powered tablet/laptop and not an IOS or Android/Chrome device and do a fresh wipe beforehand.

            1. JohnFen

              Re: "Not available in this country"

              "If you are traveling, it's not a problem. Your OTP's are exchanged before you travel down under."

              One time pads are awesome -- Properly done, it's the only truly unbreakable encryption we have. However, they can only be properly done if you already have a secure means of distributing the pads.

              As you note, this is no problem if the parties that want to communicate start off all physically in the same room together, and they have generated in advance enough numbers to cover all the communications that they may want to engage in later (since you should never use the same sequence twice, as Germany found out in WW2 when their inability to generate and distribute enough random numbers later in the war caused them to reuse pads, which led directly to the encryption being broken).

              In any other circumstance, though, this key exchange is a very serious weakness. That's the entire problem that PKE was invented to address and is why, even though it isn't technically unbreakable, it is widely used. Any weaknesses inherent in PKE pale (outside of specific and uncommon circumstances) in comparison to the key exchange problem with other methods.

  17. Anonymous Coward
    Anonymous Coward

    As a wise man once said: "Pausing to consider constitutional implications means the terrorists win"

    "The only way to defeat evil is precipitate and ill-considered action. A morally and legally coherent approach is the handmaiden of anarchy. Haste averts waste. You've never had it so good."

    Come to think of it, it wasn't a wise man. Actually it was a politico twat looking for the next sound bite, amid the ongoing absence of parliamentary grown-ups.

  18. Doctor Syntax Silver badge

    Step 1. Start rumours that the govt is spying on the public's $stuff, e.g. turning on everyone's Echoes etc.

    Step 2. Govt starts taking serious public heat and discovered it's been courageous (as in Yes Minister).

    Step 3. Govt appeals to telecoms companies to deny the existence of such TCNs

    Step 4. Telecoms companies point out they have to keep shtum about TCNs and can't possibly confirm or deny they exist.

    Step 5. What was that about an election?

  19. Anonymous Coward
    Anonymous Coward

    remarkable similarity to the recently proposed "crocodile clips" idea by British intelligence

    This is a TOTAL coincidence, and so are secret meetings (that surely never happened) on how to coordinate the efforts by the spooks from the 5 eyeses to get what they deem "indispensable in the everlasting fight against terrorism" (and keeping tabs on the plebs, cause you never know what ideas and when enter their little heads).

  20. Anonymous Coward
    Anonymous Coward

    they're “beyond the reach not just of the law

    ah yeah, call them "terror friends", it will surely help to win "public support" for - anything (and I'm not being sarcastic)

  21. Herby

    It's not encrypted...

    ...its just random numbers. I have no idea what it is.

    In the USA, we can exercise our 5th amendment privilege, thankfully.

    As for not revealing TCN's, one can every day say "We haven't seen any TCN's", and when they stop, we can draw conclusions.

    1. DCFusor

      Re: It's not encrypted...

      Sorry, Herby, it's worse than you think:

      https://www.theguardian.com/technology/2017/mar/23/francis-rawls-philadelphia-police-child-abuse-encryption

      Now this guy is probably guilty and of some really bad stuff. But the 5th isn't keeping him out of jail for contempt of court for refusing to decrypt what is almost surely evidence against him.

      That ship sailed awhile back. And in this case it's been going years and no time limit.

    2. Barrie Shepherd

      Re: It's not encrypted...

      "In the USA, we can exercise our 5th amendment privilege, thankfully."

      You can but that won't stop the Australian government sharing what they know about you with the US government - they have been sharing like this for years. Nor will it stop the Australian government 'accidentally' issuing a TCN for your phone to be 'compromised' even if you are not in Australia.

      And I would not expect you would ever know nor, if you did, get any assistance from the US government.

    3. JohnFen

      Re: It's not encrypted...

      "In the USA, we can exercise our 5th amendment privilege, thankfully"

      Yeah, probably not. I'm not sure if the Supreme Court has ruled on this or not, but I've seen a few cases in lower courts where the court ruled that being forced to provide a password is not a 5th amendment violation, as the password itself is not incriminating testimony.

      1. ROC

        Re: It's not encrypted...

        I just read of a recent case ruling determined that biometric keys such as fingerprints could be used to unlock a phone, but NOT passwords.

        https://www.techrepublic.com/article/biometrics-and-the-law-police-try-to-unlock-phone-with-dead-mans-fingerprint/

        This is still being argued case-by-case (more for living suspects) in various US jurisdictions (state and national courts). it does seem to be more acceptable in cases of immediate aftermath of a crime with high likelihood of probable cause.

        But then there is also the 4th Amendment protecting from "unreasonable" search/seizure of private papers, but that does allow "reasonable" (for a warrant), so that could be argued case-by-case as to what's reasonable I suppose.

    4. MachDiamond Silver badge

      Re: It's not encrypted...

      "As for not revealing TCN's, one can every day say "We haven't seen any TCN's", and when they stop, we can draw conclusions."

      That doesn't help very much unless the Canary is watching your account. It will be highly unlikely that any telco with millions of customers is going to go very long without getting a TCN.

  22. Anonymous Coward
    Anonymous Coward

    They don't need to break communication software, they just need John McClane. He's your best bet at sorting out terrorists at Christmas.

  23. phuzz Silver badge
    Facepalm

    Australian Government: Put backdoors in everything.

    Also the Australian Government: Don't use Huawei kit, it's got backdoors.

    I'm sure they'll be able to use legislation to stop bad people from using the backdoors. That's bound to work, right?

  24. Terje

    The main issue with all the escalating surveillance nonsense is that it will have negligible effect on stopping terrorism, and when they realize that they will ask for even more powers. There have never in the history of police organisations been one that said that it didn't need more powers.

    The fact that the politicians that are supposed to say NO to them seems to be losing IQ points at an even more alarming rate must just be a side effect.

    1. Brewster's Angle Grinder Silver badge

      I have a smidgen of sympathy for the politicians. Who wants to be confronted by the parent of a dead child (or child of a dead parent) claiming their loved one would have been alive but for the politician's decision to stop law enforcement snooping.

      1. Teiwaz

        Politicians and Sympathy???

        claiming their loved one would have been alive but for the politician's decision to stop law enforcement snooping.

        Perhaps, but it a lot of recent terror cases, it's usually quickly revealed that the guilty party was already known to the system (through snooping or merely sticking up like a sore thumb) but no action was taken.

        OR

        Person was able to do it anyway because lone nuts often don't need to communicated with anyone else in order to go nuts (I presume all the voices or at least negative dialogue goes in (for now at least) the privacy of their own heads).

    2. JohnFen

      "it will have negligible effect on stopping terrorism"

      Despite what they say, I don't for a moment believe that's really the reason they want these powers.

  25. Anonymous Coward
    Anonymous Coward

    Options...dear boy...options

    My mum always told me to say nothing, if you can't say something good...….so what I would do, is set up a Swiss based trust to hold elements of the key (split that key)...make sure you are not a trustee and then make them access it via a German court...…...ie create a legal chain that they have to follow...….

  26. Anonymous Coward
    Anonymous Coward

    Democracy, we can't destroy it fast enough

    In a democracy people must be able to not only vote as they see fit but also be free to discuss issues without reprisals and they must have a transparent government that isn't spying on them.

    What this government and most Western Governments are doing is creating the ability to have full, easy and automated surveillance over all citizens. That should not exist, even if they "promise" they would never use such power.

    The reason is obvious, this government believes they should have and look at everything, there is nothing that should be hidden from them.

    In the world they are trying to create there will be no truth. All communications could and would be monitored. Lying will be the only defense left to people. Everybody will be lying all the time.

    We don't need Facebook to destroy democracy, our "leaders" those in power are already creating a future in which democracy will not be possible.

  27. Destroy All Monsters Silver badge

    Is it time for "Gilets Jaunes" downunder?

    Why not?

    1. synique

      Re: Is it time for "Gilets Jaunes" downunder?

      We're too lazy to organise something like that...

  28. Graham Cobb Silver badge

    Visibility

    The most scary thing about this is not the legal ability to force companies to assist (I can easily get around that by creating my own crypto -- and non-corporate tools with no one to serve the TCN to will soon be widely available); it is the lack of visibility.

    It should be essential that we, the voters, can track how much these powers are being used. Instead of being secret, every company should be required to announce when they receive a TCN, and the full details (including the list of who's communications were intercepted) should be published within one year (extended only on authorisation by a court, and only for individual affected accounts).

    We know that powers such as these get misused (often with the best of intentions). Just look back at the history of cases of police infiltration of trade unions, campaign groups, human rights groups, anti-war or anti-bomb activists, etc. All with abuse of powers intended only to save lives.

    I can understand the Australian opposition being weak and naive enough to be convinced that these (ultimately ineffective) powers are important. I can't understand them not requiring the removal of the secrecy as their price for approval.

    1. Barrie Shepherd

      Re: Visibility

      "I can understand the Australian opposition being weak and naive enough to be convinced that these (ultimately ineffective) powers are important. I can't understand them not requiring the removal of the secrecy as their price for approval."

      It's simple the opposition will most likely be in power soon so will benefit from secrecy.

    2. MachDiamond Silver badge

      Re: Visibility

      Being on a list of people who's comms have been the subject of a TCN is not likely going to be a good thing.

  29. Patrician

    Are there any Australian native software that uses encryption? Surely the vast majority aren't and will just ignore any requests this bill generates because they're not subject to Australian law?

  30. Mike 16

    Systemic?

    So, if a backdoor does not affect _all_ applications on _all_ systems (e.g. has no effect on at least one flashlight app, or doesn't work on an iPhone 3), then it's all good?

  31. JohnFen

    "Double-lock"? Hahahaha

    I love their creative invention of a term that implies strong security but in fact has nothing whatsoever to do with strong security. "Double-lock" just means two entities have to sign off on the order. It means nothing.

    If they pass this legislation, I predict booming "black market" crypto sales in Australia!

  32. Anonymous Coward
    Anonymous Coward

    Politicians only do things so as to benefit only themselves and screw the man in the street.

  33. Someone Else Silver badge
    Holmes

    Well then...

    [...] “will ensure there is better oversight and limitation of the powers in this bill, and better safeguards against potential unintended consequences”.

    Well then, that should rightly scupper the whole thing, as the primary unintended consequence of this bill would be that everybody can (and will) have access to the backdoor.

    Unless, of course, that is really an intended consequence of the bill....

  34. FooCrypt

    The cryptopocalypse is here

    In conjunction with FooCrypt’s Parliamentary Joint Committee on Intelligence and Security, Case Study [ 897316929176464ebc9ad085f31e7284 ] submission on the Telecommunication and Other Legislation Amendment (Assistance and Access) Bill 2018 [ https://pjcis.foocrypt.net ]

    FooCrypt,0.0.1,Core has been released with a Demonstration Expiration date of 20190131235959, to enable all encryption users to download / try / buy before the impending legislative changes are brought into effect.

    https://store.foocrypt.net/product-category/cryptology/897316929176464ebc9ad085f31e7284

    Be Protected, Get ….…..

  35. Anonymous Coward
    Anonymous Coward

    Hello One Time Pad, where have you been hiding, welcome back!

  36. The Central Scrutinizer

    The children are in charge

    Labor caves in. No shit. I predicted this days ago to laughter. Who's laughing now? Not me, that's for bloody sure. Goodbye, e-commerce, online banking and any remote sense of a slightly secure Internet.

  37. Anonymous Coward
    Anonymous Coward

    the 5 eyes business model

    crocodile clips.....requests for bespoke one off access to the keys :). the NSA / GCHQ model only works through trawling vast data sets, ie they want all comms data...….the keys for ever....so any request for keys from the Aus AG / Telecomms minister...will be an open ended warrant for 12 months, to all providers (we mat remember something similar with BT in the UK?). so.....hide the keys / IP in a non majority owned / beneficial trust in a jurisdiction, which is unlikely to play ball with 5 eyes - Germany / Switzerland.....and then tell the Judge...."sorry guv....really cant help you" ask the nice Swiss Trust owners if we can have the keys / re-engineer their IP....

  38. rnturn

    Terrorist threat?

    So the Australian government thinks that by passing a law in a hurry that the tech industry will have backdoors ready for use in time for a suspected Christmas terrorist attack? Glorisky... I thought we had stupid politicians here in the US.

  39. MachDiamond Silver badge

    No Aussie encryption companies

    When was the last time you went to a computer store and bought a piece of software? It's darn rare these days with nearly every publisher distributing directly or forcing customers to use highly dodgy "app stores" based on their OS. It means that encryption apps without backdoors will be purchased online from vendors based in other countries that have no company presence in Australia. Serious bad guys aren't going to be using compromised comms on a regular basis for anything that would be incriminating. Big companies will continue to use VPNs and secure encryption since a government could go broke trying to go after a company the size of Coca-Cola, Amazon or Apple and who would they put in jail? Certainly not a ranking C-level executive that signs off on political donations. Drug companies exchanging research information between divisions, companies working on transportation automation and other cutting edge industries can't risk having their information leak from a government organization or due to one of these backdoors.

    What happens when there is a data breach of personal information from a compromised backdoor? The company can't be held liable and any government is going to claim immunity even though the law required the compromised security. The software publisher can claim that their wares performed exactly as expected. It would just be that somebody guessed, reverse engineered or "obtained" a copy of the key. The likelihood of comm intercepts being useful in preventing a terrorist attack is far outweighed by the 100% likelihood of personal data and company trade secrets winding up for sale on the dark web. It's long past time that there is an educational requirement for those running for political office. Nobody can know everything, but politicians seem to not be able to understand even the simplest technical concepts. There's that newly elected representative in the US that doesn't even know the structure of the US government. That's downright scary.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like