back to article Oz opposition folds, agrees to give Australians coal in their stockings this Christmas

A backroom deal between two of Australia's government and opposition parties should mean local law enforcement can force firms to backdoor their communications by Christmas. The “Access and Assistance” bill allows designated law enforcement agencies to direct a wide range of technology providers – pretty much anybody who uses …

Codysydney

So this law gets a 2/10 for quality and a 1.5/10 for process discipline.

That'll improve this goverment's average!

Michael Wojcik
Silver badge

2/10 seems high to me.

the Jim bloke
Bronze badge
Big Brother

Australian Privacy

Defective by Design..

John Brown (no body)
Silver badge

Re: Australian Privacy

All the 5-eyes are pushing for this in their own jurisdictions. It looks like Australia is the test case so once implemented, the others can point to it in support of their own local laws and demand the same for themselves.

Danny 14
Silver badge

Re: Australian Privacy

more likely companies will just say fuck off. Australia doesnt have the same commercial weight as say Korea or USA.

Michael Wojcik
Silver badge

Re: Australian Privacy

Australia doesnt have the same commercial weight as say Korea or USA.

No, but passing this in Australia helps normalize the idea so that South Korea and the USA and other industrialized democracies can push equivalent legislation through. SIGINT agencies around the world have been begging for this sort of regulation for decades. "Australia did it, and the sky didn't fall" is a useful argument for them.

That it's tremendously foolish and profoundly vile holds no water with those types.

Anonymous Coward
Anonymous Coward

What do you call deliberately compromised security?

Don't know, but it ain't security.

JohnFen
Silver badge

Re: What do you call deliberately compromised security?

I call it "insecure".

martinusher
Silver badge

Its diffiuclt to explain what should be obvious so why bother?

Encryption is just an algorithm and its an openly published one because as we all know secrecy will not guarantee security, in fact its likely to compromise it. So the only way to attack encryption is through key distribution. What the Aussies are demanding is effectively a scheme where they hold the keys -- or the keys are made accessible to them -- which sort of works until someone figures it out (experience with Blu-Ray's uncrackable key scheme wasn't very encouraging -- it becomes a race to see who can crack it the fastest.)

I suppose ultimately what's going to happen is that the Aussies are going to get their keys, unlock the bad guy's communications -- only to discover that's its already been encrypted by something they don't have the keys to. There's no real point trying to explain this to politicians so I'd just shrug and walk away, let them find out at their own pace.

Anonymous Coward
Anonymous Coward

Re: Its diffiuclt to explain what should be obvious so why bother?

@martinusher

And not only that, but the ASSUMPTION is that the bad guys will use:

a) a service provider

b) a point-to-point communication scheme which identifies the end points

*

There are other ways which this legislation does not cover, such as posting messages on web sites (like The Register). The sender might be hard to identify, and the recipient also. Maybe the Australian government will be asking The Register for "the keys" to the book cipher message below.

*

Hint: https://en.wikipedia.org/wiki/Beale_ciphers

*

5491D4A6E5370DE11BE44A9AE184766F3FD0F07E

7076E0647E66C032502929A4B5DC7F02C810C238

52418114A5725AE5D0B45DF625D9F616DFE50B21

16B8C2BA905565906B3C2C81C5369629315381E3

4A9850FEE2380975B4734C6770959449B4C4B159

402E9444FD6890D4276B541EB4AFF4217FB

Oengus
Silver badge

Rubber stamp

The “double-lock authorisation” the ALP agreed to simply means the coercive Technical Capability Notices will need the sign-off of both the attorney-general and the communications minister.

The rubber stamp carrying both signatures is in the final stage of preparation. The delay was both of them deciding on which version of their signatures looked best. Mass production of the stamp will be completed by the end of the week with distribution to the different agencies expedited over the weekend.

Oengus
Silver badge
Black Helicopters

The BS is strong with this one

Dreyfus' statement continued: “This compromise will deliver security and enforcement agencies the powers they say they need over the Christmas period, and ensure adequate oversight and safeguards to prevent unintended consequences while ongoing work continues”.

The government had warned that the law had to pass before Christmas, because of the elevated risk of terrorism at this time of year, but MacGibbon agreed with AM presenter Sabra Lane that someone receiving a request had 28 days to respond. Make of that what you will.

How the F@*k will rushing this law through help with the "elevated risk of terrorism at this time of year"? The law won't receive Royal Ascent today. It will be lucky if it gets it this week. The "security" agencies will have to identify the individuals to be targeted, determine what encrypted messaging they are using, request the AG and communications minister (who will both be on Christmas break) for approval Oh!, wait, where is that rubber stamp, determine who to send the TCN to and then wait for the response.

The individual companies have 28 days to respond to the TCN by which time it will be January (or later depending on the speed of the previous steps). Even if the companies are feeling generous, they will have to find staff (who will probably be on Christmas break), make changes (assuming it is possible), test the changes (assuming companies bother to do this and not use the public as guinea pigs), roll out the changes to the apps, have the people update their apps. Anyone concerned about the agencies reading their messages will be turning off automatic updates so they don't get the compromised apps.

Only then will the Security agencies be able to look at the messages.

Time to find a new country.

Flocke Kroes
Silver badge

Re: The BS is strong with this one

This one is easy to understand. The actual deadline is before the next election.

tfewster
Silver badge
Facepalm

Gets popcorn

- Dec 2018: Australia becomes the first nation to nail its colours to the mast.

- Jan 2019: First TCNs issued?

- Apr 2019: First prosecutions for failure to change the laws of physics?

Oengus
Silver badge

Re: Gets popcorn

- Jan 2019: First TCNs issued?

Come on, They want to use this law to fight the terror threat at Christmas (or at least that was the BS reason for pushing it through in this sitting of Parliament)... The security agencies will be scrambling over each other to see who can be the first to issue a TCN and will race to have it out so they can justify the speed of passing of the legislation.

I reckon the first TCN will be out he door less than 1 hour after the law receives Royal Ascent.

- Apr 2019: First prosecutions for failure to change the laws of physics?

Now as to the prosecutions... I think that the chances of getting the prosecutions into court in 2019 at all is extremely optimistic. The legal process doesn't work that fast. Only the pseudo-legal processes, like the mass privacy invasion that these laws enable, work that fast.

Flocke Kroes
Silver badge

Re: Gets popcorn

Revealing the existence of a TCN is illegal. Prosecuting a company for failure to to comply with a TCN will reveal the existence of at least one. Presumably this is legal and the court's ruling and sentence will also be a matter of public record and will be required to show up in SEC filings.

Next year phone adverts will include "already fined for not complying with a TCN".

Steve K
Silver badge
Coat

Re: Gets popcorn

...receives Royal Ascent.

Yes - that's definitely one-upmanship (or womanship?) described here

Wellyboot
Silver badge

Re: Gets popcorn

The reply to the first TCN may well contain the line-

"All our kit comes from China, ask them for the keys"

BebopWeBop
Silver badge
Thumb Up

Re: Gets popcorn

Well the laws of mathematics (as we understand them) anyway

ivan5

Re: Gets popcorn

- Dec 2018: Australia becomes the first nation to nail its colours to the mast.

- Jan 2019: First TCNs issued?

-March 2019 First secret communication of the PM published on social media.

Don't they realise that if there are backdoors anyone can read their private communications - a back door will let anyone in.

JohnFen
Silver badge

Re: Gets popcorn

"Don't they realise that if there are backdoors anyone can read their private communications - a back door will let anyone in."

I really wonder if they realize that or not. Maybe they do and they just don't care.

I'm reminded of the US' "TSA approved" locks for luggage. Those locks all take one of 8 (IIRC) master keys to open them. All of those keys are readily available for purchase -- or even by 3D printing -- by anybody. The TSA is fully aware of this, and their official stance is that they don't care because that flaw does not have national security implications. It only sucks for the travelers.

JimJimmyJimson

Re: Gets popcorn

To be fair the 'TSA Key set' was based on the 8 most common luggage keys that were in use. Baggage handlers and other airport workers had already made their own bunches of these keys long before they were identified as the 'TSA Standard'. Only one of them is even remotely secure. So this quite a lot different to that...

JohnFen
Silver badge

Re: Gets popcorn

"So this quite a lot different to that."

It's not really so different, because travelers are required to use the insecure locks.

Anonymous Coward
Anonymous Coward

Re: Gets popcorn

I'm reminded of the US' "TSA approved" locks for luggage. Those locks all take one of 8 (IIRC) master keys to open them. All of those keys are readily available for purchase -- or even by 3D printing -- by anybody. The TSA is fully aware of this, and their official stance is that they don't care because that flaw does not have national security implications. It only sucks for the travelers.

---------------------------------------------------------------------------------------------------------------------------

Nonsense. Those keys are tightly controlled, and only in the hands of trusted and trustworthy government or approved agents. There aren't more than several million sets in circulation, probably.

JohnFen
Silver badge
Black Helicopters

Re: Gets popcorn

"Those keys are tightly controlled, and only in the hands of trusted and trustworthy government or approved agents."

Oh, no! That means the hobbyist lockpicking community in my area consists of nothing but government agents!

Anonymous Coward
Anonymous Coward

possible terrorist threat this Christmas

I for one hope they catch that elf on a shelf. There's also that fat man that keeps breaking into peoples houses and I'm not sure if Cliff is planning on releasing a record.

Seriously though, is this just going to be a case of passing capability down from the spy agencies to local enforcement?

Flocke Kroes
Silver badge

Re: possible terrorist threat this Christmas

FISC: What!?

NSA: Santa Claus is a person of interest and a terrorist. Every year he violates US airspace, causes financial mayhem to our economy, drops packages containing god only knows what and ...

FISC: Yes?

NSA: He's got a list... we want it.

Pier Reviewer

You can read my SMSs but you can take my WhatsApps from my cold dead hands

Clearly this particular piece of legislation is an appalling mess. Particularly the failure to specify the differences between a TCN and a TAN given the looser (almost non-existent) controls over issuing TANs. That’s never going to be abused...

I am in no way surprised. What I am surprised by is that world+dog-intel agencies invariably cries foul at every such story, but never once mention lawful intercept (as in telephone “tapping”).

Am I right to think we’re all perfectly ok with big G sniffing our SMS messages, but Lord forbid they see our WhatsApps? Seems weird to me.

Why the apparent discord over what is basically the same thing. Yes, there are technological differences, but are we really saying how we send messages affects whether or not we’re ok with them being read by big G?

I understand the tech companies not folding. They’re in it for the money. Saying “no can do’s ville baby doll” keeps customers. Bending over likely loses them customers. But why do *we* the consumer care about the difference? Or do we just forget about lawful intercept?

The media appear to be failing in their job here to bring LI into the discussion. Assuming their job is to educate and create discussion rather than sell ads...

I honestly don’t know the answer to this. Any ideas?

I understand that some ppl require encryption for their safety, and aren’t stupid enough to send sensitive info over SMS/phone call. But generally speaking the states involved in that kind of behaviour don’t need a technological solution beyond an angle grinder. They’re not affected by any of this one way or another.

kartstar

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

The difference is that Google, Facebook, etc can't throw you in jail for that torrent you downloaded 3 years ago, or that time you texted while driving. The analogy between the way people used SMS and the way they use modern day technology (such as WhatsApp) is incredibly dull.

On the other end of the spectrum, one could ponder what implications the law would have were a mind reading device to be invented. Realistically, our technological capabilities are somewhere in between SMS and a mind reading device, perhaps more-so on the SMS side but only time will tell.

Using SMS and phone calls as a reason to be able to use any and all technology as a bugging/trojan device should have outlived its use for anyone giving serious intellectual thought to the issue about 5 years ago.

stiine
Black Helicopters

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

35 years ago. At least that's when I heard the not-so-funny-now joke of applying for a job at the NSA by calling your grandmother and asking for an application.

Pier Reviewer

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

You misunderstand. I’m simply asking two questions:

1. Are we ok with lawful intercept?

2a. If not, why is nobody saying this in these discussions?

2b. If yes, why should one messaging format be privileged and another not (ie why should we accept interception on one and not the other)?

I’m not saying there’s an argument for interception (or against it). I simply want to know if LI even crosses people’s minds in these discussions, and their opinions are on the area as a whole.

whitepines
Bronze badge
Boffin

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

Lawful intercept is a fluke from an older era where people routinely sent plain text communications written on paper or talked on a public phone. I also seem to remember that the Ne'er-do-wells tended to use various ciphers (ranging from weak to strong) since they were very much aware of the possibility of interception.

Lawful intercept itself is of dubious use, but also not exactly harmful (as has been pointed out, any LI methods are also generally available to crooks, so smart IT folks now routinely use this newfangled technology called "end to end encryption" when sending valuable / trade secret / etc. data over public wires).

The real danger here is that this bill goes beyond LI and tries to criminalize encryption, to varying effectiveness. What happens, for instance, if two people that want to keep their newfangled invention secret before applying for a patent (remember, first to file, not first to invent like the US used to have, so secrecy is vital) decide to use open source encryption (GPG?) on their client PCs. Is that legal? What happens to the two end users and/or the service provider(s) if the Aussie government or a well-endowed corporation with Aussie gov't ties wants to capitalize on the inventor's hard work and file first?

Anonymous Coward
Anonymous Coward

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

@Pier_Reviewer

Define "lawful".

*

What most people worry about is "lawful" trawling of ALL COMMUNICATIONS in some particular channel. Again, most people would have few problems with targeted intercepts, backed by evidence and authorised by a court order, against some very limited number of named individuals.

*

But, as the Snowden papers reveal, when governments talk about "lawful intercepts", what they mean is spying on everyone. ....so let's hear your definition of "lawful".

Cuddles
Silver badge

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

"1. Are we ok with lawful intercept?

2a. If not, why is nobody saying this in these discussions?"

They are. The problem is that some technologies are inherently insecure, so there's very little point making a fuss about it. Not all that long ago, the only way to send communications beyond shouting distance was to write it down and give it to someone to carry for you. Complain all you like about whether they should be able to, but there's absolutely nothing you can do to stop anyone from reading that letter, so for the most part people simply didn't bother complaining about it. Similarly, intercepting telegraph and radio signals was not particularly difficult (with broadcast radio, potentially much easier), so if the government says they reserve the right to snoop, why bother complaining? They're going to do it anyway, and there's simply no such thing as a secure alternative.

The arguments about encryption are all coming up now because there's actually an argument to be had. The development of things like public key cryptography and the spread of powerful computers means that people now have the option to have truly secure communications. And not only do they have that option, but since these things have spread before laws regulating them have been made, they've become used to actually using that option. It's similar to how people were willing to buy hilariously overpriced albums because that was the only way to get music, then Napster came along and suddenly there was an argument to be had about how things should work. No matter what your thoughts on ethics and such, once you've shown people a way of doing things that they like, taking it away from them again is not an easy task. Hence Amazon and iTunes and Spotify and so on.

Communications are in essentially the same position now. All communications used to be open to easy snooping, so there didn't used to be much point worrying about it (although some still did; see for example protests about censorship of letters during WWI and II). Now we have some secure methods of communication, but some people want to take them away from us.

As for why some formats should be privileged and others not, see above. There's absolutely nothing you can do to stop someone reading your letters, so complaining that they shouldn't is just wasting your breath. As the British government has demonstrated recently, spy agencies are going to snoop on everything they can whether it's legal or not, and they'll make it retroactively legal if they think it's worth the bother. Since I can't, in practice, protect my letters, I'm willing to accept that they are not protected. But since I can and currently do protect my Whatapp messages, encrypted emails, and so on, I'm willing to fight not to lose access to such things.

whitepines
Bronze badge
Flame

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

While you're mostly correct above, bear in mind ciphers and encryptions existed before the mail service even did. If you didn't want someone to know what you were saying to a friend, you might write something that would be either unintelligible or downright misleading.

This practice continued well into the 20th century. Those Chicago gangsters from the movies certainly weren't wanting to warm their cold hands with their "heaters" etc. after all...

At some point computer-based encryption allowed people to conveniently communicate in plain text without worrying about such codes and ciphers, since the machine would encrypt the communications for them. The larger battle that needs to be won, immediately, is to enshrine the use of client-based encryption (e.g. open source) as a fundamental human right. After all, encryption was available for use for the past several centuries, there is a strong argument to be made that it cannot be banned without a reworking of the entire social contract (and simultaneously plunging the nation into an agrarian dark age).

As far as information going dark, that's been a problem since written records started. Fire and paper don't get along very well, and human memory is so ... fickle.

cosmogoblin

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

"are we really saying how we send messages affects whether or not we’re ok with them being read by big G?"

Exactly the opposite. Whether I'm okay with messages being intercepted affects how I send them.

For messages needing security, I make sure to use a secure method. WhatsApp's introduction of end-to-end encryption simply adds another method to my list, and takes away one that I had to worry about.

Pier Reviewer

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

“But, as the Snowden papers reveal, when governments talk about "lawful intercepts", what they mean is spying on everyone. ....so let's hear your definition of "lawful".”

Ah, I understand now. People don’t know what Lawful Intercept actually is :/ That’s a tad scary.

You are incorrect in that quote. LI has a particular meaning. Get your Venn diagrams out folks. All LI is communication interception but not all communication interception is LI.

LI specifically refers to the capability that telcos are *legally mandated* to provide to the state to give effect to court orders that require interception to take place.

The state doesn’t “tap” your phone. Your telco does. It has equipment in its core network for the task, and is legally required to have that equipment.

Sound familiar? That’s because that’s what various states want WhatsApp et al to be required to have.

Forget whether you agree or not. I know it’s not easy, but everyone (on both sides) needs to leave the dogma alone. The fact is, the model proposed already exists in the telco industry. Simple question - should it?

PS I’m interested by Cuddles argument (“LI is here so we accept it”). Scary that we care so much more about the rights we have and might lose than those we’ve already lost...

whitepines
Bronze badge

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

And if I decide to plug a scrambler into the phone line, that tap won't get very much. This new law seems to be going after encryption and specifically backdooring end user devices, which in the telco analogy is a much wider reach (basically making plugging a non-backdoored device into the network impossible due to the way these services are designed).

JohnFen
Silver badge

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

"Am I right to think we’re all perfectly ok with big G sniffing our SMS messages, but Lord forbid they see our WhatsApps?"

No, I don't think you're right. There are plenty of people who strongly object to both of those things.

JohnFen
Silver badge

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

Here are my personal answers:

"1. Are we ok with lawful intercept?"

Yes.

"2b. If yes, why should one messaging format be privileged and another not (ie why should we accept interception on one and not the other)?"

It's not a matter of being OK with one and not the other, it's a matter of whether or not the government actively prevents you from protecting yourself. That's the part that I don't think is OK. I don't really have a problem with lawful intercept of any communications, WhatsApp or otherwise, but I have a big problem with the government requiring the weakening of defenses. Let's look at telephone tapping -- that's allowed, but but it's also permissible for you and I to use voice scramblers in our calls. If, as these people keep asserting, they just want to maintain the same ability that they have with phone calls -- well, they have that right now. What they really want is much more than that.

FozzyBear
Silver badge
Black Helicopters

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

The law enforcement agencies in Australia already have those powers, they have the ability to subpoena call information, wire taps , transcripts of conversations and also subpoena information on accounts from all the big players.

This legislation does not help the agencies one bit in identifying or capturing potential or known terrorists or any other type of criminal for that matter.

Before you would want to know any encrypted messages from an individual. You will have a dossier on them. The only reason you would have a dossier on them is due to prior criminal activities, multiple sourced or a single strongly sourced intelligence report of their current activities Criminal History and affiliations. From there you build an association network, using physical and electronic interactions (All currently available via existing laws and processes) .You start probing those associations looking for additional intelligence and information on the person. ( this can take anywhere from 3 weeks to 3 years) depending on the focus you need to devote to that one individual.

At this point it tells you whether the person you are looking at is a player or not.. If so then the big boys kick in, targeted intelligence gathering, physical surveillance, electronic monitoring, etc. Again all available under existing laws.

So I ask you the same question I posed to my local Member ( political that is).

"If this is all possible now why are they trying to introduce a law that will effectively enable Big Brother monitoring on every single person. Without checks and balances, without recourse , without oversight. Every one. including you?"

TimMaher

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

Apparently, if they buy their software from NSO-Group, they can also monitor your WhatsApp stuff.

Check out the Amnesty International case.

Codes, cyphers, invisible ink. All were around long before SMS or telephony or general postal services. They were all used by not only miscreants but also business folk, eloping lovers etc.

This perhaps is why we should always roll our own for maximum secrecy... if not security.

JohnFen
Silver badge

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

"The state doesn’t “tap” your phone. Your telco does. It has equipment in its core network for the task, and is legally required to have that equipment."

Why do you think people here don't understand what LI is? I suspect most do.

I would note, though that when it comes to things like CALEA in the US, that's the state tapping not just your phone, but everyone's. The state is just using the telco as its agent.

JohnFen
Silver badge

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

"This perhaps is why we should always roll our own for maximum secrecy."

If by "roll your own" you mean "apply your own encryption and don't rely on that built into applications", then I agree.

If you mean "invent your own encryption", then I don't agree at all. That would be foolish. Strong crypto is really, really hard to get right (and very, very hard to tell if you've gotten it right or not). Unless you're a mathematician with a focus on cryptography, you really are much better off using crypto that's already been vetted.

Michael Wojcik
Silver badge

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

1. Are we ok with lawful intercept?

Not under the current regime (in the US), with its secrecy, lack of due process, and widespread abuse.

2a. If not, why is nobody saying this in these discussions?

In which discussions? It comes up pretty frequently in my experience.

2b. If yes, why should one messaging format be privileged and another not (ie why should we accept interception on one and not the other)?

Because you fight the battle you're in today, not yesterday's or tomorrow's.

Voland's right hand
Silver badge

Well, we have seen this already

Russians tried to suppress Telegram which refused to comply and got where? Nowhere.

They quietly stopped. The conflict also left enough arms lying around which can be picked up by people without the technical acumen and R&D budget of Telegram and use again.

So in the next country and place where this will happen the crypto side will not start from scratch.

Bootnote: It is not "Bouncy Crypto" by the way. It is "Guardians of the Bouncy Castle" and the actual packages go under "Bouncy Castle" name. They are the most common replacement for Sun's crypto libraries in Java. The install base is HUGE. So as far as implementing crypto the guy knows what he is talking about.

I usually get a massive toothache the moment I see it. The reason is that it has implemented every single crypto algo under sun and then some including things that have like only one paper ever published in some obscure magazine.

That gives developers interesting "ideas" like for example using a totally unproven stream cypher which has never been evaluated for the production of pseudorandom values as a random number generator (Hello Apache, recognize that java ssh implementation of yours?).

Christoph
Silver badge

"He later accused international tech of holding the view that “Australian law doesn't apply to them”."

And he holds the view that Physical and Mathematical law doesn't apply to Australia?

AIBailey

Lots of laws don't apply to Australia, physics being just one of them. They're upside down, yet don't don't float down towards the sky. It's madness, or at the very least, witchcraft.

tfewster
Silver badge
Joke

Of course, they're upside down, so the blood rushes to their heads rather than their dicks! Hmm, maybe they DO know more about mathematics than people in the northern hemisphere?

Christoph
Silver badge

They want this in place before the next election.

They are making it illegal to reveal the existence of interceptions.

Will they be able to prove that they are not intercepting the communications of the opposing parties?

Since they have deliberately made it impossible to prove that they are doing such interception, the burden of proof falls on them to show that they are not doing so.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018