Domain: homeaffairs.gov.au
Stories and comments across the archive that link to homeaffairs.gov.au.
Comments · 4
-
Access and Assistance Bill 2018
If you are in one of the five eyes nations the new class of Access and Assistance Bills our Attorney Generals are negotiating will mean data generated by your car can be legally taken without your knowledge and used as evidence against you.
You had better not unknowingly go anywhere or be around someone you should not.
-
Re:Government is not Absolute
They merely have to legally mandate back doors in devices before your laws of mathematics get hold of the data.
The federal government in Australia (I'm Australian) has a bill on the table ready to be passed by parliament. And yes, you have pretty much nailed it - they want legally mandated back doors. They make a token effort to hide by wrapping it in in thousands of words and using includes
:This includes accessing communications at points where it is not encrypted.
They know to get at the data they will need to download bugs (as in listening devices - but if they weren't from the government they would be called malware or viruses) to the phone or whatever. They also know those bugs will be detected pretty quickly by Apple, Google and friends, so to work around that the bill includes a provision to legally force them to provide Technical Assistance. The definition Technical Assistance it left conveniently open end, so it includes everything up to and including writing the bug for them.
But writing the bug is not scary bit. The bill includes specifically says technical assistances includes:
installing, maintaining, testing or using software or equipment as an act or thing that may be specified in a technical assistance request
.... The Bill will allow law enforcement agencies to collect evidence from electronic devices under an overt warrant remotely.So they explicitly saying they can demand the manufacturer install their bug remotely. In case it isn't obvious: what they are planning is to hijack the auto install / upgrade feature of phones, TV's, routers, WiFi camera, robot vacuum's and so on so they can press a button and a bug will be downloaded to all of them. The bug will be undetectable because the manufacturer will be forced to collude with them to hide it. All data will be available on the device because it is unlocked: and yes that includes stuff stored in Apples secure enclave because you can replace it's firmware too. The bug could also do active snooping, like switching on the GPS, microphone and cameras.
This is going to make the sort of world portrayed by tv shows like Person of Interest a reality. They must almost be wetting themselves with excitement over how wonderful it will all be. The lives of all citizens will be an open books to their governments - all they have to do is push a hidden button in a dark room somewhere, and data will start flowing from anywhere.
They don't have a clue about the monster they are creating. I'm sure they will tell us that central button will be most of the most heavily guarded things on the planet. But in that button they have created the one key to rule us all: banking passwords, stock holdings, emails discussing billion dollar takeovers all become amenable to creating silent copies. Corrupt just a few people, and the $100M Russian banking heists will look like peanuts. That key will unlock the wallets of entire nations.
-
Re:Great ...
Ten years for forgetting my pin number.
That's not what they are proposing. The article got it completely wrong - the bill isn't targeting end users at all. I guess that's not entirely surprising given the articles rush to have the First Post on the department of Home Affairs explanatory document for the Assistance and Access Bill 2018 . The ironic thing is, in their rush to get the most click baity article the could think out out, the managed to understate what the government is planning. By a lot. This isn't a bill to get your PIN out of you. The goal of this bill is to ensure they don't need your PIN.
Here are some extracts from the above explanatory document, followed by the de-spinned translation:
accessing communications at points where it is not encrypted.
What the are actually thinking: With the advent of the internet we thought we had it all. The Telecommunications (Interception and Access) Act 1979 (TIA) allows us to compel phone companies to install taps on any phone line. Back then of course that involved the Telecom company creating a work order, the work order winding it's way down levels of management until a work was directed to install a listening device in a pit somewhere. Then a marvellous thing happened: the profit driven Telecom companies automated the process, so that instead of someone having to physically do something they just needed to press a button and the telephone exchange would start sending a copy of of all data flowing through the target device to our office in Canberra. Then an even more marvellous thing happen: everybody started sending everything over the internet - letters became emails, photos, signed documents, even short personal messages. The TIA gave us the power to direct the Telecom companies to direct all of it to us! By the time the NBN came along no one raised an eye brow and we asked for provision for LEA Racks (Law Enforcement Agency Racks) to be installed into every NBN POI (point of interconnect).
Then, disaster. The NSA was sprung snooping Googles international links. The tech companies got the shits with us, and started encrypted everything. Unbelievably the pricks managed to convince the entire world to start using HTTPS. Suddenly the TIA goldmine became useless!
We tried to get encrypted banned, then tried to plant crypto backdoors, but no go. Those bloody tech companies raised the spectre of us spying everyones banking passwords and dick picks to turn the world against us. But there is a work around - extend the existing TIA act so we can bug the devices used to access the data when it's unencrypted. It's just extending a existing capability, so hopefully it will look innocuous enough to get under their radar.
317E(1)(c) provides installing, maintaining, testing or using software or equipment as an act or thing that may be specified in a technical assistance request, technical assistance notice or technical capability notice. Assistance of a kind contemplated by 317E(1)(c) includes installing, maintain, testing or using software or equipment given to a provider by, or on behalf, of an agency. The deployment of agency procured or developed software or equipment within an existing network owned or operated by a provider can achieve law enforcement objectives without requiring providers to develop technology secondary to their core business.
Translation: But this is going to be hard, real hard. We are trying to install a virus on stuff controlled by the the biggest tech companies on the planet. They employ the best and brightest people, and their internet security is second to none. North Korea may have taken out Sony after they hired a top security expert from the CIA, but no one has put a serious dent in these guys. We are gonna have to force them to cooperate, but shit, we don't ev
-
The real situation
This story says 'Australia to pass bill'. No, the bill is scheduled for debate and the government will hope to pass a bill, but they have a weak majority. It's likely to be contentious, I would not bet on it passing at all.
Secondly, there's the implication of a encryption backdoor. This is lifted from the TFA which is an opinion piece. So far the only real source is a political speech made by Angus Taylor (minister for law enforcement and cyber security) in June. The Register (TFA) implies encryption backdoor, despite the minister's own words ("This Government is committed to no 'backdoors'
... We simply don’t need to weaken encryption in order to get what we need.").That said, the TFA is right to be concerned because elsewhere Taylor says "We need access to digital networks and devices, and to the data on them", which does imply an attack on encryption. Now, I'm no fan of our current government, or regressive right-wing government in general, but I have to say, the speech demonstrates a fair bit more understanding than previous efforts in Australia, the UK and recently the US, aimed squarely at encryption. There's only one group arguing for golden keys, and that's the spooks. If a government listens to spooks *and* industry, they usually come to understand why it's not practical. Angus comes out and says industry has moved towards encryption, and that's good, that tech giants oppose weakening encryption, and that's not what they government wants to do. He spends more time talking about that, than the clumsily worded line that implies he's lying in all the other bits.
I find myself in the unlikely position of defending the government in this narrow sense because miscategorising their position makes it harder to present a reasoned opposition when it is needed.
The Register has, I think, the right of the real goal here. To ensure that end devices are breakable. Of course they dog whistle about phones shipping with 'root kits', but before we all get hysterical... this is what law enforcement already does. When they nab crooks, they break into their phones. I suppose if I was an American I'd be worried because it's pretty clear the US gov will want to systematically break into everyone's phone when they enter the country... but most of the industrialised world isn't there yet. We all worry about law enforcement overreach, we all know breaking or weakening encryption is impractical, regardless of what any one nation state desires (barring nuclear options available to systems like China's GFW).
There are, however, probably some reasonable cases when you want law enforcement to be able to break into stuff. I don't know where the line is, I guess we'll be worrying about this for decades but it'd be nice if it wasn't categorised as a binary proposition. We get enough of that in politics.