Slashdot Mirror


Australians Who Won't Unlock Their Phones Could Face 10 Years In Jail (sophos.com)

An anonymous reader quotes the Sophos security blog: The Australian government wants to force companies to help it get at suspected criminals' data. If they can't, it would jail people for up to a decade if they refuse to unlock their phones. The country's Assistance and Access Bill, introduced this week for public consultation, strengthens the penalties for people who refuse to unlock their phones for the police. Under Australia's existing Crimes Act, judges could jail a person for two years for not handing over their data. The proposed Bill extends that to up to ten years, arguing that the existing penalty wasn't strong enough...

[C]ompanies would be subject to two kinds of government order that would compel them to help retrieve a suspect's information. The first of these is a "technical assistance notice" that requires telcos to hand over any decryption keys they hold. This notice would help the government in end-to-end encryption cases where the target lets a service provider hold their own encryption keys. But what if the suspect stores the keys themselves? In that case, the government would pull out the big guns with a second kind of order called a technical capability notice. It forces communications providers to build new capabilities that would help the government access a target's information where possible. In short, the government asks companies whether they can access the data. If they can't, then the second order asks them to figure out a way....

The government's explanatory note says that the Bill could force a manufacturer to hand over detailed specs of a device, install government software on it, help agencies develop their own "systems and capabilities", and notify agencies of major changes to their systems.

"[T]he proposed legislation also creates a new class of access warrant that lets police officers get evidence from devices in secret before the device encrypts it, including intercepting communications and using other computers to access the data. It also amends existing search and seizure warrants, allowing the cops to access data remotely, including online accounts."

6 of 223 comments

  1. Great ... by Misagon · · Score: 4, Insightful

    Ten years for forgetting my pin number. I have done that.
    They might just as well lock everyone up in advance, just in case.

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    1. Re:Great ... by Zarhan · · Score: 2, Insightful

      Actually, I have forgotten my PIN.

      11 hour redeye flight from Helsinki to Osaka, Japan after a badly slept previous night.

      Turn on cellphone, drowsy as hell, after customs. Enter PIN. Reject. WTF. Try again, still reject. Try again, once more reject. SIM now locked, please enter PUK code. Crap.

      I was able to call my telco from the hotel and get the SIM unlocked. Then it hit me - after the flight, I had kept typing in the PIN for my credit card. No wonder it didn't work since it was the completely wrong PIN.

      Point being: If someone brings you your phone after a night in a cell you *honestly* could forget. Especially if some nasty officer is grilling you in an interrogation room.

  2. Fruit of the poisonous tree by Anonymous Coward · · Score: 5, Insightful

    "[T]he proposed legislation also creates a new class of access warrant that lets police officers get evidence from devices in secret before the device encrypts it, including intercepting communications and using other computers to access the data. It also amends existing search and seizure warrants, allowing the cops to access data remotely, including online accounts."

    With such capabilities, how could the courts prove the evidence was not tampered with, invented whole-cloth, planted by the police, or merely stored on the target device by a third party for purposes of framing or obfuscation?

  3. As an australian by Rainwulf · · Score: 3, Insightful

    This is fucking awful.

    I bet they wouldn't like it if the public got access to THEIR phones, but it's OK for them to get access to ours?

    Fuckers.

  4. Re:One thing that might help by zm · · Score: 4, Insightful

    Imagine a function built in to Android or iOS which re-encrypts the storage with a transient key which it then throws away.

    It could be triggered by entering a special pin code or something similar.

    Then imagine another ten years in jail for tampering with the evidence.

    --
    Sig ?
  5. Re:Two keys by Anonymous Coward · · Score: 2, Insightful

    Or more subtly than that... the second key just wipes any data marked "sensitive". That way, the authorities won't have an obvious cause to go after you for destroying evidence. They won't know what was there before you unlocked it with the second key, yet they'll still see a normal, functioning device.