Slashdot Mirror


Australian Industry and Tech Groups Unite To Fight Encryption-Busting Bill (zdnet.com)

A new encryption bill that's expected to be passed in Australia is facing strong opposition from tech heavyweights. A new group called "Alliance for a Safe and Secure Internet" has been formed by Australian industry, technology, and human rights groups to dissuade the country from passing the bill, reports ZDNet. "The membership of the new alliance consists of Australian Communications Consumer Action Network, Access Now, Ai Group, Australian Information Industry Association, Amnesty International Australia, AMTA, Blueprint for Free Speech, members of Communications Alliance sans NBN, DIGI, Digital Rights Watch, Future Wise, Hack for Privacy, Human Rights Law Centre, Internet Australia, IoT Alliance Australia, and Liberty Victoria." The Guardian also notes that Google and Facebook are part of the group. From the report: The Bill is currently before the Parliamentary Joint Committee on Intelligence and Security, with a minuscule three-week window for submissions closing on Friday, October 12 and a hearing set for Friday, October 19. The proposed legislation would allow the nation's police and anti-corruption forces to ask, before forcing, internet companies, telcos, messaging providers, or anyone deemed necessary, to break into whatever content interception agencies want access to.

"This Bill stands to have a huge impact on millions of Australians, so it is crucial that lawmakers reject this proposal in its present form before we sleepwalk into a digital dystopia," said board member of Digital Rights Watch and alliance spokesperson Lizzie O'Shea. "The rushed processes coupled with the lack of transparency can only mean that expert opinions from Australia and abroad are being disregarded, and deep concerns about privacy erosion and lack of judicial review have simply been tossed aside."

3 of 66 comments

  1. Critique of The Assistance and Access Bill 2018 by MrKaos · · Score: 4, Informative

    I submitted the following critique of the proposed Bill during the feedback period:

    Greetings Honourable Members,

    I have been an active professional in the Information Technology industry for 30 years. I offer a critique of The Assistance and Access Bill 2018, herein "this Bill".

    The first and most obvious contradiction is that this bill cannot achieve its intended objective of monitoring paedophiles and terrorists because there is nothing to stop these parties from writing their own software. There is nothing extraordinary about exchanging media and messages and this is not difficult software to create. This would also apply to organised crime; there is very little stopping them from developing their own software to exchange messages. Attempting to police this act is effectively a limitation on the innovative engines of our economy that drive business, the creation of software.

    So whilst it is clear the Bill is attempting to enable access to communications for law enforcement and intelligence agencies, there is questionable benefit if it is unenforceable or ineffective for its legislative purpose.

    The premise for not introducing "backdoors" and vectors for attacking systems is very shallow. Instead it is clear from 317C and 317D that any and all computer infrastructure deployed in Australia will have to have governmental monitoring subsystems installed in them, possibly by multiple government agencies. None of these clauses will stop, capture or decode messages by anyone determined enough to send them.

    Consequently, criminal actors will now have a well-defined target that they know exists and only has to be found for it to be used, making their task of covertly capturing data on average Australian citizens much easier. Criminals certainly won't be concerned about breaking laws if they already are. For those reasons, once the infrastructure this Bill implies is established and deployed, it will put the honest person and businesses at a disadvantage when they comply because the governmental monitoring subsystems will be a known target within their infrastructure.

    Cyber crime, identity theft and other fraud against Australians are more likely to succeed with the taxation dollars from ordinary Australians used to build the means to defraud them of assets and income. I am very concerned that passing this Bill will lead to increased fraud against the average everyday Australian who is trying to use the internet to do everyday tasks and save time. No one will be spared; the Honourable Members themselves still have to interact in our society and will be exposed at some level.

    There are much better ways for achieving law enforcement's objectives than with obtuse and overt access clauses, as the main issue with deploying any kind of technology is unexpected side effects. The obvious unexpected side effect of the government's proposed initiative is how they will be used against those companies who co-operate. If deployed worldwide, which I see is something our government is championing, I cannot help but see it lead the world to some sort of digital feudalism broken down into virtual fiefdoms.

    I urge the government and all honourable members not to hand organised crime a weapon against our citizenry as powerful as this one. The intention of these laws is clearly for gathering data, which is exactly the goal of cyber-criminals. Instead the government could seek to protect its citizens by implementing technology laws that protect us from cyber-crime and fraud, in ways that lead to intelligence outcomes. Laws that use encryption technology to reduce opportunities for fraud against Australians as opposed to increasing them.

    Thank you for taking the time to read this.

    Regards

    --
    My ism, it's full of beliefs.
  2. From my notes reviewing this bill by MrKaos · · Score: 3, Informative

    Either that, or the tech heavyweights know perfectly well that if they can bypass someone's encryption, so can the bad guys. Which means no more online purchases, or bill payment, or anything like that.

    I think they can see this will collapse the online purchases paradigm. If the govt can get in, black hats can too. Everyone knows this except the general public and government.

    The Bill intentionally says "No backdoors"; however, what it means is that govt wants front door access to be designed into whatever software and infrastructure is produced, which allows prescribed agencies to trample all existing efforts to secure infrastructure.

    TANs, "Technical Assistance Notices", are disruptive under 317MA. If business doesn't drop what they are doing and assist the government before the expiry period, you are assessed as non-compliant and exposed to civil liability from the govt's activities. Under clause 317G, if you are a coder or a sysadmin and you refuse to help with a "TCN" or Technical Capabilities Notice, you are labeled as "un-cooperative" and exposed to any civil liability arising from the govt's activities.

    To put the cherry on the cake, under 317R, they tell *you* what is technically feasible on your infrastructure. More so, 317T allows govt to install software and infrastructure which business must maintain to remain compliant. Under 317X, govt can vary scope, specification and responsibilities connected with "eligible activities". 317ZF makes individuals personally responsible for any unauthorised disclosure and makes it a criminal offense for IT professionals to disclose anything even to their colleagues. Even on your own infrastructure, it's a diabolical double bind, psychologically.

    I could go on; I'm just picking random notes from the exposure draft I have beside me. There just isn't anything good anywhere in this bill if you are in IT. You either spy on your users or they have the option to destroy your entire business. Everything I've pointed to here is in the first 50 pages of a 176-page bill.

    I've been analysing these Bills for over 20 years; this is the worst Bill I've ever seen. If you can, please help raise awareness, politely write to your representatives and tell them you object to this incursion to your free speech rights. Consider that this Bill imposes criminal liability for pretty much the entire audience of Slashdot if you do not co-operate. Tell your friends, social media - whatever you think is appropriate, just do something. My critique of the Bill is elsewhere in this thread - feel free to copy it and use it.

    Have no doubt, this is heading to the UK/US/Canada and NZ. Australia's Attorney General is in international consultations *right now* about implementing this in all Five Eyes countries.

    So this is heading your way.

    --
    My ism, it's full of beliefs.
  3. Re:I am not seeing the crypto issue by currently_awake · · Score: 3, Informative

    It means you must also block end-to-end encryption, as that means you don't have the encryption keys to decode the conversation. CALEA was written in the age of landline phones: Adding encryption to a landline phone is difficult (requires hardware modification), where adding encryption to your Email is just a software update.