Apple Rebukes Australia's 'Dangerously Ambiguous' Anti-Encryption Bill (techcrunch.com)
Apple has strongly criticized Australia's anti-encryption bill, calling it "dangerously ambiguous" and "alarming to every Australian." From a report: The Australian government's draft law -- known as the Access and Assistance Bill -- would compel tech companies operating in the country, like Apple, to provide "assistance" to law enforcement and intelligence agencies in accessing electronic data. The government claims that encrypted communications are "increasingly being used by terrorist groups and organized criminals to avoid detection and disruption," without citing evidence. But critics say that the bill grants "broad authorities that would undermine cybersecurity and human rights, including the right to privacy" by forcing companies to build backdoors and hand over user data -- even when it's encrypted. Now, Apple is the latest company, after Google and Facebook, to join civil and digital rights groups -- including Amnesty International -- in opposing the bill, amid fears that the government will rush it through before the end of the year. In a seven-page letter to the Australian parliament, Apple said that it "would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat." The company adds, "We appreciate the government's outreach to Apple and other companies during the drafting of this bill. While we are pleased that some of the suggestions incorporated improve the legislation, the unfortunate fact is that the draft legislation remains dangerously ambiguous with respect to encryption and security. This is no time to weaken encryption. Rather than serving the interests of Australian law enforcement, it will just weaken the security and privacy of regular customers while pushing criminals further off the grid."
Either everyone is secure, or nobody is.
#DeleteFacebook
Or just an aspiring police state like everywhere else?
Yet you will roll over for China. I guess the market there is bigger.
At least they gave us the wonder of the world that is Margot Robbie.
I have a general concern or worry that the existing powerful institutions in our nation aren't accepting the democratic decisions of the nation when we tell them that their plan to break encryption is butt-fucking stupid. That they'll simply take another approach and get it passed elsewhere, so they can utilize Parallel Construction with their allies to effectively violate the 4th Amendment. Case in point, both Australia and the USA are part of the Five Eyes intelligence community alliance. This sort of disregard for the existing power structure, our democracy, lends weight to the argument that they no longer have the best interests of the masses at heart and that they're simply doing it to expand their own power. You know, if they really did help their Australian counterparts to come up with this bill. But how would we ever know?
ECHELON turned out to be a real thing. It had good intentions. Hey, I'm all for our cops working together to catch bad guys. Thwarting Soviet Russia was, you know, a good thing. Their system sucked and if they took over we'd all likely starve. But it evolved past that initial purpose into a global surveillance of private and commercial communications. Power corrupts. And this sort of power can't be trusted with anyone. We need to cast it into Mt. Doom.
The encryption libraries are easy to get and just a pinky swear will get you unlimited key length libraries.
They just need to hint that they'll stop selling iPhones in Australia, and the people will start making phone calls to government people.
"The quality of life is determined by its activities."--Aristotle
Key escrow would result in each device having 2 keys: 1 unique key for you, and 1 unique key held by the device manufacturer (e.g., Apple). Apple's key is different for each device, it's not some "master" key that decrypts all devices. Apple keeps the key in escrow.
If Apple is served with a lawful court order, Apple would provide its key for your device to law enforcement, who would then decrypt your device. Or law enforcement could turn the device over to Apple and Apple could perform the decryption. That's irrelevant to the discussion however.
At that point, it should be considered game over for your device and you would need to rekey or replace the device if you wanted to keep using it.
> The government claims that encrypted communications are "increasingly being used by terrorist groups and organized criminals to avoid detection and disruption," without citing evidence
I know it isn't popular to say that a claim should be accepted without evidence, but I think it would be ignorant to assume that more and more terrorist groups and organized criminals are not using encrypted communications.
I'll tell you what's sad. It's sad that Apple hasn't got the balls to say "if you do this, we will no longer make or sell any products subject to these insecurities in your country."
If politicians are not prevented by economic and other (legal, not suggesting otherwise) means from destroying liberty, they will do so - because they are, for the most part, powerful and often rich, and this kind of behavior inevitably makes them more so.
Either we prevent that result, or we prevent the action that leads to that result — otherwise our liberties will continue to erode in favor of benefits for the rich and/or powerful.
I've fallen off your lawn, and I can't get up.
Nice cherry picking there. Us Whites take the lead in almost every other category (go us!). Using the statistics you provided, there were about 5k murders attributed to Black people, and literally over a million other violent crimes committed by White people. Sounds like we're actually safer with Black people!
Try correlating with economic level or other relevant factors if you want accurate answers - if you just want data that supports your conclusions, keep doing what you're doing so well.
We should organise a mass boycott of banking apps in protest.
To pay for anything, turn up at your bank and use up the bank employees' time to make payments.
That should get the message across by proxy.
Governments (five eyes anyway) don't listen to tech companies or the public. They do listen to the money men though.
As much grandstanding and high-handedness as they try to do, the fact of the matter is that Australia is the bitch of the United States. It's been a known and open fact since the US bent Whitlam over their knee and gave him a spanking.
Australians take it up the ass from the US and their holier than thou attitude is just another shit-scam to try to comfort themselves.
Apple does not do the same in China.
After my initial submission to parliament I've continued to analyze this Bill. My friends are interested in this however many of them didn't know what they could do, so I wrote this for them, detailing progress so far. I hope this helps anyone else trying to fight this really bad law.
Greetings Friends,
Thank you all for your good will and support in replying to my first email. Thank you for tolerating a mass email. Considering some of the questions I got back, I thought I would update you all about how this bad law is progressing. I'll attempt to answer your questions so that everyone is kept informed.
Questions
One friend suggested that he left the Communist states to escape this kind of surveillance.
Where it differs is that the Stasi only had the capability to monitor 40 phone calls at a time. With modern technology it is quite easy to monitor every person by adapting the apps on our phones we use, when we talk to an AI (like Siri) or friends on them.
Another friend pointed out that our Attorney General is making representations to the UK, US, NZ and Canadian Governments to pass these laws.
The issue for us is that corporate information technology has no interest in investing in countries that can potentially interfere with their operations. This is a direct attack on employment opportunities in Australia and will drive a lot of investment in Australia's economy to Singapore.
https://www.zdnet.com/article/...
What can these guys do with this law?
Well I haven't completed all of the analysis however this is what I've learned so far. Your phone, computer, tablet, home router and any vehicle computers can all be utilised to gather data on an individual. The telecommunications providers, the companies behind the websites you use can all be compelled to spy on you. Everything you do can be monitored. These are Front Door security holes, intended and by design.
This law also exposes Australian citizens to the laws of other countries; I'm still getting my head around how far it goes.
How will this affect my business?
Your business can be compelled to cooperate with the government to monitor individuals. If you take a position where you protect the privacy of your clients you are exposed to liability for the government's actions. The govt can compel you to alter project deployments and comply within a deadline. They can alter scope at will and your business is responsible for maintaining govt infrastructure until they no longer need it. Penalties exceed $250,000 per instance in addition to liability.
Is anyone else involved in this?
Yes, to my relief more and more people and organisations are becoming aware of this. Privacy-focused organisations have started shifting their attention, which attracted the attention of some companies like Google and Apple. To my surprise Telstra and the NBN joined in the fight, so that gives you some idea about the level of interference they anticipate. Some State government departments are also starting to raise objections. I was among the other private citizens that wrote objections to this bill. We need all the help we can get.
What can I do?
I think the best description is with Digital Rights Watch:
https://digitalrightswatch.org...
They provide a short script on how you can interact with Labor Senators and voice your concerns. Feel free to use any of the information I've provided.
Youtube:
https://www.youtube.com/watch?
My ism, it's full of beliefs.
I'm sure that Apple, like Google, has more than one set of master keys. However under this law Apple would be compelled to comply, which would then result in law enforcement in all Five Eyes countries having access to that "key group" under the Echelon agreement. Over time, intelligence agencies would continue to gather and share those keys.
Under this law if an American comes to Australia, the US can request an investigation of that individual and secure keys for key groups in the states. An American citizen can be jailed until they co-operate and Apple fined repeatedly until they do as well.
The stakes are high: if this law is passed in Australia, it will affect all western countries signed to the intelligence sharing agreement.
My ism, it's full of beliefs.
How long do you really think it will take before someone with access to the escrow store decides to sell a bunch of keys?
No doubt China would have a list of all the keys they wanted inside a year - and probably not illegally, either.
This is precisely the point that governments miss. Fraud committed against ordinary citizens in pursuit of their intelligence objective. Fraud has no impact on the government and they don't care if you are defrauded.
My ism, it's full of beliefs.
So instead of having to break into 1 million devices most of which contain nothing of value to get a million keys, just break one extremely high value target (Apple's keystore) and get millions of keys.
Keep in mind, Apple got law enforcement requests for data from 500,000 devices just last year, even without the ability to get into many of their devices. And it would then have to keep track of, and keep secure, the device keys for the 200 million iPhones it sells each year.
The more access they have, you would then expect even more requests.
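An added illustration of the per-device key escrow design described in the earlier comment (one unique user key, one unique escrowed copy per device, rekey after a lawful release) and of the single-point-of-failure risk raised in this one (one store compromised, every key exposed). This is example code written for this page, not Apple's design and not anything the bill specifies. It assumes a toy stream cipher built from HMAC-SHA256 (illustrative only, not a real cipher), a constructed population of three devices, and hypothetical names such as ManufacturerEscrow, release_key and rekey.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher from HMAC-SHA256 (illustration only, not for real use)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag. A real design would derive separate cipher and MAC keys."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return _keystream_xor(key, nonce, body)


class Device:
    """A user device with its own unique key; the user's data is encrypted under it."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.key = secrets.token_bytes(32)


class ManufacturerEscrow:
    """Hypothetical manufacturer-side escrow: a wrapped copy of every device key,
    all wrapped under one store key. That store key is the high-value target."""

    def __init__(self):
        self.store_key = secrets.token_bytes(32)
        self.wrapped = {}  # device_id -> device key wrapped under store_key

    def enrol(self, device: Device) -> None:
        self.wrapped[device.device_id] = encrypt(self.store_key, device.key)

    def release_key(self, device_id: str, court_order: bool) -> bytes:
        """The lawful path: one order releases the key for one device only."""
        if not court_order:
            raise PermissionError("escrowed keys are released only under a lawful order")
        return decrypt(self.store_key, self.wrapped[device_id])

    def keys_recoverable_with(self, store_key: bytes) -> dict:
        """Blast radius of one store-key compromise: the whole enrolled population."""
        return {dev_id: decrypt(store_key, w) for dev_id, w in self.wrapped.items()}


def rekey(device: Device, data_blob: bytes) -> bytes:
    """Once an escrowed key has been released the device is 'game over' until rekeyed:
    re-encrypt the data under a fresh key. (A real escrow scheme would then demand
    re-enrolment; this example deliberately stops short of that.)"""
    plaintext = decrypt(device.key, data_blob)
    device.key = secrets.token_bytes(32)
    return encrypt(device.key, plaintext)


def demo() -> dict:
    """Walk through enrolment, lawful release, rekey, and the escrow-store blast radius."""
    escrow = ManufacturerEscrow()
    devices = [Device(f"device-{i}") for i in range(3)]  # constructed sample population
    for d in devices:
        escrow.enrol(d)
    target = devices[0]
    blob = encrypt(target.key, b"private notes")  # constructed user data
    released = escrow.release_key(target.device_id, court_order=True)
    opened = decrypt(released, blob)  # the released key opens that device's data
    new_blob = rekey(target, blob)
    try:
        decrypt(released, new_blob)
        old_key_still_works = True
    except ValueError:
        old_key_still_works = False
    return {
        "opened": opened,
        "old_key_still_works": old_key_still_works,
        "exposed_by_store_key": len(escrow.keys_recoverable_with(escrow.store_key)),
        "population": len(devices),
    }


if __name__ == "__main__":
    print(demo())
```

The point the two comments make falls out of the last two numbers: without escrow, reading N devices means attacking N devices; with escrow, whoever holds the one store key reads all N at once, and the manufacturer now has to guard that store for every device it has ever sold.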
Its full title is "Telecommunications and Other Legislation Amendment (Assistance and Access) Bill". The "other legislation" bit means that, in the future, other online services can be forced to install a back-door.
I've read most of the legislation draft, and if you read division 7 it says:
Division 7 — Limitations 317ZG Designated communications provider must not be required to implement or build a systemic weakness or systemic vulnerability etc.
(1) A technical assistance notice or technical capability notice must not have the effect of:
a requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or
b preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection.
(2) The reference in paragraph 1 a to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection includes a reference to implement or build a new decryption capability in relation to a form of electronic protection.
(3) The reference in paragraph 1 a to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection includes a reference to one or more actions that would render systemic methods of authentication or encryption less effective.
(4) Subsections (2) and (3) are enacted for the avoidance of doubt.
(5) A technical assistance notice or technical capability notice has no effect to the extent (if any) to which it would have an effect covered by paragraph
Wouldn't that mean that they cannot ask companies to build backdoors as that would weaken their systems?
Please use fewer 'junk' characters?? I've had to remove a lot of parenthesis from the legislation, so that's why it looks a little "off".
Actually, there is a third option: unbreakable and useless. And that is the one the Australian Government is going for. They don't want Apple to break encryption. The bill allows the government to force Apple to download spyware to the phone via the autoupgrades, so said spyware can send the data back while it's unencrypted.
The only mystery is why Apple says the bill is ambiguous. It outright says they expect to be able to silently download the app, they expect Apple to provide them with the mechanism that will hide it from the user (and that includes up to and including writing the app for them), they expect the app will send whatever data it collects (keystrokes, phone calls, GPS position, photos) silently and in real time back to the cops' offices. And it doesn't just cover phones - it covers all devices like Apple TVs, MacBooks, and watches. This is all laid out in relatively simple terms in the explanatory notes they released with the bill.
If Apple thinks it's ambiguous and could somehow be worse, I'd love to know what could be worse than what they have already asked for.
Even the government appointed overseer of the government is concerned.
https://www.itnews.com.au/news...
Here is mine... pity I sent it before Krebs wrote https://krebsonsecurity.com/20...
This is a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the Telecommunication and Other Legislation Amendment (Assistance and Access) Bill 2018 [0].
Chinese surveillance society [1] offers a chilling vision of a society I never want to live in.
Just as Apple differentiates itself [2] clearly from Google and Facebook by saying we will never sell your data (you aren't the product), I think Western democracies ought to clearly differentiate themselves from China.
Currently we're heading towards a local optimum that will look more and more like China. Because of certain problems (paedophiles, drug dealers, terrorists), government wants weak encryption. Then in large part because of weak encryption, we can't use Chinese components in our networks [3].
Well, the truth is that paedophiles/drug dealers/terrorists will all wake up to the fact that comms on common services can be intercepted, and will use their own encryption (routed over TOR or similar, so you can't tell who the endpoints are). Phantom Secure is evidence that this horse has already bolted [4]. Though I guess you might make any private encryption technology illegal? Why not?!!
The net result being that only people with "nothing to hide" will be using services that you can surveil.
Thinking more broadly, if drugs such as marijuana and MDMA were legal, then probably 95% of the so-called encryption problem goes away. And lots of other problems as well... Count on certain relatively benign recreational drugs being legalized soon after self-driving cars become common.
And then I'd argue that you catch the paedophiles and terrorists with creative policing[5]. You don't absolutely need this kind of legislation to then get into their phones [6].
In summary, a much better approach would be to support strong encryption (the global optimum), and say clearly we don't want to follow China. With strong encryption right across our telecomms networks, we'd be able to source equipment from Huawei and ZTE ... Of course, there's the additional concern that the Chinese could stop packet transmission entirely (ie a kill switch), or make it unreliable, but that's a different problem to "they might read our stuff".
The real concern would then be any laptop, server [7] or phone made in China (ie most of them) - the terminal devices where stuff must be decrypted for the user to see.
Of course, the problem is that embracing "strong encryption" is anathema to the received wisdom from the rest of the Five Eyes [8], and you need to take a broader perspective to realise it is the right choice for an open society.
[0] https://www.aph.gov.au/Parliam...
[1] http://www.abc.net.au/news/201...
[2] https://www.washingtonpost.com...
[3] https://www.itnews.com.au/news... https://www.itnews.com.au/news...
[4] http://www.abc.net.au/news/201... https://www.theregister.co.uk/...
[5]
> Wouldn't that mean that they cannot ask companies to build backdoors as that would weaken their systems?
No. First of all they don't want back door access through flaws; the law essentially demands that individuals and businesses give them front door access designed into the hardware and software stack. It is blatant stupidity because it will be impossible for them to protect their systems from being compromised by black hats and eventually organised crime. The Government is proposing powers of such gargantuan scope it will be impossible for them to keep it under control, how imposing and intrusive it is, how utterly lazy the government is to even ask for these powers. Essentially this is what I see that is relevant to what you are asking:
Division 1 Items list the entire OSI stack and the hardware stack. Whoever was advising them on the law had enough technical know-how to include everything. There were no gaps in either hardware or software stack where the govt is demanding powers. No manufacturer or software supplier escapes. They can get access to the keyboard hardware if they wish, but they want it easy. All OS vendors will have to comply.
No website escapes if you interact with any mass group of people or a customer base that the govt wants information about, if you are a designated communications provider.
In terms of actions business will have to comply with if they have eligible activities, every part of the supply chain is covered from creating components to installers. They can all be issued with a Technical Assistance Request or Technical Capability Notice. In the "Listed acts or things" Govt can demand removal of encryption, proprietary design information about your software and how it works, demand you install their servers, force data formats and integration assistance, finally leaving business to maintain their servers. After that the business is then responsible for maintaining access to intercept equipment whilst hiding it and concealing access.
Jail time, heavy fines and exposure to liability for businesses and individuals who don't co-operate.
Division 2 discusses exactly how government will disrupt the businesses who co-operate and the specific steps that have to be executed to comply. They can change the specification, the scope and responsibilities of those assigned, demand assistance and have anti-bypass clauses. The fines imposed are quite high as I go through my notes; this is only 40 pages in, around 317ZB.
So in essence it doesn't matter what Limitations 317ZG has because all it is asking you to do is not do something that you wouldn't do in the first place: Knowingly design a weakness into your hardware or software. They don't want backdoor access, they want to be completely integrated into your software and hardware stack. Orwellian isn't enough to describe it.
Onto the AC's point.
As you start to get to the end of the legislation you will find the hooks where the other four eyes can request access to these powers and exert them over business under intelligence sharing agreements where other Acts are modified. It goes like this.
As Australia does not have a Bill of Human Rights it has traditionally relied on the activism of its populace to not slip into a police state as a consequence of being a participatory democracy. This has allowed the Australian Government to pass laws that could not constitutionally pass in the US, UK, NZ or Canada, thus gradually chipping away at the intrinsic rights Australians had.
So, the way those other countries can access those powers is by requesting A
My ism, it's full of beliefs.
> Even the government appointed overseer of the government is concerned. https://www.itnews.com.au/news...
Thank you!
My ism, it's full of beliefs.