Australia Set To Spy on WhatsApp Messages With Encryption Law (bloomberg.com)
Australia is set to give its police and intelligence agencies the power to access encrypted messages on platforms such as WhatsApp, becoming the latest country to face down privacy concerns in the name of public safety. From a report: Amid protests from companies such as Facebook and Google, the government and main opposition struck a deal on Tuesday that should see the legislation passed by parliament this week. Under the proposed powers, technology companies could be forced to help decrypt communications on popular messaging apps, or even build new functionality to help police access data.
Prime Minister Scott Morrison has said the legislation is needed to help foil terrorist attacks and organized crime. Critics say it is flawed and could undermine security across the Internet, jeopardizing activities from online voting to market trading and data storage.
I have always been suspicious of those Aussies with their long knives and funny accents. What exactly are they up to down under there? They must be plotting something.
Do these legislative entities not realize that the bad guys can write their own encrypted apps?
Or send coded messages through existing apps that still won't help law enforcement?
Wouldn't it be easier for these people if they just declared secrets unlawful? Anyone who does not provide copies of any and all correspondence they send and receive is executed (both sender and receiver must provide, so they can double check, and check for authenticity!) - What is this? 1984?
Which applications do not provide copies of your correspondence to anyone who asks for it?
*all* the messages from whatsapp worldwide encoded in such a way that you need all the messages to determine the content of any message.
To Russian and Chinese hackers are part of the deal? - What is the price for an election system these days?
As usual, such spying will affect only normies.
Government is not your friend; government is your ruler.
What's to stop nefarious people from using that same functionality? If police can use it, even if you give them the benefit of all doubt that they would never do anything harmful with it, then the bad guys can use it too.... either because of leaks or hacking or what have you... and because the technology has to accommodate being decrypted in this way by legitimate law enforcement, how does the technology tell the difference, and recognize when it is being accessed by legitimate law enforcement and when it is not? And if (when) it cannot, then what extra measures are law enforcement going to take to protect the general public from such eventuality?
It seems to me that this is going to make law enforcement's job harder, not easier.
Australian lawmakers are idiots.... and that's being complimentary to actual idiots.
File under 'M' for 'Manic ranting'
I suspect the Aussies will probably have to make do without Whatsapp etc, rather than these removed from reality politicians getting what they want.
This is stupid. Encryption is mathematics, and mathematics has no built in back-doors for illiterate politicians who don't understand how encryption works.
If you poke holes in it, then another motivated actor can find those holes and exploit them. Period.
Tell you what, politicians who demand broken encryption should be forced to use any such system for their own security. They'll cry loudly how their stuff is too important to use broken encryption.
Any encryption method which has back doors is, by definition, no longer secure. This will impact literally everything which uses encryption -- which these days is pretty much everything, including financial transactions.
You can't legislate that Pi is 3, and you can't legislate that encryption can be bypassed without understanding that if you can bypass it, someone else can and will also bypass it.
This is like mandating that all locks have a law enforcement button which opens the lock, and then saying nobody else will ever use that button because they're not supposed to -- it simply doesn't work that way in real life. Once you break it, it's broken for good.
These companies can't deploy one means of encryption in one place, and another means for Australia. So, yeah, TFS is right, this could undermine all network security.
Fucking idiot politicians.
Do you guys really think the corporations aren't reading your messages? They aren't giving this stuff away for free.
There are so many phones and so many computers, any secret sauce 'update' will be discovered and exploited - just like the 8 year old CIA ones that were not fixed, that are now public knowledge.
Slipping in a signed module will be gold when some journalists honeypot gets audited - which is how some people earn good money. The AssAccess plan won't work.
The companies could say "Sure, we're gonna help you decrypt this by dedicating one CPU to bruteforcing the keyspace starting from the beginning. You guys can bruteforce starting from the end to avoid replicating effort."
Even if they are all outlawed, outlaws will still use them to get around these laws. And if deep packet inspection starts getting used to crack down on them, they will just move to steganography and sending streams of cat memes with hidden messages in the low order bits :)
Sometimes, they are. We know this because sometimes someone takes the software apart with reverse-engineering tools, then tells everyone.
That kind of universal verifiability is the basis of integrity. I've been pushing it for voting. Current electronic voting machines use secret software reviewed by some people under NDA and loaded on the machines before the election, so you can't verify any of it. For an electronic voting machine to be usable during an election, you need to publish the software image, and then prove that image is the image loaded at the beginning of polling--achievable, but brutally-stringent on exact procedures for opening and closing the polling day.
I've suggested the same about things like Single Transferable Vote and other voting rules: the state must publish the full ballot sets (which must be traceable to polling centers or marked as non-traceable mail-in absentee ballots) and the algorithm used to compute the results.
It's not that everyone has the tools and knowledge to verify the election; it's that we've made it impossible to get rid of the kid pointing out that the Emperor has no clothes. He won't stop telling everyone.
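The "publish the software image, then prove the loaded image is the published one" step above is, mechanically, a signed per-file hash manifest checked against whatever is actually on the machine. The following is an added example, not code from the original post or from any voting-machine vendor; the sample "image" files, the publisher key and the use of HMAC-SHA256 as a stand-in for a real public-key signature are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample "image": file name -> file contents. In practice these
# would be the real files of the published software image.
PUBLISHED_IMAGE = {
    "boot.bin": b"\x7fELF constructed boot stub",
    "tally.py": b"def tally(ballots):\n    return sorted(ballots)\n",
    "config.json": b'{"precinct": "demo-01"}',
}

# Assumption: HMAC-SHA256 with a publisher key stands in for the publisher's
# real public-key signature over the manifest.
PUBLISHER_KEY = b"constructed-publisher-key-for-demo"


def build_manifest(image: dict[str, bytes]) -> dict[str, str]:
    """Per-file SHA-256 digests, keyed by file name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(image.items())}


def canonical_bytes(manifest: dict[str, str]) -> bytes:
    """Deterministic serialisation so every verifier authenticates the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict[str, str], key: bytes) -> bytes:
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).digest()


def verify_image(image, manifest, signature, key) -> list[str]:
    """Return a sorted list of findings; an empty list means the loaded image
    is exactly the published one (no modified, missing or extra files)."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        # Do not trust any per-file digest from a manifest that fails authentication.
        return ["manifest signature invalid"]
    findings = []
    for name, digest in manifest.items():
        if name not in image:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(hashlib.sha256(image[name]).hexdigest(), digest):
            findings.append(f"modified: {name}")
    for name in image:
        if name not in manifest:
            findings.append(f"unexpected: {name}")
    return sorted(findings)


# What the publisher releases ahead of polling day.
MANIFEST = build_manifest(PUBLISHED_IMAGE)
SIGNATURE = sign_manifest(MANIFEST, PUBLISHER_KEY)


def check_tampered_image() -> list[str]:
    """Loaded image where tally.py was replaced and an extra module appeared."""
    loaded = dict(PUBLISHED_IMAGE)
    loaded["tally.py"] = b"def tally(ballots):\n    return ballots[::-1]\n"
    loaded["extra.so"] = b"constructed unexpected module"
    return verify_image(loaded, MANIFEST, SIGNATURE, PUBLISHER_KEY)


def check_forged_manifest() -> list[str]:
    """A manifest rewritten to match an altered file, but without the publisher key."""
    loaded = dict(PUBLISHED_IMAGE)
    loaded["tally.py"] = b"altered"
    forged = build_manifest(loaded)
    return verify_image(loaded, forged, SIGNATURE, PUBLISHER_KEY)


if __name__ == "__main__":
    print("published image:", verify_image(PUBLISHED_IMAGE, MANIFEST, SIGNATURE, PUBLISHER_KEY))
    print("tampered image: ", check_tampered_image())
    print("forged manifest:", check_forged_manifest())
```

The two checks in the block are the ones that matter procedurally: the manifest must be authenticated before any per-file digest is believed, and unexpected files are reported as loudly as modified ones, since an image that contains more than what was published is not the published image.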
How long do you think we could hide code in WhatsApp to parallel-encrypt with another public key and send to another server?
How long could we hide code that downloads additional code and adds it to the application?
How would we keep people from dumping the memory space to find out what exactly that additional code does?
How quickly will Google start screaming that Facebook is doing something shady? What about RMS? Peter Gutmann?
Support my political activism on Patreon.
Your "stupid" politicians are only relevant because voters vote for them. If they didn't have the overwhelming support of the country, you never would have heard of them.
Voters hear stupid shit and say "I love stupid shit but I want things to become more stupid" and they vote for them, hoping that today's stupidity is the seed for tomorrow's super-stupidity.
The voters insist. Either legislate Pi==3 or be replaced by someone who will do what The People demand.
What's the chance that as soon as this is enacted some corporations will simply geo block Australia?
Unlocking the vault could be a slippery slope to anyone wanting to get in.
Jumpstart the tartan drive.
It's far easier to strip rights when that's purported "Will of the People"; democracy is a Tyrant's dream.
How long do you think we could hide code in WhatsApp to parallel-encrypt with another public key and send to another server?
Not very long, given that WhatsApp messages are encrypted using the Signal protocol which is open and easy to verify. In fact the German c't magazine did verify operation using ARP spoofing.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Sure you can access the messages, they're encrypted still but you got them. Oh yes, they'll force the tech companies to provide access even though it doesn't work like that so job's a good'un then, right?
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
It's not just that the protocol is open. You can disassemble the binary into code, dump the running process, and do other things to check out what's going on with it. With several billion people, some subset is both capable and interested in doing so.
Any company caught inserting back doors to E2E encryption becomes instantly irrelevant. It would be corporate suicide!
This is the same government which last year forced ISPs to block access to popular bittorrent sites such as piratebay.org by blocking DNS lookups. So what did everyone do? They just changed their DNS to 8.8.8.8 and everything returned to normal.
*sigh*
in Australia. If they've got it in one country then they've got it everywhere.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
if they have any. If that law passes we know that any encrypted transaction in Australian software is backdoored, as is every TLS encrypted connection to eg. a bank.
Just put that your application is not supported to run in Australia. As long as there is no business presence in the country the law should have no impact.
I'm looking forward to Apple turning off iMessage in Australia to make a point.
Can't wait for the first round of Australian politicians and law enforcement to be compromised by this.
"Privacy and security is in our DNA, which is why we have end-to-end encryption. When end-to-end encrypted, your messages, photos, videos, voice messages, documents, status updates and calls are secured from falling into the wrong hands.
WhatsApp end-to-end encryption ensures only you and the person you're communicating with can read what's sent, and nobody in between, not even WhatsApp. "
So what does this announcement mean? Pick one:
a) That whatsapp will turn off end to end encryption for Australian customers?
b) Whatsapp will cease operations in Australia because e-to-e contravenes Australian law?
c) The encryption scheme is already broken and we just don't realize it?
Where are we going and why are we in a handbasket?
WhatsApp data is stored in a manner accessible by Facebook, same domain as Facebook data sitting at rest on your ios phone. They just have to slurp it, and you know they already want to. Google it.
because none of these incidents produced terror.
Of course, all access to this system will be recorded and stored on multiple sites with no way to delete or alter the records, for later review by elected officials to ensure no funny business like spying on political opponents.
What? No?
Huh.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Cancel the dinner.
It's the law.
Except in Australia I guess. I always wondered about that, them being on the bottom side of the globe and all.
Similar to the recommendations to use PGP, I always preferred to use this:
https://silence.im/
Unfortunately, Google pulled it from the play store, but an open app that uses standard sms and layers encryption basically eliminates the central authority to spy on everything. Use SMS. Encrypt it. Why bother trusting the centralized systems like Whatsapp. Of course they get your metadata, but how much can you really hide that anyway?
The sledgehammer is a "technical capability notice (TCN)": The company must build a new function to help police get at a suspect's data, or face fines.
I guess they tell Apple (ios) and Google (android) to add keystroke loggers and/or the equivalent at the other end when the E2E encrypted message is displayed on the screen. Job done.
Ultimate target of this isn't "dumb terrorists" like the clowns who tried to smuggle a "bomb" onto a plane in Melbourne but forgot to check their luggage limits, or paedophiles (think of the children), but the war on drugs (message to small time dealer "can i get a couple of pills for Saturday"), and later, everyone.
Politicians are either gutless (who wants to be told by the security agencies that we would have prevented a stabbing/shooting/drug deal but you didn't pass an enabling law) or ignorant (haven't read 1984, aren't aware of what's happening in China) or not ignorant but power hungry (have read 1984 and are watching China, and love it). But the security agency submissions aren't public, so who knows what story they were told.
What they really mean is they want to be in CONTROL of yet another aspect of your lives.
Remember, power corrupts and absolute power corrupts absolutely.
So, Facebook / WhatsApp should just geoblock jurisdictions that implement such a Law. On their site, explain that such geoblocks are mandated by the Law of the jurisdiction - and politely suggest that many available vpn solutions allow the user to choose alternative jurisdictions to access the service from.
It is worth knowing that this proposal emerged fully formed from the security agencies. This probably means that it was cooked up by the five eyes collective led by the USA and Australia was chosen as the country most likely to support its introduction.
As many people have pointed out there is no way of implementing this without fundamentally violating the security of encrypted message applications and the impacts would flow on across the world. The assumption is that doing this would be undesirable.
Once in place, and proven to work other countries will rush to "catch up" with similar laws. Until this occurs the five eyes nations can all utilize the Australian back doors via existing intelligence sharing agreements.
The government mandates it.
If you can read this message, you'll know what to do.
The Bill is being debated right now. This is the live stream link at the time of posting.
My ism, it's full of beliefs.
To be fair they are more concerned about the average low tech criminal having easy access to powerful encryption tools.
I have read the entire Bill and wrote a two part 80 page analysis on it and can say to you that they are far more concerned in providing an avenue to all Five Eyes countries a means to by-pass telecommunication encryption on all types of technology.
If they wanted to go full 1984 they could simply make the use of unbreakable encryption for messaging a crime and charge anyone found to be using it.
They have gone beyond that by subverting the use of encryption and allowed means to coerce IT professionals to co-operate or face liability for security flaws, fines and jail terms of up to ten years for not cooperating.
Apple and Google would block such apps in their app stores, and most criminals would not have the skills to write their own (and even if they did would be convicted if discovered).
Apple, Google, IBM and many others all made submissions on this bill. None of them had anything good to say about it.
So actually this law can be quite effective if they are willing to take it far enough. If not the best they can hope for is deterrent.
They have taken it way too far and there is no judicial oversight.
And of course either way it's a really terrible thing to do to your country and the citizens you are supposed to be serving.
They are extending the power of the state in the grossest form.
Do you guys really think the corporations aren't reading your messages? They aren't giving this stuff away for free.
This Bill forces those companies to act as a proxy for intelligence services whilst giving the government dictatorial powers over those corporations internal infrastructure.
It is annoying that politicians think they can actually pass laws to block encryption. At the end of the day encryption is just maths and passing laws is not going to change how maths works. Currently politicians seem to think that government laws can override the fundamental laws of the universe.
I would love to see Apple and Google team up and point that out, then back it up by showing that since they can't change maths then they can no longer offer their services in Australia. Simply block the whole country from using any iOS or Android product. I suspect a few hours of the whole country without such modern technology would help the politicians understand what they are really asking for.
The closest that happened before was when Google was required by law to pay news companies for links in a European country, so Google simply stopped linking at all and the news companies not only got no money they lost the follow on traffic, effectively shooting themselves in the foot.
And yet police and other agencies hide their communications on state run government radio networks with encryption. All because they didn't want anyone listening to them with scanners.
Can't have it one way Australia, I'm looking forward to backdoors to everything the government uses.
All TLS connections will have to terminate at the great firewall of OZ now.
So will there now be special versions of self-encrypting SSD for sale in Australia? Will apple / ms have a special branch of iOS / windows with weakened encryption?
Or will there be backdoors in everything for everyone now, even in the less stupid countries?
Can an Australian be a kernel maintainer?
Is there any job where an Australian software developer is not toxic now?
What happens when someone writes an app that simply encrypts the contents of the message using a pre shared key?
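To make concrete the point made repeatedly in this thread that encryption is just maths with no room for a built-in bypass, here is an added example (not code from the original post or from any product named on the page) of what "encrypt the message with a pre-shared key" amounts to: key derivation, a keystream, and an authentication tag so a modified or wrong-key message is refused rather than decrypted into garbage. It uses only the Python standard library, so the HMAC-SHA256 counter-mode keystream and HKDF-style key split are constructed stand-ins for a real AEAD such as AES-GCM or ChaCha20-Poly1305; the sample key and messages are constructed too.

```python
import hashlib
import hmac
import os
import struct

SALT_LEN = 16   # per-message salt for key derivation
NONCE_LEN = 16  # per-message nonce for the keystream
TAG_LEN = 32    # HMAC-SHA256 authentication tag


def derive_keys(psk: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """HKDF-style extract-and-expand: independent keys for encryption and MAC."""
    prk = hmac.new(salt, psk, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, enc_key + b"mac\x02", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (stand-in for a real cipher)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(psk: bytes, plaintext: bytes) -> bytes:
    """Returns salt || nonce || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(psk, salt)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC over everything the receiver will parse.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(psk: bytes, blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; raises ValueError on any failure."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(psk, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified message")
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def tamper_is_detected(psk: bytes, plaintext: bytes) -> bool:
    """Flip one ciphertext bit; a sound design refuses the message instead of decrypting it."""
    blob = bytearray(encrypt(psk, plaintext))
    blob[SALT_LEN + NONCE_LEN] ^= 0x01
    try:
        decrypt(psk, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    psk = b"constructed shared secret"          # constructed demo key
    msg = encrypt(psk, b"constructed demo message")
    print(decrypt(psk, msg))
    print("tamper detected:", tamper_is_detected(psk, b"constructed demo message"))
```

Nothing in the block has a place where a third party's key could be inserted without changing the maths on both ends: whoever does not hold the pre-shared key gets a ValueError from the tag check, and that is the whole of the point the comment is making.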
Exactly...
Yes Francis, the world has gone crazy.
If whatsapp doesn't have any servers in Australia (if they did, they'd best shut them down), then the Aussie's "phrankencryption" law does not apply and cannot be enforced.
Sorry Igor, you cannot have those keys.
Based on their blithering idiocy, I expect most companies that rely on technology to start moving out of Australia because of this "unsafe" law, that when "enforced" causes said companies to violate privacy laws worldwide.