70 comments

[ 3.0 ms ] story [ 148 ms ] thread
This could be a silly question but how does this:

>> In the second half of 2017 alone Apple received 2,601 requests for access to devices from Australian law enforcement agencies and granted them in 87% of cases.

…align with the famed Apple refusal to comply with the request to unlock an iPhone in the US a while back. Is the jurisdictional context different (re: the 4th amendment) or is this something different to unlocking a device?

There are no constitutional protections of rights in Australia (particularly related to excesses of the police and legal system), so there was probably very little legal basis for Apple to refuse.
Australia's Constitution does have some explicit rights and protections: right to jury trial (s80), religious freedom (s116), right to trade freely between states (s92), acquisition only made on "just terms" (s51(xxxi)) and protection from discrimination by the laws of a state other than their own (s117).

Probably more notable is the implied rights built up by the High Court. The most important of these are a right to vote and freedom of political communication.

But nothing as sweeping as the US Bill of Rights.

Probably worth chasing a constitutional amendment for the right to privacy
Constitutional amendments are very difficult to get up, the majority of attempts have failed. If either major political party opposes an amendment, it's essentially dead in the water. On current form the Coalition would drumbeat against it and Labor would do the bigger-badder-tougher-meanie-poo dance to try and neutralise the wedge.

Consider the fact that we are in the middle of an ongoing constitutional crisis, for which the political class knows an amendment is the only effective solution, but nobody in either major party wants to even try.

I'm Australian but left in 2008 (for what should be obvious reasons as we're discussing this on HN). What's the constitutional crisis?
I believe your parent is referring to the 'citizenship saga'.

This isn't a constitutional crisis in the 'dismissal' sense.

It's just the operation of s44 of the constitution causing a headache for parliament. Its been found that many of the parliamentarians are dual citizens, which is forbidden, and their seats in parliament have been nullified by the high court.

Australia's Constitution is very different from the American. It likely isn't the right place for such laws. (It requires a national referendum to make changes, it may predate independence, depending on how you date that).

However, there are other laws with constitutional significance. The Statute of Westminster, and the Australia Act.

But, most rights are guaranteed by Common Law, that is, any precedent or judicial opinion in any Commonwealth nation can be used for grounds that a right should be preserved when a decision is being examined by the High Court.

It's the constitution, it's Mabo, it's justice, it's law, it's the vibe and... no that's it, it's the vibe.
I have called on this scene several times since moving to the US.
> The most important of these are a right to vote

As an Australian, I would love the Government to take this one step further and also give us the right to not vote.

It is my understanding you actually do have that right. But it's a bit of rigmarole. It is only compulsory to vote if you are on the electoral roll and you can actually disenroll.
I think the article mis-stated the numbers. It's 2,601 requests for access to data (i.e. iCloud data), not devices.
This is mostly requests to Apple as a service provider. "What IP registered, and logged into suspect@icloud.com on 1/1/2018? And what are the registered users details?"

They don't have your iphone passcode on file so they can't provide it to law enforcement.

This is what I thought, too, but they explicitly state "access to devices", not "access to data".

Could also very well be that the author didn't distinct between the two sufficiently.

Or that older devices (that have outdated hardware security) are more prevalent in Australia for which Apple can decrypt.
Would be surprising; even the iPhone 5s from Fall 2013 is equipped with the Secure Enclave and is getting iOS 12. Including the feature to disable USB communication pins after 1 hour without the user's passcode. A feature aimed squarely at disabling Cellebrite from uploading their brute-force firmware.
Truly, Australia is governed by morons. Would it be asking too much for a highly paid minister of the crown, who supposedly is supposed to lead government policy in an area, to have substantial knowledge of it?

Instead, we have these lawyers who treat maths, science and technology with contempt, who legislate for us, and don't understand what the fuck they're even talking about.

The tech portfolios are a regular dumping ground for dunderheads who are too well-connected to drive to the outer ministry, but too stupid to be entrusted with ... well ... anything.

I remind people here that they should join a political party and consider seeking preselection, or at least influencing policy.

It's important that you join the party you otherwise most agree with. At different times, different parties will hold Government. Concentrating expertise on any topic in one party is a solid-gold guarantee that the other party will reject that expertise.

> Would it be asking too much for a highly paid minister of the crown, who supposedly is supposed to lead government policy in an area, to have substantial knowledge of it?

Apparently yes, and it's not just Australia. When Amber Rudd was Home Secretary in the UK she only opened her mouth to put her foot in it technically speaking. She came out with a hugely comical technical point after pretty much every incident, like the NHS virus a couple of years back, or when the government, iirc, "needed people with the necessary hastags".

Needless to say she was of the view mere citizens should not have encryption and that encryption needs backdoors for the good guys.

You get the same dangerous lack of awareness for science, environment and energy ministries as well as tech. Which makes me think the others, that I know less about, are much the same.

People keep saying "We need more scientists in government", but I think that trying to make that happen is running into a brick wall: those scientists will also need to be lawyers and there just aren't that many people who are competently both. Without an understanding of the law, they'll end up drafting laws without basic things like mens rea requirements. We live in a highly specialized world; Can anyone here can butcher a hog, design a building, and plan an invasion with a rock-solid level of competence? No. So stop looking for a unicorn who is able to:

* Sell themselves to a wide and fickle audience of stangers

* Manage a campaign staff

* Understand problems in the context of history

* Read and write legislation in a way that avoids unintended consequences or misaligned incentives

* Negotiate against people with whom they have fundamental philosophical differences

* Complete a PhD program in science or engineering

That last one isn't necessary for our actual goal... and it doesn't even help when you consider that this person will also need to be an expert on military grand strategy, healthcare administration, procurement, urban design, and agriculture. We don't need a congress full of subject-matter experts. What we need are people who respect and can work effectively with subject-matter experts.

So what is it that Senator Ron Wyden and Judge Aslup do that others should copy?

I would be happy with a politician who can accomplish even one of these things.
I'll take the first two for granted. Otherwise they wouldn't be in charge, isn't it?
* Sell themselves to a wide and fickle audience of stangers

* Manage a campaign staff

It is not necessary that politicians can do either / both, it is just that they appear to be the least worst option for at least a brief moment in the past.

I'm often reminded of that single panel comic where small child says "Dad, I'm considering a career in organised crime" and the father, holding a news paper, says "Government or private sector?".

Need to be lawyers? Vast numbers of politicians nowadays have done nothing but be a professional politician. Many were lobbyists, or in PR before politics. In the UK under 15% have done any law. Not sure about Australia.

The key point is really only "Sell themselves to a wide and fickle audience of strangers"

That's really the only skill our unicorn needs to stand for and win election.

The policy or manifesto is set in party HQ outside of scientific or any other expert advice or specialist knowledge. In the hope it'll win votes. Then a series of staged interviews, sound bites and dog whistles seek to move the Overton window to their policy and preferred direction of travel. Nothing to do with competence, truth, Civil Service advice or the presence or otherwise of a PhD in the Ministry. Politicians get promoted and senior roles because of ability to control a debate, and their media friendly features and abilities.

The better laws on the books often come from hard won experience, case law and Select Committee recommendations. Those tend not to be the laws of policy headlines, manifestos and high profile Ministry interviews.

Hence we get ridiculous policies and political grandstanding on a whole range of topics. Climate change and Brexit being just two examples where fact and consensus are irrelevant.

Government members don't need to be expert legislative drafters.

They have career public servants who are specialists in drafting legislation to work with them on writing legislation that faithfully implements their policies (eg. in Australia, the subject of the article, there is the Office of Parliamentary Counsel).

Politicians, at least in the US, are not he ones that write the laws. They have teams of aids that are given direction and then do that for them. In other cases laws can even be written by private firms and our politicians then have their teams look over it. Politicians spend the vast majority of their time fund raising for their next election.

Though maybe a more fundamental point is that our legal system is quite broken. The legalese is intended to ensure clarity, yet when it results in a system where fewer people than ever have any clue about what the law actually says, in anything beyond the most broad meaningless strokes, one must wonder whether it has actually achieved its purpose or not.

We don't need a congress full of subject-matter experts. What we need are people who respect and can work effectively with subject-matter experts.

I agree with the spirit of this argument, but there is a clear downside to not giving subject matter experts a vote at all. Ultimately there is then nothing to stop political expediency overriding facts and understanding, and the elected representatives are free to discard the opinions of the SMEs no matter how valid or correct they might be.

Obviously most representatives still couldn't be true experts all the different subjects that lawmakers vote on. You'd only ever have a limited number of representatives who were voting fully informed on any given issue. Still, at least that number would be greater than zero, and if you're a politician voting for a "health" law that 100% of the qualified medical practitioners among your colleagues are voting against on the same record, that tells everyone something.

> Ultimately there is then nothing to stop political expediency overriding facts and understanding, and the elected representatives are free to discard the opinions of the SMEs no matter how valid or correct they might be.

Sadly, I've "seen" this (first- and second-hand) happen even with private-sector managers. When it happens to me, I always wonder, why did they bother to hire us (relatively expensive) experts in the first place?

I've heard tell on HN of "engineering first" company cultures where decisions are supposedly made based (exclusively, when possible) on objective criteria, but I have yet to see it at companies above a certain size.

You created a bit of a false dichotomy here. In practice a parliamentary body needs a mix of competencies, rather than a monoculture of law students turned political staffers turned politicians.

> We don't need a congress full of subject-matter experts. What we need are people who respect and can work effectively with subject-matter experts.

In practice, you need experts inside the tent. There is a trust gradient in politics, with a sharp drop-off for anyone "outside" of the party room.

Especially if one side picks up an issue and uses that expertise to bash the other side. In that situation their opponent can either beat a retreat (followed by triumphalism) or they can deny the expertise. Especially if you don't trust the motives of the experts.

This is less likely to happen if all sides are seeded with expertise.

Banning CFCs is the best example of this dynamic. Reagan didn't understand the problem and it went against his policy instincts. But without the USA's involvement, any ban was pointless.

It was Thatcher -- someone nearby on the trust gradient, with a background in chemistry -- who convinced Reagan that it was a real problem. He still didn't understand it, but he had a trusted source to rely on.

Unfortunately tech policy in Australia seems to have a history of being poorly thought out and this doesn't appear to be an exception to the trend. The thing I find so disconcerting is just how little expertise seems to be present in the legislative space around tech in Australia compared with other countries, how did this come to be? It's not as though there's a complete lack of legislative skill either, in other areas things seem to be a whole lot better.
I think that this government knows exactly what it is doing with regards to tech laws in Australia, but the current government is serving needs other than the economic success of the tech industry in Australia.

An example of this is the monopoly internet infrastructure project that was gutted: This project is an existential threat to the television and news media organisations that enabled the current government to be elected.

Another example of this was the introduction of DNS filters to block sites that are commonly used for piracy: These sites are an existential threat to the television and news media organisations that enabled the current government to be elected.

Given the history, it is fairly likely that this legislation is also being made to satify some third party interest.

The Australian government is trailing badly in the polls, they also just announced some of the biggest income tax cuts in history after campaigning on a platform of dramatically reducing the budget deficit.

Policy in the Western world has become about what focus groups like rather than evidence.

>The thing I find so disconcerting is just how little expertise seems to be present in the legislative space around tech in Australia

There is expertise. Our Prime Minister knows tech, Turnbull is a millionaire from seeing the potential of the internet in the 90s and heavily invested in an ISP and took on role of chairman. Half a decade later he'd turned 500k into $50 million when Ozemail was acquired.

The policies aren't because of incompetence, they're actively malicious against the publics best interest in favour of the elite set to make bank.

While Turnbull can at least claim entrepreneurial success in the tech space, is he not an exception? I can't think of another prominent politician with a background in computer science, IT, or even technology entrepreneurship.
I don't believe Turnbull had anything to do with the technical side of Ozemail (which was only ever a dial-up network and mail provider), he was just on the business side.

Clearly when he became the communications minister I think he demonstrated that while he was willing to ignore experts and destroy things maliciously for political gain, I believe he also demonstrated he didn't actually understand recent tech or broadband networks much at all through a lot of it either. There were things that I think he actually believed that were rubbish.

In WhatsApp: Australia has joined the conversation
That would be a hell of a way to get people aware of the law and lobby against it. Just have that pop up for all users in Australia.
“The key point here is that we need to modernise our laws and get access to information for holding criminals and terrorists to account for investigations and gathering evidence,” he said.

great, now you might catch the dumb ones, but is there a shortage of secure communication channels? :)

> "The laws of Australia prevail in Australia, I can assure you of that," he said on Friday. "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia." - Prime Minister, Malcolm Turnbull

I'm not certain that they understand what they're asking for, can't be done. That is, there are politicians who believe math can be bent to fit the law.

It was a throwaway joke comment - Turnbull is much smarter than that.

Worth noting that Malcolm Turnbull made part of his money from investing in the internet sector in the early 90s. He invested $500,000 in OzEMail (one of Australia's first internet service providers) back in 1994, and sold his stake for $57 Million to Worldcom in 1999. He's not an engineer, but he's not entirely ignorant on these matters.

However, it is representative of his backers. And the comment wasn't given in jest, but to reopen the backdoor debate. I'm not worried he doesn't understand, but the rest of the party?
Yet he butchered the NBN and keeps passing laws to hurt internet commerce.
He might not be ignorant, but this whole request couldn't be more vague, and to an outsider makes no sense.

I mean asking Facebook to reveal encrypted data? What even is that? The data is stored readable on both the device and presumably facebook's servers, and is only encrypted in-transit if a user enables that.

Are they asking that the data not be secure in-transit?

It's a nonsense request, until they clarify what exactly it is they want.

People always seem to miss the point of that joke, which is that the physical enforcement of the law can be readily used to persuade people into surrendering encryption keys.
They can mandate to make working encryption illegal if they want. It might mean its impossible to conduct any form of secure technological communication in or with Australia, but they can legislate electricity to be illegal too.

If this ruins them economically, maybe the world needs a proper example of what happens when politicians don't understand science.

You’re more optimistic than me if you think a proper example will stop this sort of thing. How much hyperinflation happened since the Weimar Republic?

(On the other hand, didn’t the first crypto wars end around the time someone put the RSA equations onto a T-shirt to circumvent export rules?)

I think I still have at least one "This shirt is a munition" T-shirt with machine readable (barcode) RSA code (in C?) on it. That might be what you're thinking of. The point wasn't to circumvent anything but to draw attention to the absurdity of the rules, which persisted for quite some time after the shirt.

The equations themselves were never export restricted, nor was computer code printed in text in a book (since OCR wasn't considered good enough at the time yet).

It doesn't stand out as a great example of "on the other hand".

Huh, OK. I was a kid when it happened, so I guess it was misreported to me. Thanks for letting me know.
> But Nigel Phair, from the Centre for Internet Safety at the University of Canberra, said if the legislation avoided having to use a backdoor entry to encrypted data then it was likely that it would use a “frontdoor”, a means of accessing the information before it was encrypted.

...you mean a backdoor to the device, instead of a backdoor to the encryption?

Nice bit of spin there by Nigel.

Using the phrase 'frontdoor' sounds more 'legal' and appropriate. But in reality the implications of backdooring the device, ie "before encryption" happens, is actually a far, far worse invasion of privacy than purely server side decryption. Because it exposes the entire devices to surveillance, every app and piece of data flowing through the device is then exposed (and many times not just to the intended target, the police, but also evil black hoodie sunglasses wearing hackers). While a warrant for a server-side wiretap/search is just one single data source, narrowly focused on particular data and not easily exploited by hackers as it happens largely offline.

> Using the phrase 'frontdoor' sounds more 'legal' and appropriate.

It's also wrong, since there already is a "front door" on all devices: just use the normal password/fingerprint/face picture to unlock it.

(comment deleted)
I always wondered if we could steal every piece of private/personal data the politician demanding these laws has and expose it for all the whole world to see, what that might do to their attitude. We might even find some real criminals this way.
The people need the personal data and communications of the politician for there security
Similar things have happened in the past, in the vast majority of cases the politician doubles down and ends up spending more time and resources trying to prosecute the hacker, and use it as an example of why they need to go further with these kinds of laws so they can find these "hackers" before they can do damage.
The word ‘steal’ was used ironically. If I looked at you, and decided to write myself a law that allows me to monitor your every move and communication, and I charge you for that monitoring through unavoidable taxes, and I keep the accounting of the costs protected from public scrutiny, and I always remind you it’s done for your security, and me and my friends are making loads of money from the surveillance game, raising the prices and adding more security and justifying more reasons to do so, how do you know it’s not stealing?
Yeah... good luck with that.

Our Government cant get a simple census, fibre broadband or even site blocking right.

Annoyingly bipartisan efforts, I completely forgot about that ridiculous filter.
The source of this story is a 10-minute interview on ABC Radio this morning [1]. Unfortunately, there’s no transcript, but it’s a more reliable source than the second-hand summary in the article.

Despite the headline, it’s not clear that any bill has actually been drafted and certainly nothing has been introduced to Parliament. According to the minister, what will be proposed is a law that is ‘completely consistent in principle with the existing laws for telephone intercepts.’ While he ‘dodged multiple questions’ about whether the laws would authorise the use of ‘surveillance codes’ (whatever that means), he denied that there was any proposal to introduce laws requiring the use of backdoored encryption algorithms.

It would be consistent with the existing telephone intercept laws in Australia [2] (and most other developed countries) to require service providers to surveil users upon production of a warrant. In Australia, judges must consider the seriousness of the offence being investigated, and the impact on privacy, before issuing a warrant [3]. Warrants can also be obtained to install covert surveillance devices (ie. bugs) [4] if a telephone intercept or search warrant is unlikely to produce evidence.

Contrary to the comments suggesting that the legislators are completely uninformed, an Australian parliamentary committee has been conducting a public inquiry into the ‘impact of new and emerging information and communications technology’ since October 2017 [5]. Any member of the public may make a submission [6] to the inquiry and advocacy groups such as Electronic Frontiers Australia and the Law Council of Australia have done so. Relevant experts have also appeared before the committee in public hearings. It is likely that any draft legislation would be informed by the committee’s findings.

Given that the government recognises the efficacy and importance of strong encryption, the proposed new laws may look more like the US All Writs Act at the centre of the FBI–Apple encryption dispute [7]. It might not be practical to backdoor the ciphers used to encrypt data at rest on an iOS device, or in flight in a WhatsApp message. But it would be consistent with the principles of the existing telephone intercept powers (which are targeted and subject to judicial, parliamentary and ombudsman scrutiny) to require publishers like Apple to push out backdoored OS updates or apps to targeted users (or physically seized devices, as in the San Bernardino case). Perhaps the ability to obtain such targeted warrants would be less socially harmful than increased use of the existing, but more intrusive, surveillance powers.

[1]: http://www.abc.net.au/radionational/programs/breakfast/new-e...

[2]: http://www.austlii.edu.au/au/legis/cth/consol_act/taaa197941...

[3]: http://www.austlii.edu.au/au/legis/cth/consol_act/taaa197941...

[4]: https://www.homeaffairs.gov.au/about/national-security/telec...

[5]: https://www.aph.gov.au/Parliamentary_Business/Committees/Joi...

[6]:

> [...] to require publishers like Apple to push out backdoored OS updates or apps to targeted users (or physically seized devices, as in the San Bernardino case). Perhaps the ability to obtain such targeted warrants would be less socially harmful than increased use of the existing, but more intrusive, surveillance powers.

We've seen in the push to Windows 10 that, when automated updates are used in a harmful manner, people disable automated updates. The same would happen here: once it's been shown that the automated updated mechanism has been used to purposefully push a harmful update, people will start disabling automated updates.

Which means that Apple and Google have a good reason for opposing such requests.

(And that's before getting to the "elephant in the room": the same mechanism created for these requests can, and probably will, also be used by malicious actors.)

Can malicious actors issue Windows 10 updates? I heard this for (improperly implemented) application updates but not for Windows 10 updates. Microsoft has strong incentives to prevent this and done a good job so far. I agree with you if MS would push a bad update it would be a PR desaster for MS.
Well, the other issue is that if the public lose trust in first-party updates, they're also potentially skipping security patches, making everyone more vulnerable on the whole. Obviously this might work in favour of one government's agenda, but equally opens those devices up to exploiting by anyone else (including foreign actors.)
Windows rejects updates that aren't signed by known keys.

Those keys are probably some of the most valuable 1s and 0s in the world.

I'll say it no one else will...

Yeah and all is well and good until some faceless stalker tracks down, stalks, molests, brutalizes and finally murders some 'important/high muckety mucks' 11yr old daughter and posts it all over the net. Then the the gov have no choice but to enforce 'real' protection of your security.

A house has two doors, frontdoor and backdoor. Either one gives you access to the contents you're trying to protect.

It's time public/gov wises up and demands REAl security.