Fortunately, in Australia, mathematical laws are trumped by Australian law, so there will be no pesky mathematical laws about the impossibility of decryption getting in the way!
For those who do not know, the above is a quote by our current Prime Minister, who said “The laws of Math are very commendable, but they are not higher than the laws of Australia”
This is the same muppet who claimed that nobody needs more than 25 Mbps of network bandwidth.
Except the guy beating you with the wrench (more likely bankrupting and imprisoning you) is doing it with full legal authority, and zero recourse to you (though the Australian police certainly isn't shy about getting in a few shots while they're doing the bankrupting and imprisoning stuff [1], and I seriously doubt that in prisons, where you're totally at their mercy, they behave better).
Parliaments think they're omnipotent, and any company that doesn't want to run the above risk (Just ask Kim Dotcom), has to comply.
Oh and no worries, if the company itself is safe, are you sure all it's employees and family members of those employees are safe from that government too ? [2] "But it can't happen here, our police is better". [3] (is a link to police officers threatening entire families of immigrants, for years, and when they are finally found out, the government protected them from prosecution, instead simply asking them to resign ...)
I doubt much would come from that. The Department of Home Affairs is run by some pretty dodgy characters (i.e Peter Dutton)...
I plan to send letters to key opposition members and crossbench senators, might have a bit more chance of something coming out of that.
Unfortunately Labor has been in lockstep with the LNP in voting for these kind of acts so far (our slow descent into authoritarianism) but we can always hope...
It looks like they want to be able to selectively install backdoored software for individual targets. [1]
I.e. they could force apple to deliver a patched whatsapp that disables encryption on the device or sends information to a third party.
That's how it could work for other app developers, but in WhatsApp's case, WhatsApp is already capable of replacing users' encryption key with its own.
It's a shame much of the crypto community was "skeptical" at the time that WhatsApp would use this capability for anything other than sending users "lost messages", because it's exactly the kind of thing I would expect companies that want to comply with secret (or otherwise) government orders to implement, while having a "reasonable" public excuse for implementing such a feature.
They're not allowed to ask for a "systemic" change, which I think is how they're trying to get around the impossibility of an app providing stuff it doesn't have. They can ask/demand that whatsapp delivers an app update that only targets a particular person or persons, with some sort of backdoor, but not one that is a backdoor for all users.
Of course, there's a whole cost thing there as well as whether an overseas corporation is required to co-operate with AU law enforcement.
So theoretically, they could say "Whatsapp, give us a backdoored app. Telstra, push this app to these phones."
Or course, Whatsapp could argue that releasing a backdoored app is creating a "systemic vulnerability" which is specifically carved out of the requirements to co-operate.
Explained like that, it does just seem like a really hard to implement wiretap. Not necessarily the worst thing if it’s per user with the right warrants etc.
I wonder what this means for Atlassian's international clients.
Does the Australian government have unfretted access to any code hosted with Atlassian ?
Maybe if you are a small business in Australia you would not care about it - but big European, Chinese or American clients would definitely not be convinced by any assurances.
The most important thing is that kind of question should not be raised in the first place, the biggest threat is not the Australian govt or Australian rival companies, the biggest threat are rival companies in their own soil that can take advantage of such a backdoor - it could just be as easy as a cash transfer to a low level employee in the Australian govt.
All of these factors just means Australia is not a good place to invest when it comes to cloud infrastructure, data warehousing or intellectual property, that if is leaked could literally destroy your livelihood.
Atlassian may have been founded by Australians but its headquartered in the UK (for tax reasons I assume) and listed in the US, it's as exposed as any multinational to this sort of thing
While the idea that the laws of math can be revoked in Australia is silly, any company that trades with or sells services to Australians is liable under this proposed law if they are a designated provider.
So Atlassian is no less or more likely to be covered here than any other software house that sells to Australians.
In terms of communications provision, it's not that much different to CALEA in the US or equivalents in other countries. The troubling section is in section 317C that defines what a "designated communications provider" and "eligible activities" are.
The worrying items are 3-6 that basically say anyone who provides software/hardware or develops that software/hardware is part of either used for providing communications or "an electronic service" are subject to the notices.
So, are you a software house developing an app? You're providing an electronic service by running the app and its servers? You're liable under this law to assist as is "feasible".
Same if you develop software used by another "electronic service". So, writing some open source software? The library used by another app? You have to assist under one of these notices.
The only get out clause is 317ZG which says that a provider is not required to develop anything that introduces a "systemic" vulnerability. But I'm sure lawyers will have a fun time defining "systemic".
> The worrying items are 3-6 that basically say anyone who provides software/hardware or develops that software/hardware is part of either used for providing communications or "an electronic service" are subject to the notices.
This sounds like it would apply to Tor.
I can't imagine Tor is actually the biggest problem though, certainly compared to simple encrypted messaging services with hundreds of millions of users.
Yes, "thing" is effectively the word they're using to mean "task", "activity", "modification", etc etc. What word would you use instead?
A judge would interpret the word according to standard English usage. The judge would also interpret the words "reasonably incidental" in a... reasonable way.
Law is not code, it gets interpreted by lawyers and judges.
Yes, when it comes to the law, if they mean things they should say them. It seems like they have used these generic terms in order to ensure there is zero weight on individual rights and maximum weight on the side of those exercising the power. That is, they really can't be bothered thinking through what powers they actually need and under what circumestances those are warranted, so let's just write "the government can do anything to accomplish the things" and put a story about a child rapist on the front of the legislation. It's lazy, imprecise and offensive to the idea of civil liberties.
Of course... this is the government led by an ex-merchant banker that said "Well, the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."
Law is code, and the words used in legislation or case law do not mean the same thing as the same words used in everyday scenarios.
Entire cases are won or lost based on interpretation of “and” versus “or”, and even whether the presence or absence of an Oxford Comma changes the meaning of a law.
PS: code as in secret message, not code as in logical and prescriptive language for specifying tasks to a computer.
Which is why the section on systemic vulnerabilities (317GZ) is (IMHO) the most important to get clarified and expanded.
The other area that needs to get clarified is the definition of "designated communications provider" in 317C, particularly those related to software/hardware development and manufacture.
The fact is, this legislation will pass, because both the Liberals and Labor march in lock step on "national security".
So the fight becomes how to limit the scope to ensure that the requirement to "implement or build a systemic weakness or systemic vulnerability" is expanded out to exclude:
a) common security libraries that are shared across operating systems and applications
b) secure hardware (HSMs, SEPs, etc)
c) protections and procedures required under PCI/DSS, banking, medical, GPDR and equivalent laws
d) requests that make it likely that a provider's business will suffer due to loss of trust of the security of the information that a user/customer provides.
Maybe they need to go back to 'old fashioned' law enforcement - i.e. haul in the suspects for questioning, put out media adverts to urge victims to come forward, etc?
The example provided is pretty poor: "Enquiries showed that he was contacting these females and offering them drugs in return for sexual favours." - so their enquiries showed that and yet the only evidence that could secure a conviction is supposedly on the phone that law enforcement can't unlock? I call BS.
31 comments
[ 3.9 ms ] story [ 76.1 ms ] threadThis is the same muppet who claimed that nobody needs more than 25 Mbps of network bandwidth.
http://imgs.xkcd.com/comics/security.png
Except the guy beating you with the wrench (more likely bankrupting and imprisoning you) is doing it with full legal authority, and zero recourse to you (though the Australian police certainly isn't shy about getting in a few shots while they're doing the bankrupting and imprisoning stuff [1], and I seriously doubt that in prisons, where you're totally at their mercy, they behave better).
Parliaments think they're omnipotent, and any company that doesn't want to run the above risk (Just ask Kim Dotcom), has to comply.
Oh and no worries, if the company itself is safe, are you sure all it's employees and family members of those employees are safe from that government too ? [2] "But it can't happen here, our police is better". [3] (is a link to police officers threatening entire families of immigrants, for years, and when they are finally found out, the government protected them from prosecution, instead simply asking them to resign ...)
[1] https://www.youtube.com/watch?v=tJWeSh_aKLw
[2] https://www.meydan.tv/en/site/news/21238/
[3] https://www.smh.com.au/national/sydney-crime-arrests-the-ins...
I plan to send letters to key opposition members and crossbench senators, might have a bit more chance of something coming out of that.
Unfortunately Labor has been in lockstep with the LNP in voting for these kind of acts so far (our slow descent into authoritarianism) but we can always hope...
[1] https://www.homeaffairs.gov.au/consultations/Documents/expla... p. 8 and 9
https://www.theguardian.com/technology/2017/jan/13/whatsapp-...
It's a shame much of the crypto community was "skeptical" at the time that WhatsApp would use this capability for anything other than sending users "lost messages", because it's exactly the kind of thing I would expect companies that want to comply with secret (or otherwise) government orders to implement, while having a "reasonable" public excuse for implementing such a feature.
Of course, there's a whole cost thing there as well as whether an overseas corporation is required to co-operate with AU law enforcement.
So theoretically, they could say "Whatsapp, give us a backdoored app. Telstra, push this app to these phones."
Or course, Whatsapp could argue that releasing a backdoored app is creating a "systemic vulnerability" which is specifically carved out of the requirements to co-operate.
Does the Australian government have unfretted access to any code hosted with Atlassian ?
Maybe if you are a small business in Australia you would not care about it - but big European, Chinese or American clients would definitely not be convinced by any assurances.
The most important thing is that kind of question should not be raised in the first place, the biggest threat is not the Australian govt or Australian rival companies, the biggest threat are rival companies in their own soil that can take advantage of such a backdoor - it could just be as easy as a cash transfer to a low level employee in the Australian govt.
All of these factors just means Australia is not a good place to invest when it comes to cloud infrastructure, data warehousing or intellectual property, that if is leaked could literally destroy your livelihood.
So Atlassian is no less or more likely to be covered here than any other software house that sells to Australians.
The worrying items are 3-6 that basically say anyone who provides software/hardware or develops that software/hardware is part of either used for providing communications or "an electronic service" are subject to the notices.
So, are you a software house developing an app? You're providing an electronic service by running the app and its servers? You're liable under this law to assist as is "feasible".
Same if you develop software used by another "electronic service". So, writing some open source software? The library used by another app? You have to assist under one of these notices.
The only get out clause is 317ZG which says that a provider is not required to develop anything that introduces a "systemic" vulnerability. But I'm sure lawyers will have a fun time defining "systemic".
This sounds like it would apply to Tor.
I can't imagine Tor is actually the biggest problem though, certainly compared to simple encrypted messaging services with hundreds of millions of users.
> What can be done undera computer access warrant?
.... long list, then:
> any other thing reasonably incidental to the above things
So "thing" is now a legal concept and any "thing" that can be done if it happens to go along with the other "things" ...
A judge would interpret the word according to standard English usage. The judge would also interpret the words "reasonably incidental" in a... reasonable way.
Law is not code, it gets interpreted by lawyers and judges.
Entire cases are won or lost based on interpretation of “and” versus “or”, and even whether the presence or absence of an Oxford Comma changes the meaning of a law.
PS: code as in secret message, not code as in logical and prescriptive language for specifying tasks to a computer.
And that's the worrying part. As soon as that mechanism exists, all assumption of data safety goes out the window.
The other area that needs to get clarified is the definition of "designated communications provider" in 317C, particularly those related to software/hardware development and manufacture.
The fact is, this legislation will pass, because both the Liberals and Labor march in lock step on "national security".
So the fight becomes how to limit the scope to ensure that the requirement to "implement or build a systemic weakness or systemic vulnerability" is expanded out to exclude:
a) common security libraries that are shared across operating systems and applications b) secure hardware (HSMs, SEPs, etc) c) protections and procedures required under PCI/DSS, banking, medical, GPDR and equivalent laws d) requests that make it likely that a provider's business will suffer due to loss of trust of the security of the information that a user/customer provides.
The example provided is pretty poor: "Enquiries showed that he was contacting these females and offering them drugs in return for sexual favours." - so their enquiries showed that and yet the only evidence that could secure a conviction is supposedly on the phone that law enforcement can't unlock? I call BS.
Isn't that disobeying conditions of parole? Why not start there?