Signal would have to find a way to send a special app to you which does not encrypt or specially encrypts in order to funnel data to AU government. If it does not, it becomes illegal. Considering signal warns people if the key changes, it probably means Signal is now illegal as it might be physically/mathematically impossible to satisfy the law.
I haven't checked the text that passed but I think non-feasibility is a defense. Which might mean that this just inspires a new round of canarying and end-to-end encryption wrapping to defeat the bill. However presumably there are very few companies willing to die on that hill, and it may be too expensive to fight those battles.
They can only compel companies within (incorporated in?) Australia is my understanding, not foreign companies. This is a sad day for a government going out of control; I didn't elect representatives to be this over-reaching or to ignore the wishes of the people like this; again under that old chestnut guise of "Terror!". Doesn't even need a warrant, just a nod from an ex-magistrate, and I'm sure the right ones can always be found.
But I suspect this'll be a testbed for the other Five Eyes; if the public don't make a big noise, I'd expect to see this in the UK, US, NZ and Canada etc pretty soon.
Compromised version dropped onto phone of a target? Most people are reliant on App Stores for their apps, so that will be a likely vector. We don’t run checksums on desktop software, let alone software from App Stores.
How easy is it to target a play-store update? I doubt google allows binaries to be targeted to individuals, so you'd need to push the update to a rather large set, and have the update only activate for the target.
They’d probably try to compel app stores to support individual targeting as a first step. If the Australian versions haven’t shut down in the next few weeks, it’s a pretty sure bet that they’ll have been compromised.
Australia can't enforce its laws on a foreign company, especially considering Signal doesn't generate any revenue in Australia (afaik). Best they could do is find some way to block it (like the great firewall of China does with any sites/services that won't comply with their filter demands).
Maybe I don't understand all of the issues, but I'm gonna be as straightforward as I can: if you are a messaging platform doing explicit business in Australia under these rules, we have to assume you have or are willing to backdoor your software. It is a reasonable assumption that it will be hidden and that the backdoor is general enough for use outside of Australia (even if you don't explicitly deploy/enable it elsewhere, you wrote it, it exists). Therefore, if you do explicit business under these rules I have to assume you are compromised or are willing to be compromised.
Which drives home the point a lot of people are forgetting: it was never secure to begin with, unless you were going to the effort of encrypting all your own emails client-side before sending, and only communicating with others who did the same. Fastmail was never an end-to-end encrypted service, so they already could have been served orders from a government to hand over data, and if that government had jurisdiction and the orders were properly formed for that jurisdiction, they would've had to comply.
So as bad as this bill is, it doesn't really change things for Fastmail.
> "This bill is far from perfect and there are likely to be significant outstanding issues, but this compromise will deliver security and enforcement agencies the powers they say they need over the Christmas period, and ensure adequate oversight and safeguards," shadow attorney-general Mark Dreyfus said on Tuesday.
... shadow attorney-general? That sounds rather ominous.
In parliamentary systems, parties in opposition commonly appoint members of Parliament as "shadow ministers" who keep track of (and speak on) issues that the parties in government have ministers handling. They can present the opposition's official position on these portfolios.
I thought, from first glance, that the next news headline would be "Shadow Council Already Owns Your Secrets [And Your Souls]" if this trend continued.
> but this compromise will deliver security and enforcement agencies the powers they say they need over the Christmas period
"We need this bill to keep you safe over Christmas" is an obscenely cynical justification to rush this bill through, esp since it's obvious no implementation changes based on this bill would be made in time for the holiday.
It's a ludicrous thing to say because the parts of the bill people are concerned with (technical assistance orders, ie: forcing companies to backdoor products) have no possible way to be acted on in the time period they are suggesting. So it is pretty much bald faced lying. And then you have to ask, if they are straight up lying about this, what are the real motivations? If we are lucky it's pure petty politics with a benign obliviousness to the fact they have just breached a major waterline in how far Western democracies are willing to break the internet. Hopefully we are that lucky.
What does the law require, exactly? That service providers build in the ability to let law enforcement start monitoring specific communications? Or that they build in the ability to decrypt messages already sent, if requested to do so by law enforcement?
Bottom line, they can ask a technology manufacture to do anything (literally last time I looked the bill had the phrase "do a thing") and they have to do it. But the specific intent is to have the manufacture deliver targeted malware to people they want to monitor. A warrant is not required, but a crime with a jail term of 3 or more years must be involved ("involved" because you do not have to be a suspect, just useful to the investigation to receive the malware).
And all that is required from the agency making the claim is their word. This assertion of justification is untraceable, unverifiable, the tech employee can’t talk to anyone about it, and there are penalties in a secret court for refusing to perform as demanded.
Obviously this law and ones like it have no place in a modern, free society, but in regards to the risk with using business apps, it's just the same as before. You can not trust app's from companies incorporated in the five eyes [1]. If you are using a product made in any of the five eyes you are already compromised. By compromised, I mean you can be almost 100% sure that if the owner's of those countries want your data they will get it, and they will get it easily too. They do not need warrants, courts or judges to sign of on anything and haven't done for a long time.
To clarify my position on this. Whether a law like this is actually passed or not, you should assume that every company incorporated in these countries have been forced to place backdoors in their systems. I'm not saying that every company has done this. I'm saying you should assume they have.
It is utterly and completely incomprehensible and it offers little to no technical definitions of what exactly they want. There is a complete absence of technical concrete definitions of what they want and the memoranda seem to be highly conflicted. It reads as if some lawyers watched Mr. Robot and used it as inspiration for their creative writing paper that was due the next day.
Edit: this appears to signal the true intent of the bill
This would be a good opportunity for Apple to draw a line in the sand. They can afford to lose Australia, so they should just stop selling there. Better to battle now rather than waiting for a bigger fight.
As an Australian citizen who has spent many years in the US, I can say that this law is in line with the main ideology of the Australian government: extreme parentalism.
You run a red light: fine for $450 in the mail. No court date, no arguments. You exceed the speed limit by 5km/h: $200 fine in the mail. No arguments. It is brutal but it's hard to deny that it works. Australia has some of the lowest per capital road deaths in the OECD.
The problem is that the government wants to regulate the internet the say way they regulate road traffic. You can read up all the idiotic attempts here: https://en.wikipedia.org/wiki/Internet_censorship_in_Austral....
I wonder if this means Australia will have the ability to ban apps like Telegram from the app store?
31 comments
[ 0.18 ms ] story [ 60.8 ms ] threadSecure communication is now illegal in Australia.
Then it won't matter what Signal does or doesn't do, they can still get what they want.
One of many reasons you should not have your carrier control your OS update channel.
But I suspect this'll be a testbed for the other Five Eyes; if the public don't make a big noise, I'd expect to see this in the UK, US, NZ and Canada etc pretty soon.
That isnt very covert.
Why wouldn't you assume this about any company. They only exist as an creation of the state, you're obviously at their whims.
https://fastmail.blog/2018/09/10/access-and-assistance-bill/
Which drives home the point a lot of people are forgetting: it was never secure to begin with, unless you were going to the effort of encrypting all your own emails client-side before sending, and only communicating with others who did the same. Fastmail was never an end-to-end encrypted service, so they already could have been served orders from a government to hand over data, and if that government had jurisdiction and the orders were properly formed for that jurisdiction, they would've had to comply.
So as bad as this bill is, it doesn't really change things for Fastmail.
That is, is using pgp still allowed? How about something signal-like that is self-hosted / federated?
> "This bill is far from perfect and there are likely to be significant outstanding issues, but this compromise will deliver security and enforcement agencies the powers they say they need over the Christmas period, and ensure adequate oversight and safeguards," shadow attorney-general Mark Dreyfus said on Tuesday.
... shadow attorney-general? That sounds rather ominous.
https://en.wikipedia.org/wiki/Shadow_Cabinet
I thought, from first glance, that the next news headline would be "Shadow Council Already Owns Your Secrets [And Your Souls]" if this trend continued.
"We need this bill to keep you safe over Christmas" is an obscenely cynical justification to rush this bill through, esp since it's obvious no implementation changes based on this bill would be made in time for the holiday.
To clarify my position on this. Whether a law like this is actually passed or not, you should assume that every company incorporated in these countries have been forced to place backdoors in their systems. I'm not saying that every company has done this. I'm saying you should assume they have.
1. https://en.wikipedia.org/wiki/Five_Eyes
https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat...
It is utterly and completely incomprehensible and it offers little to no technical definitions of what exactly they want. There is a complete absence of technical concrete definitions of what they want and the memoranda seem to be highly conflicted. It reads as if some lawyers watched Mr. Robot and used it as inspiration for their creative writing paper that was due the next day.
Edit: this appears to signal the true intent of the bill
https://parlinfo.aph.gov.au/parlInfo/download/legislation/bi...
It all seems to be one giant five eyes power play to make their jobs easier.