[AusNOG] Assistance and Access Bill moves to PJCIS

Paul Wilkins paulwilkins369 at gmail.com
Thu Dec 6 18:13:44 EST 2018


"If "there is a need for these powers over the Christmas period," then that
ship has sailed. Too late, they needed to pass it in September."

Apparently change freezes also apply to national security :)

On Thu, 6 Dec 2018 at 17:33, Paul Wilkins <paulwilkins369 at gmail.com> wrote:

> Just checked, and cyber stalking qualifies as it has 3 year max sentence.
>
> On Thu, 6 Dec 2018 at 17:21, Paul Wilkins <paulwilkins369 at gmail.com>
> wrote:
>
>> To get a TAN approved, you'll need:
>>
>>    - to be an interception agency
>>    - to have your TAN approved by the AFP
>>    - the investigation must attach a 3 year sentence
>>    - there *may* need to also be a data / computer warrant. Then again
>>    there may not.
>>
>> So no TANs for councils.
>>
>> TARs I'm not sure. There's amendments to bring them into line with TANs
>> but I'd be guessing if their approval is 100% contiguous to TANs.
>>
>> Labor wanted to remove both ICACS and the state police, because when you
>> look at it, there is no Ombudsman oversight of powers exercised by states
>> under the Telecommunications Act. So it is a surprise to see state police
>> still will get TANs/TARs under the revised Bill, but they will need AFP
>> approval, which is a definite improvement.
>>
>> I can see a need for state police to have Legal Intercept powers, but no
>> reason it should go as far as the right to modify data.
>>
>> Kind regards
>>
>> Paul Wilkins
>>
>> On Thu, 6 Dec 2018 at 17:00, Robert Hudson <hudrob at gmail.com> wrote:
>>
>>>
>>>
>>> On Thu, 6 Dec. 2018, 4:20 pm Paul Wilkins <paulwilkins369 at gmail.com
>>> wrote:
>>>
>>>> The original 172 page Bill was so obviously deficient in so many areas,
>>>> it was easier to just say the Bill should be thrown out in its entirety and
>>>> start over. Now, post 50 pages of amendments, there's still plenty of scope
>>>> for serious criticism, and the debate around getting the balance right
>>>> between citizens' rights, and the right of the State to extend judicial writ
>>>> to cyberspace will continue, but this is in every way a very much improved
>>>> Bill over the original.
>>>>
>>>
>>> Is it? Have the amendments increased the likelihood that it will
>>> actually help law enforcement? Have the amendments helped to ensure that
>>> criminals continue to use services that are subject to the reach of
>>> Australian law enforcement agencies?
>>>
>>> As Mark Newton pointed out in another forum recently, he was told, face
>>> to face, by a sitting MP, in that MP's office, that his concerns that the
>>> agencies that would have access to metadata would increase substantially
>>> were ill-founded, as were his concerns that the reasons to request metadata
>>> would increase dramatically. And now local councils have access to
>>> metadata, and there are close to 1,000 requests for metadata per day.
>>>
>>>>
>>>> I don't see on any of the grounds of criticism of the original Bill,
>>>> the amendments have gone as far as they need to, but on all the metrics
>>>> that matter this new Bill represents an honest attempt to accommodate
>>>> issues of privacy, accountability, and the need to maintain security and
>>>> protect service provider property rights against unnecessary or
>>>> disproportionate intrusion by Law Enforcement, and balance those against
>>>> the legitimate interests of the State to enforce the rule of law in
>>>> cyberspace.
>>>>
>>>
>>> I contend that the bill now represents an honest attempt to look like
>>> they're accommodating issues that aren't related to the core fact that the
>>> proposed laws won't actually reduce crime or increase security.
>>>
>>> How explicitly removing state (and potential future federal) ICACs as
>>> agencies able to utilise the powers of the bill is, in any way, reasonably
>>> associated with the phrase "honest attempt" is beyond me.
>>>
>>>>
>>>> From the definitions of systemic vulnerability and systemic weakness it
>>>> would seem to put it beyond question that back doors can only be deployed
>>>> against target devices, not deployed en masse. That said, there needs to be
>>>> a control plane function that allows access to the target device that
>>>> wasn't there before, which still constitutes a potential
>>>> weakness/vulnerability.
>>>>
>>>
>>> I am sure the bill will be successful in stopping the vulnerabilities it
>>> creates leaking. I mean, if (when, recall just how successfully the NSA
>>> managed to keep stuxnet under lock and key) the AFP manage to leak code
>>> that allows keylogger installs onto iPhones, no criminal group (or just
>>> obnoxious bunch of script kiddies posing as an online hacking group) would
>>> be able to take advantage of this - that's not a systemic vulnerability or
>>> weakness, right?
>>>
>>>
>>>> "systemic vulnerability means a vulnerability that affects a whole
>>>> class of technology, but does not include a vulnerability that is
>>>> selectively introduced to one or more target technologies that are
>>>> connected with a particular person. For this purpose, it is immaterial
>>>> whether the person can be identified."
>>>>
>>>> There's still obvious gaps around the powers and accountabilities of
>>>> state police.
>>>>
>>>> I have to say it looks dangerously like a sensible working position
>>>> from which to move forward from, while ensuring security services get the
>>>> powers they say they have an immediate need for.
>>>>
>>>
>>> When they prove the need beyond saying "We need this because we say we
>>> need it", and show that the intended targets won't simply sidestep it and
>>> move on, THEN we may have a working position from which to move forward.
>>>
>>> Until then, this is just massive over-reach.
>>>
>>> As Mark Newton previously noted, this has "The Four Horsemen of the
>>> Infocalypse" written all over it. In particular, the script to follow:
>>>
>>> "How to get what you want in 4 easy stages:
>>>
>>>
>>>    1. Have a target "thing" you wish to stop, yet lack any moral, or
>>>    practical reasons for doing so? *[We want to break encryption]*
>>>    2. Pick a fear common to lots of people, something that will evoke a
>>>    gut reaction: terrorists, pedophiles, serial killers. *[Terrorists,
>>>    natch.]*
>>>    3. Scream loudly to the media that "thing" is being used by
>>>    perpetrators. (Don't worry if this is true, or common to all other things,
>>>    or less common with "thing" than with other long established
>>>    systems—payphones, paper mail, private hotel rooms, lack of bugs in all
>>>    houses etc.) *[OMG, terrorists are using encryption (let's ignore the
>>>    fact that we're still stopping them without being able to break it, and we
>>>    still let the ones we know about stab people). Sure, it's ubiquitous, but
>>>    TERRORISTS!]*
>>>    4. Say that the only way to stop perpetrators is to close down
>>>    "thing", or to regulate it to death, or to have laws forcing en masse
>>>    tapability of all private communications on "thing". Don't worry if
>>>    communicating on "thing" is a constitutionally protected right, if you have
>>>    done a good job in choosing and publicising the horsemen in 2, no one will
>>>    notice, they will be too busy clamouring for you to save them from the
>>>    supposed evils. *[This whole debate - there are still people acting
>>>    on the assumption that this is needed, and that it will achieve the stated
>>>    goals. Bonus points for screaming at anyone who disagrees that they're only
>>>    doing so because they must support terrorism - yep, we've seen that.]*
>>>    "
>>>
>>>
>>> Just because they say they need it doesn't mean that they do, or that it
>>> will work.
>>>
>>>>
>>>> Kind regards
>>>>
>>>> Paul Wilkins
>>>>
>>>>
>>>> On Thu, 6 Dec 2018 at 13:48, Mark Newton <newton at atdot.dotat.org>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On 12/05/2018 11:48 AM, Paul Wilkins wrote:
>>>>> > "If this passes I can see similar legislation being introduced in
>>>>> > other jurisdictions."
>>>>> >
>>>>> > I think this legislation and all its warts is going to be a
>>>>> > particularly Australian feature.
>>>>>
>>>>> Exported globally, though.
>>>>>
>>>>> A 5-eyes power who wants to surveil someone can come to Australia, get
>>>>> ASIO or ASD to land a TCN on the target's platform provider, and pass
>>>>> on the result.
>>>>>
>>>>> Example:
>>>>>
>>>>> CIA wants something from an iPhone user. They can't get it themselves.
>>>>> So they take the iPhone user's IMEI to ASD and ask for 5-eyes
>>>>> assistance.
>>>>>
>>>>> ASD screams "terrorist!" in a TCN sent to Apple, which demands
>>>>> production of a compromised version of iOS which keylogs and
>>>>> screenshots any encrypted messaging apps which happen to run, and
>>>>> pushed as a silent upgrade to that user's phone.
>>>>>
>>>>> Results flow from Apple to ASD, and ASD passes them back to the CIA.
>>>>>
>>>>> There is no need for any other 5-eyes nation to pass this law now that
>>>>> Australia has it. It's provided 5-eyes with a global capability.
>>>>>
>>>>>    - mark
>>>>>
>>>>>