<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 3/09/2018 11:47 AM, Chris Ford
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SYXPR01MB1087617089C33468C6D2932FB10C0@SYXPR01MB1087.ausprd01.prod.outlook.com"><!-- Template generated by Exclaimer Mail Disclaimers on 11:47:36 Monday, 3 September 2018 -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
dir="ltr">
<p style="margin-top:0;margin-bottom:0">Paul,</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I agree with you in
general as to the point that if we are happy with the premise
of the current TIA Act that LEAs should be able to intercept
communications with a duly authorised warrant, then extending
that to encrypted services seems a reasonable extension to
keep up with technology.</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">However, the current
intercept regime is very difficult if not impossible for a bad
actor to exploit. The intercept points are within the Carrier
and CSP networks, out of reach of most people. When we move to
intercept end-to-end encrypted services you either need to
break the encryption (which thankfully does not seem to be the
path anybody is proposing), OR, you need to access the clear
text at the end point itself. The problem I have with this is
that the end point is out in user land, often accessible to
anyone on the internet, and now exposed to exploit by bad
actors.</p>
</div>
</blockquote>
..And this is it. The new legislation is NOT about encryption,
primarily, despite what we thought before the draft was released.<br>
They've explicitly acknowledged they can't 'break' encryption, and
do not want to weaken encryption. They want the sent and received
message text, stored in the device after/before the encrypted
transport.<br>
<br>
Its actually a 'device malware' bill - a bill to enable general
police forces to achieve things that previously only shadowy
four-letter agencies could do - implant malware and modify the
function of any end-user device, handset, modem, laptop, tablet,
printer, connected TV, Amazon Alexa/Google Home/etc. Actually it
goes further - rather than implant the malware themselves once
they've achieved physical access, this 'device malware' bill enables
them to ask nicely for assistance, and then to require, the device
suppliers and manufacturers to build and implant the exploit for
them. Why should AS** develop an exploit, when they can ask Apple or
Netgear or Samsung nicely to develop and install the exploit for
them.<br>
<br>
We've spent decades educating users that the green padlock on a
website means something, and that 'IOT devices' such as your average
Smart TV might be easily hijacked and be recording and watching the
home through its microphone and embedded webcam. This bill makes
government-authorised modified firmware with exploits that the
network and software industry have spent billions developing virus
scanning apps to detect and eradicate.<br>
<br>
Paul.<br>
<br>
<br>
<br>
<blockquote type="cite"
cite="mid:SYXPR01MB1087617089C33468C6D2932FB10C0@SYXPR01MB1087.ausprd01.prod.outlook.com">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
dir="ltr">
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"><span
style="font-family: Calibri, Arial, Helvetica, sans-serif,
EmojiFont, "Apple Color Emoji", "Segoe UI
Emoji", NotoColorEmoji, "Segoe UI Symbol",
"Android Emoji", EmojiSymbols; font-size: 12pt;">--</span><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" style="font-size: 12pt; color:
rgb(0, 0, 0); background-color: rgb(255, 255, 255);
font-family: Calibri, Arial, Helvetica, sans-serif,
EmojiFont, "Apple Color Emoji", "Segoe UI
Emoji", NotoColorEmoji, "Segoe UI Symbol",
"Android Emoji", EmojiSymbols;">
<p>Chris Ford | CTO</p>
<p>Inabox Group Limited</p>
<p><br>
</p>
<p>Ph: + 61 2 8275 6871</p>
<p>Mb: +61 401 988 844</p>
<p>Em: <a class="moz-txt-link-abbreviated" href="mailto:chris.ford@inaboxgroup.com.au">chris.ford@inaboxgroup.com.au</a></p>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b> AusNOG
<a class="moz-txt-link-rfc2396E" href="mailto:ausnog-bounces@lists.ausnog.net"><ausnog-bounces@lists.ausnog.net></a> on behalf of Paul
Wilkins <a class="moz-txt-link-rfc2396E" href="mailto:paulwilkins369@gmail.com"><paulwilkins369@gmail.com></a><br>
<b>Sent:</b> Monday, 3 September 2018 11:31:14 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<b>Subject:</b> Re: [AusNOG] Dutton decryption bill</font>
<div> </div>
</div>
<meta content="text/html; charset=utf-8">
<div>
<div dir="ltr">
<div>Bradley,</div>
<div>The Common Law has always allowed judicial scrutiny of
our privacy. There's always been the right for judicial
search warrants to override what's considered one's private
domain. I'm supportive of this bill where it extends
judicial oversite to the cyber domain, which is a gap that
exists only because legislation/common law has lagged behind
technology. While at the same time realising that
conversations conducted over the internet, even if
encrypted, are more properly regarded as public
conversations, than say one you might have in your living
room. Whether government is going to regulate the internet,
the boat has sailed on this long ago. The hard line privacy
advocates are simply going to be left out of a conversation
democracy needs to have over not whether the internet should
be regulated, but how.<br>
</div>
<div><br>
</div>
<div>What's interesting in this bill is that it goes beyond
extending judicial writ, allowing law enforcement emergency
powers the right to surveil suspects. This will be
authorised by law enforcement, without judicial or
governmental oversite. I think this probably goes too far.
The best outcome for everyone, to protect privacy, and to
empower law enforcement to enforce laws and to protect
citizens rights, would be to limit the scope of these new
powers to judicial writ.</div>
<div><br>
</div>
<div>Kind regards</div>
<div><br>
</div>
<div>Paul Wilkins<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
<p><br>
</p>
</body>
</html>