<div dir="ltr"><div>Paul,</div><div>Yes and no. 'The rights of service providers to manage their own
affairs' should be subject to the rule of law. With the important qualification that per the Dec'n Human Rights, any intrusion by the state of private property (both a service provider's code base and data centres are private property) must be necessary, proportionate, and subject to the rule of law. Service providers have a right to insist that any intrusion is specific, non-arbitrary, and for due process, should not be subject to determination by Law Enforcement, but should be a question for, and appealable to, the judiciary. Service providers (and 3rd parties) should be adequately compensated for any damage done to their interests because of Law Enforcement malfeasance or misfeasance.<br></div><div><br></div><div>Much of what's considered legitimate activities in the Bill is subject to arbitrary interpretation by Law Enforcement, or sufficiently vague that Law Enforcement has an open license. A rule-based system is predicated on everybody knowing what the rules are, a priori, and then going from there. The vague and open-ended drafting of the Bill allows Law Enforcement ample scope to make it up as they go (to the point, illegally obtained evidence would still be admissible).</div><div><br></div><div>Kind regards</div><div><br></div><div>Paul Wilkins<br></div><div><br></div><div><br></div><div> </div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, 28 Nov 2018 at 12:05, Paul Brooks <<a href="mailto:pbrooks-ausnog@layer10.com.au">pbrooks-ausnog@layer10.com.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_-3221766886054595876moz-cite-prefix">On 28/11/2018 10:27 am, Paul Wilkins
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
<div><br>
</div>
<div>I do think (and it's not a generally popular
position) that the internet does need to, and is
going to be, regulated. This doesn't however justify
measures that are unnecessarily invasive of
citizens' rights, such as right to privacy and the
right of service providers to manage their own
affairs. I support the need for law enforcement to
                        have powers to pursue terrorists and serious crime
in the context of increasing use of encryption, but
this isn't that bill.</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<p>Apart from 'the rights of service providers to manage their own
affairs', this is spot on. ('right of service providers to manage
their own affairs' has never been a thing, service providers have
always been subject to regulation and external management, and the
recent ACCC, ACMA and TIO crack-downs on RSPs in the name of
improving end-customer experience is more of this - much as the
      current Banking Royal Commission has come from boards and
executives thinking there was 'rights of banks to manage their own
affairs' to the detriment of banking customers - but this is a
digression)</p>
<p>Worth looking through the most recent Paris Call for Trust and
Security in Cyberspace released at the IGF held earlier this
month.<br>
</p>
<p><a class="m_-3221766886054595876moz-txt-link-freetext" href="https://www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in" target="_blank">https://www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in</a><br>
</p>
<p><a class="m_-3221766886054595876moz-txt-link-freetext" href="https://www.diplomatie.gouv.fr/IMG/pdf/paris_call_text_-_en_cle06f918.pdf" target="_blank">https://www.diplomatie.gouv.fr/IMG/pdf/paris_call_text_-_en_cle06f918.pdf</a></p>
<p>and some words from Andrew Sullivan, President of the Internet
Society on the same topic:</p>
<p><a class="m_-3221766886054595876moz-txt-link-freetext" href="https://www.internetsociety.org/blog/2018/11/we-wont-save-the-internet-by-breaking-it/" target="_blank">https://www.internetsociety.org/blog/2018/11/we-wont-save-the-internet-by-breaking-it/</a></p>
<p>
<blockquote type="cite">"It is, of course, true that governments
should protect their citizens, and that they are the only ones
in a position to offer such protections. It does not follow that
every protective measure a government tries is one that will
work. Some of them may even do harm.</blockquote>
<br>
</p>
<p>.....</p>
<p>
<blockquote type="cite">None of this, of course, means that every
regulation that could possibly touch something connected to the
Internet is automatically wrong. Many services that we use on
the Internet (virtually every social media service, for
instance) are closed systems that really operate <em>on top of</em>
the Internet. It is possible that effective social responses to
some of the challenges arising from those systems can be
addressed in part through appropriate regulatory frameworks. But
hasty action, unilateral movement, and attempts to legislate
values along national lines are as likely to break the Internet
as they are to address social issues arising from Internet use.</blockquote>
<br>
</p>
<p>There is absolutely a place for national regulation of Internet
activities - nobody can expect the government to take a hands-off
approach. We have that now at the most fundamental level in the
way that IP addresses and domain names, as forms of electronic
addressing, are ultimately conducted under the authority of DOCA,
devolved to be operated by APNIC and auDA respectively under
license.</p>
<p>Similarly, governments will seek to regulate the things that
people do on top of the Internet, to protect the people say from
online bullying, posting revenge-porn photos, anti-SPAM measures -
much as they do for telephone services, such as the DoNotCall
Register. To expect otherwise is unrealistic. Some of it is
actually good to have.<br>
</p>
<p>The important thing is that this community helps the government
get the regulation, and level of regulation right - including of
course pointing out how and where they're getting it wrong, as in
this Bill, or when they try to propose a technology solution to a
social behaviour problem.</p>
<p>Paul.<br>
</p>
<p><br>
</p>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div> This Bill represents gross overreach, and has
grave deficiencies in its drafting across governance
and accountability for the use of police powers,
beyond the adverse economic impacts for Australia
consequent to undermining security. I'm fairly
certain too at some point it will be argued the
vague drafting grants law enforcement a <a href="https://www.aph.gov.au/DocumentStore.ashx?id=7dec86a0-3a58-4d53-b0b4-6df5c918335e&subId=660759" target="_blank">mandate to gather carrier
metadata</a> and establish mass surveillance.</div>
<div><br>
</div>
<div>The Bill should be set aside, but I fear the
PJCIS will try to stitch together some sort of
compromise leaving Australians with very diminished
citizen rights compared to Europe.<br>
</div>
<div><br>
</div>
<div>Kind regards</div>
<div><br>
</div>
<div>Paul Wilkins<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, 28 Nov 2018 at 08:56, Mark Newton <<a href="mailto:newton@atdot.dotat.org" target="_blank">newton@atdot.dotat.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space">Their
real target is the same as it was in the 2008-2010
censorware fight:
<div><br>
</div>
<div>They want to make it clear that this is not territory
which is unregulated; that they can and will interfere
with it if and when it suits them.</div>
<div><br>
</div>
<div>I doubt they even know how and when that interference
will happen at this stage. But that isn’t important. It’s
all about the agencies sticking their thumb onto an
industry segment and saying, “We’re in charge of this.”</div>
<div><br>
</div>
<div> - mark</div>
<div><br>
</div>
<div><br>
<div><br>
<blockquote type="cite">
<div>On 28 Nov 2018, at 8:25 AM, Robert Hudson <<a href="mailto:hudrob@gmail.com" target="_blank">hudrob@gmail.com</a>>
wrote:</div>
<br class="m_-3221766886054595876m_7064625225789057233Apple-interchange-newline">
<div>
<div dir="ltr"><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, 27 Nov 2018 at 16:04,
Mark Newton <<a href="mailto:newton@atdot.dotat.org" target="_blank">newton@atdot.dotat.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space"><br>
<div>On Nov 23, 2018, at 4:46 PM, Robert
Hudson <<a href="mailto:hudrob@gmail.com" target="_blank">hudrob@gmail.com</a>>
wrote:<br>
<blockquote type="cite"><br>
<div>
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">On Fri, 23 Nov 2018
at 14:47, Paul Brooks <<a href="mailto:pbrooks-ausnog@layer10.com.au" target="_blank">pbrooks-ausnog@layer10.com.au</a>>
wrote:</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
In theory no - this bill doesn't
weaken encryption, and
explicitly doesn't allow any<br>
changes that would weaken
encryption.<br>
</blockquote>
<div><br>
</div>
<div>They say that - but I don't
believe them. I don't think
they even understand what
they're suggesting (or if they
do understand, they're relying
on others not understanding, or
not caring). </div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</div>
<div>I think it’s dangerous to assume they
don’t know what they’re asking for.</div>
</div>
</blockquote>
<div><br>
</div>
<div>To clarify - I was speaking of the
politicians. </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space">
<div><br>
</div>
<div>MPs probably don’t know, that’s true.
But they aren’t the source of these Bills:
No has ever climbed out of bed in the
morning and thought, “Y’know what ASD
needs? Unencrypted access to SnapChat.
Let’s make it happen.”</div>
</div>
</blockquote>
<div><br>
</div>
<div>I agree entirely. </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space">
<div><br>
</div>
<div>MPs also aren’t in charge. PJCIS
reliably decides whatever the bloody-hell
ASIO and ASD want them to decide. The
belief that there are a bunch of
level-headed independent-minded
politicians <i>making decisions</i> is
crazy, there’s never been any evidence
that that’s true.</div>
</div>
</blockquote>
<div><br>
</div>
<div>I think you may have missed highlighting
the ludicrous notion of <i>level-headed
independent-minded politicians</i>. I'd put
a smiley there, but the current state of our
political leadership (if one could call it
that) is so abysmal that it's no laughing
matter.</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space">
<div><br>
</div>
<div>These Bills are drafted by the
intelligence agencies themselves, and they
know precisely what they’re demanding,
they know precisely what the flow-on
effects will be, and they’ve judged that
for their own purposes, the cost/benefit
analysis works in their favor.</div>
</div>
</blockquote>
<div><br>
</div>
<div>This is the bit that I don't get.</div>
<div><br>
</div>
<div>They *must* know the effective outcomes of
the TAN/TCN/TAR activities is to introduce
systemic weakness in the encryption processes
they touch. The attack vectors against
encryption (be it data at rest or data in
flight) are so narrow (given that they're
asking for this, we can, I believe, safely
assume that they're not able to brute force
things at this stage) as to effectively mean
"a way to retrieve the keys" or "a back door"
- both processes, once established,
immediately introduce exactly the kind of
weaknesses the proposed bill supposedly
protects against (noting the incredibly low
standard of proof that needs to be produced
here).</div>
<div><br>
</div>
<div>And even when they manage to convince
Apple, Google, Samsung, etc to hand over
unlock keys to phones, and convince Facebook
et al to either introduce back doors or
back-channels into their messaging apps (they
must know the folly of asking a carrier to do
anything with an encrypted bit-stream - maybe
the focus on carriers is to try to get them to
inject unlock code into the bloatware they
load on phones), they *must* know that they
simply won't magically gain access to
communications between criminals (by whatever
measure you define criminal, be it terrorist,
paedophile, organised crime, etc - anyone who
is rightfully the focus of legitimate
law-enforcement activity) because any of them
with the ability to tie their own shoes will
immediately switch to communications processes
and systems that are not subject to this bill.</div>
<div><br>
</div>
<div>The net result of this bill, like previous
thought bubbles as the Internet paedophile
filter ("oh noes, Australians can't consume
child porn any more, oh well, we'd best wind
up our little industry now, without the tiny
market that is Australia, we're clearly no
longer viable"), will be to send the real
criminals, the ones smart enough to do real
damage, deeper into the places they're hard to
find - they will just be driven further
underground, with no material impact on their
ability to carry out their goals.</div>
<div><br>
</div>
                          <div>So, what benefit do the intelligence
agencies get? The power to track terrorists
not capable of finding the safety switch on an
AK-47? We seem to be able to do that already,
so I'm not sure that's something we can accuse
them of wanting. Do they want to spy on
law-abiding citizens (which is contrary to the
scope of their operational focus for some of
them) - Is this their real target?</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space">
<div><br>
</div>
<div>The possibility that the cost/benefit
analysis works against other people is
also well understood, but they choose to
not distract the argument by engaging on
that point. Bring it up as much as you
like, they just ignore it and talk past
it.</div>
<div><br>
</div>
<div>For the last decade, there have been
arguments about this stuff that have been
based on the belief that the Government is
too dumb to know what it’s asking for, and
that reason will prevail if we just
explain it to them with the facts.</div>
<div><br>
</div>
<div>In case nobody’s noticed, that approach
hasn’t worked, and there’s no indication
that it will ever work.</div>
</div>
</blockquote>
<div><br>
</div>
<div>I only carry this point because I believe
it helps to highlight what the REAL desired
end-state may be. Because of the technical
detail, this won't help to catch competent
criminals. It won't help to catch incompetent
ones either (because they largely already give
themselves up through stupidity and shithouse
OpSec). So who is left as the target?</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space">
<div><br>
</div>
<div>This community has spent years wasting
its time by communicating facts to them
that they already know, and don’t care
about.</div>
</div>
</blockquote>
<div><br>
</div>
<div>I still don't think the politicians really
get it - but I do take the point that faced
with taking advice from the departments they
preside over, or the public and/or industry
associations, when there's simply no negative
to ignoring the latter groups, means that
we're not going to get listened to.</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space">
<div><br>
</div>
<div>They also don’t care about compromises:
If you give them 50% of what they want,
they’ll come back 18 months later and
demand the other 50%. That’s how they’ve
always worked (cf: data retention: The AA
Bill is the grab bag of stuff the A-G
couldn’t ask for last time. And if they
don’t get it all this time, they’ll be
back in 2021 for the next tranche)</div>
</div>
</blockquote>
<div><br>
</div>
<div>I totally agree with this. What the
agencies don't get now, they'll simply play
the long game and get later.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space">
<div><br>
</div>
<div>Victory on these matters will never be
won by having an argument based on the
assumption that they need experts to
explain facts and technology to them. The
only way victory will be achieved is
politically: There needs to be blowback,
asking for more will need to cause them
pain before they’ll stop.</div>
</div>
</blockquote>
<div><br>
</div>
<div>So, this needs to become an election issue
- it's the only thing the politicians
understand. We either need to convince the
opposition or the (ever growing) cross-bench
that not only will supporting this legislation
lead to them not receiving votes in the next
election, or that, more specifically, opposing
                            it will result in more votes (offer the
carrot, rather than the stick?). And make
them realise that changing their mind later
will result in us changing our minds.</div>
<div><br>
</div>
<div>Or we form a political party (or we
directly infiltrate an existing one) and push
a very specific agenda against this sort of
thing.</div>
<div><br>
</div>
<div>By all accounts, we have until May 2019.</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space">
<div><br>
</div>
<div> - mark</div>
<div><br>
</div>
<div><br>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote>
</div>
<br>
</blockquote>
<p><br>
</p>
</div>
</blockquote></div>