<div dir="ltr"><div>Paul,</div><div>Yes and no. 'The rights of service providers to manage their own
      affairs' should be subject to the rule of law. With the important qualification that per the Dec'n Human Rights, any intrusion by the state of private property (both a service provider's code base and data centres are private property) must be necessary, proportionate, and subject to the rule of law. Service providers have a right to insist that any intrusion is specific, non arbitrary, and for due process, should not be subject to determination by Law Enforcement, but should be a question for, and appealable to, the judiciary. Service providers (and 3rd parties) should be adequately compensated for any damage done to their interests because of Law Enforcement malfeasance or misfeasance.<br></div><div><br></div><div>Much of what's considered legitimate activities in the Bill is subject to arbitrary interpretation by Law Enforcement, or sufficiently vague that Law Enforcement has an open license. A rule based system is predicated on everybody knowing what the rules are, a priori, and then going from there. The vague and open ended drafting of the Bill allows Law Enforcement ample scope to make it up as they go (to the point, illegally obtained evidence would still be admissable).</div><div><br></div><div>Kind regards</div><div><br></div><div>Paul Wilkins<br></div><div><br></div><div><br></div><div> </div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, 28 Nov 2018 at 12:05, Paul Brooks <<a href="mailto:pbrooks-ausnog@layer10.com.au">pbrooks-ausnog@layer10.com.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div class="m_-3221766886054595876moz-cite-prefix">On 28/11/2018 10:27 am, Paul Wilkins
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">
            <div dir="ltr">
              <div dir="ltr">
                <div dir="ltr"><br>
                  <div><br>
                  </div>
                  <div>I do think (and it's not a generally popular
                    position) that the internet does need to, and is
                    going to be, regulated. This doesn't however justify
                    measures that are unnecessarily invasive of
                    citizens' rights, such as right to privacy and the
                    right of service providers to manage their own
                    affairs. I support the need for law enforcement to
                    have powers to pursue terrrorists and serious crime
                    in the context of increasing use of encryption, but
                    this isn't that bill.</div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <p>Apart from 'the rights of service providers to manage their own
      affairs', this is spot on. ('right of service providers to manage
      their own affairs' has never been a thing, service providers have
      always been subject to regulation and external management, and the
      recent ACCC, ACMA and TIO crack-downs on RSPs in the name of
      improving end-customer experience is more of this - much as the
      current Banking Royal Commission has came from boards and
      executives thinking there was 'rights of banks to manage their own
      affairs' to the detriment of banking customers - but this is a
      digression)</p>
    <p>Worth looking through the most recent Paris Call for Trust and
      Security in Cyberspace released at the IGF held earlier this
      month.<br>
    </p>
    <p><a class="m_-3221766886054595876moz-txt-link-freetext" href="https://www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in" target="_blank">https://www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in</a><br>
    </p>
    <p><a class="m_-3221766886054595876moz-txt-link-freetext" href="https://www.diplomatie.gouv.fr/IMG/pdf/paris_call_text_-_en_cle06f918.pdf" target="_blank">https://www.diplomatie.gouv.fr/IMG/pdf/paris_call_text_-_en_cle06f918.pdf</a></p>
    <p>and some words from Andrew Sullivan, President of the Internet
      Society on the same topic:</p>
    <p><a class="m_-3221766886054595876moz-txt-link-freetext" href="https://www.internetsociety.org/blog/2018/11/we-wont-save-the-internet-by-breaking-it/" target="_blank">https://www.internetsociety.org/blog/2018/11/we-wont-save-the-internet-by-breaking-it/</a></p>
    <p>
      <blockquote type="cite">"It is, of course, true that governments
        should protect their citizens, and that they are the only ones
        in a position to offer such protections. It does not follow that
        every protective measure a government tries is one that will
        work. Some of them may even do harm.</blockquote>
      <br>
    </p>
    <p>.....</p>
    <p>
      <blockquote type="cite">None of this, of course, means that every
        regulation that could possibly touch something connected to the
        Internet is automatically wrong. Many services that we use on
        the Internet (virtually every social media service, for
        instance) are closed systems that really operate <em>on top of</em>
        the Internet. It is possible that effective social responses to
        some of the challenges arising from those systems can be
        addressed in part through appropriate regulatory frameworks. But
        hasty action, unilateral movement, and attempts to legislate
        values along national lines are as likely to break the Internet
        as they are to address social issues arising from Internet use.</blockquote>
      <br>
    </p>
    <p>There is absolutely a place for national regulation of Internet
      activities - nobody can expect the government to take a hands-off
      approach. We have that now at the most fundamental level in the
      way that IP addresses and domain names, as forms of electronic
      addressing, are ultimately conducted under the authority of DOCA,
      devolved to be operated by APNIC and auDA respectively under
      license.</p>
    <p>Similarly, governments will seek to regulate the things that
      people do on top of the Internet, to protect the people say from
      online bullying, posting revenge-porn photos, anti-SPAM measures -
      much as they do for telephone services, such as the DoNotCall
      Register. To expect otherwise is unrealistic. Some of it is
      actually good to have.<br>
    </p>
    <p>The important thing is that this community helps the government
      get the regulation, and level of regulation right - including of
      course pointing out how and where they're getting it wrong, as in
      this Bill, or when they try to propose a technology solution to a
      social behaviour problem.</p>
    <p>Paul.<br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <blockquote type="cite">
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">
            <div dir="ltr">
              <div dir="ltr">
                <div dir="ltr">
                  <div> This Bill represents gross overreach, and has
                    grave deficiencies in its drafting across governance
                    and accountability for the use of police powers,
                    beyond the adverse economic impacts for Australia
                    consequent to undermining security. I'm fairly
                    certain too at some point it will be argued the
                    vague drafting grants law enforcement a <a href="https://www.aph.gov.au/DocumentStore.ashx?id=7dec86a0-3a58-4d53-b0b4-6df5c918335e&subId=660759" target="_blank">mandate to gather carrier
                      metadata</a> and establish mass surveillance.</div>
                  <div><br>
                  </div>
                  <div>The Bill should be set aside, but I fear the
                    PJCIS will try to stitch together some sort of
                    compromise leaving Australians with very diminished
                    citizen rights compared to Europe.<br>
                  </div>
                  <div><br>
                  </div>
                  <div>Kind regards</div>
                  <div><br>
                  </div>
                  <div>Paul Wilkins<br>
                  </div>
                  <div><br>
                  </div>
                  <div><br>
                  </div>
                  <div><br>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Wed, 28 Nov 2018 at 08:56, Mark Newton <<a href="mailto:newton@atdot.dotat.org" target="_blank">newton@atdot.dotat.org</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div style="word-wrap:break-word;line-break:after-white-space">Their
            real target is the same as it was in the 2008-2010
            censorware fight:
            <div><br>
            </div>
            <div>They want to make it clear that this is not territory
              which is unregulated; that they can and will interfere
              with it if and when it suits them.</div>
            <div><br>
            </div>
            <div>I doubt they even know how and when that interference
              will happen at this stage. But that isn’t important. It’s
              all about the agencies sticking their thumb onto an
              industry segment and saying, “We’re in charge of this.”</div>
            <div><br>
            </div>
            <div>   - mark</div>
            <div><br>
            </div>
            <div><br>
              <div><br>
                <blockquote type="cite">
                  <div>On 28 Nov 2018, at 8:25 AM, Robert Hudson <<a href="mailto:hudrob@gmail.com" target="_blank">hudrob@gmail.com</a>>
                    wrote:</div>
                  <br class="m_-3221766886054595876m_7064625225789057233Apple-interchange-newline">
                  <div>
                    <div dir="ltr"><br>
                      <br>
                      <div class="gmail_quote">
                        <div dir="ltr">On Tue, 27 Nov 2018 at 16:04,
                          Mark Newton <<a href="mailto:newton@atdot.dotat.org" target="_blank">newton@atdot.dotat.org</a>>
                          wrote:<br>
                        </div>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div style="word-wrap:break-word;line-break:after-white-space"><br>
                            <div>On Nov 23, 2018, at 4:46 PM, Robert
                              Hudson <<a href="mailto:hudrob@gmail.com" target="_blank">hudrob@gmail.com</a>>
                              wrote:<br>
                              <blockquote type="cite"><br>
                                <div>
                                  <div dir="ltr">
                                    <div class="gmail_quote">
                                      <div dir="ltr">On Fri, 23 Nov 2018
                                        at 14:47, Paul Brooks <<a href="mailto:pbrooks-ausnog@layer10.com.au" target="_blank">pbrooks-ausnog@layer10.com.au</a>>
                                        wrote:</div>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                        In theory no - this bill doesn't
                                        weaken encryption, and
                                        explicitly doesn't allow any<br>
                                        changes that would weaken
                                        encryption.<br>
                                      </blockquote>
                                      <div><br>
                                      </div>
                                      <div>They say that - but I don't
                                        believe them.  I don't think
                                        they even understand what
                                        they're suggesting (or if they
                                        do understand, they're relying
                                        on others not understanding, or
                                        not caring). </div>
                                    </div>
                                  </div>
                                </div>
                              </blockquote>
                              <div><br>
                              </div>
                            </div>
                            <div>I think it’s dangerous to assume they
                              don’t know what they’re asking for.</div>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>To clarify - I was speaking of the
                          politicians. </div>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div style="word-wrap:break-word;line-break:after-white-space">
                            <div><br>
                            </div>
                            <div>MPs probably don’t know, that’s true.
                              But they aren’t the source of these Bills:
                              No has ever climbed out of bed in the
                              morning and thought, “Y’know what ASD
                              needs? Unencrypted access to SnapChat.
                              Let’s make it happen.”</div>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>I agree entirely. </div>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div style="word-wrap:break-word;line-break:after-white-space">
                            <div><br>
                            </div>
                            <div>MPs also aren’t in charge. PJCIS
                              reliably decides whatever the bloody-hell
                              ASIO and ASD want them to decide. The
                              belief that there are a bunch of
                              level-headed independent-minded
                              politicians <i>making decisions</i> is
                              crazy, there’s never been any evidence
                              that that’s true.</div>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>I think you may have missed highlighting
                          the ludicrous notion of <i>level-headed
                            independent-minded politicians</i>.  I'd put
                          a smiley there, but the current state of our
                          political leadership (if one could call it
                          that) is so abysmal that it's no laughing
                          matter.</div>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div style="word-wrap:break-word;line-break:after-white-space">
                            <div><br>
                            </div>
                            <div>These Bills are drafted by the
                              intelligence agencies themselves, and they
                              know precisely what they’re demanding,
                              they know precisely what the flow-on
                              effects will be, and they’ve judged that
                              for their own purposes, the cost/benefit
                              analysis works in their favor.</div>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>This is the bit that I don't get.</div>
                        <div><br>
                        </div>
                        <div>They *must* know the effective outcomes of
                          the TAN/TCN/TAR activities is to introduce
                          systemic weakness in the encryption processes
                          they touch.  The attack vectors against
                          encryption (be it data at rest or data in
                          flight) are so narrow (given that they're
                          asking for this, we can, I believe, safely
                          assume that they're not able to brute force
                          things at this stage) as to effectively mean
                          "a way to retrieve the keys" or "a back door"
                          - both processes, once established,
                          immediately introduce exactly the kind of
                          weaknesses the proposed bill supposedly
                          protects against (noting the incredibly low
                          standard of proof that needs to be produced
                          here).</div>
                        <div><br>
                        </div>
                        <div>And even when they manage to convince
                          Apple, Google, Samsung, etc to hand over
                          unlock keys to phones, and convince Facebook
                          et al to either introduce back doors or
                          back-channels into their messaging apps (they
                          must know the folly of asking a carrier to do
                          anything with an encrypted bit-stream - maybe
                          the focus on carriers is to try to get them to
                          inject unlock code into the bloatware they
                          load on phones), they *must* know that they
                          simply won't magically gain access to
                          communications between criminals (by whatever
                          measure you define criminal, be it terrorist,
                          paedophile, organised crime, etc - anyone who
                          is rightfully the focus of legitimate
                          law-enforcement activity) because any of them
                          with the ability to tie their own shoes will
                          immediately switch to communications processes
                          and systems that are not subject to this bill.</div>
                        <div><br>
                        </div>
                        <div>The net result of this bill, like previous
                          thought bubbles as the Internet paedophile
                          filter ("oh noes, Australians can't consume
                          child porn any more, oh well, we'd best wind
                          up our little industry now, without the tiny
                          market that is Australia, we're clearly no
                          longer viable"), will be to send the real
                          criminals, the ones smart enough to do real
                          damage, deeper into the places they're hard to
                          find - they will just be driven further
                          underground, with no material impact on their
                          ability to carry out their goals.</div>
                        <div><br>
                        </div>
                        <div>So, what benefit to the intelligence
                          agencies get?  The power to track terrorists
                          not capable of finding the safety switch on an
                          AK-47?  We seem to be able to do that already,
                          so I'm not sure that's something we can accuse
                          them of wanting.  Do they want to spy on
                          law-abiding citizens (which is contrary to the
                          scope of their operational focus for some of
                          them) - Is this their real target?</div>
                        <div><br>
                        </div>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div style="word-wrap:break-word;line-break:after-white-space">
                            <div><br>
                            </div>
                            <div>The possibility that the cost/benefit
                              analysis works against other people is
                              also well understood, but they choose to
                              not distract the argument by engaging on
                              that point. Bring it up as much as you
                              like, they just ignore it and talk past
                              it.</div>
                            <div><br>
                            </div>
                            <div>For the last decade, there have been
                              arguments about this stuff that have been
                              based on the belief that the Government is
                              too dumb to know what it’s asking for, and
                              that reason will prevail if we just
                              explain it to them with the facts.</div>
                            <div><br>
                            </div>
                            <div>In case nobody’s noticed, that approach
                              hasn’t worked, and there’s no indication
                              that it will ever work.</div>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>I only carry this point because I believe
                          it helps to highlight what the REAL desired
                          end-state may be.  Because of the technical
                          detail, this won't help to catch competent
                          criminals.  It won't help to catch incompetent
                          ones either (because they largely already give
                          themselves up through stupidity and shithouse
                          OpSec).  So who is left as the target?</div>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div style="word-wrap:break-word;line-break:after-white-space">
                            <div><br>
                            </div>
                            <div>This community has spent years wasting
                              its time by communicating facts to them
                              that they already know, and don’t care
                              about.</div>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>I still don't think the politicians really
                          get it - but I do take the point that faced
                          with taking advice from the departments they
                          preside over, or the public and/or industry
                          associations, when there's simply no negative
                          to ignoring the latter groups, means that
                          we're not going to get listened to.</div>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div style="word-wrap:break-word;line-break:after-white-space">
                            <div><br>
                            </div>
                            <div>They also don’t care about compromises:
                              If you give them 50% of what they want,
                              they’ll come back 18 months later and
                              demand the other 50%. That’s how they’ve
                              always worked (cf: data retention: The AA
                              Bill is the grab bag of stuff the A-G
                              couldn’t ask for last time. And if they
                              don’t get it all this time, they’ll be
                              back in 2021 for the next tranche)</div>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>I totally agree with this.  What the
                          agencies don't get now, they'll simply play
                          the long game and get later.</div>
                        <div> </div>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div style="word-wrap:break-word;line-break:after-white-space">
                            <div><br>
                            </div>
                            <div>Victory on these matters will never be
                              won by having an argument based on the
                              assumption that they need experts to
                              explain facts and technology to them. The
                              only way victory will be achieved is
                              politically: There needs to be blowback,
                              asking for more will need to cause them
                              pain before they’ll stop.</div>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>So, this needs to become an election issue
                          - it's the only thing the politicians
                          understand.  We either need to convince the
                          opposition or the (ever growing) cross-bench
                          that not only will supporting this legislation
                          lead to them not receiving votes in the next
                          election, or that, more specifically, opposing
                          it will result in more vaults (offer the
                          carrot, rather than the stick?).  And make
                          them realise that changing their mind later
                          will result in us changing our minds.</div>
                        <div><br>
                        </div>
                        <div>Or we form a political party (or we
                          directly infiltrate an existing one) and push
                          a very specific agenda against this sort of
                          thing.</div>
                        <div><br>
                        </div>
                        <div>By all accounts, we have until May 2019.</div>
                        <div><br>
                        </div>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div style="word-wrap:break-word;line-break:after-white-space">
                            <div><br>
                            </div>
                            <div>  - mark</div>
                            <div><br>
                            </div>
                            <div><br>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
              <br>
            </div>
          </div>
          _______________________________________________<br>
          AusNOG mailing list<br>
          <a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
          <a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
        </blockquote>
      </div>
      <br>
      <fieldset class="m_-3221766886054595876mimeAttachmentHeader"></fieldset>
      <pre class="m_-3221766886054595876moz-quote-pre">_______________________________________________
AusNOG mailing list
<a class="m_-3221766886054595876moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a class="m_-3221766886054595876moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
    </blockquote>
    <p><br>
    </p>
  </div>

_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div>