<div dir="ltr"><div dir="ltr">The original 172 page Bill was so obviously deficient in so many areas, it was easier to just say the Bill should be thrown out in its entirety and start over. Now, post 50 pages of amendments, there's still plenty of scope for serious criticism, and the debate around getting the balance right between citizens rights, and the right of the State to extend judicial writ to cyberspace will continue, but this is in every way a very much improved Bill over the original. <br><br>I don't see on any of the grounds of criticism of the original Bill, the amendments have gone as far as they need to, but on all the metrics that matter this new Bill represents an honest attempt to accommodate issues of privacy, accountability, and the need to maintain security and protect service provider property rights against unnecessary or disproportionate intrusion by Law Enforcement, and balance those against the legitimate interests of the State to enforce the rule of law in cyberspace. <br><br>From the definitions of systemic vulnerability and systemic weakness it would seem to put it beyond question that back doors can only be deployed against target devices, not deployed en masse. That said, there needs to be a control plane function that allows access to the target device that wasn't there before, which still constitutes a potential weakness/vulnerability.<br><br><div style="margin-left:40px">"systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified."<br></div><br>There's still obvious gaps around the powers and accountabilities of state police.<br><br>I have to say it looks dangerously like a sensible working position from which to move forward from, while ensuring security services get the powers they say they have an immediate need for.<br><br>Kind regards<br><br>Paul Wilkins<br><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 6 Dec 2018 at 13:48, Mark Newton <<a href="mailto:newton@atdot.dotat.org">newton@atdot.dotat.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
On 12/05/2018 11:48 AM, Paul Wilkins wrote:<br>
> "If this passes I can see similar legislation being introduced in <br>
> other jurisdictions."<br>
><br>
> I think this legislation and all its warts is going to be a <br>
> particularly Australian feature.<br>
<br>
Exported globally, though.<br>
<br>
A 5-eyes power who wants to surveil someone can come to Australia, get <br>
ASIO or ASD to land a TCN on the target's platform provider, and pass on <br>
the result.<br>
<br>
Example:<br>
<br>
CIA wants something from an iPhone user. They can't get it themselves. <br>
So they take the iPhone user's IMEI to ASD and ask for 5-eyes assistance.<br>
<br>
ASD screams "terrorist!" in a TCN sent to Apple, which demands <br>
production of a compromised version of iOS which keylogs and screenshots <br>
any encrypted messaging apps which happen to run, and pushed as a silent <br>
upgrade to that user's phone.<br>
<br>
Results flow from Apple to ASD, and ASD passes them back to the CIA.<br>
<br>
There is no need for any other 5-eyes nation to pass this law now that <br>
Australia has it. It's provided 5-eyes with a global capability.<br>
<br>
- mark<br>
<br>
<br>
</blockquote></div>