<div dir="ltr"><div dir="ltr"><div dir="ltr">When I go through my list of concerns with the Bill, I'm gratified to see where the amendments tend to ameliorate original concerns, but without going so far as the concerns no longer exist.<br><br>A series of open questions to consider in assessing Bill</div><div dir="ltr"><br></div><div dir="ltr"><b>1 - Why is there no judicial oversite of these sweeping police powers?</b><br><br>Now a TAN needs approval by the AFP. Also, the decision of the AFP is subject to judicial appeal.<br><br>TCN now needs approval by both AG and Minister for Comms. Also service providers can appeal to a panel of a tech expert and a retired judge, who assess necessity and proportionality.<br><br>However, for citizens or journalists who are the subject of TANs, there is no appeal. This includes journalists, while they found the time to make an exception for parliamentary privilege. There's still a public interest argument that government documents be leaked into the public domain if it's in the public interest.<br><br><b>2 - Scope of powers go beyond terrorism and serious crime when it's not supposed to.</b><br><br>The amendments set the bar at 3 years. This seems low, for terrorism and serious crimes offences. While 3 years ensures cyber stalking clears the bar.<br><br>The problem is that there should be a different test and different powers for intelligence/security services and the state police. It'd be ok to have the bar at 3 years for police Legal Intercept, while restricting the more extensive "do anything" powers to ASIO/AFP, but with a higher bar, that limits their application to terrorism/serious crime offences, say 20 years to life.<br><br><b>3 - It supports the establishment of the machinery of mass surveillance when it's not supposed to.</b><br><br>Not so easy now to claim that access to metadata streams is necessary, as you don't have a police task force signing off on the TAN. You need also to have the AFP concur. Which is not to say it's still not a situation that could arise.<br><br><b>4 - It weakens the Internet's security, when it's not supposed to.</b><br><br>The limiting of systemic vulnerability to targeting of specific devices is obviously a very significant reduction in the scope of the original Bill.<br><br>This is obviously going to need further debate. On the one hand, you have 5 Eyes saying they need to be able to be able to enter target devices. On the other hand, you have IAB, saying any and all EA mechanisms weaken the internet's security and user confidence.<br><br>I think where the current Bill can still be tightened, is removing such security weaknesses as are unnecessary. Eg: state police need only legal intercept, not EA.<br><br>The Act still allows a dozen different agencies access to warrant data and confidential service provider details, which can leak from any of those dozen agencies.<br><br><b>5 - Why are there no limits to ensure issue of TCNs/TANs/TARs are necessary and proportionate to the human right to privacy, unrevokeable per the Declaration of Human Rights.</b><br><br>There are now specific provisions for necessity and proportionality. Though the standard lies with the decision maker, which is not a standard subject to judicial review.<br><br><b>6 - Why the deliberate exclusion/incompatibility of the provisions of the Privacy Act 1988?</b><br><br>Obviously the privacy NGOs are better qualified to pursue this continuing debate. There are protections under the amendments for intrusion to privacy to be necessary and proportionate.<br><br><b>7 - Why are there no limits to ensure issue of TCNs/TANs/TARs are necessary and proportionate to service providers rights to private property, unrevokeable per the Declaration of Human Rights?</b><br><br>There are new provisions that TCNs/TANs/TARs take the interests of service providers into consideration. Again the standard lies with the decision maker, which is not a standard subject to judicial review.<br><br><b>8 - When Police Powers lie with the States, what constitutional head of power supports the Bill's scope, without enabling legislation from the States conferring power? The Constitution confers national security powers, but the scope of the Bill's police powers exceeds this remit.</b><br><br>Oversite of state police is something that needs further looking at.<br><br><b>9 - Why has the Bill overlooked the obvious alternative of powers spread across a dozen Law Enforcement Agencies, which is to centralise in one single agency, providing for greater data security, governance, efficiency, and accountability?</b><br><br>The amendments pose the Minister of Comms as responsible for liaising TCNs with industry.<br><br><b>10 - Why the lack of provisions for accountability for the exercise of police powers, and checks and balances commensurate to the reach of sweeping police powers, quite incompatible with the democratic institutions and traditions of Liberal Democracy?</b><br><br>Still a concern, but in view of the great reduction in intrusiveness due to the amendments, not such a concern as previously.<br><br><b>11 - Why the deliberately curtailed public consultation process and attempt to ambush both the public and government with this Bill by Dep't Home Affairs, and representations of public and industry consultations as being timely and adequate, incompatible with the facts on the public record and the express concerns of the public, human rights groups, and industry?</b><br><br>I assume debate will now continue for the PJCIS to complete its work in April 2019, though I can't see where this is made explicit in the Act.<br><br><b>12 - Why the absence of recompense for injury to reputation or to service providers' business, or other injury consequent to police malfeasance or misfeasance? The Bill's protections are not comprehensive, and where they make provision, go only as far as to establish lack of liability for unlawful disclosures.</b><br><br>There have been amendments, but still don't go far enough to recompense those injured by ill considered or ill executed State intervention.<br><br><b>13 - Why has the government of the day referred this deeply flawed Bill to the PJCIS, PJCHR, and the SSCSB, for review wasting public time and money, rather than sending it back to Dep't Home Affairs for a complete overhaul of it's scope and objectives?</b><br><br>Mostly because of Dep't Home Affairs intransigence, and of course, the only reason we've been fortunate to have the Bill amended at all, let's not forget, is due to the Liberals losing control of the Reps.<br><br><br>Kind regards<br><br>Paul Wilkins<br><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 6 Dec 2018 at 18:13, Paul Wilkins <<a href="mailto:paulwilkins369@gmail.com">paulwilkins369@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div style="margin-left:40px">"If "there is a need for these powers over the Christmas period,"
then that ship has sailed. Too late, they needed to pass it in
September."</div><div><br></div><div>Apparently change freezes also apply to national security :)<br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 6 Dec 2018 at 17:33, Paul Wilkins <<a href="mailto:paulwilkins369@gmail.com" target="_blank">paulwilkins369@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Just checked, and cyber stalking qualifies as it has 3 year max sentence.<br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 6 Dec 2018 at 17:21, Paul Wilkins <<a href="mailto:paulwilkins369@gmail.com" target="_blank">paulwilkins369@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>To get a TAN approved, you'll need:</div><ul><li>to be an interception agency</li><li>to have your TAN approved by the AFP</li><li>the investigation must attach a 3 year sentence</li><li>there <i>may </i>need to also be a data / computer warrant. Then again there may not.<br></li></ul></div><div>So no TANs for councils.</div><div><br></div><div>TARs I'm not sure. There's amendments to bring them into line with TANs but I'd be guessing if their approval is 100% contiguous to TANs.<br></div><div><br></div><div>Labor wanted to remove both ICACS and the state police, because when you look at it, there is no Ombudsman oversite of powers exercised by states under the Telecommunications Act. So it is a surprise to see state police still will get TANs/TARs under the revised Bill, but they will need AFP approval, which is definite improvement.<br></div><div><br></div><div>I can see a need for state police to have Legal Intercept powers, but no reason it should go as far as the right to modify data.<br></div><div><br></div><div>Kind regards</div><div><br></div><div>Paul Wilkins<br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 6 Dec 2018 at 17:00, Robert Hudson <<a href="mailto:hudrob@gmail.com" target="_blank">hudrob@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr">On Thu, 6 Dec. 2018, 4:20 pm Paul Wilkins <<a href="mailto:paulwilkins369@gmail.com" target="_blank">paulwilkins369@gmail.com</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">The original 172 page Bill was so obviously deficient in so many areas, it was easier to just say the Bill should be thrown out in its entirety and start over. Now, post 50 pages of amendments, there's still plenty of scope for serious criticism, and the debate around getting the balance right between citizens rights, and the right of the State to extend judicial writ to cyberspace will continue, but this is in every way a very much improved Bill over the original.<br></div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Is it? Have the amendments increased the likelyhood that it will actually help law enforcement? Have the amendments helped to ensure that criminals continue to use services that are subject to the reach of Australian law enforcement agencies?</div><div dir="auto"><br></div><div dir="auto">As Mark Newton pointed out in another forum recently, he was told, face to face, by a sitting MP, in that MPs office, that his concerns that the agencies that would have access to metadata would increase substantially were ill-founded, as were his concerns that the reasons to request metadata would increase dramatically. And now local councils have access to metadata, and there are close to 1,000 requests for metadata per day.</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br>I don't see on any of the grounds of criticism of the original Bill, the amendments have gone as far as they need to, but on all the metrics that matter this new Bill represents an honest attempt to accommodate issues of privacy, accountability, and the need to maintain security and protect service provider property rights against unnecessary or disproportionate intrusion by Law Enforcement, and balance those against the legitimate interests of the State to enforce the rule of law in cyberspace. <br></div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">I contend that the bill now represents an honest attempt to look like they're accomodating issues that aren't related to the core fact that the proposed laws won't actually reduce crime or increase security.</div><div dir="auto"><br></div><div dir="auto">How explicitly removing state (and potential future federal) ICACs as agencies able to utilise the powers of the bill is, in any way, reasonably associated with the phrase "honest attempt" is beyond me.</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br>From the definitions of systemic vulnerability and systemic weakness it would seem to put it beyond question that back doors can only be deployed against target devices, not deployed en masse. That said, there needs to be a control plane function that allows access to the target device that wasn't there before, which still constitutes a potential weakness/vulnerability.<br></div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">I am sure the bill will be successful in stopping the vulnerabilities it creates leaking. I mean, if (when, recall just how successfully the NSA managed to keep stuxnet under lock and key) the AFP manage to leak code that allows keylogger installs onto iPhones, no criminal group (or just obnoxious bunch of script kiddies posing as an online hacking group) would be able to take advantage of this - that's not a systemic vulnerability or weakness, right?</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br><div style="margin-left:40px">"systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified."<br></div><br>There's still obvious gaps around the powers and accountabilities of state police.<br><br>I have to say it looks dangerously like a sensible working position from which to move forward from, while ensuring security services get the powers they say they have an immediate need for.<br></div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">When they prove the need beyond saying "We need this because we say we need it", and show that the intended targets won't simply sidestep it and move on, THEN we may have a working position from which to move forward.</div><div dir="auto"><br></div><div dir="auto">Until then, this is just massive over-reach.</div><div dir="auto"><br></div><div dir="auto">As Mark Newton previously noted, this has "The Four Horsemen of the Infocalypse" written all over it. In particular, the script to follow:</div><div dir="auto"><br></div><div dir="auto">"<span style="background-color:rgb(255,255,255);color:rgb(34,34,34);font-family:"linux libertine",georgia,times,serif;font-size:17.6px">How to get what you want in 4 easy stages:</span></div><div dir="auto"><span style="background-color:rgb(255,255,255);color:rgb(34,34,34);font-family:"linux libertine",georgia,times,serif;font-size:17.6px"><br></span></div><div dir="auto"><ol style="margin:0px;padding:0px;border:0px none;line-height:inherit;font-family:"linux libertine",georgia,times,serif;font-size:17.6px;vertical-align:baseline;background:rgb(255,255,255) none repeat scroll 0% 0%;list-style-position:inside"><li style="margin:0px 0px 10px;padding:0px;border:0px none;font-style:inherit;font-variant:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;background:rgba(0,0,0,0) none repeat scroll 0% 0%"><font style="font-weight:inherit" color="#222222">Have a target "thing" you wish to stop, yet lack any moral, or practical reasons for doing so? </font><font color="#f44336"><b>[We want to break encryption]</b></font></li><li style="margin:0px 0px 10px;padding:0px;border:0px none;font-style:inherit;font-variant:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;background:rgba(0,0,0,0) none repeat scroll 0% 0%"><span style="color:rgb(34,34,34);font-weight:inherit">Pick a fear common to lots of people, something that will evoke a gut reaction: terrorists, pedophiles, serial killers. </span><b><font color="#f44336">[Terrorists, natch.]</font></b></li><li style="margin:0px 0px 10px;padding:0px;border:0px none;font-style:inherit;font-variant:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;background:rgba(0,0,0,0) none repeat scroll 0% 0%"><span style="color:rgb(34,34,34);font-weight:inherit">Scream loudly to the media that "thing" is being used by perpetrators. (Don't worry if this is true, or common to all other things, or less common with "thing" than with other long established systems—payphones, paper mail, private hotel rooms, lack of bugs in all houses etc.) </span><b><font color="#f44336">[OMG, terrorists are using encryption (lets ignore the fact that we're still stopping them without being able to break it, and we still let the ones we know about stab people). Sure, its ubiquitous, but TERRORISTS!]</font></b></li><li style="margin-top:0px;margin-right:0px;margin-bottom:inherit;margin-left:0px;padding:0px;border:0px none;font-style:inherit;font-variant:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;background:rgba(0,0,0,0) none repeat scroll 0% 0%"><span style="color:rgb(34,34,34);font-weight:inherit">Say that the only way to stop perpetrators is to close down "thing", or to regulate it to death, or to have laws forcing en masse tapability of all private communications on "thing". Don't worry if communicating on "thing" is a constitutionally protected right, if you have done a good job in choosing and publicising the horsemen in 2, no one will notice, they will be too busy clamouring for you to save them from the supposed evils. </span><b><font color="#f44336">[This whole debate - there are still people acting on the assumption that this is needed, and that it will achieve the stated goals. Bonus points for screaming at anyone who disagrees that they're only doing so because they must support terrorism - yep, we've seen that.]</font></b><span style="color:rgb(34,34,34);font-weight:inherit">"</span></li></ol></div><div dir="auto"><br></div><div dir="auto">Just because they say they need it doesn't mean that they do, or that it will work.</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br>Kind regards<br><br>Paul Wilkins<br><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 6 Dec 2018 at 13:48, Mark Newton <<a href="mailto:newton@atdot.dotat.org" rel="noreferrer" target="_blank">newton@atdot.dotat.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On 12/05/2018 11:48 AM, Paul Wilkins wrote:<br>
> "If this passes I can see similar legislation being introduced in <br>
> other jurisdictions."<br>
><br>
> I think this legislation and all its warts is going to be a <br>
> particularly Australian feature.<br>
<br>
Exported globally, though.<br>
<br>
A 5-eyes power who wants to surveil someone can come to Australia, get <br>
ASIO or ASD to land a TCN on the target's platform provider, and pass on <br>
the result.<br>
<br>
Example:<br>
<br>
CIA wants something from an iPhone user. They can't get it themselves. <br>
So they take the iPhone user's IMEI to ASD and ask for 5-eyes assistance.<br>
<br>
ASD screams "terrorist!" in a TCN sent to Apple, which demands <br>
production of a compromised version of iOS which keylogs and screenshots <br>
any encrypted messaging apps which happen to run, and pushed as a silent <br>
upgrade to that user's phone.<br>
<br>
Results flow from Apple to ASD, and ASD passes them back to the CIA.<br>
<br>
There is no need for any other 5-eyes nation to pass this law now that <br>
Australia has it. It's provided 5-eyes with a global capability.<br>
<br>
- mark<br>
<br>
<br>
</blockquote></div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" rel="noreferrer" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div></div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>