[AusNOG] Assistance and Access Bill moves to PJCIS

Paul Wilkins paulwilkins369 at gmail.com
Thu Dec 6 16:19:46 EST 2018


The original 172-page Bill was so obviously deficient in so many areas, it
was easier to just say the Bill should be thrown out in its entirety and
start over. Now, post 50 pages of amendments, there's still plenty of scope
for serious criticism, and the debate around getting the balance right
between citizens' rights, and the right of the State to extend judicial writ
to cyberspace will continue, but this is in every way a very much improved
Bill over the original.

I don't see on any of the grounds of criticism of the original Bill, the
amendments have gone as far as they need to, but on all the metrics that
matter this new Bill represents an honest attempt to accommodate issues of
privacy, accountability, and the need to maintain security and protect
service provider property rights against unnecessary or disproportionate
intrusion by Law Enforcement, and balance those against the legitimate
interests of the State to enforce the rule of law in cyberspace.

From the definitions of systemic vulnerability and systemic weakness it
would seem to put it beyond question that back doors can only be deployed
against target devices, not deployed en masse. That said, there needs to be
a control plane function that allows access to the target device that
wasn't there before, which still constitutes a potential
weakness/vulnerability.

"systemic vulnerability means a vulnerability that affects a whole class of
technology, but does not include a vulnerability that is selectively
introduced to one or more target technologies that are connected with a
particular person. For this purpose, it is immaterial whether the person
can be identified."

There are still obvious gaps around the powers and accountabilities of state
police.

I have to say it looks dangerously like a sensible working position from
which to move forward, while ensuring security services get the powers
they say they have an immediate need for.

Kind regards

Paul Wilkins


On Thu, 6 Dec 2018 at 13:48, Mark Newton <newton at atdot.dotat.org> wrote:

>
>
> On 12/05/2018 11:48 AM, Paul Wilkins wrote:
> > "If this passes I can see similar legislation being introduced in
> > other jurisdictions."
> >
> > I think this legislation and all its warts is going to be a
> > particularly Australian feature.
>
> Exported globally, though.
>
> A 5-eyes power who wants to surveil someone can come to Australia, get
> ASIO or ASD to land a TCN on the target's platform provider, and pass on
> the result.
>
> Example:
>
> CIA wants something from an iPhone user. They can't get it themselves.
> So they take the iPhone user's IMEI to ASD and ask for 5-eyes assistance.
>
> ASD screams "terrorist!" in a TCN sent to Apple, which demands
> production of a compromised version of iOS which keylogs and screenshots
> any encrypted messaging apps which happen to run, and pushed as a silent
> upgrade to that user's phone.
>
> Results flow from Apple to ASD, and ASD passes them back to the CIA.
>
> There is no need for any other 5-eyes nation to pass this law now that
> Australia has it. It's provided 5-eyes with a global capability.
>
>    - mark
>
>
>