[AusNOG] Assistance and Access Bill moves to PJCIS

Paul Wilkins paulwilkins369 at gmail.com
Thu Dec 6 17:21:59 EST 2018


To get a TAN approved, you'll need:

   - to be an interception agency
   - to have your TAN approved by the AFP
   - the investigation must attach a 3 year sentence
   - there *may* need to also be a data / computer warrant. Then again
   there may not.

So no TANs for councils.

TARs I'm not sure. There are amendments to bring them into line with TANs but
I'd be guessing if their approval is 100% contiguous to TANs.

Labor wanted to remove both ICACS and the state police, because when you
look at it, there is no Ombudsman oversight of powers exercised by states
under the Telecommunications Act. So it is a surprise to see state police
still will get TANs/TARs under the revised Bill, but they will need AFP
approval, which is a definite improvement.

I can see a need for state police to have Legal Intercept powers, but no
reason it should go as far as the right to modify data.

Kind regards

Paul Wilkins

On Thu, 6 Dec 2018 at 17:00, Robert Hudson <hudrob at gmail.com> wrote:

>
>
> On Thu, 6 Dec. 2018, 4:20 pm Paul Wilkins <paulwilkins369 at gmail.com> wrote:
>
>> The original 172 page Bill was so obviously deficient in so many areas,
>> it was easier to just say the Bill should be thrown out in its entirety and
>> start over. Now, post 50 pages of amendments, there's still plenty of scope
>> for serious criticism, and the debate around getting the balance right
>> between citizens' rights, and the right of the State to extend judicial writ
>> to cyberspace will continue, but this is in every way a very much improved
>> Bill over the original.
>>
>
> Is it? Have the amendments increased the likelihood that it will actually
> help law enforcement? Have the amendments helped to ensure that criminals
> continue to use services that are subject to the reach of Australian law
> enforcement agencies?
>
> As Mark Newton pointed out in another forum recently, he was told, face to
> face, by a sitting MP, in that MP's office, that his concerns that the
> agencies that would have access to metadata would increase substantially
> were ill-founded, as were his concerns that the reasons to request metadata
> would increase dramatically. And now local councils have access to
> metadata, and there are close to 1,000 requests for metadata per day.
>
>>
>> I don't see on any of the grounds of criticism of the original Bill, the
>> amendments have gone as far as they need to, but on all the metrics that
>> matter this new Bill represents an honest attempt to accommodate issues of
>> privacy, accountability, and the need to maintain security and protect
>> service provider property rights against unnecessary or disproportionate
>> intrusion by Law Enforcement, and balance those against the legitimate
>> interests of the State to enforce the rule of law in cyberspace.
>>
>
> I contend that the bill now represents an honest attempt to look like
> they're accommodating issues that aren't related to the core fact that the
> proposed laws won't actually reduce crime or increase security.
>
> How explicitly removing state (and potential future federal) ICACs as
> agencies able to utilise the powers of the bill is, in any way, reasonably
> associated with the phrase "honest attempt" is beyond me.
>
>>
>> From the definitions of systemic vulnerability and systemic weakness it
>> would seem to put it beyond question that back doors can only be deployed
>> against target devices, not deployed en masse. That said, there needs to be
>> a control plane function that allows access to the target device that
>> wasn't there before, which still constitutes a potential
>> weakness/vulnerability.
>>
>
> I am sure the bill will be successful in stopping the vulnerabilities it
> creates leaking. I mean, if (when, recall just how successfully the NSA
> managed to keep Stuxnet under lock and key) the AFP manage to leak code
> that allows keylogger installs onto iPhones, no criminal group (or just
> obnoxious bunch of script kiddies posing as an online hacking group) would
> be able to take advantage of this - that's not a systemic vulnerability or
> weakness, right?
>
>
>> "systemic vulnerability means a vulnerability that affects a whole class
>> of technology, but does not include a vulnerability that is selectively
>> introduced to one or more target technologies that are connected with a
>> particular person. For this purpose, it is immaterial whether the person
>> can be identified."
>>
>> There are still obvious gaps around the powers and accountabilities of
>> state police.
>>
>> I have to say it looks dangerously like a sensible working position from
>> which to move forward, while ensuring security services get the powers
>> they say they have an immediate need for.
>>
>
> When they prove the need beyond saying "We need this because we say we
> need it", and show that the intended targets won't simply sidestep it and
> move on, THEN we may have a working position from which to move forward.
>
> Until then, this is just massive over-reach.
>
> As Mark Newton previously noted, this has "The Four Horsemen of the
> Infocalypse" written all over it. In particular, the script to follow:
>
> "How to get what you want in 4 easy stages:
>
>
>    1. Have a target "thing" you wish to stop, yet lack any moral, or
>    practical reasons for doing so? *[We want to break encryption]*
>    2. Pick a fear common to lots of people, something that will evoke a
>    gut reaction: terrorists, pedophiles, serial killers. *[Terrorists,
>    natch.]*
>    3. Scream loudly to the media that "thing" is being used by
>    perpetrators. (Don't worry if this is true, or common to all other things,
>    or less common with "thing" than with other long established
>    systems—payphones, paper mail, private hotel rooms, lack of bugs in all
>    houses etc.) *[OMG, terrorists are using encryption (let's ignore the
>    fact that we're still stopping them without being able to break it, and we
>    still let the ones we know about stab people). Sure, it's ubiquitous, but
>    TERRORISTS!]*
>    4. Say that the only way to stop perpetrators is to close down
>    "thing", or to regulate it to death, or to have laws forcing en masse
>    tapability of all private communications on "thing". Don't worry if
>    communicating on "thing" is a constitutionally protected right, if you have
>    done a good job in choosing and publicising the horsemen in 2, no one will
>    notice, they will be too busy clamouring for you to save them from the
>    supposed evils. *[This whole debate - there are still people acting on
>    the assumption that this is needed, and that it will achieve the stated
>    goals. Bonus points for screaming at anyone who disagrees that they're only
>    doing so because they must support terrorism - yep, we've seen that.]*"
>
>
> Just because they say they need it doesn't mean that they do, or that it
> will work.
>
>>
>> Kind regards
>>
>> Paul Wilkins
>>
>>
>> On Thu, 6 Dec 2018 at 13:48, Mark Newton <newton at atdot.dotat.org> wrote:
>>
>>>
>>>
>>> On 12/05/2018 11:48 AM, Paul Wilkins wrote:
>>> > "If this passes I can see similar legislation being introduced in
>>> > other jurisdictions."
>>> >
>>> > I think this legislation and all its warts is going to be a
>>> > particularly Australian feature.
>>>
>>> Exported globally, though.
>>>
>>> A 5-eyes power who wants to surveil someone can come to Australia, get
>>> ASIO or ASD to land a TCN on the target's platform provider, and pass on
>>> the result.
>>>
>>> Example:
>>>
>>> CIA wants something from an iPhone user. They can't get it themselves.
>>> So they take the iPhone user's IMEI to ASD and ask for 5-eyes assistance.
>>>
>>> ASD screams "terrorist!" in a TCN sent to Apple, which demands
>>> production of a compromised version of iOS which keylogs and screenshots
>>> any encrypted messaging apps which happen to run, and pushed as a silent
>>> upgrade to that user's phone.
>>>
>>> Results flow from Apple to ASD, and ASD passes them back to the CIA.
>>>
>>> There is no need for any other 5-eyes nation to pass this law now that
>>> Australia has it. It's provided 5-eyes with a global capability.
>>>
>>>    - mark
>>>
>>>