[AusNOG] Assistance and Access Bill moves to PJCIS

Paul Wilkins paulwilkins369 at gmail.com
Fri Dec 7 13:48:21 EST 2018


When I go through my list of concerns with the Bill, I'm gratified to see
where the amendments tend to ameliorate original concerns, but without
going so far as the concerns no longer exist.

A series of open questions to consider in assessing the Bill

*1 - Why is there no judicial oversight of these sweeping police powers?*

Now a TAN needs approval by the AFP. Also, the decision of the AFP is
subject to judicial appeal.

TCN now needs approval by both AG and Minister for Comms. Also service
providers can appeal to a panel of a tech expert and a retired judge, who
assess necessity and proportionality.

However, for citizens or journalists who are the subject of TANs, there is
no appeal. This includes journalists, while they found the time to make an
exception for parliamentary privilege. There's still a public interest
argument that government documents be leaked into the public domain if it's
in the public interest.

*2 - The scope of powers goes beyond terrorism and serious crime when it's not
supposed to.*

The amendments set the bar at 3 years. This seems low for terrorism and
serious crime offences, though 3 years ensures cyber stalking clears the
bar.

The problem is that there should be a different test and different powers
for intelligence/security services and the state police. It'd be ok to have
the bar at 3 years for police Legal Intercept, while restricting the more
extensive "do anything" powers to ASIO/AFP, but with a higher bar, that
limits their application to terrorism/serious crime offences, say 20 years
to life.

*3 - It supports the establishment of the machinery of mass surveillance
when it's not supposed to.*

Not so easy now to claim that access to metadata streams is necessary, as
you don't have a police task force signing off on the TAN. You need also to
have the AFP concur. Which is not to say it's still not a situation that
could arise.

*4 - It weakens the Internet's security, when it's not supposed to.*

The limiting of systemic vulnerability to targeting of specific devices is
obviously a very significant reduction in the scope of the original Bill.

This is obviously going to need further debate. On the one hand, you have
5 Eyes saying they need to be able to enter target devices. On the other
hand, you have the IAB, saying any and all EA mechanisms weaken the
internet's security and user confidence.

I think where the current Bill can still be tightened, is removing such
security weaknesses as are unnecessary. Eg: state police need only legal
intercept, not EA.

The Act still allows a dozen different agencies access to warrant data and
confidential service provider details, which can leak from any of those
dozen agencies.

*5 - Why are there no limits to ensure the issue of TCNs/TANs/TARs is
necessary and proportionate to the human right to privacy, unrevocable per
the Declaration of Human Rights?*

There are now specific provisions for necessity and proportionality. Though
the standard lies with the decision maker, which is not a standard subject
to judicial review.

*6 - Why the deliberate exclusion/incompatibility of the provisions of the
Privacy Act 1988?*

Obviously the privacy NGOs are better qualified to pursue this continuing
debate. There are protections under the amendments for intrusion to privacy
to be necessary and proportionate.

*7 - Why are there no limits to ensure the issue of TCNs/TANs/TARs is
necessary and proportionate to service providers' rights to private
property, unrevocable per the Declaration of Human Rights?*

There are new provisions that TCNs/TANs/TARs take the interests of service
providers into consideration. Again the standard lies with the decision
maker, which is not a standard subject to judicial review.

*8 - When Police Powers lie with the States, what constitutional head of
power supports the Bill's scope, without enabling legislation from the
States conferring power? The Constitution confers national security powers,
but the scope of the Bill's police powers exceeds this remit.*

Oversight of state police is something that needs further looking at.

*9 - Why has the Bill overlooked the obvious alternative of powers spread
across a dozen Law Enforcement Agencies, which is to centralise in one
single agency, providing for greater data security, governance, efficiency,
and accountability?*

The amendments pose the Minister of Comms as responsible for liaising TCNs
with industry.

*10 - Why the lack of provisions for accountability for the exercise of
police powers, and checks and balances commensurate to the reach of
sweeping police powers, quite incompatible with the democratic institutions
and traditions of Liberal Democracy?*

Still a concern, but in view of the great reduction in intrusiveness due to
the amendments, not such a concern as previously.

*11 - Why the deliberately curtailed public consultation process and
attempt to ambush both the public and government with this Bill by Dep't
Home Affairs, and representations of public and industry consultations as
being timely and adequate, incompatible with the facts on the public record
and the express concerns of the public, human rights groups, and industry?*

I assume debate will now continue for the PJCIS to complete its work in
April 2019, though I can't see where this is made explicit in the Act.

*12 - Why the absence of recompense for injury to reputation or to service
providers' business, or other injury consequent to police malfeasance or
misfeasance? The Bill's protections are not comprehensive, and where they
make provision, go only as far as to establish lack of liability for
unlawful disclosures.*

There have been amendments, but they still don't go far enough to recompense
those injured by ill-considered or ill-executed State intervention.

*13 - Why has the government of the day referred this deeply flawed Bill to
the PJCIS, PJCHR, and the SSCSB for review, wasting public time and money,
rather than sending it back to Dep't Home Affairs for a complete overhaul
of its scope and objectives?*

Mostly because of Dep't Home Affairs' intransigence, and of course, the only
reason we've been fortunate to have the Bill amended at all, let's not
forget, is due to the Liberals losing control of the Reps.


Kind regards

Paul Wilkins


On Thu, 6 Dec 2018 at 18:13, Paul Wilkins <paulwilkins369 at gmail.com> wrote:

> "If "there is a need for these powers over the Christmas period," then
> that ship has sailed. Too late, they needed to pass it in September."
>
> Apparently change freezes also apply to national security :)
>
> On Thu, 6 Dec 2018 at 17:33, Paul Wilkins <paulwilkins369 at gmail.com>
> wrote:
>
>> Just checked, and cyber stalking qualifies as it has a 3 year max sentence.
>>
>> On Thu, 6 Dec 2018 at 17:21, Paul Wilkins <paulwilkins369 at gmail.com>
>> wrote:
>>
>>> To get a TAN approved, you'll need:
>>>
>>>    - to be an interception agency
>>>    - to have your TAN approved by the AFP
>>>    - the investigation must attach a 3 year sentence
>>>    - there *may* need to also be a data / computer warrant. Then again
>>>    there may not.
>>>
>>> So no TANs for councils.
>>>
>>> TARs I'm not sure. There are amendments to bring them into line with TANs
>>> but I'd be guessing if their approval is 100% contiguous to TANs.
>>>
>>> Labor wanted to remove both ICACs and the state police, because when you
>>> look at it, there is no Ombudsman oversight of powers exercised by states
>>> under the Telecommunications Act. So it is a surprise to see state police
>>> still will get TANs/TARs under the revised Bill, but they will need AFP
>>> approval, which is a definite improvement.
>>>
>>> I can see a need for state police to have Legal Intercept powers, but no
>>> reason it should go as far as the right to modify data.
>>>
>>> Kind regards
>>>
>>> Paul Wilkins
>>>
>>> On Thu, 6 Dec 2018 at 17:00, Robert Hudson <hudrob at gmail.com> wrote:
>>>
>>>>
>>>>
>>>> On Thu, 6 Dec. 2018, 4:20 pm Paul Wilkins <paulwilkins369 at gmail.com>
>>>> wrote:
>>>>
>>>>> The original 172 page Bill was so obviously deficient in so many
>>>>> areas, it was easier to just say the Bill should be thrown out in its
>>>>> entirety and start over. Now, post 50 pages of amendments, there's still
>>>>> plenty of scope for serious criticism, and the debate around getting the
>>>>> balance right between citizens' rights, and the right of the State to extend
>>>>> judicial writ to cyberspace will continue, but this is in every way a very
>>>>> much improved Bill over the original.
>>>>>
>>>>
>>>> Is it? Have the amendments increased the likelihood that it will
>>>> actually help law enforcement? Have the amendments helped to ensure that
>>>> criminals continue to use services that are subject to the reach of
>>>> Australian law enforcement agencies?
>>>>
>>>> As Mark Newton pointed out in another forum recently, he was told, face
>>>> to face, by a sitting MP, in that MP's office, that his concerns that the
>>>> agencies that would have access to metadata would increase substantially
>>>> were ill-founded, as were his concerns that the reasons to request metadata
>>>> would increase dramatically. And now local councils have access to
>>>> metadata, and there are close to 1,000 requests for metadata per day.
>>>>
>>>>>
>>>>> I don't see on any of the grounds of criticism of the original Bill,
>>>>> the amendments have gone as far as they need to, but on all the metrics
>>>>> that matter this new Bill represents an honest attempt to accommodate
>>>>> issues of privacy, accountability, and the need to maintain security and
>>>>> protect service provider property rights against unnecessary or
>>>>> disproportionate intrusion by Law Enforcement, and balance those against
>>>>> the legitimate interests of the State to enforce the rule of law in
>>>>> cyberspace.
>>>>>
>>>>
>>>> I contend that the bill now represents an honest attempt to look like
>>>> they're accommodating issues that aren't related to the core fact that the
>>>> proposed laws won't actually reduce crime or increase security.
>>>>
>>>> How explicitly removing state (and potential future federal) ICACs as
>>>> agencies able to utilise the powers of the bill is, in any way, reasonably
>>>> associated with the phrase "honest attempt" is beyond me.
>>>>
>>>>>
>>>>> From the definitions of systemic vulnerability and systemic weakness
>>>>> it would seem to put it beyond question that back doors can only be
>>>>> deployed against target devices, not deployed en masse. That said, there
>>>>> needs to be a control plane function that allows access to the target
>>>>> device that wasn't there before, which still constitutes a potential
>>>>> weakness/vulnerability.
>>>>>
>>>>
>>>> I am sure the bill will be successful in stopping the vulnerabilities
>>>> it creates leaking. I mean, if (when, recall just how successfully the NSA
>>>> managed to keep stuxnet under lock and key) the AFP manage to leak code
>>>> that allows keylogger installs onto iPhones, no criminal group (or just
>>>> obnoxious bunch of script kiddies posing as an online hacking group) would
>>>> be able to take advantage of this - that's not a systemic vulnerability or
>>>> weakness, right?
>>>>
>>>>
>>>>> "systemic vulnerability means a vulnerability that affects a whole
>>>>> class of technology, but does not include a vulnerability that is
>>>>> selectively introduced to one or more target technologies that are
>>>>> connected with a particular person. For this purpose, it is immaterial
>>>>> whether the person can be identified."
>>>>>
>>>>> There's still obvious gaps around the powers and accountabilities of
>>>>> state police.
>>>>>
>>>>> I have to say it looks dangerously like a sensible working position
>>>>> from which to move forward, while ensuring security services get the
>>>>> powers they say they have an immediate need for.
>>>>>
>>>>
>>>> When they prove the need beyond saying "We need this because we say we
>>>> need it", and show that the intended targets won't simply sidestep it and
>>>> move on, THEN we may have a working position from which to move forward.
>>>>
>>>> Until then, this is just massive over-reach.
>>>>
>>>> As Mark Newton previously noted, this has "The Four Horsemen of the
>>>> Infocalypse" written all over it. In particular, the script to follow:
>>>>
>>>> "How to get what you want in 4 easy stages:
>>>>
>>>>
>>>>    1. Have a target "thing" you wish to stop, yet lack any moral, or
>>>>    practical reasons for doing so? *[We want to break encryption]*
>>>>    2. Pick a fear common to lots of people, something that will evoke
>>>>    a gut reaction: terrorists, pedophiles, serial killers. *[Terrorists,
>>>>    natch.]*
>>>>    3. Scream loudly to the media that "thing" is being used by
>>>>    perpetrators. (Don't worry if this is true, or common to all other things,
>>>>    or less common with "thing" than with other long established
>>>>    systems—payphones, paper mail, private hotel rooms, lack of bugs in all
>>>>    houses etc.) *[OMG, terrorists are using encryption (let's ignore
>>>>    the fact that we're still stopping them without being able to break it, and
>>>>    we still let the ones we know about stab people). Sure, it's ubiquitous,
>>>>    but TERRORISTS!]*
>>>>    4. Say that the only way to stop perpetrators is to close down
>>>>    "thing", or to regulate it to death, or to have laws forcing en masse
>>>>    tapability of all private communications on "thing". Don't worry if
>>>>    communicating on "thing" is a constitutionally protected right, if you have
>>>>    done a good job in choosing and publicising the horsemen in 2, no one will
>>>>    notice, they will be too busy clamouring for you to save them from the
>>>>    supposed evils. *[This whole debate - there are still people acting
>>>>    on the assumption that this is needed, and that it will achieve the stated
>>>>    goals. Bonus points for screaming at anyone who disagrees that they're only
>>>>    doing so because they must support terrorism - yep, we've seen that.]*"
>>>>
>>>>
>>>> Just because they say they need it doesn't mean that they do, or that
>>>> it will work.
>>>>
>>>>>
>>>>> Kind regards
>>>>>
>>>>> Paul Wilkins
>>>>>
>>>>>
>>>>> On Thu, 6 Dec 2018 at 13:48, Mark Newton <newton at atdot.dotat.org>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On 12/05/2018 11:48 AM, Paul Wilkins wrote:
>>>>>> > "If this passes I can see similar legislation being introduced in
>>>>>> > other jurisdictions."
>>>>>> >
>>>>>> > I think this legislation and all its warts is going to be a
>>>>>> > particularly Australian feature.
>>>>>>
>>>>>> Exported globally, though.
>>>>>>
>>>>>> A 5-eyes power who wants to surveil someone can come to Australia, get
>>>>>> ASIO or ASD to land a TCN on the target's platform provider, and pass on
>>>>>> the result.
>>>>>>
>>>>>> Example:
>>>>>>
>>>>>> CIA wants something from an iPhone user. They can't get it themselves.
>>>>>> So they take the iPhone user's IMEI to ASD and ask for 5-eyes assistance.
>>>>>>
>>>>>> ASD screams "terrorist!" in a TCN sent to Apple, which demands
>>>>>> production of a compromised version of iOS which keylogs and screenshots
>>>>>> any encrypted messaging apps which happen to run, and pushed as a silent
>>>>>> upgrade to that user's phone.
>>>>>>
>>>>>> Results flow from Apple to ASD, and ASD passes them back to the CIA.
>>>>>>
>>>>>> There is no need for any other 5-eyes nation to pass this law now that
>>>>>> Australia has it. It's provided 5-eyes with a global capability.
>>>>>>
>>>>>>    - mark
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>> AusNOG mailing list
>>>>> AusNOG at lists.ausnog.net
>>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>>
>>>>