[AusNOG] Dutton decryption bill

Robert Hudson hudrob at gmail.com
Wed Sep 12 09:07:07 EST 2018


As per my comments in August, ITPA put forward the following comment on the
draft bill within the official public comment window:

"To whom it may concern,

On behalf of the Information Technology Professionals Association (ITPA)
and its members, I am writing today to express a lack of support for "The
Access and Assistance Bill, 2018" as it currently stands.  This bill should
not be introduced to Parliament in its current form, and certainly should
not be voted into law.

ITPA and its members recognise the fact that encrypted communication is one
tool used by criminals to make it harder for law enforcement agencies to
discover and track their whereabouts, plans, and other details of crimes
they may have or be able to commit.  We appreciate the fact that the
government is seeking ways to increase its ability to better prevent and
prosecute crime.  But it is ITPA's position that the only real-life outcome
of "The Access and Assistance Bill 2018" will be a negative impact to the
individual privacy of Australian citizens, and that the proposed benefits
(allowing law-enforcement to prevent or prosecute crimes) will not be
realised.

"The Access and Assistance Bill 2018" will not only fail to achieve its
stated aim (criminals will simply move to using encryption products not
covered by this bill - most of the tools currently used in this area are
not written by companies which are bound by this bill, and those which are
will simply be traded for tools produced outside of Australia's
jurisdiction), but it will result in a significant reduction of individual
privacy for law-abiding citizens.

In addition to failing to achieve the desired goals, tools created under
this legislation to break or bypass the encryption created by commonly used
applications will almost certainly be misused by individuals in positions
of power within law-enforcement agencies, as we have already seen happen in
other areas of surveillance legislation such as the mandatory metadata
retention scheme.

Further, it is certain that these tools will also become available to
people outside of legitimate law-enforcement agencies, and will be used as
a weapon against law-abiding citizens - the leaking of the list of
"blocked" sites under Internet filtering regimes of the past
(https://www.smh.com.au/national/dentists-website-on-leaked-blacklist-20090319-93cl.html)
shows that secrets and artifacts (such as lists of websites, or access to
tools) can and do get leaked beyond the approved area of usage.

"The Access and Assistance Bill 2018" also has issues of governance and
oversight which require adjustment before it could be supported.  Although
there is still a requirement for warrants to be issued and a level of
judicial oversight, a political appointment (The Attorney General) holds
significant (and ultimate for short-term activities with post-activity
oversight) power within this legislation.  It would be preferable to have a
politically independent body (an individual or organisation) to provide the
level of oversight and authority carried by the Attorney General in this
legislation to ensure that decisions are not made under the authority of
this bill for political purposes.

If the government really wants to achieve better levels of policing and
crime prevention in areas of technology, we implore the government to
consult with the technology industry during the drafting phases of
legislation, rather than after the draft has been put together in such a
fashion as to be technically infeasible.  ITPA would be more than willing
to be part of a consultation process to resolve issues with the currently
proposed legislation, or for any other legislation which requires technical
expertise to achieve success."

On Wed, 15 Aug 2018 at 13:48, Robert Hudson <hudrob at gmail.com> wrote:

> Hi Paul,
>
> On Wed, 15 Aug 2018 at 13:31, Paul Brooks <pbrooks-ausnog at layer10.com.au>
> wrote:
>
>> Thanks Aftab for the plug - this is something that IA has been tracking
>> and meeting in Canberra with various Minister-types down over the past 6-9
>> months, trying to determine what they were looking to do, and educate them
>> on the concerns.
>> This is data retention all over again. On one hand, as an ISP, if you
>> don't actually supply end-user devices and all the OTT messaging apps pass
>> through your network, there may not be much in this to concern.  This Bill
>> is aimed at Samsung/Google/HTC/Oppo, and OTT service providers like Apple
>> iMessage, WhatsApp, Google Hangouts, etc.
>> They were quite insistent they would not be seeking to back-door
>> encryption, and as it happens, they were right! They just want to back-door
>> the entire device. And website, which is classed in there too.
>>
>
> The legislation is sufficiently vague as to allow pretty much anything the
> A-G thinks is reasonable at the time the A-G makes a request.
>
>>
>> If you're in Canberra on Monday night, we've got a number of people from
>> MIT Computer Science and Artificial Intelligence Labs (CSAIL) and other
>> experts that talk to USA's people, and tickets still available - From
>> 4:30pm, with free drinks provided afterwards.
>>
>>
>> https://www.eventbrite.com.au/e/encryption-experts-session-evening-in-canberra-tickets-48911717263
>>
>
> Canberra could be hard to attend from Sydney, but this one may be
> important enough for me to make the trip.
>
>>
>>
>> They're taking feedback/submissions/comments for 4 weeks only - is anyone
>> planning to submit some comment?
>>
>
> ITPA is looking to provide feedback.  We'd be happy to work with other
> parties (individuals or organisations) to put up a joint response.
>
> Regards,
>
> Robert
>