Readit News
jillesvangurp · a year ago
I'm sure the Chinese, their largest trading partner, will approve of this and take a keen interest in all the compromised-by-design technology the Australians will use to "protect" their business interests. They'll probably end up supplying most of that technology anyway. The Australians should be worrying about the backdoors they haven't been told about yet by the Chinese.
choeger · a year ago
This. I wonder why everyone in the security apparatus acts as if they will never be affected by these kinds of requests. I can only imagine two possible answers:

1. They trust in legal exceptions for themselves (look at EU chat control exceptions), which implies a thinking closer to the Soviet Union than a real republic.
2. They think they're already compromised by "the Chinese" or any other state actor and just feel incompetent themselves.

consp · a year ago
3. They are arrogantly ignorant and haven't listened to any actual experts or ignored them and think it simply doesn't apply to them.
freilanzer · a year ago
They don't care who else has access as long as they have access and are thus able to control their populace.
RachelF · a year ago
When a reporter asked [ex] Australian Prime Minister Malcolm Turnbull about encryption:

“Won’t the laws of mathematics trump the laws of Australia?”

Mr. Turnbull reportedly responded:

“Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

suprjami · a year ago
Malcolm Turnbull is the Minister of Technology who canceled a brand new fiber broadband network to reuse rusty copper to roll out more expensive VDSL2 to give Rupert Murdoch a few more years of cable TV sales. Doublespeak is his native tongue.

Like all his LNP cronies, he should be in prison for treason.

simondotau · a year ago
Turnbull also claimed that domestic 1Gb connections are absurd because consumers wouldn’t pay the cost of a guaranteed non-contended 1Gb connection.
red-iron-pine · a year ago
Abbott was the PM when that axe fell; Turnbull being his Tech minister itself wouldn't have mattered as anyone in that role would have rolled over.

Like, Abbott would have given Telstra and Murdoch the house regardless.

lostlogin · a year ago
This is so ridiculous I assumed it was made up. It isn’t.

https://www.independent.co.uk/news/malcolm-turnbull-prime-mi...

hcfman · a year ago
Funny you should say trump and laws in the same sentence :)
Zuiii · a year ago
This news is completely within the country's character and doesn't come as a surprise when you've been following Australian news. Their government can already legally coerce citizens who work for foreign companies into compromising their employer while gagging them from informing said companies.

I'd go as far as to say that this is a good thing. This law makes the risk of using Australian products more explicit.

RachelF · a year ago
Yes, the wise will stay away from any Atlassian product like Confluence and Jira.
GoblinSlayer · a year ago
The law applies to e2ee products, old school client-server products were always compliant with such laws.
Terr_ · a year ago
> while [gagging] them from informing said companies.

Does Australian law permit something like "warrant canaries"?

https://en.wikipedia.org/wiki/Warrant_canary

jeauxlb · a year ago
jmakov · a year ago
Even more. I'm sure companies don't hire Australians because of the law you mentioned.
defrost · a year ago
Coming at it both ways, from the people that brought us ΛNØM Phones | Operation Trojan Shield.

Need a secure phone for your next shipping container sized cocaine and cash exchange? Want something so secure you can only get it from a made guy who knows a guy who knows a guy?

Why not get yours fourth hand from a joint five eyes task force?

https://en.wikipedia.org/wiki/Operation_Trojan_Shield

https://www.theguardian.com/australia-news/2021/sep/11/insid...

hi-v-rocknroll · a year ago
Hello, it's America from 1995. Would you like a discount on these Clipper chips? I can let them go for a good price!

https://en.wikipedia.org/wiki/Clipper_chip#Technical_vulnera...

greenavocado · a year ago
Clipper chips are now all in software. It's called Mobile Services Manager on Android and it's probably installed on your phone. Carriers can push any executable to your device and run it, all in the background. That's not to mention who knows what your fully integrated Qualcomm SoC CPU and baseband is capable of internally.

https://androidsrc.net/mobile-services-manager/

https://www.reddit.com/r/GalaxyS9/comments/o03pnx/what_is_mo...

https://www.androidpolice.com/what-is-mobile-services-manage...

https://www.reddit.com/r/lgv20/comments/6u0wnf/what_is_mobil...

DEADMINCE · a year ago
> Carriers can push any executable to your device and run it, all in the background.

Only for those that opt in, which is most automatically even if they are not aware of it.

ranger_danger · a year ago
> An editorial in the Washington Post argued that "smartphone users must accept that they cannot be above the law if there is a valid search warrant", and after claiming to agree that backdoors would be undesirable, then suggested implementing a "golden key" backdoor which would unlock the data with a warrant.

What if there WAS a golden key of sorts, but it was split up (like "Shamir secret sharing") among several entities so that all of them would be necessary to decrypt the data (while also allowing for due process in cases of disagreement)? Obviously great care would have to be used when choosing the right entities who do not have any conflicts of interest or ulterior motives, as well as finding a way to prevent all the keys or whatnot from ever being in the same place at the same time, so that the golden key could never be stolen in its entirety.

I know that's not ideal and could still likely be compromised, but what other options are there for "tech companies to do more" in assisting law enforcement? I know CALEA/FISA/etc. is a thing in the US, but I'm talking about a possible "accountable encryption" implementation, which, while it may be impossible to make bulletproof, might be "good enough"?

saganus · a year ago
The problem is not a technologic one, it's societal.

It doesn't matter if you give a piece of the key to the ACLU, one to the EFF or whatever other entities one might think of as "impartial" or "without conflict of interest".

As long as there is a law that allows the government to send Men With Guns® to these entities, they can and will be coerced.

FISA is the prime example. You can have all the laws you want, but as long as "they" have things like NSLs which prevent you from even having a lawyer without clearance to defend yourself, you are royally fscked.

(This case is in Australia so they might not have FISA or similar, but the point is the same)

olliej · a year ago
What entities would have those keys?

Different branches of the same government means there’s only a single entity with all the keys. Pretending otherwise is maliciously naive.

Every entity or group of entities I can think of you suggesting has a pretty well documented history of undermining the legal rights their countries ostensibly provide.

Before you of course get to the elephant in the room: governments are notoriously bad at keeping super critical shit like this under wraps, and once it inevitably leaks literally everyone is fucked.

My suggestion for any nonsense laws like this would be: if the keys are ever leaked, misused, shared with any other entity, the country shall be required to pay full cost of replacement of every impacted device. They shall be liable for all downstream costs. The management and directors of every agency that had access to the material are personally liable for costs as well, as is every elected official that supported or approved the legislation. Claiming that they can’t be responsible for the mistakes of others is not permitted as a defense: there is already a defense against mass invasion of privacy and these incompetent fuck ups are constantly trying to pass legislation like this that removes that defense.

xyzzy123 · a year ago
This kinda already happened for Telcos, LE got convenient backdoors and portals they can access.

Surveillance capabilities are, IMHO, absolutely a slippery slope.

If you build this multi-key thing and there is capability for direct access without going through company legal and staff for each request, the next thing that happens is they write policy or legislation so access requires 2 keys, theirs and a judge or oversight officer - who rubber stamps every request.

You can't really trust them, because they can change the rules.

_ah · a year ago
I have always thought the best solution is strong encryption, plus weak encryption.

Every user has their data encrypted with a unique, zero-knowledge, weak key. Then it's encrypted again by the service provider with a strong key.

When the government shows up with a warrant, they get the strong key. But the weak key is known only to the user, not the service provider. So now the government has to go spend CPU time to brute force the weak key.

Economics enforces good behavior. Governments with lots of resources can afford to break into any single user's data. But they can't afford to break into EVERYONE'S data and go fishing. It's the same as hiring a detective to do a stakeout... you can follow anyone but you can't follow everyone.

hcfman · a year ago
There's a funny/sad story about the first person in the UK to be jailed for not giving up his password under new-at-the-time laws in the UK. He was a person crossing the channel with mental health problems. He was stopped and he had some Estes model rocketry rockets. He was found to have a couple of micrograms of an explosive on him that could have come out of the search dog's fur. He refused to give up his passwords and so he was jailed. He did give up one password to a TrueCrypt volume, but it had another encrypted TrueCrypt volume inside it. He was jailed for a year for that.
stiray · a year ago
You can do whatever you want when you are the only player on encrypting data. The problem is interoperability and I imagine "backdoor" that cops want as a way to decrypt TLS (which is quite doable, with reasonable safety in mind, to each request you add symmetric key used in data encryption, encrypted with supercop-public-key, distributed on a daily basis).
WarOnPrivacy · a year ago
Some surveillance may be unavoidable but disproportional surveillance is not. Surveillance in one direction is by design.

The agenda and expectation of modern governments is that the most possible surveillance be deployed outward, toward us - while obfuscating every possible avenue to peer back (and hold them accountable).

Gov officials (especially LEO) never, ever voluntarily submit to being viewed, monitored and examined. That demand is placed exclusively upon us.

This is not ethical.

hcfman · a year ago
Accountability is everything. They talk about accountability but they don't even want that for themselves.

Here in the Netherlands, I was caught in the crossfire of unaccountability war against marijuana. My neighbor was arrested, prosecuted and convicted for growing weed in 2005, unknown to me the authorities were using my other neighbor to harass and spy on him even after he was convicted. Because I complained I was then also targeted for more than 10 years. The authorities told the police not to respond to any of my calls and they trashed all of my police reports, allowing this guy to steal from me, vandalise my property and more. It only stopped when I started protesting at the town hall.

Then... after it stopped, they perverted the course of justice all of the way to the courts when a prosecutor who was involved with the stalker together with the other prosecutor he worked with made sure that the stalking case failed (by lying to the judge, withholding evidence etc). Then he retired, but the other prosecutor is now the president of the court of Maastricht and implicated in another case for sending 9 innocent people to jail.

https://www.1limburg.nl/boze-families-verstoren-raadsvergade...

https://www.limburger.nl/cnt/dmf20180221_00056384/weigering-...

https://www.limburger.nl/cnt/dmf20180522_00062344/twintig-uu...

https://www.1limburg.nl/leegloop-bij-justitie-zeven-officier...

Here below are scandals that the two prosecutors were involved in:

https://www.telegraaf.nl/nieuws/1039807/liegende-officieren-...

https://kro-ncrv.nl/programmas/villamoord

hcfman · a year ago
And guess what. I tried like hell to sue the government, this is only viable through your legal insurance. They said no chance. No second opinion lawyer said decent chance. The insurer said again I can't make a case, they are allowed to do all this. The government lied and published that this was a neighbor conflict but I've seen police files that show he was involved and letters from the government that prove the involvement.

But I still haven't been able to get any journalist to publish my story. Without journalists wanting to publish stories, democracy doesn't have a chance in hell.

The chief editor of the New York Times came to the Netherlands to do a talk about how journalism was the savior of Democracy. I told her my story, but she ignored it. So much for that then.

This country is screwed if a six part documentary can be broadcast showing how 9 people were framed for something they didn't do, a young one committed suicide and they can even publish the name of the responsible prosecutor and still nothing happens and that prosecutor becomes the president of the court of Maastricht. That's how much the government of the Netherlands acts with impunity facilitating years long criminal offences against innocent people not involved in any crimes.

Viva la democracy de la Netherlands!

mrjin · a year ago
Oh dear, there is no such thing as an accountable backdoor. Encryption is there for a good reason, and its whole purpose is to prevent unauthorized 3rd party access. Adding a backdoor will defeat the purpose as no one can guarantee it will only be used as intended.
Eddy_Viscosity2 · a year ago
This smiling politician said it would be secure and only the good guys will troll through your private information. He guarantees it!