Australian Government Proposing Laws to enable the police to gain access to encrypted mobile phones.

[overlord360]

Source: http://www.abc.net.au/news/2018-08-14/tech-surveillance-laws-less-of-a-back-door-and-more-a-side-gate/10114534

 

The Australian government is proposing new laws that would enable the australian police force to gain access to encrypted messages, GPS data, etc, if they have a valid search warrant.

The proposed law is not meant to be a "back door" but rather a "side gate". This would mean that rather than breaking the encryption during the transit of the message the police would be able to read, delete and copy messages at the end user's phone.

 

The Law proposes three levels of request that the police can make.

1. The first level is voluntary, where the police ask if the company is willing to hand over the data from a user.
2. The second stage is mandatory where the police demand that the company hand's over the data and will face a $10 million (AUD) fine for companies or $50,000 for individuals
3. "The third stage is not only compulsory for a company or individual to abide by, but also means they may have to work to build their own systems to help monitor activity." ~ Source

In other words the third stage would entail that the company or individual has to make a serious attempt to comply with the request.

 

" if you use an app to send a message to your friend, it's encrypted as it travels between the two phones or devices.

When it arrives, it's decrypted for your friend to read.

Under the proposed changes, if law enforcement agencies have a valid search warrant to monitor your phone, they could read the decrypted message at the same time as your friend does."

~ Source

 

IMO this is a terrible idea due to the inability to create a "back door" without giving access to the wrong people. If a single government demands access to data for legitimate reasons then there would be no issues, however other governments can also demand that same data for nefarious purposes by threatening the company with, increased taxes or other fines. If a backdoor exists then it can also be discovered by hackers and exploited. Both of these events have already happened (see WannaCry). 

 

 

Edited August 15, 2018 by overlord360
Align post with guidelines

[handymanshandle]

Seems perfectly fine to me /s

It still seems too much like a back door to me even if it's not.
I dont know enough of cryptography and cyber security to know if there's any way that could make LEAs able to conduct real investigations and not spy and still respect the privacy of everyone.

[sazrocks]

This is like asking a lock company to give master keys for all of the locks that they make to law enforcement, but law enforcement promises to keep those keys safe; except of course this is far worse.

As usual I'll link to Tom Scott's excellent video on the topic:

 

[Bensemus]

I don’t see how this isn’t asking for a back door. Using Apple, the police could ask for all the iMessage data but it will be encrypted if it’s just pulled from the storage and useless I’m assumng. The only way to use it would be to decrypt it which requires access to the Secure Enclave I would assume as that’s the only place the key(s) are stored.

 

How is this any different then what the FBI asked? 

[overlord360]

7 minutes ago, Bensemus said:

I don’t see how this isn’t asking for a back door. Using Apple, the police could ask for all the iMessage data but it will be encrypted if it’s just pulled from the storage and useless I’m assumng. The only way to use it would be to decrypt it which requires access to the Secure Enclave I would assume as that’s the only place the key(s) are stored.

 

How is this any different then what the FBI asked? 

"

Think of it this way: if you use an app to send a message to your friend, it's encrypted as it travels between the two phones or devices.

When it arrives, it's decrypted for your friend to read.

Under the proposed changes, if law enforcement agencies have a valid search warrant to monitor your phone, they could read the decrypted message at the same time as your friend does." ~ Source

 

I believe they aren't asking the break the encryption between the two phones but have the ability to gather data from the end user. Whether or not this is possible is something i do not know.

[Drak3]

This is literally just a modernized search warrant.

 

Nothing close to what people think it is.

18 minutes ago, Bensemus said:

How is this any different then what the FBI asked?

The FBI wanted a backdoor that they can access sans warrant.

 

This is Australlia modernizing laws so that encrypted devices are subject to search warrants, the same way that a locked car or shed would be.

[sazrocks]

23 minutes ago, Drak3 said:

This is Australlia modernizing laws so that encrypted devices are subject to search warrants, the same way that a locked car or shed would be.

That's exactly the same as what happened with the FBI in the case of the san bernandino shooter's iPhone. The Australian government wants tech companies to be legally obligated to assist in circumvention of the encryption on their devices when presented with a warrant. The problem is that those tech companies are currently literally unable to do this because the encryption keys are (as any sane developer would do) located on the device in question and thus irretrievable without a passcode.

That's where the third stage comes in:

Quote

The third stage is not only compulsory for a company or individual to abide by, but also means they may have to work to build their own systems to help monitor activity.

This literally means building a back door, which in the least consists of the manufacturer (or government) keeping possession of a a key that can at will decrypt the contents of a particular device, if not all devices from that company.

 

 

To relate this to your analogy, this would be like forcing the company to keep copies of keys to all the sheds that they sell so that law enforcement can look inside when they want.

[vanished]

This is the same government that said that the laws of mathematics don't apply to them, and only the laws they make apply, right?  When I read that headline I legitimately thought they were just mandating that it would now be breakable as if it was a magical incantation

[Drak3]

34 minutes ago, sazrocks said:

That's exactly the same as what happened with the FBI in the case of the san bernandino shooter's iPhone. The Australian government wants tech companies to be legally obligated to assist in circumvention of the encryption on their devices when presented with a warrant. The problem is that those tech companies are currently literally unable to do this because the encryption keys are (as any sane developer would do) located on the device in question and thus irretrievable without a passcode.

That's where the third stage comes in:

This literally means building a back door, which in the least consists of the manufacturer (or government) keeping possession of a a key that can at will decrypt the contents of a particular device, if not all devices from that company.

 

 

To relate this to your analogy, this would be like forcing the company to keep copies of keys to all the sheds that they sell so that law enforcement can look inside when they want.

Read the actual article. The australian govt. isn't being unreasonable with it atm.

[Arika]

1 hour ago, sazrocks said:

This is like asking a lock company to give master keys for all of the locks that they make to law enforcement, but law enforcement promises to keep those keys safe

well, i mean, technically law enforcement does have a master key,

 

 

 

[Drak3]

1 minute ago, Arika S said:

well, i mean, technically law enforcement does have a master key,

 

 

 

Alternative masterkey.

 

Fun fact, I can retro fit my $500 pump with that same style of barrel for $200, and have my own master key as well.

[Arika]

1 minute ago, Drak3 said:

Alternative masterkey.

 

Fun fact, I can retro fit my $500 pump with that same style of barrel for $200, and have my own master key as well.

and for when law enforcement comes up against door enforcement

 

[kirashi]

2 hours ago, overlord360 said:

1. The first level is voluntary, where the police ask if the company is willing to hand over the data from a user.
2. The second stage is mandatory where the police demand that the company hand's over the data and will face a $10 million (AUD) fine for companies or $50,000 for individuals
3. "The third stage is not only compulsory for a company or individual to abide by, but also means they may have to work to build their own systems to help monitor activity." ~ Source

1. Voluntary - companies decline to hand over the data.
2. Fine for non-compliance - companies provide fully encrypted data.
3. Backdoors - Society overthrows the government for attempting to create a Brave New World.

I can't possibly see how this could go wrong. Oh well. ¯\_(ツ)_/¯

 

[LAwLz]

Don't let them fool you with "alternative terms". This is by definition a backdoor. There is no such thing in cryptography as a "side-door". It's just them trying to avoid using the word backdoor because it is very stigmatized (for good reasons).

 

It's like how thieves can say "I didn't steal from him, I just borrowed without asking".

It's just playing around with words to make their actions sound less bad than they are.

 

 

59 minutes ago, Ryan_Vickers said:

This is the same government that said that the laws of mathematics don't apply to them, and only the laws they make apply, right?  When I read that headline I legitimately thought they were just mandating that it would now be breakable as if it was a magical incantation

Haha I had forgotten about that.

Direct quote from the prime minister:

Quote

Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.

 

 

 

40 minutes ago, Drak3 said:

Read the actual article. The australian govt. isn't being unreasonable with it atm.

They are most certainly being unreasonable. They are asking companies to make huge compromises in their security, which will puts people at risk.

Remember that government tools have been leaked before, quite often in fact.

Remember that stolen government tools has been weaponized before, such as WannaCry.

 

If you think WannaCry was bad, this is basically a law which says companies must agree to help the development of vulnerabilities, and they aren't allowed to patch them.

[sazrocks]

29 minutes ago, Drak3 said:

Read the actual article.

I did. And here's a quote from the Actual article:

Quote

The third stage is not only compulsory for a company or individual to abide by, but also means they may have to work to build their own systems to help monitor activity.

Let's look at this part:

Quote

they may have to work to build their own systems to help monitor activity.

This essentially means that companies must compulsorily make their systems easier for the government to access. Now, unless the companies decide to just make it easier for everyone in the world to access those devices out of fairness, this is literally a backdoor.

[asus killer]

seems perfectly reasonable to me that a country can enforce a company to comply with a search warrant in prevention or fight against crime.

[sazrocks]

Just now, asus killer said:

seems perfectly reasonable to me that a country can enforce a company to comply with a search warrant in prevention or fight against crime.

No, this is horrible. Please see these two posts:

 

[LAwLz]

1 minute ago, asus killer said:

seems perfectly reasonable to me that a country can enforce a company to comply with a search warrant in prevention or fight against crime.

The problem is that it's kind of like saying "it's perfectly reasonable that a country demands that knives me manufactured in a way where they can only stab bad people, not good ones".

Sounds good in theory, but it can't be done in practice.

 

If you allow the police to enter your devices, then you simultaneously allow everyone else too, including Russia, China, ISIS, North Korea etc.

Remember, WannaCry was a tool developed by the NSA which leaked. The same thing will inevitably happen with these mandatory backdoors. Except these backdoors will most likely have far more privileges than WannaCry.

[asus killer]

1 minute ago, sazrocks said:

No, this is horrible. Please see these two posts:

 

i like my privacy like anyone else, but i don't put privacy above anything else, police should have access to someones phone as long as there is a legal process involved and a search warrant issued by a judge. That's like saying we shouldn't have license plates as it defeats our privacy on the road. Besides before smart phones police could listen to someones calls with a search warrant and this privacy at all cost nonsense was never an issue.

[overlord360]

1 minute ago, asus killer said:

Besides before smart phones police could listen to someones calls with a search warrant and this privacy at all cost nonsense was never an issue.

The issue with a "back door" is that it's not listening to the current conversation but listening to every conversation you've ever had on this particular platform.

[asus killer]

1 minute ago, LAwLz said:

The problem is that it's kind of like saying "it's perfectly reasonable that a country demands that knives me manufactured in a way where they can only stab bad people, not good ones".

Sounds good in theory, but it can't be done in practice.

 

If you allow the police to enter your devices, then you simultaneously allow everyone else too, including Russia, China, ISIS, North Korea etc.

Remember, WannaCry was a tool developed by the NSA which leaked. The same thing will inevitably happen with these mandatory backdoors. Except these backdoors will most likely have far more privileges than WannaCry.

don't you have to make hard choices in life every day?

You are basically saying crime get's a "all you can eat" pass just because the system can abuse it, bad guys can use it. Seems fair and unreasonable at the same time. You just have to measure the consequences of both. I'm going with not giving crime this tool unchecked even if it cost a bit of my privacy. You have always the option to not use a phone or use it with extra care to not reveal what you want to be private.

[LAwLz]

6 minutes ago, asus killer said:

i like my privacy like anyone else, but i don't put privacy above anything else, police should have access to someones phone as long as there is a legal process involved and a search warrant issued by a judge. That's like saying we shouldn't have license plates as it defeats our privacy on the road. Besides before smart phones police could listen to someones calls with a search warrant and this privacy at all cost nonsense was never an issue.

No, it's not like saying we shouldn't have license plates.

It's like saying we shouldn't have mandatory remote controlled bombs in every car because the police want to remotely be able to neutralize a potential threat.

 

Even if you don't give a damn about privacy it's still extremely bad from a security standpoint.

Again, look at WannaCry. That would be a small attack compared to the attack that would happen using these mandatory backdoors.

 

Then there is also the issue of what the backdoors would be used for. The Australian government might say they only want to use it for terrorist investigations, but Russia or China might demand access to the same backdoor. What are they going to use it for? Maybe crack down on people who has the "wrong" political views. And no, it is not possible to create a backdoor that only the Australian government can use, and only for the "right" purposes.

 

 

1 minute ago, asus killer said:

don't you have to make hard choices in life every day?

You are basically saying crime get's a "all you can eat" pass just because the system can abuse it, bad guys can use it. Seems fair and unreasonable at the same time. You just have to measure the consequences of both. I'm going with not giving crime this tool unchecked even if it cost a bit of my privacy. You have always the option to not use a phone or use it with extra care to not reveal what you want to be private.

I don't have to make that many hard choices, no. Even if I had, mandatory backdoors is to me a very simple choice. They should not exist.

Again, this is not about privacy. It's just bad from a security standpoint. As soon as one of these tools leaks or gets discovered, which they will, everyone with a backdoored device is at risk. You think the alleged attacks from North Korea, China and Russia have been bad? They will be tiny in comparison.

 

Also, there are several open source encryption tools out there. If these backdoors became mandatory people would just use those.

Even if we ignore the fact that a lot of terrorist attacks are organized through face-to-face conversations and burner phones, terrorists could just add another layer of encryption and the entire backdoor would be pointless.

[Arika]

1 minute ago, asus killer said:

don't you have to make hard choices in life every day?

You are basically saying crime get's a "all you can eat" pass just because the system can abuse it, bad guys can use it. Seems fair and unreasonable at the same time. You just have to measure the consequences of both. I'm going with not giving crime this tool unchecked even if it cost a bit of my privacy. You have always the option to not use a phone or use it with extra care to not reveal what you want to be private.

Agreed

 

I put safety above privacy

[Drak3]

32 minutes ago, sazrocks said:

I did. And here's a quote from the Actual article:

Let's look at this part:

This essentially means that companies must compulsorily make their systems easier for the government to access. Now, unless the companies decide to just make it easier for everyone in the world to access those devices out of fairness, this is literally a backdoor.

Monitoring activity =/=backdoor into devices. Scanning traffic over one's servers is just that. It's not scanning the contents of a device. It's not forcing someone to decrypt their device arbitrarily.

 

And any international telecom company, Google, Facebook, Twitter, etc. is already doing this, partially because it does help investigators.

[asus killer]

4 minutes ago, overlord360 said:

The issue with a "back door" is that it's not listening to the current conversation but listening to every conversation you've ever had on this particular platform.

like them getting a search warrant to your house and even knowing the color of your underwear, of reading someones diary?