Australia passes laws compelling companies to offer up encryption master keys *facepalm*

Master Disaster

As discussed here...

 

Australia has been looking at these laws recently. Well on the final day of Australian parliament the laws have been passed.

Quote

Australia has passed controversial laws designed to compel technology companies to grant police and security agencies access to encrypted messages.

 

The government says the laws, a world first, are necessary to help combat terrorism and crime.

 

However critics have listed wide-ranging concerns, including that the laws could undermine the overall security and privacy of users.

The laws were rushed through parliament on its final day of the year.

 

The Labor opposition said it had reluctantly supported the laws to help protect Australians during the Christmas period, but on Friday it said that "legitimate concerns" about them remained.

 

Cyber-security experts have warned the laws could now create a "global weak point" for companies such as Facebook and Apple.

Unlike in China, Russia & Turkey where E2E encryption is outright banned, in Australia the technology will be allowed to exist but the Aussie government now has the power to force tech companies to either decrypt data or create a method by which the government can decrypt data.

Quote

It differs from laws in China, Russia and Turkey, where services offering end-to-end encryption are banned.

 

Under Australia's legislation, police can force companies to create a technical function that would give them access to encrypted messages without the user's knowledge.

 

"This ensures that our national security and law enforcement agencies have the modern tools they need, with appropriate authority and oversight, to access the encrypted conversations of those who seek to do us harm," Attorney-General Christian Porter said.

Obviously security experts are pointing out the glaring flaw: it's impossible to create a targeted backdoor; any system of access opens up everyone's data to be viewed. If the backdoor is leaked, well, I'm sure you can all guess the rest.

Quote

However, cyber-security experts say it's not possible to create a "back door" decryption that would safely target just one person.

 

"Any vulnerability would just weaken the existing encryption scheme, affecting security overall for innocent people," said Dr Chris Culnane from the University of Melbourne.

 

Such a "security hole" could then be abused or exploited by criminals, he said.

 

In a bid to address these concerns, Australia's law offers a safeguard which says decryptions won't go ahead if they create a "systemic weakness".

 

However critics say the definition of "systemic weakness" is vague, meaning it is unclear how it may be applied.

A range of other concerns have been raised.

Quote

Digital rights advocates are highly critical of Australia's move, saying it lacks sufficient checks and balances.

 

The Electronic Frontier Foundation has said police could order individual IT developers to create technical functions without their company's knowledge.

 

"This has the potential for Australian tech firms to have no clue whether they were even subject to an order," the foundation's Nate Cardozo told the BBC.

 

There is also criticism over how fast the laws were passed. A draft bill was presented only in August.

 

A parliamentary committee examining the legislation did not release its report until late on Wednesday.

 

Labor initially proposed 173 amendments to the bill, but agreed to drop them on Thursday so that the law would be passed this year.

In return, the government pledged to debate possible amendments next year.

 

But the nation's top legal society, the Law Council of Australia, said on Friday that the laws had been "rammed" through the parliament with inadequate consideration.

The reality of this means many multinational companies might simply withdraw from Australia entirely rather than comply with these rules.

Quote

If companies don't comply with the laws, they risk being fined.

 

That's led to speculation that some global firms which have vocally opposed the laws could withdraw from the Australian market.

 

However, Dr Culnane said that most companies are likely to comply - partly because users won't be aware if their messages have been accessed.

 

However, experts say the full implications are unclear and much uncertainty remains. Some firms have already suggested that they may not be subject to Australian law.

 

Experts add that, given the debate involves national security, many aspects may play out behind closed doors.

https://www.bbc.co.uk/news/world-australia-46463029

 


 

This is what happens when you let luddites control laws surrounding technology. RIP any and all privacy in Australia, I only hope this stays over there and doesn't spread.

 

I suppose the good take from this is it doesn't appear to be finalised yet, it sounds like it's still open to change.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


and people wonder why their stuff can get hacked. this is why. any strong encryption gets broken by governments. 

She/Her


How to paint a massive target on your back 101

My Rig - Intel I7-5820k@ 4ghz| Rampage V Extreme| 4x4GB Corsair Vengeance DDR4|RTX 2060 SUPER| Corsair 650D| Corsair HX750| 2TB Samsung 850 EVO| H100i| 3x SF-120's| 1x 240 cooler master Red LED Front intake

 

Everything I say defaults to include /s

 

 


11 minutes ago, ravenshrike said:

About 2 seconds after this is actually implemented, every major country on earth will have access to all of Australia's private encryption.

You know what's going to happen? (I won't advocate it but I'll laugh when it does). Some group like Anonymous will crack the system, use it to target all the politicians behind this absurdity and dox every single one of them.


This is the most absurd, poorly thought out shitshow I've ever seen... RIP privacy...

I will only ever answer to the best of my ability - there are absolutely no promises that I will be correct. Or helpful. At all.

 

My toaster:

Spoiler

CPU: Intel Core i5-4670k @ 4.3GHz
Motherboard: Asus Maximus VI Formula
RAM: 16GB Corsair Vengeance DDR3
GPU: Nvidia GeForce GTX770 2GB
Case: Some free Sharkoon case
Storage: Crucial MX500 500GB SSD | Western Digital Blue 1TB
PSU: Corsair HX750
Display(s): Acer frameless 24" 1080p thing | Acer 22" 1600x900 thing
Cooling: Corsair H100i AIO | 2 x Corsair LL120 front intakes on radiator | 1 x Corsair LL120 rear exhaust
Keyboard: Steelseries Apex
Mouse: R.A.T 7
Sound: HyperX Cloud II headset | Creative EAX 5.1 speakers
OS: Windows 10 Pro

 


And if I were a tech company, I would tell Australia to shove it and block access to them. 

Same with the EU once they pass the absurd copyright law

Laptop:

Spoiler

HP OMEN 15 - Intel Core i7 9750H, 16GB DDR4, 512GB NVMe SSD, Nvidia RTX 2060, 15.6" 1080p 144Hz IPS display

PC:

Spoiler

Vacancy - Looking for applicants, please send CV

Mac:

Spoiler

2009 Mac Pro 8 Core - 2 x Xeon E5520, 16GB DDR3 1333 ECC, 120GB SATA SSD, AMD Radeon 7850. Soon to be upgraded to 2 x 6 Core Xeons

Phones:

Spoiler

LG G6 - Platinum (The best colour of any phone, period)

LG G7 - Moroccan Blue

 


I usually don't support criminal activity, but in this case, I hope everyone involved in this gets hacked and doxed (preferably through their very own hole they demand to be created) so hard they won't even slightly consider such idiocy ever again. Because apparently the only way to make these idiots understand privacy is to make them learn it the hard way.

 

Btw, how are they planning on pulling this law off? Let's take ProtonMail or Tutanota as an example, both prominent for E2E encryption of e-mails. One is located in Switzerland, the other in Germany. They do not follow Australian laws. Is Australia just gonna hard block them entirely? Because you can be assured they won't hand out any backdoors.


1 hour ago, firelighter487 said:

and people wonder why their stuff can get hacked. this is why. any strong encryption gets broken by governments. 

The reason they are asking for the keys is because they can't crack the encryption, otherwise why let everyone know that you are snooping around?

 

The issue I have with this is not how ridiculously dangerous passing on these keys is but how easily it is circumvented. Bob the Gangster only needs to use PGP and this plan falls into the water, dragging the privacy of ordinary citizens with it.


11 minutes ago, RejZoR said:

I usually don't support criminal activity, but in this case, I hope everyone involved in this gets hacked and doxed (preferably through their very own hole they demand to be created) so hard they won't even slightly consider such idiocy ever again. Because apparently the only way to make these idiots understand privacy is to make them learn it the hard way.

 

Btw, how are they planning on pulling this law off? Let's take ProtonMail or Tutanota as an example, both prominent for E2E encryption of e-mails. One is located in Switzerland, the other in Germany. They do not follow Australian laws. Is Australia just gonna hard block them entirely? Because you can be assured they won't hand out any backdoors.

We had this discussion in the previous thread. If a company operates in a territory outside of where they're based they are obligated to follow any and all laws that exist in any country they operate in.

 

The companies can choose to withdraw from the territory entirely or change their business model (either locally or globally) to follow the laws but they must obey them.

 

The biggest spanner in the works is going to come when residents outside of Australia get caught up in all this. I can't imagine the EU will be happy if Gunther from Germany has his private emails read simply because he's had correspondence with Bruce from Australia who happens to have committed a crime on the other side of the world.

 

I think secretly the rest of the world's governments will be watching this and waiting to see how it turns out. The US & UK governments (as well as many others I'd imagine) would probably love to have laws like this in place too. It's only a matter of time now.


Great job Australia, this ain't ever gonna work.

Like OP mentioned, a targeted backdoor is bound to be found and abused.

When the PC is acting up haunted,

who ya gonna call?
"Monotone voice" : A local computer store.

*Terrible joke I know*

 


5 minutes ago, Master Disaster said:

We had this discussion in the previous thread. If a company operates in a territory outside of where they're based they are obligated to follow any and all laws that exist in any country they operate in.

 

The companies can choose to withdraw from the territory entirely or change their business model (either locally or globally) to follow the laws but they must obey them.

 

The biggest spanner in the works is going to come when residents outside of Australia get caught up in all this. I can't imagine the EU will be happy if Gunther from Germany has his private emails read simply because he's had correspondence with Bruce from Australia who happens to have committed a crime on the other side of the world.

 

I think secretly the rest of the world's governments will be watching this and waiting to see how it turns out. The US & UK governments (as well as many others I'd imagine) would probably love to have laws like this in place too. It's only a matter of time now.

How do you define "where they operate"? The Internet doesn't work like that. They provide service, it's up to users to reach out to them. It's different if they had an office in Australia. Which means for users to be denied their service, Australia would have to actively ban their service specifically. Basically, if you're a resident of Australia and would want to use ProtonMail, it would refuse to load because of this BS. There is no other way around it quite frankly.


1 minute ago, RejZoR said:

How do you define "where they operate"? The Internet doesn't work like that. They provide service, it's up to users to reach out to them. It's different if they had an office in Australia. Which means for users to be denied their service, Australia would have to actively ban their service specifically. Basically, if you're a resident of Australia and would want to use ProtonMail, it would refuse to load because of this BS. There is no other way around it quite frankly.

Afaik if they offer a service to a resident of that country then they operate in that country.

 

Valve tried the whole "we're an American company" thing when it came to the refund lawsuit and it didn't work out well for them.


If that's the case, then everyone has to either openly state that the Australian government can at any time read any mail or entirely pull out of the Australian market by actively preventing usage of their service. Imagine it's impossible to send an e-mail in Australia because providers refuse to follow this insane Aussie idea. I mean big ones as well like Google (GMail). Because while Google is a privacy nightmare, I don't think they'll go along with this idea despite all that.


People in government be like. How stupid can you be.. 


CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 


6 minutes ago, RejZoR said:

If that's the case, then everyone has to either openly state that the Australian government can at any time read any mail or entirely pull out of the Australian market by actively preventing usage of their service. Imagine it's impossible to send an e-mail in Australia because providers refuse to follow this insane Aussie idea. I mean big ones as well like Google (GMail). Because while Google is a privacy nightmare, I don't think they'll go along with this idea despite all that.

I honestly don't think the politicians have considered the knock-on effect of this. They're so single-minded in achieving what they want that nothing else matters.

 

I'm still hopeful that once the sheer absurdity of these laws comes out they'll back down. They might end up having to tbh because you're entirely correct, this is going to cause chaos for a great many people and companies around the world.


I hope companies pull that shit and drop Australia into dark ages without any e-mail communications (or any other type of communication means for that matter) for a short while and show what happens when you try to play god with people's privacy.


38 minutes ago, ScratchCat said:

The reason they are asking for the keys is because they can't crack the encryption

yea, but other governments want companies to install backdoors.


2 hours ago, Master Disaster said:

The reality of this means many multinational companies might simply withdraw from Australia entirely rather than comply with these rules

Please do that. It would be so much fun

:)


Doubt this would cause any company exodus. Money is money. Companies give zero fucks if they can make money.

 

In regards to backdoors I expect there to be bustling activity in the courts of Australia. Some companies will attempt to argue that any backdoor would be a systemic weakness and the government's lawyers will argue that security is like Schroedinger's cat: things can be secure while not being secure.


16 minutes ago, Trixanity said:

Doubt this would cause any company exodus. Money is money. Companies give zero fucks if they can make money.

i see this as going

 

Gov: give us your keys

tech companies: no

Gov: but you have to, it's the law

tech companies: then we'll pull out of Aus

Gov: oh...uh...no don't do that, sorry, we were just kidding

🌲🌲🌲

 

 

 

◒ ◒ 


A predictably terrible 'security' measure from the country that has had judges issue search warrants for the entire internet.


What is a company running a simple HTTPS website supposed to do, when the koala police come knocking for a way to decrypt people's traffic to their website? Hand over their private keys?


25 minutes ago, Trixanity said:

Doubt this would cause any company exodus. Money is money. Companies give zero fucks if they can make money.

 

In regards to backdoors I expect there to be bustling activity in the courts of Australia. Some companies will attempt to argue that any backdoor would be a systemic weakness and the government's lawyers will argue that security is like Schroedinger's cat: things can be secure while not being secure.

Companies do give fucks about their own private affairs though, remember this doesn't just expose the public, all of Google, Facebook, Tesla, "insert greedy corporation name here" stand to have their personal data available to the Aussie government too.


Yeah this is fine, I can see absolutely no problem here

/s

 

We all know that this law will end up being reversed, and we also know when.

When shit hits the fan hard, which it will.

 

They are now collecting all the shit (the private keys) and the fan, well that's the hacker or hackers that are going to take the shit and throw it all over the place.

We KNOW it will happen, it just will, only a matter of time.

 

Also govs and security aren't a great match so I doubt it will take a long time.

If you want my attention, quote meh! D: or just stick an @samcool55 in your post :3

Spying on everyone to fight against terrorism is like shooting a mosquito with a cannon
