Australian Surveillance Bill allows Law Enforcement to Add to, Modify, or Delete Anyone's Data, and Take Over Their Online Accounts

Message added by WkdPaul,

Keep all discussion civil and on-topic; about the implication of the bill, and not the political side of it. Political discussions have a site-wide ban, and political / inflammatory replies will be removed without notice.

3 hours ago, leadeater said:

Like my CSAM example, right now police do not have the powers or are allowed to use evidence from planting digital tracking into a person's account yet they are allowed to plant a GPS tracker on your car. They are allowed to honey pot you with their own websites or accounts etc but that's not always that effective, whereas infiltrating a known person's account who is part of a CSAM group and planting digital tracking would be more effective but far as I know that isn't allowed until these amendments were passed.

Jesus Christ what is up with this CSAM bullshit? Why is every sketchy law and policy related to CSAM? People are acting like there is an epidemic of children being abused going on.

It's a rare crime. Probably even lower in Australia since it is a low crime country.

 

 


10 minutes ago, avg123 said:

Jesus Christ what is up with this CSAM bullshit? Why is every sketchy law and policy related to CSAM? People are acting like there is an epidemic of children being abused going on.

It's a rare crime. Probably even lower in Australia since it is a low crime country.

Fine replace it with any other crime where you have dependency on computers and internet. I chose an example that is quite simple to explain, I'd rather not fill a topic with pointless examples of the problems with investigating crimes and evidence gathering online.

 

Also it's really not that rare, not as rare or really non-existent as it should be and it's extremely serious.

 

https://www.theguardian.com/australia-news/2020/nov/11/australian-police-bust-online-child-abuse-ring-charging-14-men

https://www.bbc.com/news/world-australia-54897937

https://www.nzherald.co.nz/world/australian-federal-police-bust-huge-child-sex-abuse-ring/QVWVGOIPQZWOZWRELG5N55Y6WY/

 

And another different case

https://www.bbc.com/news/world-australia-54654645

 

Quote

The AFP said it had rescued 134 children from child exploitation this year, including 67 who were not in Australia.

And that 134 does not include the 46 from the month after this story.

 

Want to know why it's a good example and why laws are being asked to change, see above. Know the problem before you say it's not a problem.

Edited by leadeater

3 hours ago, Forbidden Wafer said:

Legally speaking, this is an aberration. They're literally allowing fabrication and tampering of the evidence. It is even worse as they're allowed to do so during the investigation.

Well I think the fabrication/tampering is only allowed in restricted scenarios (like my example above where if it's like an email calling for a hit).  It's also digital, so it will be fairly simple I think to have logs of the transaction (and be able to challenge such a thing in court...assuming it is revealed though).

 

3 hours ago, leadeater said:

Now of course there are plenty of historical examples of police corruption and evidence tampering or planting which has led to tighter scrutiny and less of it, I mean even here in my country there was quite a big problem with that in the 80's but today, no.

Sadly it is still happening (although, yea maybe less...although maybe they are just getting caught less) https://www.washingtonpost.com/nation/2019/07/11/florida-cop-meth-drugs-arrests-scandal/

IIRC with the 11 people who the officer framed, it was only one employee thinking something was weird (and after being told to not look into it they still looked into it and discovered it).  [I could be remembering another case, as it was around the same time as this one]

 

On a different note

I get it's always a slippery slope argument that people are trying to make, but at the same time I look at things like Singapore and wonder if some of the sensationalism is valid.

https://www.zdnet.com/article/singapore-police-can-access-covid-19-contact-tracing-data-for-criminal-investigations/

The covid tracking data (not GPS, as it wasn't collected) was supposed to be only for restricted access, but now they are saying law enforcement is able to access it for crimes not related to covid.

3735928559 - Beware of the dead beef


8 minutes ago, leadeater said:

Fine replace it with any other crime where you have dependency on computers and internet. I chose an example that is quite simple to explain, I'd rather not fill a topic with pointless examples of the problems with investigating crimes and evidence gathering online.

 

Also it's really not that rare, not as rare or really non-existent as it should be and it's extremely serious.

 

https://www.theguardian.com/australia-news/2020/nov/11/australian-police-bust-online-child-abuse-ring-charging-14-men

https://www.bbc.com/news/world-australia-54897937

https://www.nzherald.co.nz/world/australian-federal-police-bust-huge-child-sex-abuse-ring/QVWVGOIPQZWOZWRELG5N55Y6WY/

 

And another different case

https://www.bbc.com/news/world-australia-54654645

 

Want to know why it's a good example and why laws are being asked to change, see above. Know the problem before you say it's not a problem.

So what's next? We will have cameras installed inside our house monitoring us 24/7 because some men committed some crime somewhere?

Everyone is a criminal now?

Because these laws are the digital equivalent of that being done to anyone.

 

 

 


14 minutes ago, avg123 said:

Because these laws are the digital equivalent of that being done to anyone.

No they aren't but I've already accepted that a reasoned discussion with you about this is likely impossible so we can just leave it here.


"Modifying data" That one seems weird. Do they mean we can add data to your data to incriminate you? Because that is what it sounds like.

 (\__/)

 (='.'=)

(")_(")  GTX 1070 5820K 500GB Samsung EVO SSD 1TB WD Green 16GB of RAM Corsair 540 Air Black EVGA Supernova 750W Gold  Logitech G502 Fiio E10 Wharfedale Diamond 220 Yamaha A-S501 Lian Li Fan Controller NHD-15 KBTalking Keyboard


19 minutes ago, kuddlesworth9419 said:

"Modifying data" That one seems weird. Do they mean we can add data to your data to incriminate you? Because that is what it sounds like.

Yes and no.  In theory a rogue cop could do something like this, but realistically if it went to courts and you claimed it wasn't you then you could request the logs to prove you are innocent.  It's not akin to planting evidence on you, as in this case it is a lot easier of a trail.

 

Although, with the accessing of data and it being secretive...it could be that they "plant" something and then use it as justification to get a warrant for something else (and in this case you wouldn't know or be able to challenge it since there is a gag order kind of thing linked in the bill)

3735928559 - Beware of the dead beef


17 hours ago, avg123 said:

Australia is turning into a nightmare.

It already is. 

Did you know that Australian border control can demand that you hand over your devices (like laptops and smartphones) and passwords to them? Refusing to hand over your password can cost up to 5000 dollars, as well as other punishment. 

No warrant or even reasonable suspicion required. No info about why they want it or what they do with your device either. They can just go "hey, you need to give us your phone and passwords. We'll be in this other room for a while with your phone. You sit here and wait and we'll give it back to you sometime later". 

 

Australia is and has been a privacy nightmare for ages. 

 

 

Seems like this law is just aimed at making occurrences like this one legal:

https://www.smh.com.au/national/nsw/legal-action-after-border-force-officer-secretly-texted-on-passengers-phone-20160219-gmy8c3.html

 


4 hours ago, wanderingfool2 said:

Yes and no.  In theory a rogue cop could do something like this, but realistically if it went to courts and you claimed it wasn't you then you could request the logs to prove you are innocent.  

Yeah, right. Considering our electoral tribunal got hacked, the voting machine codes and databases got modified and the logs were mysteriously deleted due to a misconfiguration... I don't trust any government for that kind of stuff.

 

Seeing the data is ok. Deletion during investigation is evidence destruction. Modification, at any time, is criminal by itself.


3 hours ago, Forbidden Wafer said:

Seeing the data is ok. Deletion during investigation is evidence destruction. Modification, at any time, is criminal by itself.

That all depends really on context. Again, imagine a scenario where it's a known terrorist and they receive an email "detonate the bomb at noon". Without this law, it would be "illegal" to delete the message. This is one of the provisions that seems to actually require a full on judge to issue a warrant as well.

 

Also, looking through the law a bit more...it seems as though the modification is more limited to things like this.  You know a computer/user exists (but can't track), and they get a warrant to essentially hack into the computer (to presumably gather information).

 

3 hours ago, Forbidden Wafer said:

Yeah, right. Considering our electoral tribunal got hacked, the voting machine codes and databases got modified and the logs were mysteriously deleted due to a misconfiguration... I don't trust any government for that kind of stuff.

We are talking about third parties, not the government who would be keeping logs (well I am sure there is paperwork on the government side as well). The third parties would most undoubtedly protect themselves, because they could be liable if they make mistakes...and guess what, in court if you claim something was modified you could easily ask for the logs...if the logs were "deleted" then it would benefit you (in that you can make claims the evidence is no longer sound).

 

6 hours ago, LAwLz said:

Did you know that Australian border control can demand that you hand over your devices (like laptops and smartphones) and passwords to them? Refusing to hand over your password can cost up to 5000 dollars, as well as other punishment.

A proper source....you do realize that pretty much any border agent can demand such a thing?  (Canada, US, NZ, Australia).  In most scenarios though, it's under "impeding an investigation" or something similar (like here in Canada I could claim it's a 50k fine).  From skimming the customs act, it seems more like as long as you give access (unlock and disable pin) it wouldn't be required to give the password.

 

3735928559 - Beware of the dead beef


8 hours ago, LAwLz said:

It already is. 

Did you know that Australian border control can demand that you hand over your devices (like laptops and smartphones) and passwords to them? Refusing to hand over your password can cost up to 5000 dollars, as well as other punishment. 

No warrant or even reasonable suspicion required. No info about why they want it or what they do with your device either. They can just go "hey, you need to give us your phone and passwords. We'll be in this other room for a while with your phone. You sit here and wait and we'll give it back to you sometime later". 

 

Australia is and has been a privacy nightmare for ages. 

 

 

Seems like this law is just aimed at making occurrences like this one legal:

https://www.smh.com.au/national/nsw/legal-action-after-border-force-officer-secretly-texted-on-passengers-phone-20160219-gmy8c3.html

 

Pretty sure the US border agents had also been doing device searches for international travelers for some time too. To such extent that it is recommended that if you’ve sensitive data, to have it stored in the cloud for retrieval later, and keep devices on your person sanitized of said data. 
 

https://www.thelawforlawyerstoday.com/2018/10/border-searches-of-your-e-device-encryption-may-be-of-limited-value-in-protecting-client-data/


https://www.schneier.com/blog/archives/2008/05/crossing_border.html

 

(^^^this article is from 2008 btw)

 

 

https://www.dhs.gov/publication/border-searches-electronic-devices

 

 

My eyes see the past…

My camera lens sees the present…


5 hours ago, wanderingfool2 said:

A proper source....

What do you mean by "a proper source"? Are you asking me to provide a proper source? The news article wasn't enough?

Here is the specific law that has been cited to justify these actions:

http://www5.austlii.edu.au/au/legis/cth/consol_act/ca1901124/s186.html

 

As you can see, the law does not explicitly state "you must hand over your password if we ask you", obviously, but here is a word for word quote on how the authorities in Australia interpret the law:

 

Quote

Under Section 186 of the Customs Act 1901, Australian Border Force officers have the power to examine all goods at the border, including electronic documents and photos on mobile phones and other personal electronic devices.

 

If an individual refuses to comply with a request for an examination of their electronic device, that device may be held until the ABF is satisfied that the item does not present a risk to the border.

This article is a fairly good overview of the situation:

https://www.abc.net.au/news/2019-04-21/what-are-your-rights-when-being-searched-at-an-airport/11020392

 

 

5 hours ago, wanderingfool2 said:

you do realize that pretty much any border agent can demand such a thing?  (Canada, US, NZ, Australia).

Whataboutism isn't an argument.

 

 

5 hours ago, wanderingfool2 said:

In most scenarios though, it's under "impeding an investigation" or something similar (like here in Canada I could claim it's a 50k fine).

 What is your point? That in most cases it's only horrible and not absolutely atrocious? 

 

 

5 hours ago, wanderingfool2 said:

From skimming the customs act, it seems more like as long as you give access (unlock and disable pin) it wouldn't be required to give the password.

And that makes it okay in your mind?

Giving up your password or having to disable your password are essentially the same thing. Both are equally bad.

 

 

 

  

4 hours ago, Zodiark1593 said:

Pretty sure the US border agents had also been doing device searches for international travelers for some time too. To such extent that it is recommended that if you’ve sensitive data, to have it stored in the cloud for retrieval later, and keep devices on your person sanitized of said data.

Yeah, the US border control is also awful. Doesn't excuse the behavior of Australia though.

I was mostly aware of Australia because one of my colleagues went on holiday there once. Since he sometimes works for the Swedish military, he had to wipe his laptop before he left just to make sure no potentially confidential data could be forcefully seized by the Australian border control.


On 9/10/2021 at 9:31 AM, tikker said:

Ummm, "modifying data as they see fit"? What does that include, both in terms of "data" and "modifying"? I don't know the details of the bill, but this sounds rather sensitive to fraud or framing people. Isn't this effectively like a moderator here now editing my comment to say something against the rules and banning me for that?

 

inb4 ban hammer landing

 

Said moderator adding incriminating evidence against @tikker /s (skiiwee29)

A similar phenomenon in Canada. Police are allowed to claim they have evidence that they don't have in order to get a suspect to confess, often to crimes they didn't commit.

System Specs: Second-class potato, slightly mouldy


8 hours ago, LAwLz said:

Whataboutism isn't an argument.

Well if you are using it as being a privacy nightmare, then it is a relevant argument that all major countries have very similar laws. It's not my fault you used it as the "password" as the only argument to justify that it's a privacy nightmare (and singling out Australia).

 

8 hours ago, LAwLz said:

What do you mean by "a proper source"? Are you asking me to provide a proper source? The news article wasn't enough?

Well no your news article wasn't enough...first it only indirectly implies he gave the passcode (how do you know if he had a lock screen or not).

 

8 hours ago, LAwLz said:

As you can see, the law does not explicitly state "you must hand over your password if we ask you", obviously, but here is a word for word quote on how the authorities in Australia interpret the law:

I'll let what you just said sink in...followed by the second part of the law that you quoted. "If an individual refuses to comply with a request for an examination of their electronic device, that device may be held until the ABF is satisfied that the item does not present a risk to the border. "

 

That pretty much says it all..no you don't have to give the password, but if they so choose they can confiscate it until they can inspect the device.

 

It's like if you bring in a safe into a country, they can legally require to open it (or they can seize it and pry it open if you refuse).  Entering into a country, you have a lot less expectation of privacy.

3735928559 - Beware of the dead beef


2 hours ago, wanderingfool2 said:

Entering into a country, you have a lot less expectation of privacy.

That also applies to leaving as well, you can be prevented from leaving your own country. Australia did that recently to a Neo-Nazi trying to fly to Europe to join a terror group to help fight and get trained and then come back and train other members of his group.

 

Another interesting factoid is that not too long ago Australian Federal investigations into terror suspects, child exploitation and human trafficking were being directly blocked by encryption by around 50% of active cases. Last year that was 97%. Australia has what many would characterize as a hardon or vendetta against encryption and privacy however they have clear reasons as to why that is the case.

 

Many people will simply try and say that's just too bad, the problem is that is itself just a naïve point of view and is either pretending there isn't a problem or doesn't care there is a problem. It is these very groups of people that refuse to work with law enforcement and will not entertain in any way at all that laws need changing, in ways they might not like, to modernize them with current situation as it is today. The problem with the give nothing concede nothing approach is it is the direct cause of law enforcement abuse of powers, government level hacking and computer system breaches and all other manner of weaponized methods including getting other countries to do it for you.

 

I would far rather have laws in place that allow access when required and companies actually play ball and develop proper secure systems and processes for this and that high levels of auditing is required by these same laws with all breaches having mandatory jail time as minimum sentencing. All these "no log" VPNs and messaging services just scream to me "we have no way to prove your innocence" just in the same way people use it as "there is no way to prove your guilt".

 

The ability to have strong evidence with robust oversight, clear guidelines and codes of conduct along with meaningful punishment of breaches is in my opinion going to protect more people's privacy than not as I firmly believe continuing down the path of technology arms race will not lead to more privacy and it certainly won't be as easy to track it.

 

If there is one thing both sides of the debate will agree on is neither are going to back down, so either agree to mutually assured destruction or agree to compromise.


2 hours ago, leadeater said:

That also applies to leaving as well, you can be prevented from leaving your own country. Australia did that recently to a Neo-Nazi trying to fly to Europe to join a terror group to help fight and get trained and then come back and train other members of his group.

 

Another interesting factoid is that not too long ago Australian Federal investigations into terror suspects, child exploitation and human trafficking were being directly blocked by encryption by around 50% of active cases. Last year that was 97%. Australia has what many would characterize as a hardon or vendetta against encryption and privacy however they have clear reasons as to why that is the case.

 

Many people will simply try and say that's just too bad, the problem is that is itself just a naïve point of view and is either pretending there isn't a problem or doesn't care there is a problem. It is these very groups of people that refuse to work with law enforcement and will not entertain in any way at all that laws need changing, in ways they might not like, to modernize them with current situation as it is today. The problem with the give nothing concede nothing approach is it is the direct cause of law enforcement abuse of powers, government level hacking and computer system breaches and all other manner of weaponized methods including getting other countries to do it for you.

 

 

Which makes those who oppose said laws odd bedfellows. Protecting people from having to hand over incriminating data only means that you become the victim of those who would abuse that freedom. You don't become any freer when your 5yo daughter goes missing from the mall and the only thing that stands in the way of her safe return is lack of compelled access to private data.

 

2 hours ago, leadeater said:

The ability to have strong evidence with robust oversight, clear guidelines and codes of conduct along with meaningful punishment of breaches is in my opinion going to protect more people's privacy than not as I firmly believe continuing down the path of technology arms race will not lead to more privacy and it certainly won't be as easy to track it.

 

If there is one thing both sides of the debate will agree on is neither are going to back down, so either agree to mutually assured destruction or agree to compromise.

The only concern I have is that we don't have good due process. I would not have any issues with government having more power in the digital world so long as we have good honest due process for everyone accused of anything.

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


6 hours ago, wanderingfool2 said:

Well if you are using it as being a privacy nightmare, then it is a relevant argument that all major countries have very similar laws. It's not my fault you used it as the "password" as the only argument to justify that it's a privacy nightmare (and singling out Australia).

Just because Australia is a "privacy nightmare" does not mean other countries aren't as well.

"others do it too" does not make what Australia does alright in my eyes.

 

As for why Australia is a privacy nightmare, I just used that as one example. There are plenty more, including you know, the news article posted in the first post of this thread. As for why I "singled out Australia", it's because this thread is about Australia and the person I responded to was talking about Australia.

 

Here is how the conversation went.

 

Someone: Wow, Australia did something really bad regarding privacy.

Someone else: Australia is turning into a privacy nightmare.

Me: Not turning into, it already is.

You: No, stop singling out Australia! Look at how bad other countries are as well! Let's all discuss how bad the US and Canada are instead. Let's completely change the subject of the thread and talk about how bad other countries are. We should all stop talking about the bad things Australia does!

 

I was being on-topic in a response to someone else, and you got mad that I said something bad about Australia and now want to talk about the bad things other countries do. Stop it. Stick to the topic.

 

 

6 hours ago, wanderingfool2 said:

Well no your news article wasn't enough...first it only indirectly implies he gave the passcode (how do you know if he had a lock screen or not).

So the other links I posted where it explicitly states people have been forced to unlock their devices (not sure why you think it matters so much if they have to unlock the device or hand over their passwords, when the end result is exactly the same), aren't enough either? I can give you more sources if you want.

Seems to me like you're more interested in nitpicking stuff for no reason however, like trying to downplay how horrible it is that you may be forced to unlock your device and hand it over because in your mind that is less of a privacy violation than having to hand over your password, for some reason.

 

 

6 hours ago, wanderingfool2 said:

I'll let what you just said sink in...followed by the second part of the law that you quoted. "If an individual refuses to comply with a request for an examination of their electronic device, that device may be held until the ABF is satisfied that the item does not present a risk to the border. "

 

That pretty much says it all..no you don't have to give the password, but if they so choose they can confiscate it until they can inspect the device.

 

It's like if you bring in a safe into a country, they can legally require to open it (or they can seize it and pry it open if you refuse).  Entering into a country, you have a lot less expectation of privacy.

Again, I don't see why you think that matters.

A safe is far more serious to bring into a country because a safe can contain things way more harmful than some data. This is such a ridiculous false equivalency I honestly think you're trolling. 

Also, I think you are interpreting the law and thinking it is fine, when we have evidence of other people (the ones enforcing the law) interpreting it in a far worse way.


4 hours ago, leadeater said:

agree to compromise.

The problem is that you can not compromise with mathematics.

Either something is backdoored, or it isn't. If you have it backdoored then it can be used and abused however the one with access wants, with zero oversight.

 

Encryption is not something you can compromise with.


31 minutes ago, LAwLz said:

The problem is that you can not compromise with mathematics.

Either something is backdoored, or it isn't. If you have it backdoored then it can be used and abused however the one with access wants, with zero oversight.

 

Encryption is not something you can compromise with.

Ah yes the only way to implement a system for data access or account access can only be called a backdoor and must always be flawed, good argument there, not. I guess 1 vote towards continuing mutually assured destruction it is then.

 

Interesting that systems already exist where disabling auditing itself is an audit event and only a single account can do it and that password is protected and unknown and requires a formal request to get it.

 

How about think before making rash points. Backdoor arguments can go right into the bin of unacceptable responses due to zero effort and no thought being applied.

 

Edit:

P.S. Not even saying making actual encryption algorithms weaker. If you want to encrypt your files yourself and upload them to Google Drive then I'm not at all saying this should change or not be possible. This is about service and platform providers actually co-operating and keeping proper audit and access records, giving access to those, giving access to the account or any number of infinite possibilities that all pretty much fundamentally come back to the design and architecture of the service/platform itself and take these matters into account.


22 minutes ago, leadeater said:

Ah yes the only way to implement a system for data access or account access can only be called a backdoor and must always be flawed, good argument there, not.

Unironically yes.

If there is a way for a third party to access data in an unauthorized way (as in, not approved by everyone involved including the user) then it is a backdoor. That is literally the definition of a backdoor.

 

And yes, all backdoors are flawed, because a backdoor is in and of itself, by definition, a flaw in the security.

 

You're asking me to not call things by their actual names here.

 

Is there a way to circumvent the regular defensive mechanics of a system, such as view data that should be hidden? Then it's a backdoor by definition.

Is the system susceptible to an attack that breaks its defensive mechanisms, such as viewing data that should be encrypted? 

 

 

Can you come up with a bullet proof system where the government can access encrypted data which can't be exploited if desired? I can't. All of the systems I can think of leave the users at extremely high risks.

 

22 minutes ago, leadeater said:

I guess 1 vote towards continuing mutually assured destruction it is then.

That's what you are voting for. I do not want security holes in the systems I use. Do you not remember what happened with WannaCry? That's what happens when governments stockpile ways to access systems for their own needs. You can not seriously believe that we should give a government a way to look at encrypted data and then expect them to never abuse it and that such a tool never ends up leaking or in other ways falls in the wrong hands. Tools like that ALWAYS end up in the wrong hands. It has happened so many times already and that's without stupid laws that mandate they exist.

 

I am the one advocating against mutually assured destruction here because I am the one advocating for systems to be built in secure ways. You're the one who wants systems to be full of holes because "hopefully no bad person will find the holes and they will only ever be used for good things".

 

 

22 minutes ago, leadeater said:

Interesting that systems already exist where disabling auditing itself is an audit event and only a single account can do it and that password is protected and unknown and requires a formal request to get it.

Got an example of such a system? Got any evidence that such systems are actually secure and not just a ticking time bomb waiting to blow up one day?

 

 

22 minutes ago, leadeater said:

How about think before making rash points. Backdoor arguments can go right into the bin of unacceptable responses due to zero effort and no thought being applied.

"Stop making arguments I don't like".

The only ones not putting any mental effort into this are those who dismiss concerns and technical challenges with "nahh, it will probably only be used for intentions I agree with".


1 hour ago, LAwLz said:

Can you come up with a bullet proof system where the government can access encrypted data which can't be exploited if desired? I can't. All of the systems I can think of leave the users at extremely high risks.

Think harder?

 

1 hour ago, LAwLz said:

And yes, all backdoors are flawed, because a backdoor is in and of itself, by definition, a flaw in the security.

 

You're asking me to not call things by their actual names here.

 

Quote

a feature or defect of a computer system that allows surreptitious unauthorized access to data

 

If the system is designed for law enforcement access and such capability is disclosed to users then by definition it is not a backdoor. Such access would be authorized, sure not by the person under investigation but that doesn't make it unauthorized if there is a proper legal process to go through for that access.

 

Come now your thinking around this topic is extremely narrow, to the point it's blinding you.

 

1 hour ago, LAwLz said:

You can not seriously believe that we should give a government a way to look at encrypted data and then expect them to never abuse it and that such a tool never ends up leaking or in other ways falls in the wrong hands. Tools like that ALWAYS end up in the wrong hands. It has happened so many times already and that's without stupid laws that mandate they exist.

Who said anything about giving them tools? I didn't, why are you assuming that "tools" are just going to be created and handed over? Who said law enforcement would ever get direct access to the system mechanism that either grants access to the account or retrieves the information, again I did not. Seems to be a lot of assumptions being made.

 

1 hour ago, LAwLz said:

Do you not remember what happened with WannaCry?

Yes, LITERALLY my point about what happens when YOU concede nothing. Reality check? Law enforcement and governments aren't going to give up, you know this, so instead of coming up with process to access information with accountability you want to continue as far as all evidence shows a losing battle with historically proven bad outcomes?

 

1 hour ago, LAwLz said:

I am the one advocating against mutually assured destruction here because I am the one advocating for systems to be built in secure ways.

Yet again a system can be secure (enough) and also have mechanism for data access. You say that isn't possible then you are just wrong. And for all the systems you think are secure just end up being the biggest targets and when they eventually fail the implications can be vast.

 

1 hour ago, LAwLz said:

Got an example of such a system? Got any evidence that such systems are actually secure and not just a ticking time bomb waiting to blow up one day?

I'm sorry but in what way does proper auditing of a system make it a ticking time bomb? Auditing and security are actually two different things, something can be woefully insecure but at the same time any access or data modification be impossible to not have logged.

 

1 hour ago, LAwLz said:

"Stop making arguments I don't like".

Back at you, I'm not here to appease what you want to hear, don't like what I'm saying then it's too bad. My opinion, my points, and my real world examples as evidence.

 

I talk about cooperation with the service providers, strong oversight (on everyone involved) with notification to those investigated and meaningful punishment of breaches and you're just "nope going to ignore all that and assume it's completely give tools and stuff or w/e to government and law enforcement so they can just go do whatever" and then you have the audacity to say I'm not putting in mental effort? We're here having this conversation because of all the things you ignore in my initial posts and your own assumptions. If you don't like all the scary things you are thinking about when reading my posts then I suggest you stop thinking them and actually read the point.

 

I'm happy to start the conversation over again so long as you drop the assumptions and ignoring of what was said.

 

Edit:

Last time I processed an Official Information Act request for data at no point did I give those requesting their own direct access to a single thing. Those asking could not abuse the access they were given because they were given only copies of information and nothing more. Information from systems that are encrypted I might add, systems I have authorized access to read the encrypted data.


6 hours ago, leadeater said:

Think harder?

Why don't you, since you're the one for changing our current system.

 

You: Hey we should change this.

Me: Sorry but I can't think of a way of doing that without making things worse.

You: Then you should think harder, or else we go with this horrible change I have thought of.

 

Why don't you come up with a system that can not be abused or have any other serious issues that could jeopardize the security and privacy of innocent people?

 

 

6 hours ago, leadeater said:

If the system is designed for law enforcement access and such capability is disclosed to users then by definition it is not a backdoor. Such access would be authorized, sure not by the person under investigation but that doesn't make it unauthorized if there is a proper legal process to go through for that access.

 

Come now your thinking around this topic is extremely narrow, to the point it's blinding you.

The user did not authorize the access of their data, so therefore it is unauthorized. You're basically saying "I gave authorization to myself so therefore I am authorized to do what I want".

You're using a very strange definition of a backdoor, and are interpreting it in a very weird way. You might as well say no backdoors exist because even a security hole isn't a backdoor because "the exploit causes the hacker to be authorized, therefore it isn't a backdoor it's just a normal operation".

Your line of thinking is literally a joke in Parks and Rec:

[image: 1c1.png]

 

 

6 hours ago, leadeater said:

Who said anything about giving them tools? I didn't, why are you assuming that "tools" are just going to be created and handed over? Who said law enforcement would ever get direct access to the system mechanism that either grants access to the account or retrieves the information, again I did not. Seems to be a lot of assumptions being made.

Even if it isn't handed over it can leak. The point is that as soon as you create a way in, that way can be exposed. It doesn't matter if it is handed over to the government or not. Just take Apple's new scan for child abuse images as an example. Once this tool is created and implemented, governments don't need access to the source code to exploit it. All they have to do is demand that Apple tweaks it to their liking. Russia might force Apple to scan for homosexual content and report it to them. China might demand Apple tweak it to scan for anti-government messages and report to them.

 

Also, what Australia wants can never be monitored. They want to be able to spy on users. Even if we buy the argument that they will only ever use it for good purposes, that they will never abuse it etc, no matter what they say or how they implement it, it will always require that it is done in secrecy because otherwise it defeats the purpose of spying. And if it's done in secret, then nobody but the people doing the spying will be able to gauge how much spying is happening, or that the spying is only being done against the group of people the government says is spied on.

 

 

6 hours ago, leadeater said:

Yet again a system can be secure (enough) and also have mechanism for data access. You say that isn't possible then you are just wrong. And for all the systems you think are secure just end up being the biggest targets and when they eventually fail the implications can be vast.

You keep saying it can be done but never propose a solution. If it can be done then please describe such a system to me and I will try and find holes in it. Stop just saying it can be done without actually explaining how you think it is possible. It's like talking to someone who keeps saying "we just need to design guns that can't shoot good people" and when I try to explain it can be done you just keep saying "yes it can. You just have to think harder to solve it".

 

 

 

6 hours ago, leadeater said:

Yes, LITERALLY my point about what happens when YOU concede nothing. Reality check? Law enforcement and governments aren't going to give up, you know this, so instead of coming up with process to access information with accountability you want to continue as far as all evidence shows a losing battle with historically proven bad outcomes?

"Wow, it sure was bad when the government had a way to manipulate a system. We better force companies to implement similar security issues into all products!"

Yeah, that surely won't make the situation worse.

 

6 hours ago, leadeater said:

Yet again a system can be secure (enough) and also have mechanism for data access.

Explain how. Stop saying it can be done without explaining how. If you think it can be done then surely you must be able to explain how you think it could be done.

 

 

 

6 hours ago, leadeater said:

I'm sorry but in what way does proper auditing of a system make it a ticking time bomb? Auditing and security are actually two different things, something can be woefully insecure but at the same time any access or data modification be impossible to not have logged.

Explain how. Also, having it logged means jack shit if those logs are kept a secret.

 

 

 

6 hours ago, leadeater said:

I talk about cooperation with the service providers, strong oversight (on everyone involved) with notification to those investigated and meaningful punishment of breaches and you're just "nope going to ignore all that and assume it's completely give tools and stuff or w/e to government and law enforcement so they can just go do whatever" and then you have the audacity to say I'm not putting in mental effort? We're here having this conversation because of all the things you ignore in my initial posts and your own assumptions. If you don't like all the scary things you are thinking about when reading my posts then I suggest you stop thinking them and actually read the point.

Okay, explain in detail how that would work and if I can't find any issues, potential loopholes or privacy violations then you win.

How do you think for example Signal or WhatsApp should implement what you described?

 

 

  

6 hours ago, leadeater said:

Edit:

Last time I processed an Official Information Act request for data at no point did I give those requesting their own direct access to a single thing. Those asking could not abuse the access they were given because they were given only copies of information and nothing more. Information from systems that are encrypted I might add, systems I have authorized access to read the encrypted data.

Okay, now give me a way to verify that you only gave out the info that was necessary, as well as a way for me to verify that you have not looked up any other information than what you needed to.

I don't want security to be based on trusting that some individual does the right thing. I want things to be verifiable. In the system you describe, I don't think there is a way for me to verify that you only provided the data necessary or that the transaction even happened. If I can't verify it, I have to just trust your word. Encryption should not be based on trusting someone else.

 

Would you be okay with these laws and systems being proposed in Russia, China, India, or some other countries that you personally don't trust? If you answer no, then you shouldn't be for it in the country you trust either, because your trust might fade one day and when it does it will be too late.


15 hours ago, leadeater said:

Ah yes the only way to implement a system for data access or account access can only be called a backdoor and must always be flawed, good argument there, not. I guess 1 vote towards continuing mutually assured destruction it is then.

 

 

Out of curiosity, what would Mutually Assured Destruction look like in the event corporations refuse to cooperate, and criminals harden their security further?

 

Ultimately, in regards to illicit materials (in particular, CSAM), I don’t believe this is a problem that can be resolved via legal means, instead requiring technical methods. 
 

If I was looking to be doing something I probably don’t want a government to be privy to, the last thing I’d do is to place my trust in third parties, especially well-known corporations (Google, Microsoft, Facebook, Twitter, etc). This means relying on those services as little as possible for illicit activity, and when I absolutely have to, utilize a multi-prong approach to conceal my identity. This means a combination of VPNs, TOR, and open wifi points (device MAC addresses are spoofed by default nowadays, providing a means to dead-end an investigation) to obfuscate physical location, and encrypting illicit data before it touches a third party. Obviously, aliases are a given as well. 
 

Utilizing an encrypted peer-to-peer means of information transfer sidesteps any restrictions placed upon corporations, meaning that illicit material may not have to reach said corporations at all, rather information needed to facilitate a peer-to-peer connection. The array of tools available is pretty extensive. You can even rent fully anonymous servers (paid via bitcoin no less) to do the job to minimize or eliminate exposure on both ends. Given the ability to code and distribute literally anything, the possibilities to evade the law are limited only to ingenuity. 
 

Ultimately, while the lazier criminals will be caught, I don’t believe the laws imposed by Australia will have a meaningful overall impact in mitigating CSAM. 

My eyes see the past…

My camera lens sees the present…


45 minutes ago, Zodiark1593 said:

Out of curiosity, what would Mutually Assured Destruction look like in the event corporations refuse to cooperate, and criminals harden their security further?

Continued events like EternalBlue and the enlistment of other nations to carry out acts on your behalf that aren't legal for themselves to carry out, which is already happening.

 

45 minutes ago, Zodiark1593 said:

Ultimately, in regards to illicit materials (in particular, CSAM), I don’t believe this is a problem that can be resolved via legal means, instead requiring technical methods.

My point is making those technical methods a requirement through laws otherwise they won't get implemented. As you may have noticed encrypted messaging apps and no log VPNs are quite popular irrespective of why one wants to use them and do you honestly think any of these companies are going to look into any technical methods when their primary business is the complete opposite of that? Their business model lives and dies on that total privacy, breach of that trust is a death of the business.

 

I really do not think they have any interest in that at all.

 

Even for the businesses that are not the above the incentive without a legal requirement to have proper data retrieval processes with the necessary auditing and reporting requirements, in both directions, just isn't going to happen. Also if there aren't mandated reviews of these data access requests and auditing then it may as well not exist.

 

If you think technical methods can be developed that are effective that do not involve application and service providers I point you to the 97% of cases stalled due to inability to gather evidence and the efforts that go in to finding or creating tools like EternalBlue. Not saying those efforts will stop however reducing the dependency on law enforcement to go down those paths, by proxy or not, I believe is overall better and less damaging.

 

45 minutes ago, Zodiark1593 said:

Given the ability to code and distribute literally anything, the possibilities to evade the law are limited only to ingenuity. 
 

Ultimately, while the lazier criminals will be caught, I don’t believe the laws imposed by Australia will have a meaningful overall impact in mitigating CSAM. 

While both statements are true and I do agree with them, may I point out that even the smart criminals still almost exclusively rely on apps and services that they have had zero part in developing and are nothing more than mere users of them.


16 hours ago, LAwLz said:

Seems to me like you're more interested in nitpicking stuff for no reason however, like trying to downplay how horrible it is that you may be forced to unlock your device and hand it over because in your mind that is less of a privacy violation than having to hand over your password, for some reason.

I am calling you out for spreading effectively lies.  You said they can demand passwords and fine you for not giving passwords.  That is inherently wrong; as stated by the law itself that you quoted.  It's not nitpicking, because there is a very very massive distinction between providing access vs providing a password.

 

16 hours ago, LAwLz said:

I was being on-topic in a response to someone else, and you got mad that I said something bad about Australia and now want to talk about the bad things other countries do. Stop it. Stick to the topic.

You pointed out a factually wrong point; in a way that implies that other countries don't.  I'm not getting mad, I'm pointing out that you are wrong.

 

Let me say this again.  They can not force you to give your password.  You literally said they could.

 

I'll repeat what I also said earlier.  Entering a country, you have less reason to privacy.  An example being if they suspect you are entering the country to work without a green card (which happens frequently).  They access your phone, and see the correspondence that you are actually working...so they deny entry.  Or again, the concept of importing a safe full of unknown contents...are you saying they aren't allowed opening or inspecting things entering into a country?

 

As for what you said in regards to

On 9/11/2021 at 2:38 AM, LAwLz said:

Seems like this law is just aimed at making occurrences like this one legal:

Prove it then.  Show where in the law it would make it legal...I'll give you a hint it doesn't (unless it's via warrant, which in that case they didn't pursue and requires a lot more paperwork as well)

 

3735928559 - Beware of the dead beef
