Australian Surveillance Bill allows Law Enforcement to Add to, Modify, or Delete Anyone's Data, and Take Over Their Online Accounts

Message added by WkdPaul,

Keep all discussion civil and on-topic; about the implication of the bill, and not the political side of it, political discussions have a site-wide ban, and political / inflammatory replies will be removed without notice.

57 minutes ago, leadeater said:

Continued events like EternalBlue and the enlistment of other nations to carry out acts on your behalf that isn't legal for themselves to carry out, which is already happening.

And mandating that similar security holes be created on purpose will most likely result in more incidents like EternalBlue, not less.

What should happen if you ask me is that CIA and the likes should work to defend their citizens rather than attack them, and in order to do this they should find exploits and then report them so they can be fixed.

 

Your argument relies on the idea that if companies are forced to create vulnerabilities in their software it will be more controlled and thus less likely of being exploited. Personally I think that more vulnerabilities will result in more attacks. And yes, I would count being able to decrypt traffic as a vulnerability. 

If you don't think it is then please explain to me how someone like Signal or WhatsApp could implement this type of access without lowering the security of their products.

 

 

 

1 hour ago, wanderingfool2 said:

I am calling you out for spreading effectively lies.  You said they can demand passwords and fine you for not giving passwords.  That is inherently wrong; as stated by the law itself that you quoted.  It's not nitpicking, because there is a very very massive distinction between providing access vs providing a password.

1 hour ago, wanderingfool2 said:

You pointed out a factually wrong point; in a way that implies that other countries don't.  I'm not getting mad, I'm pointing out that you are wrong.

 

Let me say this again.  They can not force you to give your password.  You literally said they could.

Yep you're right, I was wrong. I got Australia mixed up with New Zealand. 

New Zealand has a law where they can actually demand you hand over your passwords. In Australia they don't appear to be able to force you to hand over your password. However, they do frequently ask people to unlock their devices or hand over passwords and if you happen to know the law and refuse, they can (and probably will) detain you and confiscate your devices. So it's not really a choice, is it?

 

Here is the law in New Zealand I was thinking of:

Quote

Powers with no threshold

(d) the power to make a full search of a stored value instrument (including power to require a user of the instrument to provide access information and other information or assistance that is reasonable and necessary to allow a person to access the instrument):

 

-snip-

 

access information includes codes, passwords, and encryption keys, and any related information that enables access to an electronic device

 

 

 

1 hour ago, wanderingfool2 said:

I'll repeat what I also said earlier.  Entering a country, you have less reason to privacy.  An example being if they suspect you are entering the country to work without a green card (which happens frequently).  They access your phone, and see the correspondence that you are actually working...so they deny entry.  Or again, the concept of importing a safe full of unknown contents...are you saying they aren't allowed opening or inspecting things entering into a country?

Again, there is a difference between bringing physical goods into the country (such as a safe) which might contain very harmful things, and bringing data into the country.

One could potentially pose an imminent threat, and the other does at best pose an indirect threat. Also, with the phone, the search is far more granular than just opening a safe, and with the phone they can (and probably do) copy and store the data as well. So it's not like someone just checks to see if everything is OK. They also give themselves the power to do the check over and over again, whenever they feel like.

 

Searching a safe and searching a phone are two very different things. Stop pretending like they are the same.

 

 

1 hour ago, wanderingfool2 said:

Prove it then.  Show where in the law it would make it legal...I'll give you a hint it doesn't (unless it's via warrant, which in that case they didn't pursue and requires a lot more paperwork as well)

Did you not see the title of the thread, or the news article this thread is about? The new bill allows AFP and ACIC to modify, add, copy or delete data on your device.

Sure it requires a warrant but they still allow it. 

Also, I am not sure if you missed it but these types of warrants do not require the warrant to be from the judge of a superior court. The warrants are provided by members of the AAT. So the procedure is different from other types of warrants.


11 hours ago, LAwLz said:

Did you not see the title of the thread, or the news article this thread is about? The new bill allows AFP and ACIC to modify, add, copy or delete data on your device.

Sure it requires a warrant but they still allow it. 

Also, I am not sure if you missed it but these types of warrants do not require the warrant to be from the judge of a superior court. The warrants are provided by members of the AAT. So the procedure is different from other types of warrants.

Actually as @leadeater pointed out the media kind of misleads.  The only real way to say things more definitively is to actually read the bill (and also read the sections they are modifying).  I did read the title and article (and have glanced over the bill)...there is a lot of click-baity things going on.

 

From what I understand from glancing through the some 42 pages in regards to the modifying/adding/copy/deleting data on your device, is that it is a lot more restrictive than let's say the seizing of an account.  Parts of it is literally written as though it was written specifically to pursue criminals who cannot be found through conventional means...e.g. someone distributing/downloading CSAM through proxies/VPNs/TOR, they could effectively modify the data to help identify the person doing so.  Or another example being, they pick up a drug dealer and want to get the supplier.  So they utilize the warrant to send a message to the supplier to deliver the goods at XYZ.

Quote

any steps that are proposed to be taken to avoid or minimise the extent to which the execution of the warrant is likely to impact on persons lawfully using a computer

This also includes the fact that it seems as though the officer that is requesting such a thing has to be endorsed by a chief officer, and there will need to be a follow up affidavit in regards to getting the warrant itself.

 

Like I've mentioned in a previous post though, I am not supporting this bill because from the sections I have seen I do see issues with it...but it's not nearly as bad as people are making it out to be.  From what I've seen (could be wrong as it was 42 pages I skimmed through), it's the "if this can be done by other reasonable means, then it has to be done by other reasonable means" kind of logic in.

 

 

3735928559 - Beware of the dead beef


2 hours ago, wanderingfool2 said:

Actually as @leadeater pointed out the media kind of misleads.

Yes, because politicians never mislead and can be 100% trusted at all times. The news on the other hand, reporting on things that have happened to people, that cite people directly involved with the bill etc, that should not be trusted...

Do you often scream fake news when you hear things you don't like?


31 minutes ago, LAwLz said:

Yes, because politicians never mislead and can be 100% trusted at all times. The news on the other hand, reporting on things that have happened to people, that cite people directly involved with the bill etc, that should not be trusted...

Do you often scream fake news when you hear things you don't like?

lol, and you were the one that was trying to accuse me of Whataboutism...look at what you are doing.  Did I say to trust politicians...NO.  I literally pointed out areas of the legislation that make it very concerning.  Need I remind you that it took how many posts for you to realize the law you quoted proved me right over yourself.

 

Guess what...I don't inherently trust news articles and I never trust politicians, I take things with a grain of salt and in a case like this I glance over the legislation to see whether what is being said is accurate, or rather how accurate it is.  The fact is, the modifying/delete of data is in a lot more of limited scope than the article implies (for example they need to specifically spell out how they are going to modify the data and for what purpose).

 

Again, for anyone reading this later and believes the article.  No they can't go in and arbitrarily change data.  It is a lot more of a limited scope, that requires a warrant, it appears as they need to do an affidavit as well, and it's not a single person doing this (it involves a chief officer as well).  Could this eventually be abused somehow, maybe, but there will be a very documented string of custody per-se and I'm assuming the punishment for abuse will be quite high

3735928559 - Beware of the dead beef


On 9/10/2021 at 4:35 AM, Taf the Ghost said:

Everyone be safe out there. We're entering a very ugly period in a lot of places.

Those who have surrendered freedom (however benevolently window-dressed) in the name of supposed safety (however temporary it may be).... ¯\_(ツ)_/¯


7 hours ago, wanderingfool2 said:

lol, and you were the one that was trying to accuse me of Whataboutism...look at what you are doing. 

I don't think you understand what "whataboutism" means. That's not what I am doing here.

Whataboutism is when you resort to saying "but what about..." when you get criticism and point out that others do similar or worse things.

It's excusing shitty behavior by saying that others are worse therefore the shitty behavior you engage in is okay.

I guess you could say I made a strawman argument but in this case I don't even think I did that, because you keep screaming about how the news I link to are fake and should not be trusted.

 

 

7 hours ago, wanderingfool2 said:

Need I remind you that it took how many posts for you to realize the law you quoted proved me right over yourself.

Are you serious right now?

 

Me: In Australia, you can be forced to give up your password.

You: No you can't!

Me: Oh yeah you're right. They can just punish you for not giving them a way to access your devices.

You: Yep! I'm glad you realize how wrong you are!

 

Way to nitpick on specific words and missing the point. 

 

 

 

7 hours ago, wanderingfool2 said:

Again, for anyone reading this later and believes the article.  No they can't go in and arbitrarily change data.  It is a lot more of a limited scope, that requires a warrant, it appears as they need to do an affidavit as well, and it's not a single person doing this (it involves a chief officer as well).  Could this eventually be abused somehow, maybe, but there will be a very documented string of custody per-se and I'm assuming the punishment for abuse will be quite high

And to anyone reading this post later and believes it, here are some other things you should know about the bill:

1) The warrant is not granted by the usual warrant process. Instead of being provided by a court (like normal warrants) it is instead provided by an emergency authorization. That is to say, it is not actually a warrant because it is not obtained like any other warrant (requires the approval of a judge).

2) You do not need any evidence or suspicion of wrongdoing to get a "warrant". Although it probably helps to get it approved. 

3) These warrants are not a last-resort type of thing. In fact, the Australian Human Rights Law Centre recommended that precise thing be amended to the law, but that suggestion did not end up in the final bill. Even if they were, they would require the magistrate to actually understand the potentially very technical details of how these encryption systems work to determine if it is a last resort or not. Since not even most people on this forum understand how encryption works on a basic level, I don't think we should trust a politician to make decisions on whether or not a vulnerability has to be introduced into a security system.

4) The law states that it is only for "activity of the most serious nature", but there is no lower limit on punishment where this law can be applied. That is to say, it is up for interpretation what is a "serious nature". Is a crime that has a punishment of 2 months in prison serious? Is one that is punishable by 10 years serious? Where is the line? Again, this was another complaint the HRLC had and it was ignored. They wanted the crime to require a minimum of 3 years in prison as punishment.

5) The "documentation" of these warrants is not made public so even if it is being documented, people will not be informed whether or not it is being abused. It's the classic "who watches the watchmen" issue.

6) There is no person involved in the warrant process that argues on the behalf of public interest. A recommendation was submitted that a public interest advocate would be part of the "warrant" approval process, but that suggestion was turned down.

7) Once one of these warrants is obtained, it is valid for up to 90 days. That is to say, an officer can be allowed to impersonate you for 90 days (extensions are available if more time is needed) without your knowledge.

8) These warrants can be issued even if the individual's identity is not known, and they also cover other devices that are "likely connected" to the suspected individual.

9) The bill includes a "network activity warrant" which allows for entire networks to be monitored. The bill defines a "criminal network" as an electronically linked group of individuals where one or more individuals in the group are, are or are likely to engage in a criminal manner. This definition is so broad that they can essentially say "someone using an Android phone is likely to engage in a criminal activity, so therefore we need a way to monitor all Android phones, and if Google does not comply we can put anyone who refuses in jail for up to 10 years".

 

Sources:

https://static1.squarespace.com/static/580025f66b8f5b2dabbe4291/t/60349b7a9f95cf2bdc3f4c8c/1614060411448/Sub+15+-+Human+Rights+Law+Centre.pdf

https://digitalrightswatch.org.au/2021/09/02/australias-new-mass-surveillance-mandate/

 


55 minutes ago, LAwLz said:

I guess you could say I made a strawman argument but in this case I don't even think I did that, because you keep screaming about how the news I link to are fake and should not be trusted.

It's not that the news is fake it's that they over sensationalize, get facts wrong (often what appears to be on purpose) and then make outrageous claims like a law like this could compel a person to commit a computers crimes law breach which is straight up ridiculous. These very types of reporting lead to massive misinformation that spread like crazy because it plays in to people's fears or people's desire to make things out to be more than which that they are.

 

A news article can both be about a real event and be unethically reported at the same time. Simply using the term fake news doesn't do justice to the actual problem.

 

I mean I dislike much of what Australia has done but I dislike the misinformation a great deal more.

 

And in terms of the Human Rights Law Centre submission they aren't even asking for as much oversight as I've said there should be nor mandatory informing of those investigated that they have, what was done within a specific maximum time frame. If any person has been affected by these types of laws then they must be informed of that and they are entitled to know what, when and why. As I've said before it does no one any good to be able to use the Freedom of Information Act if you don't know you need to in the first place.

 

Neither, as far as I've seen, have any submissions been made objecting to the need for expansion of powers, only when and how they can be used and oversight over the process.

 

One thing I would like to note is that restricting powers to crimes with minimum possible prison terms is not a good way to do it. Nothing stops amendments to the Crimes Act to increase prison terms for certain crimes to make those crimes now applicable to laws like this. They should be restricted to only Federal crimes by Federal Investigators and only for specific actual offences so it is impossible to expand the powers of one law by amendments to seemingly unrelated laws.

 

I fundamentally object to this general idea that law enforcement do not need increased powers when it comes to evidence gathering from electronic devices and computer systems and I've yet to see a single proposed solution being offered. Only going around saying no while not participating in a discussion about how to solve the problems or denying the problem doesn't exist is for me either not acceptable or really just more in general entirely unhelpful.

 

It's really easy to just go around saying no, very easy. It's much harder to actually participate in the discussion, propose solutions, be prepared to compromise especially when people such as yourself come in and act like because of things we say means we outright support this bill or any other number of unchecked expansion of powers and go down argument paths that simply were never raised.

 

P.S. I haven't read any of your replies on page 2 since it was very evident your views were too narrow for it to be worthwhile for either of us to continue that discussion line. Far as I could tell you honestly didn't read any of it and were too busy trying to argue your own point which actually had little to do with what I actually said.


1 hour ago, leadeater said:

I fundamentally object to this general idea that law enforcement do not need increased powers when it comes to evidence gathering from electronic devices and computer systems and I've yet to see a single proposed solution being offered. Only going around saying no while not participating in a discussion about how to solve the problems or denying the problem doesn't exist is for me either not acceptable or really just more in general entirely unhelpful.

It's not up to the people opposing change to come up with a good solution. It's the ones who are advocating for a change that needs to find a good solution.

You can't just say "this is a problem so therefore we should go with this solution". Let's roleplay a little.

 

Knives are a major source of injuries. Not only accidental but also on purpose. Therefore, I demand that we ban all knives. No kitchen knives. No table knives. No butter knives. Nothing.

If you can't find a solution that eliminates any types of damages that can be caused by knives then we go with my suggestion. 

 

See how ridiculous this logic is? I am the one who has a problem with knives, so it should be on me to find a solution that actually works and changes things for the better.

 

 

Also, I am not even convinced that encryption is an issue. Sure, a lot of crimes are probably committed with the help of encryption, but that's like saying we should amputate both arms on all babies because 99.99% of crimes committed are done with the help of hands and arms.

Would it result in fewer crimes? Yes! But it would also create far more issues than it causes, especially for innocent people.

The 99% of innocent people should not be put in danger just because they are trying to catch the 1% of people who are criminals (percentages pulled out of my ass to make a point).

 

The change being proposed has to actually change things for the better. You can't just come up with a proposed change and then when people are concerned reply with "come up with something better or else we go with my suggestion".

 

 

1 hour ago, leadeater said:

It's really easy to just go around saying no, very easy. It's much harder to actually participate in the discussion, propose solutions, be prepared to compromise especially when people such as yourself come in and act like because of things we say means we outright support this bill or any other number of unchecked expansion of powers and go down argument paths that simply were never raised.

Yes, it is very hard to propose solutions because what the Australian government is after is impossible to do without putting innocent people at risk. Again, see my imaginary knife scenario above. Try and come up with a solution to that and if you can't then all knives should be banned. That's the position you put me in and then just say I am lazy or stupid when I can't come up with a solution.

 

I am willing to debate on what should be done, but you can't just dismiss concerns and go "come up with something better yourself". You have to also come with suggestions, and so far you don't seem to have done that.

You didn't even reply to this:

  

On 9/12/2021 at 11:29 PM, LAwLz said:
Quote

Last time I processed an Official Information Act request for data at no point did I give those requesting their own direct access to a single thing. Those asking could not abuse the access they were given because they were given only copies of information and nothing more. Information from systems that are encrypted I might add, systems I have authorized access to read the encrypted data.

Okay, now give me a way to verify that you only gave out the info that was necessary, as well as a way for me to verify that you have not looked up any other information than what you needed to.

I don't want security to be based on trusting that some individual does the right thing. I want things to be verifiable. In the system you describe, I don't think there is a way for me to verify that you only provided the data necessary or that the transaction even happened. If I can't verify it, I have to just trust your word. Encryption should not be based on trusting someone else.

 

Would you be okay with these laws and systems being proposed in Russia, China, India, or some other countries that you personally don't trust? If you answer no, then you shouldn't be for it in the country you trust either, because your trust might fade one day and when it does it will be too late.

 

Can you give me a solution to this "encryption problem" that does not rely on trust? Because I don't want security to be based on trust.

 

 

You didn't even respond to this very simple question:

Quote

 

Quote

I talk about cooperation with the service providers, strong oversight (on everyone involved) with notification to those investigated and meaningful punishment of breaches and you're just "nope going to ignore all that and assume it's completely give tools and stuff or w/e to government and law enforcement so they can just go do whatever" and then you have the audacity to say I'm not putting in mental effort? We're here having this conversation because of all the things you ignore in my initial posts and your own assumptions. If you don't like all the scary things you are thinking about when reading my posts then I suggest you stop thinking them and actually read the point.

Okay, explain in detail how that would work -snip-

How do you think for example Signal or WhatsApp should implement what you described?

 


9 hours ago, LAwLz said:

I don't think you understand what "whataboutism" means. That's not what I am doing here.

Whataboutism is when you resort to saying "but what about..." when you get criticism and point out that others do similar or worse things.

It's excusing shitty behavior by saying that others are worse therefore the shitty behavior you engage in is okay.

I guess you could say I made a strawman argument but in this case I don't even think I did that, because you keep screaming about how the news I link to are fake and should not be trusted.

I'm not going to argue with you anymore, because you obviously are too biased and haven't even bothered skimming through things (instead relying on misleading news posts).  Or you lack the understanding to be able to process what laws are saying.

 

And to be clear, you literally started by saying I was believing politicians over news outlets...which is exactly like "but what about politicians" they are worse.

 

9 hours ago, LAwLz said:

Are you serious right now?

 

Me: In Australia, you can be forced to give up your password.

You: No you can't!

Me: Oh yeah you're right. They can just punish you for not giving them a way to access your devices.

You: Yep! I'm glad you realize how wrong you are!

 

Way to nitpick on specific words and missing the point. 

  

On 9/13/2021 at 12:01 AM, LAwLz said:

Yep you're right, I was wrong. I got Australia mixed up with New Zealand. 

New Zealand has a law where they can actually demand you hand over your passwords. In Australia they don't appear to be able to force you to hand over your password. However, they do frequently ask people to unlock their devices or hand over passwords and if you happen to know the law and refuse, they can (and probably will) detain you and confiscate your devices. So it's not really a choice, is it?

You are the one who said they can demand a password...it's not my fault that they cannot demand a password...oh and your summarized quote missed the bit where you started quoting the law that proved they didn't require passwords.  Giving access is very very different than giving a password.  I can give access to the police to my home...but I'm sure as not going to hand over my key.  It also is key, because you are using things like that as justification, so if you literally quote a law that pretty much spells out that passwords aren't required followed by saying that it essentially requires passwords it calls into question your ability or your current bias that is blinding you to the truth.

 

9 hours ago, LAwLz said:

You do not need any evidence or suspicion of wrongdoing to get a "warrant". Although it probably helps to get it approved. 

I will say this again, since you don't seem to get it.  Read the bill [data disruption part]

The bill

Quote

that there are reasonable grounds for the suspicion founding the application for the warrant

Your so-called without any evidence or suspicion of wrongdoing is malarkey.  It literally is spelled out there that there needs to be reasonable grounds (and guess what, to prove reasonable grounds of suspicion you need evidence).

 

10 hours ago, LAwLz said:

The warrant is not granted by the usual warrant process. Instead of being provided by a court (like normal warrants) it is instead provided by an emergency authorization. That is to say, it is not actually a warrant because it is not obtained like any other warrant (requires the approval of a judge).

You can't even be bothered to read your own article that you posted correctly.

There is a warrant, but also an emergency authorization measure that can be used to do it without a warrant...but like everything else the article doesn't go into the limitations for which emergency warrants can actually be used.

Guess what though, the emergency authorization still requires a judge or nominated AAT member to approve it [but from what I've seen the nominated AAT members are already able to issue warrants]...let's take a look at what part of the law says about issuing an emergency authorization shall we

Quote

(a) There was a risk of serious violence to a person or substantial damage to property; and

(b) disruption of data held in the target computer mentioned in that subsection may have helped reduce the risk; and

(c) it was not practicable in the circumstances to apply for a data disruption warrant

So there you go, if you are able to get a warrant, then you can't use emergency authorization.  It's pretty much a similar measure that they use to allow a police officer to enter into a building that they suspect has a violent crime occurring.

 

I'm done responding to you, as you obviously won't read it or try looking at this with an unbiased eye.  Again, I've pointed out issues with the bill itself but from what I've seen (and the part people are jumping up and down about regarding the data disruption I didn't see the wishy washy bits that make you question the potential for abuse).

 

So read the bill (and the sections of law it's modifying), because the things you keep saying almost takes different parts of the bill and mash them together.  Data disruption and the seizing of an account are two different sections of this bill and need to be separated when discussing pitfalls in the language

3735928559 - Beware of the dead beef


13 hours ago, LAwLz said:

You didn't even respond to this very simple question:

I already told you I haven't read those replies, and I still do not intend to. This post and that quote is the first I've seen of it and all I'm going to see of it. Like I said it's a waste of both our time. You're going to say no to literally everything so what is the point?

 

Yes I do have a proposed idea that will work and I 100% know you're going to shoot it down without a single bit of consideration for it.

 

And FYI you saying something is a bad solution doesn't make it a bad solution, it just makes you opposed to it. Being opposed to something doesn't make you right, neither does supporting something either. Saying no and offering nothing however is nothing but unhelpful.

 

As for all your examples, further proof that a reasonable conversation about this topic is impossible. If you're going to go down the path of ridiculousness then don't be surprised that what you say gets ignored. You are literally being unhelpful to your own cause by doing it.


On 9/9/2021 at 11:30 PM, Hyperspeed1313 said:

The warrants required to execute the powers of this law can be authorized outside of the judicial system, and can be circumvented altogether by an "emergency authorization".

So effectively this is their version of the Patriot Act. The biggest difference being the US has the FISA courts that hear classified and national secretly matters. So at least we have a judge who can do a bit of checks and balances. But reading the reasonings for this law is for the Children and Terrorism. Two big issues that they feel can justify such a law. 

 

Personally I see this as government overreach and I guarantee this will be abused. It would be different if the judicial system was involved in the process.

I just want to sit back and watch the world burn. 


For anyone who reads this.  "Emergency Authorization" part has its limits (at least for the data disruption part)

Quote

(a) There was a risk of serious violence to a person or substantial damage to property; and

(b) disruption of data held in the target computer mentioned in that subsection may have helped reduce the risk; and

(c) it was not practicable in the circumstances to apply for a data disruption warrant

 

6 hours ago, Donut417 said:

Personally I see this as government overreach and I guarantee this will be abused. It would be different if the judicial system was involved in the process.

Ultimately it does have oversight...but the issue is that everyone is just reading the article instead of looking at the law...and following the sensationalist headlines that make people click and share.

 

I have issues with the bill, and there are parts of it that I think will eventually be abused (in the sense they use it for fishing expeditions) but I don't think it will be abused for things like evidence tampering (as at that point they would undoubtedly be breaching the proposed law changes and it would be multiple people violating the law)

3735928559 - Beware of the dead beef
