Current Events > Australian encryption-busting Bill would create backdoors: Cisco

(+) Yeah! (+)

So Cisco joined the growing number of tech companies coming out against this legislation.

Despite the Australian government repeatedly claiming that its Assistance and Access Bill would not involve the creation of backdoors, networking giant Cisco has accused Canberra of doing just that.

In a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security -- which is currently reviewing the legislation as the government attempts to ram it through Parliament -- Cisco called out Canberra for not allowing greater transparency on disclosing notices and requests from Australian authorities to access encrypted communications.

"We have defined a 'backdoor' to include any surveillance capability that is intentionally created and yet not transparently disclosed," Cisco said.

"To the extent that the Bill would require via a [Technical Capability Notice] the creation of a capability while simultaneously preventing the [communication providers] from documenting the existence of that capability, the law would result in the creation of backdoors."

Source/more reading
https://www.zdnet.com/article/australian-encryption-busting-bill-would-create-backdoors-cisco/
---

I promise I'm not going to break into your house. I just need an exact copy of your housekeys and a detailed itinerary of when you go to work and specifically when you won't be at home. But seriously there's no reason for any of this it's just a safety thing.

Anyone who buys that bullshit needs to have their head examined.
---

Australia is a paternalist hellhole so this will probably pass and fuck any tech companies that placate.
---

thank you daddy nanny state for doing all of my thinking for me
---

Just dont market to Australia then, problem solved.
---

Anarchy_Juiblex posted...

Australia is a paternalist hellhole so this will probably pass and fuck any tech companies that placate.

Agreed. That government seriously confuses me more than any other. My time in Australia led me to believe Australians are laidback, anti-legislation people, and yet their government is intent on burying all progress under 14 miles of conservative red tape.
---

The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.

RainblowDash posted...

Just dont market to Australia then, problem solved.

Unfortunately not. Other major nations--including the US--have signaled their desire to get legislation like this passed. Australia will just be the first.

Apple stood against the U.S federal govt. on unlocking a terrorist's iphone, I'm sure they're on the right side of things here. That sounded way more sarcastic than I meant it.
---

@Kombucha
Ack, you replied a minute before I deleted my post. I made that comment after seeing comments in another article claiming Apple basically supported the legislation. After I made my post, I thought to read it for myself and found they were lying. As you say, Apple opposes basically every part this legislation, and the only "good" thing they say basically amount to being smooth and making officials feel good about themselves.

Do you think the bill will die? Stuff like this gets proposed every now and again in the US, but it usually dies. Supposedly a number of nations are in favor of this kind of thing so it has me worried. I'd like for it to die and go away for couple of years. Is that unrealistic do you think?

darkmaian23 posted...

Do you think the bill will die? Stuff like this gets proposed every now and again in the US, but it usually dies. Supposedly a number of nations are in favor of this kind of thing so it has me worried. I'd like for it to die and go away for couple of years. Is that unrealistic do you think?

As long as the public is aware I don't think measures like this will pass. What is needed though is tech companies to pull together and recognize how legislation like this is not only a threat to user privacy but their dominance and perceived quality in the market by consumers/end users. I feel like the response was pretty slow in this case but it's nice to see it gathering steam finally. I mean, so far they've been getting a little better with this stuff but have slipped up on occasion. The problem is when they slip up privacy implications tend to compound quickly and irreversibly. Example: https://en.wikipedia.org/wiki/CLOUD_Act
---

The CLOUD Act was seen as beneficial to major tech companies because it reduced legal fees. I can't imagine any benefit for anyone other than law enforcement and government in terms of this new legislation.

@FLUFFYGERM looks like some good news

Canaries and steganography, in 3... 2...

I've seen the idea advanced that Australia is being pressured to come out with this legislation by other major powers like the US. Are tech companies throwing lobbying money behind killing it? Is there any realistic chance of it disappearing? With stuff like the EU copyright reform getting rammed through and with the speed at which Australia is trying to pass this, I feel very pessimistic.

I do wish someone could present some well-informed good news. I'd always hoped those on top would actually know stuff like this was evil and would just continue to make noise to get more from tech companies in the long term. Is there any good news? Any at all? ;.;

To be realistic about it I think the good news is nothing like this has passed yet, hopefully the status quo works in our favor.

Im not sure how Australian legislative bodies work and if the have a lobbying element to them or not. Ill probably see if I can find more about the proponents of this bill later today.
---

Looks like this thing is slowly moving forward without a hiccup

https://www.deepdotweb.com/2018/10/15/australian-anti-encryption-bill-moving-forward-despite-objections-from-tech-experts/

Just slightly over a week after the deadline for comments on the draft of the Assistance and Access bill, the Australian Minister of Home Affairs introduced a virtually unchanged version of the bill in the House of Representatives. It is not possible that the Australian government had read in excess of 15,000 comments in that time, so the Minister of Home Affairs obviously did not take into consideration any of the objections to provisions in the Assistance and Access bill. Nor did he consider the suggestions for ways the bill could have been improved to protect privacy and due process.

During the summer of last year, Australian Prime Minister Malcolm Turnbull had announced plans to introduce legislation that would require hardware manufacturers and service providers to assist law enforcement in gaining access to encrypted information.

---

Well, that's unbelievably depressing.

Kombucha posted...

Looks like this thing is slowly moving forward without a hiccup

Isn't this vote scheduled for Friday, which is already today in Australia? Or has it been delayed? Do you still think it might not pass?

@FLUFFYGERM looks like some good news

This should be considered treason and an attack on basic human rights.
---

The last press I've seen on this was by Washington Post on Oct 19th.

The increasingly vocal opposition deepens the divide between the tech industry and a coalition of governments, including the United States, pressuring companies to cooperate with law enforcement on requests for encrypted data.

Just weeks ago, the Five Eyes group of intelligence agencies which includes Britain, Canada, New Zealand, Australia and the United States issued a strongly worded joint statement threatening to crack down on companies if they dont start assisting investigators. Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, the coalition said, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.

U.S. officials will be watching closely how the debate unfolds in Canberra. The Justice Department has expressed a strong interest in passing legislation forcing companies to create encryption workarounds if they continue to resist calls to cooperate with law enforcement.

So far, efforts to move such a bill have stalled in Congress. But fallout from the FBIs epic legal battle with Apple over access to a terrorists encrypted cellphone has kept the issue on the radar, as has a recent court fight in which a judge ruled the government can't force Facebook to break the encryption on its popular Messenger voice app.

www.washingtonpost.com/news/powerpost/paloma/the-

cybersecurity-202/2018/10/19/the-cybersecurity-202-u-s-tech-firms-

slam-australian-bill-that-could-weaken-encryption/5bc8f0a71b326b7c8a8d1a7e/

had to break the URL, too long- here's the shortened version
https://is.gd/iX0em6

I don't think the writer will be updating this article as he has retired his analysis of cyber security issues and is moving on.

SIGNING OFF: Regretfully, todays newsletter is my final dispatch for the Cybersecurity 202. Its been an honor covering this fascinating space for The Post and I wish I could continue, but family obligations are taking me to New York for a new adventure.

Will be interesting to see where this goes. It's definitely not a coincidence that intelligence alliances called for legislative measures and this cropped up a few weeks later.
---

@Kombucha
Thanks for the update. I wish we could be certain it wouldn't pass. Each time a Western government has tried this sort of thing, it has faced incredible push back. The Australian bill is particularly odious, and if lobbying dollars and corporations have any say, I don't think it'll pass. The amount of labor tech companies of every size would be compelled to offer the government--simply to make their own products less secure--is too high.

I hate it when articles talk about the issue of encryption in terms of "assisting" and "cooperating" because such phrasing makes the position of law enforcement sound reasonable. To officials--whose only training and experience are with soft skills--it probably seems unreasonable that tech companies don't want to help them, and that they could if they wanted to. But about their own experts? Do they think they are lying? Do the experts simply lie and tell the bosses what they want to hear?

It's astonishing that the heads of law enforcement from so many Western nations remain so ignorant. You'd think the heads of security agencies would explain to them how bad of an idea it is to keep pushing for the logically impossible. Or the heads of security agencies non-technical people too? You'd think that if a technical solution exists government agencies would have developed it themselves and pushed for its adoption.

Lost in all of this too is the voice of big business. The weakening of encryption and the expansion of law enforcement powers to grab data could endanger sensitive business details and wealthy white collar criminals. Then there is the cost factor that I mentioned earlier which is bound to hit companies at all levels.

I couldnt have explained the insanity behind this better myself.
---

Thanks for the thread. It sounds like the reporter is getting out of dodge while he can. Good for him and glad he bravely reported all he safely could.
---

CreekCo posted...

Thanks for the thread. It sounds like the reporter is getting out of dodge while he can. Good for him and glad he bravely reported all he safely could.

np, i honestly don't want to go too conspiratorial about it (because it works to discredit the importance of this), but it is kinda weird that he dipped out like that as soon as he wrote what i would consider a pretty scathing piece.

i'm sure journalists will keep on the developments like they did with sopa and other bad legislation, considering all the high level interest this seems to have gathered from companies.
---

CreekCo posted...

Thanks for the thread. It sounds like the reporter is getting out of dodge while he can. Good for him and glad he bravely reported all he safely could.

Moving on to a different job, especially if there are family considerations, is hardly unusual. I don't think we are at the point where you need to start suspecting that reporters are getting threatened over reporting news like this (and his was a fairly neutral perspective based on the quoted portions of the article). If tech writers on other sites all start quitting, or if pieces on legislation like this start getting taken down, then worry.

I'm not very optimistic about the bill dying, and it's much worse than any I've ever heard of, but we've been down to the wire on bad legislation many times here in the US and opposition in Australia and outside of it is growing. If it passes, I would imagine a real fight between the government and tech companies would begin, and there would still be the matter of trying to get similar legislation passed in other Western countries, where the fight would begin anew.

As an outsider, it's hard for me to gauge whether this can pass or is even expected to, or if it is just hardcore political posturing from Australian officials who want to seem like leaders to other major Western powers.

Uh, have you been watching international news lately? It's NOT a good time to be an investigative reporter :(
---

australia sucks
---

implying that Cisco doesn't already kowtow to backdoor requirements in the US

CreekCo posted...

Uh, have you been watching international news lately? It's NOT a good time to be an investigative reporter :(

The death of the Saudi reporter and this don't seem connected in the slightest.

treewojima posted...

implying that Cisco doesn't already kowtow to backdoor requirements in the US

You should really read more about what the legislation requires, and about the current political climate surrounding "security". This is something new, sweeping, and dangerous.

^So what are you trying to say? You're logically all over the place. You aren't even really disagreeing with what Tree said... he's just sarcastically pointing out the same thing. Also, that you mentioned the Saudi guy and I didn't means you full well understood what I meant.
---

CreekCo posted...

^So what are you trying to say? You're logically all over the place. You aren't even really disagreeing with what Tree said... he's just sarcastically pointing out the same thing. Also, that you mentioned the Saudi guy and I didn't means you full well understood what I meant.

I apologize for being unclear. I thought treewojima might be dismissing the danger of the new legislation by thinking that the US government already has the powers this legislation seeks to grant, and that it's no big deal. That happens a lot in these kinds of discussions, so I wanted to encourage him to actually read more about the issue to be informed. I honestly didn't understand for sure what you meant.

It's all good :)
---

Some more news, nothing really too ground breaking here. Mainly ASIO trying to defend themselves by saying the bill wouldn't require monitoring through always on microphones.

https://www.zdnet.com/google-amp/article/asio-chief-says-encryption-busting-scheme-would-not-involve-persistent-monitoring/

The Director-General of Security at the Australian Security Intelligence Organisation (ASIO) Duncan Lewis told Senate Estimates on Monday that a persistent encryption workaround would not fall under the auspices of the proposed Assistance and Access Bill, which would allow the nation's interception agencies to request or demand access to encrypted content.

"In order to enable us to get through the encryption and understand what the content is behind the communication, it is very important we have the assistance of the company -- nobody would be better informed as to how the system operates than the company themselves -- but importantly it is not systemic, it doesn't have an enduring time, it doesn't have a breadth of -- it's not going to be ubiquitous across the community, it's quite specific," Lewis said.

Under the proposed law, Australian government agencies would be able to issue three kinds of notices:

Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
Technical Assistance Requests (TAR), which have been described by experts as the most dangerous of all.

---

@Kombucha
Thanks for the update. I read the article, and frankly what he is saying is at odds with the legislation says and what the technical experts seem to think it says. I would hope that officials and Australians in general know he's full of shit.

Do you happen to know the time table on the legislation? I thought it was getting voted on last Friday, but that was just a meeting.

I have no idea, I'm not seeing much about the time table online and I am mostly unfamiliar with the Australian political system.

Both of these Australian government pages provide a status on the legislation though.

https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6195

https://www.homeaffairs.gov.au/about/consultations/assistance-and-access-bill-2018

I did also notice another article mentioning a "Parliamentary hearing" here, so I guess the discussion is still ongoing..
https://www.businessinsider.com.au/here-are-1000-reasons-to-be-concerned-about-the-australian-federal-governments-proposed-encryption-laws-2018-10
---

We should've all learned our lesson from sopa

FLUFFYGERM posted...

This should be considered treason and an attack on basic human rights.

Yeah, even Cisco agrees

Is there a country that isn't trying to bend the Internet to their whims?
---

Imagine having your own world basically and being this cucked
---

isn't Australia already save and locked down enough? why do they need even more control
---

catboy0_0 posted...

isn't Australia already save and locked down enough? why do they need even more control

Australia is the proving grounds before they implement this shit in america/other western countries. If they havent already. And once its in place here, there is little other countries can do to stop it being implemented there. "It works so well in aus"...
---

I don't really understand what the fuck Australia is asking for by "a backdoor through encryption."

Like, I legitimately cannot comprehend what such a thing would even look like. Do they want all encryption to be multikey with one private key belonging to the government? How does that interact with symmetrical encryption? Do they want to be able to intercept https? Like, I don't fucking understand what they're asking for. They're asking for an answer to 2 + 2 = ? Where the answer isn't 4.
---

Tyranthraxus posted...

I don't really understand what the fuck Australia is asking for by "a backdoor through encryption."

Like, I legitimately cannot comprehend what such a thing would even look like. Do they want all encryption to be multikey with one private key belonging to the government? How does that interact with symmetrical encryption? Do they want to be able to intercept https? Like, I don't fucking understand what they're asking for. They're asking for an answer to 2 + 2 = ? Where the answer isn't 4.

@Tyranthraxus
The bill doesn't--strictly speaking--require creating back doors or breaking encryption. Instead, it asks for something far worse: the creation of new kinds of warrants that give the government and police the power to compel tech companies to develop software that allows them to gather any data they want. These capabilities can remain in place as long as the government wants and must be kept secret. So the government can compel Microsoft to create an update that will allow the police to remotely access a target's computer, and this will be pushed out quietly through Windows update. Or they can make Amazon turn Echo speakers into always-on listening devices. Is your suspect using encrypted messaging? No problem! Just serve a warrant to the company that makes the software or device and require that they capture the data before it is encrypted.

There are other ridiculous provisions too, like having staff to train police in the use of software the company will be forced to make, and trying to make this apply to foreign companies who make software and hardware products used by Australians. What is the justification for all of this? Law enforcement claims that criminals are increasingly using encryption to cover up their misdeeds, and that tech companies aren't providing enough assistance. When confronted about the obvious negative implications this bill has, the response has been lies about what it does, and claims that they will only be interested in a a small percentage of people's communications.

Several countries--including the US--have signaled that they intend to fight tech companies unless they voluntarily provide what law enforcement thinks they need. So don't think this is a problem just for Australia. There is no limit to the kinds of tech law enforcement might want access to build a case: routers, phones, web browsers, operating systems, maybe even things like office software. You can be sure there will be judges who just rubber stamp this shit just like they do over here for "security" reasons. But don't worry, they won't be capturing the data of any innocent people, right? Right?

darkmaian23 posted...

Tyranthraxus posted...

I don't really understand what the fuck Australia is asking for by "a backdoor through encryption."

Like, I legitimately cannot comprehend what such a thing would even look like. Do they want all encryption to be multikey with one private key belonging to the government? How does that interact with symmetrical encryption? Do they want to be able to intercept https? Like, I don't fucking understand what they're asking for. They're asking for an answer to 2 + 2 = ? Where the answer isn't 4.

@Tyranthraxus
The bill doesn't--strictly speaking--require creating back doors or breaking encryption. Instead, it asks for something far worse: the creation of new kinds of warrants that give the government and police the power to compel tech companies to develop software that allows them to gather any data they want. These capabilities can remain in place as long as the government wants and must be kept secret. So the government can compel Microsoft to create an update that will allow the police to remotely access a target's computer, and this will be pushed out quietly through Windows update. Or they can make Amazon turn Echo speakers into always-on listening devices. Is your suspect using encrypted messaging? No problem! Just serve a warrant to the company that makes the software or device and require that they capture the data before it is encrypted.

There are other ridiculous provisions too, like having staff to train police in the use of software the company will be forced to make, and trying to make this apply to foreign companies who make software and hardware products used by Australians. What is the justification for all of this? Law enforcement claims that criminals are increasingly using encryption to cover up their misdeeds, and that tech companies aren't providing enough assistance. When confronted about the obvious negative implications this bill has, the response has been lies about what it does, and claims that they will only be interested in a a small percentage of people's communications.

Several countries--including the US--have signaled that they intend to fight tech companies unless they voluntarily provide what law enforcement thinks they need. So don't think this is a problem just for Australia. There is no limit to the kinds of tech law enforcement might want access to build a case: routers, phones, web browsers, operating systems, maybe even things like office software. You can be sure there will be judges who just rubber stamp this shit just like they do over here for "security" reasons. But don't worry, they won't be capturing the data of any innocent people, right? Right?

This is a very good post. Describes the situation nicely.