On 28/11/2018 10:27 am, Paul Wilkins wrote:
>
> I do think (and it's not a generally popular position) that the internet does need to, and is going to be, regulated. This doesn't however justify measures that are unnecessarily invasive of citizens' rights, such as right to privacy and the right of service providers to manage their own affairs. I support the need for law enforcement to have powers to pursue terrorists and serious crime in the context of increasing use of encryption, but this isn't that bill.

Apart from 'the rights of service providers to manage their own affairs', this is spot on. ('right of service providers to manage their own affairs' has never been a thing, service providers have always been subject to regulation and external management, and the recent ACCC, ACMA and TIO crack-downs on RSPs in the name of improving end-customer experience is more of this - much as the current Banking Royal Commission has come from boards and executives thinking there was 'rights of banks to manage their own affairs' to the detriment of banking customers - but this is a digression)

Worth looking through the most recent Paris Call for Trust and Security in Cyberspace released at the IGF held earlier this month.

https://www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in

https://www.diplomatie.gouv.fr/IMG/pdf/paris_call_text_-_en_cle06f918.pdf

and some words from Andrew Sullivan, President of the Internet Society on the same topic:

https://www.internetsociety.org/blog/2018/11/we-wont-save-the-internet-by-breaking-it/

> "It is, of course, true that governments should protect their citizens, and that they are the only ones in a position to offer such protections. It does not follow that every protective measure a government tries is one that will work. Some of them may even do harm.

.....

> None of this, of course, means that every regulation that could possibly touch something connected to the Internet is automatically wrong. Many services that we use on the Internet (virtually every social media service, for instance) are closed systems that really operate /on top of/ the Internet. It is possible that effective social responses to some of the challenges arising from those systems can be addressed in part through appropriate regulatory frameworks. But hasty action, unilateral movement, and attempts to legislate values along national lines are as likely to break the Internet as they are to address social issues arising from Internet use.

There is absolutely a place for national regulation of Internet activities - nobody can expect the government to take a hands-off approach. We have that now at the most fundamental level in the way that IP addresses and domain names, as forms of electronic addressing, are ultimately conducted under the authority of DOCA, devolved to be operated by APNIC and auDA respectively under license.

Similarly, governments will seek to regulate the things that people do on top of the Internet, to protect the people say from online bullying, posting revenge-porn photos, anti-SPAM measures - much as they do for telephone services, such as the DoNotCall Register. To expect otherwise is unrealistic. Some of it is actually good to have.

The important thing is that this community helps the government get the regulation, and level of regulation right - including of course pointing out how and where they're getting it wrong, as in this Bill, or when they try to propose a technology solution to a social behaviour problem.

Paul.

> This Bill represents gross overreach, and has grave deficiencies in its drafting across governance and accountability for the use of police powers, beyond the adverse economic impacts for Australia consequent to undermining security. I'm fairly certain too at some point it will be argued the vague drafting grants law enforcement a mandate to gather carrier metadata <https://www.aph.gov.au/DocumentStore.ashx?id=7dec86a0-3a58-4d53-b0b4-6df5c918335e&subId=660759> and establish mass surveillance.
>
> The Bill should be set aside, but I fear the PJCIS will try to stitch together some sort of compromise leaving Australians with very diminished citizen rights compared to Europe.
>
> Kind regards
>
> Paul Wilkins
>
>
>
>
> On Wed, 28 Nov 2018 at 08:56, Mark Newton <[email protected]> wrote:
>
>     Their real target is the same as it was in the 2008-2010 censorware fight:
>
>     They want to make it clear that this is not territory which is unregulated; that they can and will interfere with it if and when it suits them.
>
>     I doubt they even know how and when that interference will happen at this stage. But that isn’t important. It’s all about the agencies sticking their thumb onto an industry segment and saying, “We’re in charge of this.”
>
>        - mark
>
>
>
>>     On 28 Nov 2018, at 8:25 AM, Robert Hudson <[email protected]> wrote:
>>
>>
>>
>>     On Tue, 27 Nov 2018 at 16:04, Mark Newton <[email protected]> wrote:
>>
>>
>>         On Nov 23, 2018, at 4:46 PM, Robert Hudson <[email protected]> wrote:
>>>
>>>         On Fri, 23 Nov 2018 at 14:47, Paul Brooks <[email protected]> wrote:
>>>
>>>             In theory no - this bill doesn't weaken encryption, and explicitly doesn't allow any changes that would weaken encryption.
>>>
>>>
>>>         They say that - but I don't believe them.  I don't think they even understand what they're suggesting (or if they do understand, they're relying on others not understanding, or not caring).
>>
>>         I think it’s dangerous to assume they don’t know what they’re asking for.
>>
>>
>>     To clarify - I was speaking of the politicians. 
>>
>>
>>         MPs probably don’t know, that’s true. But they aren’t the source of these Bills: No one has ever climbed out of bed in the morning and thought, “Y’know what ASD needs? Unencrypted access to SnapChat. Let’s make it happen.”
>>
>>
>>     I agree entirely. 
>>
>>
>>         MPs also aren’t in charge. PJCIS reliably decides whatever the bloody-hell ASIO and ASD want them to decide. The belief that there are a bunch of level-headed independent-minded politicians /making decisions/ is crazy, there’s never been any evidence that that’s true.
>>
>>
>>     I think you may have missed highlighting the ludicrous notion of /level-headed independent-minded politicians/.  I'd put a smiley there, but the current state of our political leadership (if one could call it that) is so abysmal that it's no laughing matter.
>>
>>
>>         These Bills are drafted by the intelligence agencies themselves, and they know precisely what they’re demanding, they know precisely what the flow-on effects will be, and they’ve judged that for their own purposes, the cost/benefit analysis works in their favor.
>>
>>
>>     This is the bit that I don't get.
>>
>>     They *must* know the effective outcome of the TAN/TCN/TAR activities is to introduce systemic weakness in the encryption processes they touch.  The attack vectors against encryption (be it data at rest or data in flight) are so narrow (given that they're asking for this, we can, I believe, safely assume that they're not able to brute force things at this stage) as to effectively mean "a way to retrieve the keys" or "a back door" - both processes, once established, immediately introduce exactly the kind of weaknesses the proposed bill supposedly protects against (noting the incredibly low standard of proof that needs to be produced here).
>>
>>     And even when they manage to convince Apple, Google, Samsung, etc to hand over unlock keys to phones, and convince Facebook et al to either introduce back doors or back-channels into their messaging apps (they must know the folly of asking a carrier to do anything with an encrypted bit-stream - maybe the focus on carriers is to try to get them to inject unlock code into the bloatware they load on phones), they *must* know that they simply won't magically gain access to communications between criminals (by whatever measure you define criminal, be it terrorist, paedophile, organised crime, etc - anyone who is rightfully the focus of legitimate law-enforcement activity) because any of them with the ability to tie their own shoes will immediately switch to communications processes and systems that are not subject to this bill.
>>
>>     The net result of this bill, like previous thought bubbles such as the Internet paedophile filter ("oh noes, Australians can't consume child porn any more, oh well, we'd best wind up our little industry now, without the tiny market that is Australia, we're clearly no longer viable"), will be to send the real criminals, the ones smart enough to do real damage, deeper into the places they're hard to find - they will just be driven further underground, with no material impact on their ability to carry out their goals.
>>
>>     So, what benefit do the intelligence agencies get?  The power to track terrorists not capable of finding the safety switch on an AK-47?  We seem to be able to do that already, so I'm not sure that's something we can accuse them of wanting.  Do they want to spy on law-abiding citizens (which is contrary to the scope of their operational focus for some of them) - Is this their real target?
>>
>>
>>         The possibility that the cost/benefit analysis works against other people is also well understood, but they choose to not distract the argument by engaging on that point. Bring it up as much as you like, they just ignore it and talk past it.
>>
>>         For the last decade, there have been arguments about this stuff that have been based on the belief that the Government is too dumb to know what it’s asking for, and that reason will prevail if we just explain it to them with the facts.
>>
>>         In case nobody’s noticed, that approach hasn’t worked, and there’s no indication that it will ever work.
>>
>>
>>     I only carry this point because I believe it helps to highlight what the REAL desired end-state may be.  Because of the technical detail, this won't help to catch competent criminals.  It won't help to catch incompetent ones either (because they largely already give themselves up through stupidity and shithouse OpSec).  So who is left as the target?
>>
>>
>>         This community has spent years wasting its time by communicating facts to them that they already know, and don’t care about.
>>
>>
>>     I still don't think the politicians really get it - but I do take the point that faced with taking advice from the departments they preside over, or the public and/or industry associations, when there's simply no negative to ignoring the latter groups, means that we're not going to get listened to.
>>
>>
>>         They also don’t care about compromises: If you give them 50% of what they want, they’ll come back 18 months later and demand the other 50%. That’s how they’ve always worked (cf: data retention: The AA Bill is the grab bag of stuff the A-G couldn’t ask for last time. And if they don’t get it all this time, they’ll be back in 2021 for the next tranche)
>>
>>
>>     I totally agree with this.  What the agencies don't get now, they'll simply play the long game and get later.
>>
>>
>>         Victory on these matters will never be won by having an argument based on the assumption that they need experts to explain facts and technology to them. The only way victory will be achieved is politically: There needs to be blowback, asking for more will need to cause them pain before they’ll stop.
>>
>>
>>     So, this needs to become an election issue - it's the only thing the politicians understand.  We either need to convince the opposition or the (ever growing) cross-bench that not only will supporting this legislation lead to them not receiving votes in the next election, or that, more specifically, opposing it will result in more votes (offer the carrot, rather than the stick?).  And make them realise that changing their mind later will result in us changing our minds.
>>
>>     Or we form a political party (or we directly infiltrate an existing one) and push a very specific agenda against this sort of thing.
>>
>>     By all accounts, we have until May 2019.
>>
>>
>>           - mark
>>
>>
>
>     _______________________________________________
>     AusNOG mailing list
>     [email protected]
>     http://lists.ausnog.net/mailman/listinfo/ausnog


