It seems like they are just making it more explicit that companies must cooperate with the police. Isn't it already the case anyway if there is an appropriate court order?
At least they are not suggesting to compromise or limit encryption in any way.
What I fail to understand is how all this would help fighting crime. Criminals and terrorists can easily use end-to-end encryption for the communication. There is plenty of software for that and it's really easy to do nowadays.
Unfortunately it gives them the legal capability to require your startup/IT company/multinational to put development time in at their request to enable your software to give them the access they want.
For example-
get chats in real time
log IP addresses and pass them to gov
open containers stored on your infrastructure
get into the phone or device you have sold to a client previously
These are not interpretations of the legislation- these are the use cases they wrote it to solve.
As ex LEO I get it but the burden on organisations is going to bad for business, not to mention the insecure solutions that are going to get drummed up/coded on the fly to comply with these requests- security nightmare.
There is some reasonable paranoia that this might be a Trojan to enable access in the US. Can't pass legislation in the US? Easy, get your vassal state (AU) to pass it, then ask them to investigate your target and then force people to comply with your vassals state's request.
"yeh I know you can't do that in Texas but you can in Western Australia and we, the US, has a treaty with Australia so you're just going to hand over that data. We'll deliver it to the Aussies for you"
I may be paranoid, but I'm not the only one seeing this angle on it.
Big conspiracies- count me out. Gov is lazy and disorganised. Little conspiracies between gov-buddies ? Absolutely.
> sounds like asking a phone company to tap a phone, which is pretty well established?
That is exactly what they are asking for. In fact, the legalisation enabling them to gather the data and under what conditions (the authorisation required, like a court order) isn't being changed. This new piece of legislation just extends who they can force to collect it form them. It use to be the telco's, which was originally just phone taps but then extended to internet data. They are now extending that to software companies. (Also cloud providers like SpiderOak and "secure email" companies.)
In a few words this extension allows them to order a software company to (with suitable compensation of course):
1. Develop / assist in developing an undetectable tap / bug for them, and
2. Surreptitiously install it for them via an over the air update.
This extends their reach from phone calls to any device that auto-installed software updates / patches. Whether you consider the ability to install a "phone tap" into your phone, tv, car, router, wifi camera, pc, robot vacuum, modem, that can read all the data on there, enable the microphone and camera, monitor the GPS and other sensors, read keystrokes, fingerprints and other authentication data to be roughly as intrusive as someone monitoring your phone calls is I guess a mater of taste.
IIRC you're allowed to use any crypto you like and fix flaws that are found but you're also required to add flaws if asked to. Well they call it a "technical capability notice" but it includes such things as "Installing, maintaining, testing or using software or equipment given to a provider by an agency." and "Removing a form of electronic protection applied by the provider, if the provider has an existing
capability to remove this protection". You don't have to compromise your crypto you just need to install this black box library that does … something.
>Criminals and terrorists can easily use end-to-end encryption for the communication.
They use applications that take unencrypted plaintext, encrypt it, send it to the recipient's device, decrypt it, and show it as plaintext.
The law is designed to give a staggering amount of authority to use commercial resources to compromise a specific device or installed application in order to read off the plain text before encryption or after decryption and send it to the Australian government. So the "bad guys" would be using what appears to be, say, Signal, except the developers got a notice to send you an app update that swaps out actually encrypting things with "send a copy to the feds and then encrypt things".
Any company developing software or systems that ensures that you have installed what you think you have can be ordered to compromise their systems so that an Australian court order breaks the system. So if your copy of Windows is set up to reject push updates unless they've been signed by Microsoft, well, the Australians can order Microsoft to sign some binaries and push them to you.
At least they are not suggesting to compromise or limit encryption in any way.
What I fail to understand is how all this would help fighting crime. Criminals and terrorists can easily use end-to-end encryption for the communication. There is plenty of software for that and it's really easy to do nowadays.