Business

Policy

When's a backdoor not a backdoor? When the Oz government says it isn't

Draconian new proposals on data privacy from Australia

157 Got Tips?

Australia's promised “not-a-backdoor” crypto-busting bill is out and the government has kept its word - it doesn't want a backdoor, just the keys to your front one.

The draft of The Assistance and Access Bill 2018 calls for anyone using or selling communications services in Australia to be subject to police orders for access to private data.

That includes all vendors of computers, phones, apps, social media and cloud services in the Lucky Country, and anyone within national borders using them. These data-tapping orders will be enforced with fines of up to AU$10m (US$7.3m) for companies or $50,000 ($36,368) for individuals

The draft legislation also wants five years in prison for anyone who reveals a data-slurping investigation is going on. And while there's no explicit encryption backdoor requirements in the 110 page draft bill, our first look suggests there doesn't need to be.

Good cop, bad cop, what's a cop?

Here's how the government describes its intent: “The proposed changes are designed to help agencies access intelligible communications through a range of measures, including improved computer access warrants and enhanced obligations for industry to assist agencies in prescribed circumstances."

"This includes accessing communications at points where it is not encrypted. The safeguards and limitations in the Bill will ensure that communications providers cannot be compelled to build systemic weaknesses or vulnerabilities into their products that undermine the security of communications. Providers cannot be required to hand over telecommunications content and data.”

So: providers can't be compelled to create backdoors, and the government claims it wants to capture data at “points where it is not encrypted”.

Providers will, however, be subject to three tiers of requests for assistance. The first is the good cop routine; a request that makes technical assistance voluntary.

After that comes bad cop; a compulsory request, under which the Director-General of Security or the head of an interception agency issues a technical assistance notice that's enforced by the aforementioned fines.

Finally there's the bottom line; a technical capability notice. This requires companies covered by the regime to “build a new capability that will enable them to give assistance as specified in the legislation to ASIO and interception agencies”.

If a subject of a technical assistance notice or technical capability notice reveals blows the whistle the legislation recommends five years in jail. There's also a ten-year maximum sentence for individuals who refuse an order to hand over computers under the legislation.

The government's argument that the proposal doesn't mandate backdoors comes primarily from the limitation on technical capabilities notices, since they must not require companies to “implement or build a systemic weakness or systemic vulnerability” into their products.

The Register expects that the word “systemic” is going to get some scrutiny in the coming days.

Through the Looking Glass

The bill enlarges what Australia's laws consider a communications service provider, to include: "foreign and domestic communications providers, device manufacturers, component manufacturers, application providers, and traditional carriers and carriage service providers.”

In other words any ISP (whether or not it owns infrastructure); hardware vendors like Apple, Samsung, Huawei, Intel and Qualcomm; and anybody providing communications applications for games, social media or cloud services, would be subject to Oz government data orders. But it's not a secret backdoor.

Law enforcement agencies would get the right to provide software or equipment that providers would have to install in their networks or systems; and providers would have to facilitate “access to devices or services.” But it's not a secret backdoor.

Agencies would be able to ask the industry to help them develop their own “systems and capabilities”, and providers would have to tell agencies if they changed something in their systems. But it's not a secret backdoor.

If a provider is in control of a service, agencies could require them to modify or substitute the service to give them access to a device or individual's data. But it's not a secret backdoor.

And finally, providers would have to agree to stay quiet about agencies' covert operations, enforced by jail time and massive fines. But it's not a secret backdoor.

Cyber Security minister Angus Taylor this morning told Australian Broadcasting Corporation current affairs program AM that the powers would only be invoked for “serious crimes” involving sentences of three years or greater.

In spite of his saying the government wants to apprehend terrorists, paedophiles and organised crime, the law casts a much wider net, also covering helping other countries enforce their criminal law; protecting the public revenue; or protecting national security.

Australians have one month to comment on the proposals. We suspect somewhere in the Department of Home Affairs' server room there's an obscenity filtering moderation code that's going to be very active over the next 30 days. ®

Sign up to our NewsletterGet IT in your inbox daily

157 Comments

Keep Reading

Google and Cisco, sitting in a (spanning) tree, cloud N-E-T-W-O-R-K-I-N-G

Borg SD-WANS can now drive Chocolate Factory virty cloud networks and the workloads therein

Google Australia says government pulled pin on content-for-cash talks, hands in its homework anyway

And fires back with 'we do for free what meatspace distributors charge for' argument

Australia to force Google and Facebook to pay for news and reveal algorithm changes before they whack web traffic

And is willing to fine them hundreds of millions if they don't play nice

SecureX marks the spot: Cisco vows to make unified security control panel thingy generally available this month

Cisco Live And announces a bunch of other tweaks at today's virtual shindig

Resistance is futile: Some Cisco security appliances are ticking time bombs of fail thanks to faulty resistors

After 18 months, they can just fall over. The fix is asking Borgzilla for a new one

SecureX gon give it to ya: Cisco muscles into the integrated security game

Push to get punters inhaling one cloudy product

Concerns raised over privacy and security of UK Home Office's £842m biometrics programme

Updated Plans to aggregate it with other databases should be discussed, says ethics group

Australia sues Google over data collection practices that merged DoubleClick data to create single user profiles

Alleges opt-in that promised “more control” actually sent more data without informed consent. Google 'strongly disagrees'

'Tens of millions' of Cisco devices vulnerable to CDPwn flaws: Network segmentation blown apart by security bugs

Enterprises face fear of phone fragging fest as Doom spawns on IP phones

Ding-dong: Cisco delivers your Patch Tuesday warm-up with WebEx, IOS fixes for a few irritating security holes

The main event is next week

Tech Resources

Ransomware Playbook

Ransomware is a unique security threat where most of the security team’s effort is spent on prevention and response because once ransomware is detected, it's too late.

Simplifying Hybrid Cloud Flash Storage

According to industry analysts, a critical element for secure hybrid multicloud environments is the storage infrastructure.

Navigating the New Era of Cloud Computing

Hear from Steve Sibley, VP of Offering Management for IBM Power Systems about how IBM Power Systems can enable hybrid cloud environments that support “build once, deploy anywhere” options.

Why Data Growth is Not a Storage Problem

Storage capacity’s running out, backups lengthen, and budgets can’t keep up with the unstructured data deluge. Learn how Komprise's Intelligent Data Management can help you …