Wednesday, December 12, 2018

Australian Assistance and Access Act

Danny O’Brien:

With indecent speed, and after the barest nod to debate, the Australian Parliament has now passed the Assistance and Access Act, unopposed and unamended. The bill is a cousin to the United Kingdom’s Investigatory Powers Act, passed in 2016. The two laws vary in their details, but both now deliver a panoptic new power to their nation’s governments. Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers – to re-engineer software and hardware under their control, so that it can be used to spy on their users. Engineers can be penalized for refusing to comply with fines and prison; in Australia, even counseling a technologist to oppose these orders is a crime.


Levy explained that GCHQ wants secure messaging services, like WhatsApp, Signal, Wire, and iMessage, to create deceitful user interfaces that hide who private messages are being sent to.

In the case of Apple’s iMessage, Apple would be compelled to silently add new devices to the list apps think you own: when someone sends you a message, it will no longer just go to, say, your iPhone, your iPad, and your MacBook – it will go to those devices, and a new addition, a spying device owned by the government.

Via Jeffrey Goldberg:

One of the most disturbing things about the Assistance and Access Act is that it apparently authorizes the Australian government to compel someone subject to its laws to surreptitiously take actions that harm our customers’ privacy and security without revealing that to us. Would an Australian employee of 1Password be forced to lie to us and do something that we would definitely object to?

We do not, at this point, know whether it will be necessary or useful to place extra monitoring on people working for 1Password who may be subject to Australian laws. Our existing security and privacy design and internal controls may well be sufficient without adding additional controls on our people in Australia. Nor do we yet know to what extent we should consider Australian nationality in hiring decisions. It may be a long time before any such internal policies and practices go into place, if they ever do, but these are discussions we have been forced to have.

Update (2019-02-28): Jeff Johnson:

With Underpass, all of the app’s code is on your device. Your device is the chat server. Thus, nobody can secretly install a back door. Most chat services would be faced with the dilemma of installing a back door on their servers or shutting down service entirely in Australia. Since Underpass is peer-to-peer, it would not face this dilemma. The version of Underpass that you’ve already installed can’t ever be shut down, not by a government, not even by me. I intentionally designed it so that I can’t shut it down. Control over the app is entirely in the hands of the customers.

Bruce Schneier:

Last week, Australia passed a law giving the government the ability to demand backdoors in computers and communications systems. Details are still to be defined, but it’s really bad.

Note: Many people e-mailed me to ask why I haven’t blogged this yet. One, I was busy with other things. And two, there’s nothing I can say that I haven’t said many times before.

Previously: FBI Asks Apple for Secure Golden Key.

5 Comments

I hope when/if the appeal process fails, companies like Apple would just pull out of those countries.
Even a single concession to a law like that would mean an end to security and privacy. If Apple does not stand up to it, all their talk about the importance of those values was empty, deceitful marketing talk.

What do you mean by this? That Apple should close its stores in Australia? Shut off iCloud for Australian IP addresses? Close down its Australian support centers? If you were a customer living there, don’t you think this hardline stance would be more harmful in practice? What happens to the $2000 laptop you bought and can no longer get service for, or your business which depends on their devices which you can no longer get?

> Shut off iCloud for Australian IP addresses?

A common practice is to identify accounts by their credit card number. So one option might be for Apple to turn off all potentially offending services for people with Aussie card numbers. It seems unlikely to me that Apple would do something like this in this particular case, but this kind of geographic restriction is not uncommon for these types of services. This might be a foreign (heh) concept to Americans, but over here in Europe, it's somewhat common to encounter services that just aren't available in specific countries.

> What do you mean by this?

I mean Apple should try for as long as possible not to obey the new law,
but at some point it will be hard to do, and they will be forced to stop doing their business or obey.
I mean they should not obey the law, and when the moment comes stop doing business there, to the least degree necessary.
That might include legally fighting and maybe negotiating a possibility to service customers.
But even that will be outlawed then yes, all off.

Okay, but didn't Apple kind of, sort of cave to the Chinese government already? Since a bunch of stuff syncs via iCloud, Apple has the keys to iCloud, and now Chinese customers have their data stored in China…

The Australian law is not the same thing of course, but there's a small bit of precedent for Apple to cave. Also, remember when RIM caved to this kind of pressure years back? They were standing strong until multiple nations backed them into a corner.
