Did Australia Poke a Hole in Your Phone's Security?

["Dave Farber" <farber () gmail com>]

Begin forwarded message:

> From: Dewayne Hendricks <dewayne () warpspeed com>
> Date: January 23, 2019 at 8:24:59 PM GMT+9
> To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
> Subject: [Dewayne-Net] Did Australia Poke a Hole in Your Phone's Security?
> Reply-To: dewayne-net () warpspeed com
>
> Did Australia Poke a Hole in Your Phone’s Security?
> By Nellie Bowles
> Jan 22 2019
> <https://www.nytimes.com/2019/01/22/technology/australia-cellphone-encryption-security.html>
>
> SYDNEY, Australia — A new law in Australia gives law enforcement authorities the power to compel tech-industry giants 
> like Apple to create tools that would circumvent the encryption built into their products.
>
> The law, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, applies only to 
> tech products used or sold in Australia. But its impact could be global: If Apple were to build a so-called back door 
> for iPhones sold in Australia, the authorities in other countries, including the United States, could force the 
> company to use that same tool to assist their investigations.
>
> The Australian law went into effect last month. It is one of the most assertive efforts by lawmakers to rein in tech 
> companies, which have argued for decades that unbreakable encryption is an imperative part of protecting the private 
> communications of their customers.
>
> In recent years, law enforcement officials have complained that tough encryption has made it impossible for them to 
> gain access to the online discussions of crime suspects, particularly in time-sensitive terror investigations.
>
> The tension between tech and law enforcement came to a head about four years ago when Apple resisted a federal 
> request to help investigators gain access to a locked iPhone that had belonged to a man who took part in a shooting 
> that killed 14 people in San Bernardino, Calif.
>
> The Federal Bureau of Investigation eventually found a way around the iPhone’s security without Apple’s help. But if 
> Apple had already created a workaround — a back door, in industry terms — to sell phones in Australia, the American 
> authorities could have simply ordered Apple to use the tool.
>
> “This may be an encryption back door for the U.S.,” said Sharon Bradford Franklin, director of surveillance and 
> cybersecurity policy for the New America think tank’s Open Technology Institute. “A back door to an encryption back 
> door.”
>
> The Australian law has limited oversight mechanisms. A notice sent to a company must be “reasonable and 
> proportionate,” and the authorities must have a warrant to gain access to a phone or service. But the agency issuing 
> the notice decides what is reasonable.
>
> There is an appeals process if a company is asked to build a new interception capability. A firm can ask an 
> independent assessment panel consisting of a technical expert and a former judicial officer to review the notice.
>
> The law says the Australian authorities cannot ask a company to build universal decryption capabilities or introduce 
> systemwide weaknesses. But security experts and tech companies like Apple said that did not reflect what they would 
> have to do to comply with an order. It is impossible, for example, to create a workaround for one iPhone’s encryption 
> without potentially introducing something that could work for all of them, they said.
>
> “All of Australian technology is tarnished by it,” said Mike Cannon-Brookes, one of the founders of Atlassian, a 
> business software company that is among Australia’s biggest tech companies.
>
> Australia is a member of the so-called Five Eyes intelligence alliance, and it is not the only country in the 
> alliance with a law like this. Britain passed the Investigatory Powers Act in 2016. For British law enforcement to 
> gain access to data, it must first ask a judicial approver.
>
> “We’re not the first,” said Michelle Price, chief executive of the nonprofit Australian Cyber Security Growth 
> Network. “But Australia’s version has gone much further.”
>
> Apple officials called the law “dangerously ambiguous” and “alarming.”
>
> “Encryption is simply math,” Apple wrote in a statement submitted to the Australian Parliament’s Joint Committee on 
> Intelligence and Security on Oct. 12. “Any process that weakens the mathematical models that protect user data for 
> anyone will by extension weaken the protections for everyone.”
>
> But politicians said the risk of encryption technology’s being used by terrorists was too significant. Prime Minister 
> Malcolm Turnbull of Australia said in July, “The laws of mathematics are very commendable, but the only law that 
> applies in Australia is the law of Australia.”
>
> Technology companies in the United States have argued that they cannot be compelled to create tools for breaking the 
> encryption in their products because computer code is a kind of free speech protected under the First Amendment. But 
> building tools to satisfy the Australian authorities would essentially make that argument moot. Countries around the 
> world could demand access to the tool.
>
> Apple is hardly the only tech company that could feel the impact of the Australian law. Anyone with a website is 
> considered a communications provider, subject to the law. Any company that “provides an electronic service that has 
> one or more end-users in Australia” is required to comply.
>
> A long list of companies meets that description, such as smartphone makers and Facebook and its WhatsApp messaging 
> service.
>
> [snip]
>
> Dewayne-Net RSS Feed: http://dewaynenet.wordpress.com/feed/
> Twitter: https://twitter.com/wa8dzp



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-a538de84&post_id=20190123063137:6FEC8EFE-1F02-11E9-9AFA-E655F91D04B4
Powered by Listbox: https://www.listbox.com