Information Security News mailing list archives

2600 Australia response to 2nd Reading of Commonwealth Cybercrime Bill 2001


From: Grant Bayley <gbayley () ausmac net>
Date: Fri, 29 Jun 2001 02:03:01 +1000 (EST)

To all,

This is a "first response" to the second reading of the
Australian Commonwealth Cybercrime Bill, 2001 from 2600 Australia, a
self-described "hacker advocate group".  A full response to the bill
itself will be forthcoming, though this discussion sums up a large number
of the arguments against the proposed legislation.

Grant Bayley

-------------------------------------------------------
Grant Bayley                         gbayley () ausmac net
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
 www.ausmac.net   www.wiretapped.net   www.2600.org.au
-------------------------------------------------------

References:

Explanatory Memoranda:
http://www.2600.org.au/misc/cybercrime/cybercrime-bill-2001-explanatory-memoranda.pdf

Cybercrime Bill, 2001 (at first reading):
http://www.2600.org.au/misc/cybercrime/cybercrime-bill-2001-firstreading.pdf

House of Representatives Hansard 27 June 2001   P 27081
CYBERCRIME BILL 2001
First Reading

Bill presented by Mr Williams, and read a first time.

Second Reading

Mr WILLIAMS (Tangney - Attorney-General)
(9.57 a.m.) - I move:

That the bill be now read a second time.

More than three million Australian households and
over one billion people worldwide are connected to
the Internet. With the exponential growth in the
Internet population and in electronic commerce over
the last decade, the integrity, security and reliability
of computer data and electronic communication is
becoming increasingly important. Cybercrime activities,
including hacking, virus propagation, "denial of
service" attacks and web site vandalism, pose a significant
threat to the integrity and security of computer
data. Indeed, according to recent estimates, cybercrime
is costing companies worldwide approximately
$3 trillion dollars a year.

First off, this figure is unsubstantiated.  It was not generated by an
organisation such as the Australian Bureau of Statistics or any recognised
authority on the matter, rather various commercial organisations whose
business depends on the existence of (or appearance of the existence of)
cybercrime.

This alone makes the basis on which this law is being proposed deceptive
and misleading at best.

Secondly, the term "cybercrime" is so poorly defined, even by the very
authorities that wish to pass laws regarding it, that almost any activity
that might be considered criminal in the context of a computer or
electronic equipment might qualify for prosecution under this law.

This is a dangerous precedent considering the lack of understanding
amongst legislators about the very activities they are wishing to outlaw.

Updated laws are vital if authorities are to effectively
detect, investigate and prosecute cybercrime
activities. The proposed new computer offences and
investigation powers in the Cybercrime Bill 2001 are
a significant development in the fight against these
activities and will place Australia at the forefront of
international efforts to address the issue of cybercrime.

Indeed, they are, but not in this rough-riding, rights-restrictive
fashion.

Computer offences
The Cybercrime Bill 2001 proposes the enactment
of seven new computer offences. The offences are
based on the recommendations of the January 2001
Model Criminal Code damage and computer offences
report developed with the cooperation of the Commonwealth,
states and territories. Implementation of
the Model Criminal Code offences is an important
step toward achieving national consistency and
remedying deficiencies in the existing laws. The new,
updated offences would replace the existing offences
in the Crimes Act, which, although only 10 years old,
are already seriously outdated.

Sadly, this is a common misconception.  Existing laws cover many, many
computer related offences, whether it be directly or indirectly.  Directly
in that they cover offences such as unauthorised access, unauthorised
insertion, modification and deletion of data; cover offences against
telecommunications carriers that may be used in the commission of an
offence; and cover impairment of service offences carried out against
networks supplied by telecommunications carriers.  And indirectly relating
to such offences as false personation, obtaining credit by false pretences
and the like.

All are directly applicable to the type of situations that Justice
Minister Ellison and Attorney-General Williams crow about when attempting
to justify the creation of such laws as the Cybercrime Bill, 2001.

Yet, there have been very few cases where all of these existing components
of law have been applied to offenders.  In some cases, the offences simply
aren't easily traceable.  In others, the actual loss caused by the offence
pales in comparison to the time and effort of prosecuting an individual
for the offence.  In others, the offences alleged to have been carried out
by individuals have been grossly overstated, leading to short, suspended
sentences, good behaviour bonds and small fines.  None of these are
failures in the laws themselves, but the application of appropriate laws
to particular crimes.

Therefore, I ask the question - will this law make it any easier to trace
such crime?  Any less costly for individuals or companies or law
enforcement to bring actual, legitimate criminals to justice?  The answer
in both cases is no, because although the legislation seeks to bring a
number of these existing components of law together and extend them in
other cases to meet a perceived dire need, law enforcement simply aren't
any better equipped to deal with such cases than 5 or 10 years ago nor is
there any increased level of understanding in the judiciary to take into
account the horribly ill-defined phenomena of "cybercrime".

All the proposed offences are supported by extended
extraterritorial jurisdiction in recognition of
the fact that computer crime is often perpetrated remotely
from where it has effect. The proposed offences
have been drafted in technology-neutral terms.
The offences also dovetail with the terminology of
the Electronic Transactions Act 1999, which has been
an important vehicle for expanding electronic commerce.

Will extraterritorial jurisdiction bring about the prosecution of the
Filipino creator of the so-called ILOVEYOU worm in this country,
considering it is alleged to have caused $7 billion by the Customs and
Justice Minister and the NSW Attorney-General, Mr Debus?

Let's not kid ourselves here.  It hasn't happened, and it won't.

The first offence in the bill targets those who access
or modify computer data or impair electronic
communications to or from a computer that they are
not authorised to access, modify or impair and who
do so with the intention of committing a serious offence,
punishable by five or more years imprisonment.
The offence would attract a maximum penalty
equal to the maximum penalty for the serious offence.
For example, if a person hacked into a bank
computer and accessed credit card details with the
intention of using them to obtain money, the penalty
would be equivalent to the fraud offence the person
was intending to commit (10 years imprisonment).

How would this change if the bank's computer contained no access
protection, such as that which you mention three paragraphs below?

   "The offence relates only to unauthorised access or modification of
    data that is protected by a password or other security feature rather
    than any data."

If the bank's computer was not protected by a password or other security
feature and an attacker (as we prefer to call such people) accessed credit
card details with the intention of using them to obtain money but did not
in fact follow through and do this, how would they be treated?  By my
layperson's understanding, they may not be liable for punishment for any
crime, especially if they only thought to use the credit cards to obtain
money after having found them then decided against it prior to doing so.

Although each case would be decided on its merits, I can supply
sufficient counter-examples for each and every situation that might be
raised in support of this proposed legislation.

It's sort of a saying in computer security circles that nothing is
absolute.  For every possible security protection, there is a potential
misconfiguration or fault or failure that renders such protection useless,
null and void.  While this proposed legislation is "technology-neutral",
whether some things are in fact a "bad" thing at all (such as exposing a
misconfiguration in a security system by means of a controlled
demonstration) aren't even clearly agreed upon amongst the computer
security community, let alone the Council of Europe with its Cybercrime
Treaty.  The Australian Government is way out on a limb claiming it has
the answers to these questions, embodied in this proposed legislation.

It would be an offence for a person to cause any
unauthorised modification of data in a computer
where the person is reckless as to whether that modification
will impair data. A maximum penalty of 10
years imprisonment would apply. The offence covers
a range of situations, including a hacker who obtains
unauthorised access to a computer system and impairs
data and a person who circulates a disk containing
a computer virus which infects a Commonwealth
computer.

Just out of interest, how does the Government approach the topic of
"benign" or "good" viruses?  They're certainly the exception to the rule,
but they indeed exist.

An example of a "benign" virus would be one written for demonstration
purposes to expose an insecurity in an operating system that might be used
at some point in the future as a propagation vector for a not-so-benign
virus.  The benign virus (or possibly a worm, something that spreads of
its own accord) simply sits resident on the computer, using very
negligible memory, processor and disk space resources and does not impair
the normal usage of the computer.

An example of a "good" virus is one that propagates in much the same
fashion as above, but carries with it a payload capable of repairing a
misconfiguration, patching an insecure piece of software or otherwise
preventing further potential damage to machines it is transmitted to.
Arguably, such viruses enhance the security of the machine.  That is,
they're doing the exact opposite to impairing the operation of the
computer - they're fixing it.

None of these scenarios are accounted for in the proposed legislation.
Some would respond by saying "it doesn't have to account for them", but
I'd challenge that on the basis of "where do you draw the line between
impairment and enhancement?".  Nothing is absolute in the world of
computers, remember.

The bill proposes an offence of causing an unauthorised
impairment of electronic communications to
or from a computer, carrying a maximum penalty of
10 years imprisonment. This offence is particularly
designed to prohibit tactics such as "denial of service
attacks", where a web site is inundated with a large
volume of unwanted messages, thus crashing the
computer server. The penalty for this offence recognises
the importance of computer facilitated communication
and the considerable damage that can result
if that communication is impaired.

There's an obvious target here - people that generate such large volumes
of traffic.  As before and as always, there's examples where this fails to
pass muster.  What is the Government's opinion about "Hacktivism" actions
(misguided as the causes themselves may be) where a significant number of
computers each place a tiny and insignificant portion of load upon a
server, whether it be in the form of "hits" to a website or "emails" to an
email server.

Under the law, each of the participants in this action would, in theory, be
subject to prosecution under this part of the Cybercrime Act, 2001, but
where things get murky is where we consider how such an action differs
from the ordinary operation of a busy web or email server - a large
number of clients each make a small, insignificant number of connections,
generating on the whole a significant and sometimes destructive load on
the web or email server.  The slang term for this is "Slashdotting", named
after a website that was so popular at one point in its existence that
when any other site was linked from it, the sheer number of visitors
innocently following the link brought many a server to its knees.

The definition between such illegal impairment and high-load ordinary
operation is dangerously blurry.  Would an Australian site have reason and
recourse under the law to charge the operator of another site that
directed visitors to it with a crime?  How does this differ from the
"denial of service" examples provided?

The proposed offence of causing unauthorised access
to or modification of restricted data held in a
computer carries a maximum penalty of two years
imprisonment. The offence relates only to unauthorised
access or modification of data that is protected
by a password or other security feature rather than
any data. The offence will target those who hack into
a password protected computer system in order to
access personal or commercial information or alter
that information.

Okay, so anything that is not protected by a password or other
(functioning) security feature is fair game for open, unrestricted public
access?

Like the detailed network diagrams for internal Commonwealth networks
found on a public file server on the Internet several months ago?

The bill proposes an offence of causing unauthorised
impairment of the reliability, security or operation
of any data held on a Commonwealth computer
disk or credit card or other device. A maximum penalty
of two years imprisonment would apply. This
offence is particularly designed to cover impairment
of data caused by actions such as passing a magnet
over a credit card or cutting a computer disk in half.

So, correct me if I am wrong, but would it be an offence to "impair the
reliability" of an electronic service by exposing an obvious, repairable
security flaw in it?  It would certainly instill doubt in the present and
future customers of the service, but would bringing this to the attention
of the proprietors of the service and/or the public be an offence?  If so,
what is to gain by making this an offence?  Is it the aim of the
Government to reduce the security of electronic services by preventing
appropriate disclosure of security faults?

Anyone remember the GSTAssist site?  The site that had no security
protection at all, yet freely gave out people's personal information to
all and sundry?  Who gained from this situation?  The young man who
exposed the flaw (albeit in an odd fashion)?  I doubt it.  He was
investigated by the Federal Police and received scorn from members of
Federal Parliament, who were understandably scampering about to divert
blame from the inability of their staff to properly design the system.
The only people that gained from this situation were those that had their
personal information put in jeopardy by incompetent Government staff -
after all, once the problem was exposed and the security of the system was
put into doubt (the reliability of it was impaired), it could be resolved
appropriately.  I doubt that without the young man's disclosure, this
could have occurred.

Again, for every example, there's copious examples of where such proposed
legislative changes do not make sense.

And what's this about destruction of computer disks?  Of passing magnets
over a credit card?  What's the basis for these examples?  The
justification?  If I own a disk, surely I'm not prevented from doing
whatever I please with it?  Doesn't the same apply to my credit card?

Lastly, the bill proposes two offences relating to
the possession and supply of data or programs that
are intended for use in the commission of a computer
offence. Each offence would attract a maximum penalty
of three years imprisonment. These offences are
designed to cover persons who possess or trade in
programs and technology designed to hack into or
damage other people's computer systems. For example,
a person will commit an offence if he or she possesses
a hacking program or a disk containing a computer
virus with the intention of using it to access or
damage data.

This is downright dangerous, firstly because of the "dual use" nature of
large types of computer hardware and software and secondly because it
establishes a unique branch of "thought crime" - storing information that
could be used to "hack into or damage other people's computer systems" in
one's own mind (the danger of this should be self-evident).

The "dual use" nature of large types of computer hardware and software
exists because the very tools that can be said to assist a user in
preparing to break into a computer system can be legitimately used to
test the security of one's own computer system against such break-in
attempts perpetrated by others.  In fact, it is the wide public
availability of such tools in the first place and their utilisation in
the protective role that reduces their effectiveness as tools for the
former of the two roles - the unauthorised and potentially destructive
one.

The obvious and oft-quoted example of such a tool is "nmap" - a network
mapping tool.  nmap allows a remote user to map out the availability of
services on a network-connected computer.  Nothing more.  Nothing less.
With such a map, a user could attempt to break into a computer, narrowing
down the potential means of entry on the basis of what information is
contained in the map.  At the same time, the owner of the computer could
use the map to evaluate what defences might need to be put into place,
what services are exposed to the outside world, possibly as the result of
a misconfiguration.  In other words, nmap is a dual-use technology.

For those that aren't aware, "dual-use" is a term usually reserved for
technologies such as encryption, which (as emotive as these sound) could
be used just as effectively by a paedophile to hide archives of illegal
material as by a human rights crusader hiding information that could
compromise their personal safety or those in their care.

And this leads us onto the next part of this dangerously flawed
legislation...

Investigation powers
The bill will enhance the criminal investigation
powers in the Crimes Act 1914 and Customs Act
1901 relating to the search, seizure and copying of
electronically stored data. The large amounts of data
which can be stored on computer drives and disks
and the complex security measures, such as encryption
and passwords, which can be used to protect that
information present particular problems for investigators.
The proposed enhancement of search and seizure
powers will assist law enforcement officers in
surmounting those problems.

In short, and as expressed in the Walsh Report [1][2], Governments and
their Defence/Intelligence organisations have all but lost the crypto-war,
and they're really, really pissed off.

The upshot of this is that in the absence of intelligence ingenuity [3]
or mathematical assistance from quantum computing technologies, you'll now
be obliged by law to reveal any passwords, passphrases, keys, codes,
cryptographic and steganographic methods used to protect your information
from prying eyes.

Ignore the fact that you might be incriminating yourself in revealing
such passwords etc.  Ignore the fact that there will no doubt be
substantial criminal punishment for not disclosing such passwords etc.
Also ignore the fact that without disclosing the passwords etc, you will
have a tough time proving that the information contained inside an
encrypted file, for example, is not evidentiary.

In other words, all your crypto are belong to us.

[1] http://www.efa.org.au/Issues/Crypto/Walsh/
[2] http://the.wiretapped.net/security/info/papers/cryptography/au-crypto/walsh-report.html
[3] http://cypherpunks.venona.com/date/1995/09/msg00136.html

The proposed amendments would clarify that a
search warrant can be used to access data that is accessible
from, but not held on, electronic equipment
at the search premises. As most business computers
are networked to other desktop computers and to
central storage computers, it is critical that law enforcement
officers executing a search warrant are
able to search not only material on computers located
on the search premises but also material accessible
from those computers but located elsewhere.

If these computers are connected to the Internet, doesn't this mean that
such warrants are essentially unlimited, given that other material located
elsewhere is accessible using the Internet?

Computer equipment and disks would be able to
be examined and processed off site if this is significantly
more practicable than processing them on site.
The proposed amendment recognises that searching
computers and disks can be a difficult and time consuming
exercise because of the large amount of information
they can store and the application of security
measures, such as encryption. A further proposed
amendment would permit officers to copy all data
held on a computer hard drive or data storage device
where some of the data is evidential material or if
there are reasonable grounds to suspect the data contains
evidential material.

How does this differ from the current situation?  Hard drives can be
mirrored onsite by appropriately qualified personnel then returned to use,
especially if law enforcement aren't wanting to alert the target.

This is nothing new, is already partially covered in the changes made to
the ASIO Act in 1999, and is therefore largely unnecessary.

A magistrate would be able to order a person with
knowledge of a computer system to provide such information
or assistance as is necessary and reasonable
to enable the officer to access, copy or print data.
Such a power is contained in the draft Council of
Europe Convention on Cybercrime and will assist
officers in gaining access to encrypted information.

See above.  All your crypto are belong to us.

Conclusion
The high speed and broad reach of computer technology
offers new means, methods and possibilities
for crime. The measures contained in the Cybercrime
Bill are vital to protecting the security, reliability and
integrity of computer data and electronic communications
and remedying the deficiencies in existing
laws. By addressing the threats posed by cybercrime
activities, the bill will strengthen community confidence
in the use of new technology and provide a
means of ensuring that the benefits of that technology
are not compromised by crime. I commend the bill to the
House, and present the explanatory memorandum to
the bill.

Debate (on motion by Mr Horne) adjourned.

This law does absolutely nothing to remedy perceived deficiencies in
existing laws relating to offences that might happen to involve a
computer, an electronic device or a communications network, as discussed
above.  In fact, it places a great many things in jeopardy, such as the
free flow of information relating to security deficiencies in computers
and electronic infrastructure, the free flow of information that assists
system administrators to secure and protect computers and electronic
infrastructure, and provides for forced disclosure of information that may
have been lawfully encrypted, protected or hidden.

It should not be passed in this or any similar form.

Grant Bayley
Speaking on behalf of 2600 Australia



ISN is hosted by SecurityFocus.com