Also concerning is what they are doing towards companies (pardon the tangent):
> It covers [...] device vendors [...] as long as they have "a nexus to Australia"
> But what if the suspect stores the keys themselves? In that case, the government would pull out the big guns with a second kind of order called a technical capability notice. It forces communications providers to build new capabilities that would help the government access a target’s information where possible.
> What if the communications provider doesn’t want to help? Then they could face penalties from the government, or "injunctions or enforceable undertakings".
Yeah, right. But the precedent is alarming, because what is happening (and you see it with other "pro law enforcement" or "pro privacy" legislation too) is governments are giving themselves broad enforcement powers to ask for things and then only using it when push really comes to shove. This they-can-but-they-probably-won't approach towards enforcement is dangerous as it removes predictability in favor of government subjectivity. What does it mean in practice? It can mean that while Samsung or Apple would give them the middle finger resting on their size/leverage, a smaller company can't do that. So the enforcement agencies proportionalize their punishments to the amount tolerable without citizen backlash.
Everyone should just remember this tactic when we go around praising laws with big punishments for big companies just because we happen to like the spirit of the law. And also remember this when people call us stupid for questioning subjectivity of statute enforcement or the lack of statute enforcement in general when new versions of these laws are crafted.
The article mentions both child abusers and terrorists yet the laws will rarely be used for that. Mandatory metadata retention was also bought in for the same reasons and has barely appeared as evidence in any subsequent cases, despite >300,000 warrantless metadata requests last year, overseen by a handful of public servants behind closed doors, in a country of 25 million people.
Another very concerning law is about "fixated persons", which was bought in with big budgets and huge teams of detectives solely dedicated to going after lone wolf terrorists, so far the only person charged is a former mining executive who was a respected lawyer and Head of Compliance at one of Australia's biggest gas companies (One of the largest gas exporters in the world.)
She turned whistleblower on some corrupt deals and environmental coverups involving certain fracking leases and the government. After contacting the Mining Minister about it over the space of a few months, instead of investigating, the Minister referred her to the police, she was then deemed a "fixated person", which involved incarceration without charge, being taken to a mental institution and forcibly injected with anti-psychotic drugs for months. Eventually a judge decided she could go home. All media coverage of it is banned in Australia until the trial is finished, which has been postponed at every hearing for over a year now, time heals all wounds I guess.
It's naive to think that those in power wouldn't abuse such laws. I'm all for giving police the powers they need and perhaps even more as long as there is transparent oversight and it's targeted, but the complete opposite is happening in many places on Earth right now. Monsters flourish in the darkness.
> she was then deemed a "fixated person", which involved incarceration without charge, being taken to a mental institution and forcibly injected with anti-psychotic drugs for months. Eventually a judge decided she could go home. All media coverage of it is banned in Australia until the trial is finished, which has been postponed at every hearing for over a year now
Holy shit. Maybe I'll stop complaining about the US plastering the names of the accused all over if this is the alternative.
Yep, that's the entire point. It would be horrifying to have your name broadcast in connection to some heinous crime you didn't commit, but the alternative to broadcasting that is effectively secret trials. People should be able to view due process, they just need to withhold judgement until the facts come out in court.
The problem is that the average passer by, John/Jane Doe, doesn’t on average care enough about the abstract reasons why they should withhold judgment, they instead react along the line of “well if they are being investigated they are probably guilty” which is results in the public typically judging anyone dragged into the judicial process.
So it’s actually inverted outcomes from what you described, secret is normally good, (with obvious exceptions, such as the case in point) and public is normally bad.
Completely agree, most trials should be reported fearlessly after completion and not have speculation or the court of public opinion loom over the judge/jury beforehand.
Yet it seems to be abused here in order to protect cozy relationships between a certain big business and the government. Whistleblowers proven correct should be held up on a pedestal and highly respected, not thrown to the wolves with little chance of future employment.
There seems to be a rather simple solution. Trials must occur within four weeks. Prosecution is not allowed extensions to this so long as the accused is charged with a crime and in custody or released on conditions. Any charges not tried for within thirty days are automatically dismissed, expunged, and the defendant paid compensatory damages out of the prosecutor's budget. Defendants may petition for limited extensions on the explicitly defined grounds of preparing a defense.
This will obviously never happen because it's far more lucrative to draw trials out for years.
That's fucking scary. Never heard that story, will be looking into it.
Process for any whistleblowers:
- Don't go to your boss
- Don't go to the authorities
- Don't go to anyone who may be remotely suspected of having any involvement or benefit from the activities
- Research how to protect your identity online (this is a bit recursive, as researching how to protect your identity online may set off flags if you are suspected as the whistleblower)
- Burner phone
- Burner laptop
- Burner email address(es)
- Tor
- public wifi (know where the cameras are in the area and make sure you're unrecognisable on them, stake it out in winter when it's more acceptable to have your face covered with a scarf or something)
- Contact a respected journalist that's NOT in your local area
- Try to make sure the journalist has the facility to allow documents to be transferred by a SecureDrop system or similar
Australia's federal political-class appear to be deep in the pockets of mining companies given the extent of the resistance to renewable energy. I'd almost consider it naive to go to a politician about any kind of mining-related corruption in Australia.
Edit: Just noticed CPAHem's post saying it was QFTAC that got Fiona Wilson 'committed'. The Q stands for Queensland. To give you an idea of how protective the Queensland political class is of the mining and energy status quo, they're trying to get a NEW Coal Power Plant built in Queensland, and they have enough power behind them that the Federal Government is not flat-out saying no. There are no banks, Australian or otherwise, willing to fund the building of a new coal power plant because it's so far from financial viability that even existing coal power plants are shutting down because they can't compete on power prices.
Former Origin Energy executive and whistleblower Fiona Wilson was detained by the new Queensland Fixated Threat Assessment Centre (QFTAC) and injected against her will and without any charges laid against her. Fiona has since been released but must report for her monthly injections otherwise she will be detained again.
Media outlets often have to censor themselves, legal notices to pull articles in Australia are routine. The problem with this case is how it's been dragged out, silenced and the defendant slowly bled dry with legal fees, by the time it sees the light of day it will be old news.
A while ago the name of a senior state politician was pending trial on child pornography charges, there was a massive undertaking to ensure his name never got mentioned in print for the few months before trial.
Regarding your example of this person being forced into a mental institution, are you able to provide a source? I'm interested in learning more especially as I'm living in Australia, this is quite terrifying indeed.
I did a search for "Fiona Wilson Australia fixated" and got back a few articles, not familiar enough with AU news to determine what is tabloids and what is not. Please post if anyone finds something reputable.
Same here. The most comprehensive write-up I could find was the blog post linked below. It contains a list of references but they all seem to point to irrelevant content, or to shady-looking 'news sources'.
The moment, I hope things are improving and people become more involved and don't stand for this ..., things like these pop up as a form of disillusionment.
Her mistake I guess was contacting the minister or the minister's circle, who are probably in on this?
P.S. It seems the whistle-blower protections in Australia are ... lacking to say the least. Anyone care to pitch in? I can find a bunch of articles with horror stories.
Plausible deniability. The system should allow two (or more) passwords, one unlocks only the important stuff and one unlocks much less dangerous stuff while destroying any evidence of the first, including the multiple passwords protection layer.
To add some credibility, the less dangerous data should contain something one could get in trouble for but not enough to have his life destroyed.
As an example, if after being forced to reveal a password my phone showed photos of myself having sex with a hooker, I don't think many prosecutors would believe I put them there to protect other more sensitive stuff that would ruin my entire life and not just my relationship. And if they did, I just served them with real proof of why I encrypted my phone which should be enough to counter their unfounded accusations.
> The police can't just keep saying "we didn't find anything, therefore you MUST have ANOTHER double secret password!"
You might want to watch "Making a Murderer". Or, for the UK equivalent, have a look at the Cleveland Child Abuse Scandal (where social workers were asking children questions like "Tell us the truth, you're not going home until you tell us what Daddy did to you").
The police can, and do, subject people to coercive interrogation techniques. These techniques have been designed to extract a confession, whether you're guilty or not.
The device is rated 1TB. Given all of the passwords you gave us we can account for .5TB and we cannot find a free-space map. Ergo there is at least one more password that you're not sharing with us.
Partition will report it’s 1TB large[0]. You should perhaps read about the software before continuing to post comments claiming it’s unfit for purpose. There is a list of considerations that a TrueCrypt/VeraCrypt user with stricter security requirements would have to keep in mind, following all of it makes it fairly difficult to discover hidden partitions. The people who wrote and maintain the software aren’t dumb either.
That's not how partions work for these things. And the people who wrote these security systems thought of exactly this attack vector.
If you create a passworded partion, it adds a bunch of extra unused space, that MIGHT be another passworded partion, or might just be random empty space.
IE, maybe you have 3 passwords and 200 GB of extra space, or maybe it is actually 4 passwords and 150 GB of extra space that is random bytes.
These 2 situations are identical and cannot be differentiated.
The police tell you to access that 150GB of extra space, and it is impossible. Because it's random bytes, and there really isn't an extra partition.
That is where LEO is screwed. They can't prove if you do or you don't have hidden data. EG. There isn't a /hidden_stuff_here/ directory. Its somehow baked into the encryption blocks.
Truecrypt always had that - one password decrypts into your real partition, the other decrypts the prepared one, with a clear OS. It's impossible to say there is anything in the space where the hidden partition resides, and you have provided a password so at least in theory you are clear.
They're not dumb. You installed the thing you're claiming gives you plausible deniability -- it's a fair inference that you wanted just that so that you could hide something, ergo the court will just demand that password.
Which means you shouldn't install any such software unless you're going to have those hidden partitions and are willing to let LE have access.
Do most users of TrueCrypt/VeraCrypt use this "hidden volume" functionality, or do they just want the basic full disk encryption? It wouldn't surprise me if users of plausible deniability were in the minority.
If you could show that most users never do this, you might have an argument in court. How would you do this though?
At the end of the day, the fact that you have this sw installed will make it fair to infer that you are using this feature. You can disagree, but it's what the courts say that matters here, not what I say.
The problem is that you could totally have truecrypt installed and not have a second hidden partition. There is no way to prove that you do. Of course, the court could throw you in jail for not being able to provide something that doesn't exist anyway, but yeah....I'd hope that the lack of proof here would help you win the case.
A prosecutor, a jury, and a judge, will all have a chance to decide that you're telling the truth. There is not mathematical proof here (there never is in any trials, really), so it will all come down to: do we believe the LEO's and the defendant's experts' testimony? Recall, the defendant won't testify -- their lawyer won't let them -- but if they did, they'd probably do themselves in anyways, the court (jury, judge) won't believe them.
Putting someone in jail because they won't provide a password to a partition that might exist is truly beyond the pale. If that happens we have completely discarded the notion of presumption of innocence.
You can easily go a 3rd level (more) deep by adding another veracrypt file within the hidden partition. You could also use stenography techniques to hide your encrypted file/data within an image or video.
There are also use-cases that don't include a hidden partition, ex: I keep private code repositories in a veracrypt partition to protect them in the event of laptop theft while not avoiding the perf hit of full disk encryption. There's no need for the hidden partition / plausible deniability for a use-case like that.
Which is why you have 10 passwords, only 1 of which has the important stuff on it.
You are industiguisable from someone who has 9.
What, are the police just going to keep you in jail? What if you really ARE innocent? Jail for life then, because they didn't find anything incriminating?
Free space management needs imply that at some point you must provably have all N passwords or that you're wasting some amount of space just to avoid that, but since that's dumb the fair inference is that you're not doing that, and that you have N passwords to reveal.
Tools like this do not do free space management unless you've unlocked all hidden partitions. You are responsible for that. If you fill your partitions beyond capacity, you corrupt the other data in your other hidden partitions. Of course, unless you've unlocked all the hidden partitions you care about - then it can. However, well designed tools that do this have no way of knowing if you have.
How does the Truecrypt version of this idea work? I was under the impression that the double-secret data were written in such a way as to be indistinguishable from random bits that normally appear in the files that contain encrypted volumes, with no metadata (e.g. a partition table) to suggest that those random bits are actually interesting.
I figure there is at least one good reason to include amenable "filler" in a "single-secret" file containing encrypted data: it means the size of the plaintext data cannot be inferred from the size of the file. So there is plausible deniability for having amenable "random" data present on that basis alone.
I'm not saying it's easy to extend this scheme to accommodate all environments and/or user experiences. As you say, you can't just e.g. have another partition sitting around full of nothing but suspicious random data.
>The government’s explanatory note says that the Bill could force a manufacturer to ... install government software on it
If the bill passes, using a phone purchased in Australia is no longer secure. I know my security threat model excludes manufacturer-installed root kits - is there a reasonable strategy for mitigating this risk? Buying a phone in the US and importing it yourself is one, but that seems very awkward.
edit: reading the actual text, there's some protection in section 317ZG, which prohibits the law from being used to cause "systematic weakness" or "systematic vulnerability", but explicitly carves out an exception for targeting specific devices. So for a specific example, the bill would allow the Australian government to compel Apple to secretly push an over-the-air update to backdoor a specific device of interest.
>The mere fact that a capability to selectively assist agencies with access to a target device exists will not
necessarily mean that a systemic weakness has been built.
Yeah, the bill is definitely designed to allow exactly the scenario I described. They're after using the code-signing keys and technical expertise of device manufacturers and communication program developers to target individual devices with encryption backdoors.
>Likewise, a notice may require a provider to facilitate access to information prior to or after an encryption
method is employed, as this does not weaken the encryption itself.
Definitely planning on backdooring devices and reading the messages pre-encryption and post-decryption.
> This includes accessing communications at points where it is not encrypted.
I am an Australian, and I have been listening to the Minister for months tell everybody they were going to do something about encryption, but then categorically ruling out weakening crypto with back doors. I wondered what he was on about. Now I know I guess.
In case it's not obvious, they aren't just targeting phones. Anything with an app store or automatic updates is fair game. So this includes Microsoft updating Windows and Edge, Google updating Chrome and Chromebooks, and of course all of Apple's products. They don't have the expertise to write the software bugs to do this of course - but the bill allows for this by making provision for forcing the tech companies to provide whatever technical assistance is required (and encourages them to go further by providing voluntary assistance).
I see a few comments here that seem to think that encryption on (eg, Signal, PGP, encrypted hard disks, bimetrics) will save you. The entire point of these provisions is to get to the data when it is not decrypted, which it must be if you want to use it. Nothing will save you on these devices - once the bug is installed they are an open book. Possibly more open than you imagine, as they can turn on the microphone, camera, gps without you knowing.
Since there are commercial organisations they are targeting, I expect once they roll over they will do it in the most efficient way possible. Which is to say I expect it will be automated - something like the law enforcement agency will provide a MAC or some other unique identified and a few minutes later the bug is installed and sending data back.
What that means it is will be highly centralised, meaning you can compromise just a few people and/or pieces of equipment and you have the keys to the entire thing. A spy machine that can track everyone - it's an impossibly attractive target. I can't imagine state actors like Russia or China not to turning a gift like that from the democracies into something useful.
They are arguably sticking to the letter their promise not to back door encryption, but in reality they are legislating a centralised system that can see even banking password, everything you read, and everything you say, and everywhere you have been. It's pretty much the same outcome.
A few years ago I read references to LEA Racks (Law Enforcement Agency Racks) being installed into every NBN POI. I think I saw it in the NBN design documents, but a few years later I could not find it again so who knows.
After getting over the initial shock of the implications, I put my engineering hat on and then it was "of course there are LEA racks, you idiot". I presume when the TIA was written (1979) getting a tap involved filing a request with Telecom who then raised a work order for some department, and it wormed it's way down the management layers until some worker was directed to install the thing. If I was in charge of optimising that process, I too would have created LEA Racks, filled it with gear and told the LEA's "here, you look after it, and try not to bother me again".
I'd be amazed if the process hasn't been automated to the extent ASIO doesn't now have a button in Canberra somewhere they can press to tap phone or internet connection. There is no doubt in my mind commercial forces will mean Apple, Google and Microsoft go down the same road. Someone who had a hand in drafting this bill has dreams of a future where the old telephone line taps will become part of ancient history - it's all done via bugs installed at the touch of a button onto the end users devices.
I doubt their idea of utopia will last for very long. The likes of Russia and China must be delighted with the idea of democracies building a surveillance of the likes they could only dream about, and then handing it to them on a platter by just leaving it in control of just few humans easily manipulated with social engineering hacks, and a few machines they can focus enormous resources at cracking.
That's if it lasts that long. It's trivially easy to bypass now by simply using Open Source. The timing is bad for them as Debian has just added the final nail making that all possible by creating the first ecosystem using repeatable builds.
If anyone is wondering why Open Source is the solution - it's because the root cause of the problem is they are putting control in a central choke point. Compromise that choke point in a way that no one notices you have own whatever it controls. The people in charge believe they can fix that by heavily fortifying the choke point. But as the saying goes, every man has his price, as oddly does every computer and every SIM. If you are centralising, you are making the worth of what the choke point controls higher and higher, then eventually you will hit that price. They have created something that can reveal every banking password, every confidential email discussing corporate takeovers worth billions, all trade secrets and government secrets.
Open source solves that (as indeed did world the TIA was born into with its work orders involving many people) by making the cost scale. Over time there are thousands of programmer looking at the source in Debian - that's why it's called Open. You have to compromise every one of those programmers.
A government's ability to control its population weakens as subversive technology evolves. The law is always behind the state of the art. This frustrates officials so much they react with incredulity and throw childish tantrums. In order to maintain control, the government must ask for more and more power and become more and more totalitarian. It's like a politico-technological arms race.
What will be the end of this? Will the technology evolve so much the government won't be able to win no matter what it does and surrender? Or are they going to ban encryption, non-vulnerable computers and everything that could stand in the way of prosecuting people they don't like?
No need to ban encryption, you just create a state sponsored encryption system on a chip, and if anyone is caught trying to break/hack it you get life in prison / death penalty. /s
I read something similar to that in "Rainbows End: A Novel with One Foot in the Future" by Vernor Vinge. A really interesting take on the soon to be future of 2025.
Technology can already more or less deal with this.
Encryption plus a hidden volume (the existence of which cannot be proven) provides the ability for someone to 'unlock' the phone but still not provide access to the real data.
It would be quite difficult to ban encryption without causing a ton of other problems.
But the argument being made is that in the face of such technology, the government will make increasingly drastic laws to compensate. E.g. require you use vulnerable phone software approved by them, and allow inferences of guilt if you use something else.
That's concerning, because it's incredibly easy to feed sensitive and/or valuable data to your phone without it being deliberate. One could argue that that's Google's (and many others') business model.
Practically speaking, this is not a long jump to suggesting "don't think any banned thoughts", which obviously gets ugly fast.
Practically, it’s quite a leap from regulating privacy controls of a portable, globally connected node (your phone) to thought control. Just my hypothesis, but while the tech community might recognize the theoretical ideals of a libertarian future, the masses don’t agree. I’d bet that those who actually have something more deeply incriminating to hide comprise a majority (or a significant minority) of those who intend to use surreptitious privacy tools.
It seems that regulating encryption and privacy and agreeing to use regulated devices has parallels to agreeing to a breathalyzer when operating motor vehicle, when implemented correctly. Of course, that ideal implementation has a ways to go.
We will always need to balance privacy with the need to reduce suffering. Libertarian ideals don’t apply universally, given the variety of human behaviors.
And yet somehow, it doesn't matter that these tools will be used by deeply compromised people.
US police officer Daniel Holtzclaw used his position as police officer and specifically search power to rape women. [4] It took years before the police was even willing to investigate the claims. YEARS, plural.
Who runs child services ? Pedophiles, at least in Norway [1] (and yes, that guy had used his power to get children "allocated" to him, and of course, the government decided to let that guy go, immigrant mothers however, must lose their children and get beaten up more than once in the progress. Same for the kids by the way. Why ? Well the decision was made by someone who "enjoyed child porn" for > 20 years)
The Australian police is at least partly run by criminal torturers [2] (note, aside from this happening, they also have a bit of a reputation that they're doing this, so don't think this is an isolated incident).
In the Netherlands, mental patients were thrown in solitary, and the government "can't find anyone who ever did that". [3]
In Belgium, the most notorious unsolved crime of the country, the "Brabant killers"/"Nijvel gang", famous for extremely violent attacks against supermarkets who killed almost 40 people in the process, is strongly suspected to at least partially consist of police officers, maybe entirely. [5] (one of the suspects is an ex-policeman, and the reactions of the police to the investigation defy all reason)
What is difficult to see is that, of course, positions of power attract criminals. That means a lot of criminals work for the police. A lot of paedophiles work for schools, or as priests (though not any more), and for child care, and child institutions. A lot of bullies, racists, torturers and rapists work for mental health institutions. Besides, does anyone seriously think so many paedophiles worked for the church because they liked Jesus ?
Governments don't want global thought control. Governments have police/military working for them and they pay them ... in status, in control they get over others. They want to get the criminals working for the police. That means that it's a system explicitly designed to let these people in, and the price is that the police, child care, mental health, ... bully, torture and rape.
The government can then as described in the Australia example, use this as a weapon against individuals, and they frequently do. That's why governments want to expand this power, and reduce the options people have to complain about these actions.
That's why the power of these institutions must be tightly controlled and minimized, and they must be prevented from exercising such powers without tight oversight.
The government doesn't want to do that, because that would limit their own power as well. Look at the australian case mentioned above: these laws mean that the government can just destroy individuals that are a threat or a nuisance to them. On the other hand it takes away one of the main reasons people become police officers: they want power, and of course people who want power ... use it. Here's some links to the most egregious cases.
I am not a lawyer, and I haven't read the document in detail. There are three places where penalties of 10 years in jail are mentioned:
- 64A (Person with knowledge of a computer or a computer system to assist access etc.), which comes under the "Schedule 2: Computer Access Warrants etc"
- 3LA(5) which comes under "Schedule 3: Search warrants issued under the Crimes Act 1914"
- 201(A) (Use of electronic equipment at other place), which comes under "Schedule 4: Search warrants issued under the Customs Act 1901"
10 years in jail appears to be a penalty for not unlocking your phone when a warrant has been issued to do so. As long as a warrant is required, I don't really have a problem with this, it doesn't seem to be an unreasonable extension into the electronic world from the analogue. Warrants already exist to search your house and everything in it - that's pretty much the biggest privacy invasion you could have, but it requires paperwork and sign-off by "certain parties".
(The trustworthiness of those doing the paperwork and the "certain parties" signing-off on warrants is a separate argument as that's not "new" to this change in legislation).
It doesn't appear that you could get thrown in the clink for 10 years for refusing to unlock your phone during a random traffic stop.
Happy to hear why my take on this may be wrong though.
For that to stick they would need proof that there was some evidence on the phone. Since the only way to prove that something was evidence on the phone is to know what was on the phone I'd expect that to be thrown out immediately.
If they were able to get the phones contents from some other avenue then destroying the phone had no purpose.
On some level this is why I'm skeptical of all security efforts in the electronic space.
Because if the government or anyone sufficiently powerful is actually after me, the first thing I'm going to do is throw my phone down the garbage disposal and blindly dd all my hard drives with zeros.
Unfortunately this plan relies on you knowing that they are after you. In the case of a raid when you're not home, you won't have access to the hard drives to erase them.
Tampering with evidence, which includes destroying evidence is also a crime. IANAL so I'm not sure at what point a phone becomes evidence, i.e. once there is a indictment, once there is a warrant, t=0, etc. John Carmack got in trouble for deleting emails in that IP case if I recall. A better privacy feature might be that the phone stores no history.
Would you, under immediate threat, be able to locate and destroy the memory chips—and specifically the memory chips—on your phone? If they're prepared to lock you up for 10 years, they're prepared to do some serious digital forensics on some unsnapped chips.
Would factory resetting your phone be sufficient, or is data still recoverable even after the standard factory reset option on Android (and I assume, iPhones)? I don't really know much about these "serious forensics."
Yes, the conductivity of electrolytes in solution will tend to short out conductive pathways in the short term, and contribute to corrosion of exposed metals later on.
Has anyone created a mobile OS that has a feature where if a certain password is entered on the unlock screen that it boots up a dummy desktop while silently encrypting or erasing the phone in the background?
That doesn't seem like it would be helpful from a forensics standpoint -- if a court is asking for my password, they probably already have an image cloned from my device, so any such things seem like they would either be noticeable, or simply be ineffective.
If they have a cloned copy of an encrypted phone; and a suspect gives them a password that gives them an experience of having access to the phone, They might be satisfied with that. (Especially if they aren’t reading this thread)
I don't think the call and SMS log is what needs to be hidden, as those are so easily accessible that it would be foolish to use them for anything very sensitive. It would be to protect more sensitive things such as email accounts, encrypted messaging, photos, documents, etc.
It's evident citizens are not going to win the fight for privacy by trying to change policy. Voting has become nearly meaningless in the modern age when it comes to changing politics. Influencing businesses to do what's right is becoming more challenging too as this order shows they can just be forced to hand over data by authorities.
I don't want the "bad guys" getting away with their activities either, but I don't want some jackass in a volatile country to obtain my confidential data because the authorities are too incompetent to store it securely on their servers. It's just begging for identity theft and black-mail. Time and time again we've been shown that even the most sensitive data can't be secured properly (e.g. Equifax, Google, Yahoo, Anthem, NSA/CIA hacks and leaks).
I also don't want some corrupt cop having a bad day make up an absurdly false reason to go through my private life. It's bad enough with people getting drugs planted by corrupt cops; authorities just can't be trusted and there is no proper oversight to make sure they're acting ethically.
The only way to fight this is by developing tools to counteract these measures in a reasonably intelligent manner. Hidden multi-layer partitions, hidden "remote" hosts, encrypted decoys that show faux private content so it appears you're cooperating when real content is hidden, etc.
I disagree that voting has become meaningless. The issue is that young people think and feel that voting is meaningless. Thus politicians don't really have to pay attention to what young people think or want.
(You don't vote, you don't count.)
If you don't vote, your peers don't vote. You transfer your power to other people. Think of NRA. It is a small relatively movement. But if they say to their members go vote X, 100% of them are voting X. This conviction makes a difference. Even if they have 200 votes say, those 200 people are going to make sure everyone around them is going to vote appropriately. And the numbers stack. Also, as usual in the U.S. call your representatives, create a group and take legal action through courts, etc.
You have other tools in your belt too, which you mention. These are the "oh shit". But you wouldn't want 20 years from now, to have to use them, or go to jail for using them, because they were illegal.
You literally have better odds of winning the powerball than your vote having any effect on the outcome of a general election. Even if it did, the people put in office are worried about themselves and the people they owe money to -- not your opinions.
People should also be aware that trying to convince people on the other side of whatever political fight you are in that voting is meaningless is a real strategy.
Voting is meaningful if you are aware of the candidates stances on such policies. If you would like to know more about a US candidate's stance on privacy, internet freedom, etc. then visit _decidethefuture.org_ to see what grade your local representative is getting.
> Voting is meaningful if you are aware of the candidates stances on such policies.
That's necessary but not sufficient. It's also necessary, in a representative democracy, for a candidate to exist that has a compatible stance on enough (for some definition thereof) policies and few enough incompatible stances.
Arguably, such a candidate must also have a reasonable chance of being elected.
Complicated. 5th amendment protections against self-incrimination prevents the court from using the fact that you can unlock your phone with a password you know from being used against you. Court opinion has been mixed as to whether you can have an obligation to reveal a password. Even then, the government requires a warrant to search the phone, and that requires a reasonable belief that they would find evidence on it. They can't just go fishing and make you help them.
There's less protection for fingerprint based unlock mechanisms and the like. It's not "something you know", so they're free to compel you to provide it.
Interesting. Latest Android (pie) lets you "lock down" your phone using a quick shortcut which basically locks the phone, hides all notifications and will require your PIN to unlock it not your fingerprint. Wonder if that's related to the law you mentioned.
US: Life sentence. If a judge orders you to unlock your laptop/phone and you don't -- it could be a life sentence. IMHO, they go around the constitution with "Contempt of court".
Politicians and plebs have the same exact ability there - in both cases what is already happening will just continue unimpeded. That's a principle called equal protection!
Granted my source for this is The Newsroom, but IIRC contempt of court is a tool that can only be used coercively, and not punitively. In other words, if you refuse to give your password, you could be detained indefinitely for contempt. But if you forget your password, you should be released immediately. Obviously that's open to interpretation and abuse, I'm just saying contempt would only be correctly applied here if there was reason to believe a witness/suspect was withholding the information, not when they're not able to provide the information.
refuse to give your password: detained indefinitely
forget your password: should be released immediately
How could that possibly work? The court has no way of knowing whether someone is refusing to comply, versus being unable to because they don't know (or never knew) a secret. Because of this, it seems very likely that any claim of having forgotten (or having never known) something will be treated as contempt.
Contempt of court is not a life sentence. It ends the moment the defendant complies. Whereas a sentence for a "10 years in jail for not revealing password" charge would not be vacated when you decide to reveal the password.
You're dramatically over-simplifying by using one example to claim it's law. That is not the US law, that's one individual instance. In fact it's unsettled legal territory. The Supreme Court has yet to settle it, and they will very likely be the final word.
We need a certificate transparency type solution that makes pushing compromised firmware to individual devices impractical.
That still leaves forcing manufacturers to insert backdoors in all devices, which as far as I know can only be made tamper evident by open sourcing (and using reproducible builds for) all security critical software and hardware.
For a couple of decades pre-XKCD that technique was called "rubber-hose decryption". I don't know why he thought it necessary to change the implement; a hose causes repeatable pain, a wrench can cause fatal damage.
I think it's fine. If you did nothing wrong then you have nothing to lose by unlocking your phone. So if you don't unlock your phone, it's an admission of guilt.
People are way too paranoid. Nobody cares about what you do with your phone.
Sometimes I feel like the upper classes of society (especially hypocrites who have money and a reputation to protect) are projecting their fears on all other classes. Then like fools, the honest proletariat adopts all these ridiculous fears as their own.
I upvoted this comment not because I agree with this viewpoint, but specifically because I don't, and I want this to be seen by more people.
Whether this is an attempt at trolling or not, I am not sure, but I believe many people, especially those somewhat removed from marginalized populations, also hold this viewpoint.
I advise those that hold this viewpoint to see the excellent video, "Don't Talk to Cops". This should not be seen as an indictment of the many good people that work in law enforcement, but rather one of a system that incentivizes convictions over actual guilt or innocence.
At any moment in time, it we are breaking so many laws because of how the laws are written. It's illegal to speed. Who has never done that? A cop can pull you over. If the cop is having a bad day, and asks you to do something you don't want to, and you argue, now you're resisting arrest, which is another crime. And then for how many people has the next step been imprisonment and/or death due to an altercation that all started from a thing nearly everyone does almost every day?
The government does not need more powers to find more people guilty of crimes that shouldn't even be illegal. There are already too many people in jail and too many people dead due to a justice system that, sadly, skews far away from actual justice.
> If you did nothing wrong then you have nothing to lose by unlocking your phone
What's right and wrong changes every few decades. Not too long ago a guy was jailed and pushed to suicide because he was gay. In UK.
There are countries today, where you can be put in a concentration camp for being gay (Chechnya Republic in Russia).
There are people that had to escape USA because they warned people of government institutions abusing the law (see Snowden for 1 example).
There are people killed in Mexico for protesting against drug cartels and corruption in government protecting them.
Liberal and paceful France sent spies to put a bomb and explode ecologists' ship that was protesting against nuclear tests in international waters. Later New Zaeland caught the spies, and France blackmailed them to release the spies threathening war.
It's pretty common for nice democratic governments to do EVIL things. It's even more common for non-democratic, or non-liberal governments to do that. Most of the time you're fine, because government ignores most people. But the law is concerned with protection of the few that wouldn't be fine.
> So if you don't unlock your phone, it's an admission of guilt.
Even medieval inquisition had higher standards than that. They tortured people, but at least they required them to admit the crime. You don't even want that. Congratulations.
>People are way too paranoid. Nobody cares about what you do with your phone.
Perhaps others' lives are too uneventful. In these here parts of Western Europe we had 3 dictatorships active within the last 50 years (up to ~1980 -- Spain, Portugal, Greece), including torture and everything. Easter Europe had worse up to 1989. All could come back quite easily.
And even in other parts of Western Europe there was mass surveillance of political opposition, lots of cases against activists, hundreds of thousands of people against the political establishment (e.g. in Italy), mafia, etc.
If the world needs to be more transparent, then I think it should start with the Australian politicians. Give us access to their phones and computers, give us CCTV in their offices. Then we can be sure that no crimes are being committed, that no corruption takes place. They are, after all, working for us.
If you have the data from breaches listed on https://haveibeenpwned.com/ you can already get access to some of his passwords (not tested of course). It seems like the "nothing to hide"-philosophy has also been applied to the password complexity.
I'd strongly recommend to use secure passwords and maybe a password manager. Further, I'd recommend using different aliases and email addresses for different websites, or at least keeping email addresses private where possible.
"Arguing that you don't care about the right to privacy because you have nothing to hie is no different than saying you don't care about free speech because you have nothing to say." -E. Snowden
And actually, most people have nothing to say. See China, for an example. Most people want peace, security and to create a home in which to raise children. They care, but not very strongly, for the rights of minorities the environment and other things you might need freedom of speech to advocate. Freedom of speech and civil liberties are luxuries that can be sacrificed, as we see each time a new dictatorship is cheered forward by the masses. Most people are not idealistic, and have higher priorities than freedom.
If we want to preserve these rights we can't just appeal to their utility for the individual.
Free speech in a country that goes authoritarian is very harmful for your career. People in power have connections, they can make it hard for you to make a living without even breaking the law, just asking the right people for a favor. Anonymity is one of the things that make people more likely to say what's need to be said.
Without protection of privacy - very few people will exercise their free speech when things get hard.
Maybe these types of people would not have power if everyone knew who they really where.
That said I understand people who are afraid that loss of privacy would be asymmetric but I don't think that would happen. Celebrities and public figures will always have less privacy than everyone else.
> I understand people who are afraid that loss of privacy would be asymmetric but I don't think that would happen
If Trump wants to know your tax returns - he will. You don't know his, no matter how much you want to.
And anyway, Trump insist he could murder someone and give himself a pardon. You can't. So, even if the information flow is symetric - the consequences aren't.
Sure, but his point was that you don't give up rights to the government simply because you have no use for them. Other people do. If you don't defend them, they get eroded and society regresses. History shows us this.
It's still about the basic human dignity, you loose it once you don't have free speech or the right to privacy. Would you feel dignified if you were forced to go around with a huge hole in your pants without the ability to "cover your ass"?
> Right to privacy affects my ability to cover my own ass.
Actually this isn't the most important reason for privacy.
Privacy and other basic rights do very little for me as an random law-abiding dude. I don't break laws, so don't have any reason to cover my ass. I don't have much to say, so not being allowed to express my opinion doesn't seem like that big of a deal. Even in the doomsday scenario where evil totalitarian dictator takes over the country and mass-surveils everyone and otherwise stomps on our rights, it probably won't be that big a deal to lowly me.
The most important reason for protecting individual privacy is to protect the future of society and civilization itself. The average dude in Nazi Germany and Pol Pot era Cambodia probably barely noticed his loss of individual rights as far as daily life was concerned. Mass surveillance enables mass control, and the worst atrocities in history have all happened in environments where individual rights - including privacy - were disregarded. It's bigger than just me. It's about protecting society itself and giving my children a decent world to live in.
Refusing to unlock your phone isn't an admission of guilt. It's just being smart when you know your legal system regularly engages in parallel construction and fishing expeditions.
So if you don't unlock your phone, it's an admission of guilt.
I understand the evidence indicates that some people do choose not to unlock their phones on demand by police, even when they are innocent. You can interpret that as an admission of guilt if you like; this puts you in the same moral boat as police who write up a confession for someone and then fake their signature, because they just know the guy is guilty.
You can say what you think all you like, but the evidence is against you.
> It covers [...] device vendors [...] as long as they have "a nexus to Australia"
> But what if the suspect stores the keys themselves? In that case, the government would pull out the big guns with a second kind of order called a technical capability notice. It forces communications providers to build new capabilities that would help the government access a target’s information where possible.
> What if the communications provider doesn’t want to help? Then they could face penalties from the government, or "injunctions or enforceable undertakings".
Yeah, right. But the precedent is alarming, because what is happening (and you see it with other "pro law enforcement" or "pro privacy" legislation too) is governments are giving themselves broad enforcement powers to ask for things and then only using it when push really comes to shove. This they-can-but-they-probably-won't approach towards enforcement is dangerous as it removes predictability in favor of government subjectivity. What does it mean in practice? It can mean that while Samsung or Apple would give them the middle finger resting on their size/leverage, a smaller company can't do that. So the enforcement agencies proportionalize their punishments to the amount tolerable without citizen backlash.
Everyone should just remember this tactic when we go around praising laws with big punishments for big companies just because we happen to like the spirit of the law. And also remember this when people call us stupid for questioning subjectivity of statute enforcement or the lack of statute enforcement in general when new versions of these laws are crafted.