Who Is Watching The Watchers?

By John Bigelow

In a recent interview, when asked if he could ever see a future in which Cyborgs might become a reality, Tesla/Space X CEO and well-know tech entrepreneur Elon Musk commented that he believed that people had already reached that point.  According to Musk, if you accept that a Cyborg is simply a person who survives without the use of a specific piece of technology, then it is only reasonable to conclude that the dependence most people have on their mobile phone, by definition, makes us cyborgs.

Whether you agree with his interpretation of the definition of a cyborg or not, Musk highlights an important point. In many parts of the world, Australia included, most people have become utterly dependent on their mobile phones, along with other technology such as computers. We have become so reliant on our phones that we use these devices for virtually everything, from taking photos to recording videos to texting, messaging and calling friends, loved one and colleagues. And we do all of these things secure in the belief that our phones and laptops are protected repositories – safe from prying eyes thanks to the vendor’s built-in encryption. But are they?

In part, our beliefs regarding the safety and security of our devices stem from a string of well-publicised incidents between Apple and the Federal Bureau of Investigations (FBI). Between 2015 and 2016, Apple received, and objected to, at least 11 attempts by U.S. courts to compel Apple to unlock devices or provide a ‘back door’ into the security of its devices. The goal was to enable governments and law enforcement to extract and read data from Apple devices, at will, in circumstances in which the Government or a government agency believed it necessary to do so.

The FBI argued that the ability to read the data on the phones of the people under investigation was integral to saving lives, preventing future terrorist attacks and/or securing convictions against those responsible for carrying out serious crimes. While on the surface, the Government’s argument for access sounds very sensible and plausible, Apple argued that it was unwilling to create a ‘back door’ in its operating system that would enable government agencies to access data on Apple devices for a variety of reasons. Firstly, it would put at risk the privacy of all its users, not just those under investigation by government agencies. In short, Apple argued there, even though government agencies had no intention of sharing the access key they were asking Apple to create, there were no guarantees that it could not or would not be leaked.

Further, any vulnerability in security presented unscrupulous actors with the same opportunity to access data.

Third, if the U.S. Government could order Apple to create such vulnerabilities in their security, then any Government, of any country, could potentially exercise the same power. This action might potentially render Apple devices almost worthless from a security or trust point of view in the eyes of their customer. Apple also believed this would significantly and adversely impact on the value of their product and their company.

In the wake of Apple’s successful opposition against a multitude of court orders it received, many people came to believe that their data and privacy were secure. However, according to Dr Paul Brookes, Chair of Internet Australia, is that this could not be further from the truth.

The passing of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill (the TOLA Bill) in 2018 gave the Australian Government and its security agencies a range of wide-reaching powers that few even know exist.

“These amendments effectively give security agencies like ASIO, the federal police, the state police, and various anti-corruption bodies, even greater powers to carry out things like telecommunications interception, phone tapping and even breaking into a suspect’s house and accessing their computer and taking copies of the records on their computers in addition to accessing their phones when they’re confiscated.

“As disturbing as these powers might be, the part that we are particularly concerned about is the section of the legislation that gives security agencies the ability to compel service providers and equipment manufacturers to make changes to their systems and their products that allow law enforcement access to the private information stored on those devices.

These new laws give agencies, the ability to issue compulsory notices to anybody that runs a website, anybody that manufactures any equipment, anybody that runs a facility or a data centre, or anybody that makes hardware like a broadband modem or the like. Those compulsory notices the give those agencies the power to compel the groups I just mentioned to make changes to their system or hardware, that would enable government agencies to bypass security, potentially creating back doors in the systems that the agencies can then use to access information stored on a device or account.

In short, a government agency can order Samsung for example, to make changes to the software of a Samsung phone that would enable access to a suspect’s inbox and outbox in the WhatsApp app to see the content of the messages before they’re encrypted or after they’re encrypted. The common misconception about this legislation is that it is about encryption. It’s not. It’s legislation about devices. Devices and websites, and software platforms, which get access to information before it’s encrypted or after it’s decrypted, while it’s stored on those systems.” explains Brookes.

The U.S. introduced their version of legislation a couple of weeks ago enabling the same sort of powers. What we, the Internet Society of Australia, find particularly troubling, is that under TOLA Bill, there is no appeal process. If Apple, or Samsung, or NetGear, or TPG  or any other company were issued a notice to comply, unlike the previous instances in which Apple received and fought court orders, under this new legislation there is no legal recourse to appeal.” Explains Brookes.

A recently released report by the Independent National Security Legislation Monitor (INSLM) into the Government’s Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the TOLA Bill), echo’s many of the recommendations made earlier by Internet Australia since the laws were first unveiled.

In particular, Internet Australia strongly supports the INSLM’s recommendations to create a genuinely independent judicial body to review proposals for notices, which are essentially directives issued to organisations by a government agency, and to increase the threshold of ‘serious Australian offence’ into line with other similar laws.

According to Dr Brookes, “If the INSLM’s report gets adopted, and their recommendations are enacted, many of the aspects of the new legislation we find troubling will be negated. However, one of the main issues with the legislation as it now stands, is power an agency has to self-approves a notice according to criteria that they have a vested interest in interpreting a particular way to ensure the notice is approved.

“For example, under previous legislation, if an agency such as ASIO wanted the ability to intercept information from a suspects phone, they required a warrant that had to be issued by an impartial judge based on precise criteria that the court had to believe had been met. Under the new legislation, an agency can approve its own application. Furthermore, the grounds on which that agency can apply for and approve the issuing of its own notice, along with the things that they can ask people to, do are just too vague. In addition, the types of people that agencies can order to do things is so widespread, that almost anybody can be ordered to do anything without having any recourse to fight against the notice. Under the current legislation, if a company such as an Internet Service Provider were issued with a notice, and order to allow access to customer data, the only advice the ISP can seek is legal advice. If a modem manufacturer were given a notice to reengineer their modems the enable an agency to bypass security, the manufacturer is not allowed to seek technical advice. They can’t get an engineer’s advice. They can’t get their accountant’s advice on how much it might cost – even if they wanted to comply with the notice.

“The INSLM recommendation, and our recommendation, is that their ability to engage advice, be expanded to not just legal advice, but all forms of professional advice, including technical engineering advice. That’s something that a lawyer is not going to be able to advise on the costs of reengineering a database or code.” Explains Dr Brookes.

“A small operator who gets a notice isn’t likely to have the resources necessary to evaluate how or what they should do if they receive a notice. The fact that a person has to keep it secret and can’t get advice, except potentially legal advice, is a significant problem. As is the fact that an agency is allowed to approve its own application to issue and enforce a notice.

“One of the things that this Independent National Security Legislation Monitor’s report does is create an independent appeal process; an independent arbitration form effectively that, for example, Apple, or any company like them, could use in an attempt to have a notice rescinded. Under the current version of laws that are already passed, that doesn’t exist.

If an agency issues Apple with a notice, and Apple refuses to implement that notice, then they’re subject to jail terms and stiff fines. Their only potential remedy under the legislation as it stands is for Apple, or any other company, to not service the Australian community. In other words, not sell their products in Australia.”

There is a lot that needs to be done to ensure that agencies cannot just issue companies with notices to comply with demands to circumvent their own security, or provide customer data and confidential information, without proper oversight and scrutiny.

It is in the best interests of all Australian’s that the finds of the Independent National Security Legislation Monitor (INSLM) into the Government’s Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 be enacted as quickly as possible.

For further information visit  https://www.internet.org.au or contact Dr Paul Brooks – Chair, Internet Australia on +61 2 8004 7961 email: chair@internet.org.au