[Enderboi]

You can't be forced to introduce a "systemic" weakness. On the other hand, a certain four-letter agency can certainly craft a TAN requesting you to, say, weaken your key negotiation for a specific client.

That's targetted, not systemic. And hey, you're not removing the encryption your just making it slightly less secure. Neatly sidesteps a whole bunch of restrictions in 317ZG.

It's only FUD until the policy makers decide it's the norm :P

[Youden]

A "back door" would by definition be systemic, so the initial comment's statement that the government could compel backdoors is FUD.

But yes, targeted attacks are permitted, but only so long as they don't cause any collateral damage.

Making encryption systemically less secure is forbidden by 317ZG paragraph 3.

[alfiedotwtf]

Have you read the whole legislation? It's not FUD... the Australian government has the powers for full commandeering of it's citizens via TOLA

[Youden]

I've given you a factual basis for my claim that backdoor powers are FUD: section 317ZG puts clear limitations in place that forbid backdoors or any other kind of systemic weakness.

If you want to argue that backdoor powers are real and not FUD, please back up your statement with facts (e.g. a limitation on 317ZG or a case where it does not apply).

[alfiedotwtf]

> Designated communications provider must not be requested or required to implement or build a systemic weakness or systemic vulnerability

The key words here being systemic.

Sure, they can't create a backdoor that will allow weaken everyone's protections, but the way the whole 317ZG is written is that between the lines a "communications provider" can be compelled to provide targeted access to individuals.

For example, let's say all our phones have e2e encryption and cannot be unencrypted unless you have a password. There is scope within the act to commandeer Google/Apple (who both have offices in Australia) to push targeted updates to a specific user and save targeted plaintext data or even install a keylogger etc.

In other words, this would then give authorities access to plaintext data on the phone without a user's consent, all without being systemic weakness.

And I'm writing this based on many discussions with lawyers. I was very vocal about the AABill when most people Australian tech people didn't care, but I can tell you know that a lot of lawers were concerned and reached out.

It is commandeering Full. Stop. Want to disobey a TAR, TAN, or TCN? Go right ahead given that you say it's not FUD... but be my guest arguing with:

    9  Subsection 3LA(5)

    Repeal the subsection, substitute:

    Offences

             (5)  A person commits an offence if:

                     (a)  the person is subject to an order under this section; and

                     (b)  the person is capable of complying with a requirement in the order; and

                     (c)  the person omits to do an act; and

                     (d)  the omission contravenes the requirement.

    Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

[Youden]

I'm not saying TARs, TANs or TCNs are FUD and you can ignore them, I'm saying the suggestion that they can compel the introduction of a backdoor is FUD.

The example you give, if it's possible, is an example of an existing systemic weakness. Yes, the government is free to exploit it but the government can't compel its existence.

Apple and Google are free to eliminate it, if they so choose.

FWIW, I'd consider the possibility of such a mechanism to be a problem in itself. And I don't believe it is possible today. Android, at the OS level, will only install updates with the same signature as the currently-installed version.

[alfiedotwtf]

> I'm not saying TARs, TANs or TCNs are FUD and you can ignore them

> Apple and Google are free to eliminate it, if they so choose.

Pick one.

Again, a TCN compels a provider to develop a targeted capability, or face jail time.