mark nottingham

Do you Trust Australia? Part Four

Thursday, 15 November 2018

Australia

Mr. Nottingham Goes to Canberra

On 20 August, I went to Canberra to participate in an Internet Society experts’ panel on encryption. The next day we returned for followup meetings. It was an interesting day to be in Parliament House.

Since then I’ve been busy with a variety of things – including getting multiple submissions ready – so apologies for the delay in writing a summary and wrapping up this series of posts.

It was enlightening and interesting to talk to the folks behind the Australian Assistance and Access Bill 2018: both public servants and senior staffers, as well as some members of the opposition. It became very clear that these are people who are trying to do the right thing (for some value of “right”), and very good at what they do. Those who believe government is hopeless should have a closer look.

That said, my concern has only grown, based not only on those discussions, but the subsequent hearings and other discussions I’ve been party to. It’s difficult to organise one’s thoughts on such a broad piece of legislation, so forgive me for addressing it from a few different angles below.

The Internet is Not Just Telecommunications

One of the foundations of the proposed legislation is the Telecommunications (Interception and Access) Act 1979. Time and again, it (and its supporting material) fall back to looking at the Internet through the lens of a telecommunications provider.

After all, the Internet is telecommunications, right?

Well, no. This legislation doesn’t just apply to the bits on the wire; it also creates new powers over the people on the end – whether it’s a Web site, a DNS server, a mail server – and on the people who create and run pretty much anything that uses the Internet (including “cloud” services, software and even hardware).

The analogy doesn’t apply; these are very complicated systems that not only use encryption, but also balance trust relationships to offer known properties. A 1970s rotary dial telephone cannot be remotely programmed to attack someone else, nor to reveal my personal data – and yet that’s the generation of technology that this legislation is based upon.

But let’s talk about encryption, and why their assurances ring hollow.

Internet Security is So Much More than Encryption

The Government has tirelessly stressed its hands-off approach to encryption in this legislation. For example, from the Department of Home Affairs:

The Government has publically announced that it supports technologies such as encryption which are important for protecting data and communications, and has no intention or legislative power to force providers to build or implement systemic weaknesses.

Good on them (and yay maths!), but it’s not nearly enough.

Much more of the Internet’s security is provided by trust; trust that your Web browser is acting in your best interest, trust that your Operating System isn’t sending data to a third party, trust that the cloud services you use are behaving well, trust that your keyboard, your mouse, your monitor and especially your camera and microphones aren’t working against you.

Try an experiment: Go through your house and count the number of Internet-connected microphones and cameras you have. Make sure to count headsets, Airpods, Apple TV remotes, phones, laptops, maybe TVs if you’re especially brazen.

Realise that encryption is just a tool that these products should be using to guarantee that their communication is private, has integrity, and is to a verified party. What that party does with the data you send it (and it sends you, including things like updates) is completely a matter of trust, and very fragile.

This is the big secret of the Internet; it’s just a bunch of people who agree to do things in a certain way. We trust people we’ve never met with huge chunks of our lives (and businesses), because things are structured in such a way that their incentives line up with yours (most of the time; we’ve had some pretty big failures too).

Inserting a new party into those structures – or even the remote possibility of it – creates a lot of fear, uncertainty and doubt. It changes the way people use the Internet, and changes the way the Internet works.

Transparency, Oversight and Incentives

Speaking of oversight, we may have come to the biggest problem with the proposed legislation.

I don’t think anyone I’ve talked to believes it’s unreasonable, under certain circumstances, for a government to have access to data or for it to work with a service provider in pursuit of an investigation. The trick is defining what “certain circumstances” are, and ensuring that there isn’t overreach.

In the proposed legislation, if an intercepting agency gives you a TAN or a TCN that you don’t agree with, your only recourse appears to be to take them to court. A secret court where you can never talk about what happened. And you have to prove that the “decision maker’s state of mind” wasn’t in keeping with the law – even though this law gives them the explicit power to ask you for whatever they deem reasonable.

I understand that there’s a lot of legal context for terms like “state of mind” that might be used by a competent lawyer to fight this, but the reality is that Australia is creating a massive stick to beat anyone who does anything on the Internet with, along with a very juicy carrot.

The stick is the threat of non-compliance with a notice, coupled with the knowledge that fighting it has slim chances indeed.

The carrot is the indemnity that is offered; if you cooperate with Australia, you can’t get sued (at least in Australia). And since you can’t talk about it publicly, and at most issue a very vague transparency report about it, the carrot is all the juicier.

A network operator, app vendor, operating system, Web site, or service provider would have to care very much about their users indeed to overcome this.

Will interception agencies abuse their powers? I don’t think they’re evil; far from it. However, they’re trying to do a very difficult job that often feels like they’re on the losing side. It’s very easy to slip into the thinking that “we’re the good guys,” because “we’re not a communist regime.”

The problem here is that there is very little accountability for a remarkable amount of power being given to the government. That’s not how democracies work. Give the intercepting agencies appropriate powers, yes – but ensure that there’s real oversight and transparency, and don’t give cooperating service providers an incentive to buckle so quickly.

This lack of accountability leads us to one more issue.

Metadata is Back

The explanatory memorandum says:

Access to personal information like telecommunications intercept material, telecommunications content and telecommunications data will continue to require a warrant or authorisation pursuant to existing law.

And, that’s true; because this legislation is built upon the TIA Act, access to “Content of Communication” requires a warrant.

What they’re not saying is how “Intercept-Related Information” – i.e., metadata – will be handled under this regime. In Australia, IRI does not require a warrant, and under this legislation, an intercepting agency can compel release of IRI without a warrant.

While the distinction between IRI and CoC is well-understood for telecommunications, it’s not at all clear how the line will be drawn, given the diversity of services on the Internet and the breadth of parties that this legislation will apply to.

Since the TIA Act’s requirement of a warrant is so heavily relied upon for oversight in this regime, that’s a huge concern.

I go into a lot more detail in my submission, but one scenario deserves highlighting:

If the Attorney-General requires Google to incorporate a machine learning model into Gmail to identify suspected terrorists amongst all Australian users, only supplying the “hits” but not their e-mails, will that require a warrant?

Interestingly, I brought this issue up with the senior staffer for the Minister in Canberra; his response was roughly “Oh, I hadn’t thought of that.” Hm.

What’s Next?

The Assistance and Access Bill 2018 came up in a few hallway conversations at IETF 103 last week. I’ve heard Internet infrastructure operators, service providers, hardware and software vendors say that they’re deeply concerned about it.

Some are considering pulling out of the Australian market; others are thinking about creating special ‘dumbed down’ products so that they don’t expose non-Australian customers to risk.

One well-known figure declared it was equivalent to “cyber-Brexit.”

It’s pretty clear that as written, this legislation will put Australian businesses at a significant disadvantage, because they won’t be on a level playing field as suppliers or consumers of Internet-related technologies.

What’s most interesting to me at the moment are the unforeseen reactions. Since this is an attempt to circumvent encryption by attacking trust infrastructure before and after it takes place, the obvious response is to create new technologies that don’t rely on trusting unknown third parties.

That might be one of the many flavours of distributed technologies that are becoming popular, or it might be some more creative incentive structures (like Certificate Transparency) that convince anyone in a trusted position that misuse of these instruments is not only a systemic weakness, it’s also an existential threat to them.