The escalating crypto-war in Australia and what it means for us

It was a sunny day in December 2015 and 14 people lay dead in San Bernardino, California after a mass shooting at the North Park Elementary School.


I still remember the news footage taken from a helicopter hovering over a bullet-ridden black Ford Expedition, in which the perpetrators Syed Rizwan Farook and Tashfeen Malik had fled and were killed in, during a shootout with police.

There have been so many mass shootings in America since, including last year’s horrific killing of 58 concertgoers in Las Vegas, that the grim memory of San Bernardino has faded.

But the tragedy has had a lasting legacy in unexpected ways. In the months after the shootings, the FBI attempted to enlist the support of phone-maker Apple to gain access to Syed Rizwan Farook’s iPhone 5C as part of their investigation into what was being labeled a terrorist attack. The FBI wanted Apple to create a new operating system they could install on the dead shooter’s phone that would bypass security features. It would also serve to give the FBI access to iPhones in future criminal investigations too.

Apple famously refused, telling the FBI that giving in to a demand to “hack our own users” would set a precedent undermining the privacy of all iPhone users.

“While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect,” he wrote in an open letter to customers at the time.

This was just a couple of years after the Edward Snowden leaks, which revealed the extent to which government security agencies were secretly gathering masses of internet data. The big tech companies, keen to shore up trust, rushed to introduce end-to-end encryption to services like WhatsApp, Gmail and iMessage, making the argument that if their customers’ data was invisible to them, they couldn’t hand it over to the authorities.

FBI vs Apple

There were tense meetings between then-president Barack Obama and Apple chief executive Tim Cook, who didn’t resile from his position. Eventually, the FBI found a company that could break the phone’s encryption, paying them nearly US$1 million to do so. The issue died down as a technical fix broke the impasse. But politicians have continued to push the issue calling for new legislation that would force tech companies to allow law enforcement agencies access to encrypted systems.

In the wake of the San Bernardino massacre, President Trump made his feelings on the issue plain, calling for a boycott of Apple products.

“Who do they think they are?" He complained to the hosts of Fox & Friends.

Since then, he has been relatively silent on encryption, but his officials and US senators have been quietly working on the issue with a view to drafting encryption circumvention legislation that they know will face stiff resistance from the tech sector and its K Street lobbyists in Washington D.C.

Governments elsewhere have the same goal in mind as they struggle to track the online communication of suspected criminals and terrorists. An attack in London last May that saw a man drive his car into pedestrians, killing four people, opened the encryption debate in Britain.

The killer had apparently sent a message on the encrypted WhatsApp platform hinting at what he was about to do, moments before he ploughed into unsuspecting pedestrians. It led Theresa May to call for her security services to be given the ability to circumvent encryption systems.

Five Eyes stand together

The UK’s Investigatory Powers Act or ‘Snooper’s Charter’ introduced in 2016 gives British law enforcement agencies some powers to require network operators to remove “electronic protection” from communications and data. But it isn’t seen as strong enough to demand backdoors to encryption services, particularly for services delivered from outside the UK.

New Zealand introduced similar legislation in 2013, with the Telecommunications (Interception Capability and Security) Act. That requires internet providers to make their networks interception available to government agencies armed with a warrant. But it only applies to “network operators” - it is unlikely that the law could be used to demand Apple or Microsoft retrieve encrypted data for the New Zealand Police or the GCSB.

The issue hasn’t flared up in New Zealand in recent years, but our membership of the ‘Five Eyes’ security partnership with Australia, the United Kingdom, the US and Canada could propel us towards the legal changes other countries are pursuing.

Meeting earlier this year, the Five Eyes issued a joint statement stating their preference for technology service providers to “voluntarily establish lawful access solutions to their products and services that they create or operate in our countries”.

Then came the veiled threat:

“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”

Backlash in Australia

Across the Tasman, the Liberal Government is pushing ahead with mandatory measures.

The so-called Assistance and Access Bill proposes three levels of assistance that tech companies and internet providers could be required to lend law enforcement agencies. At the lowest level, voluntary assistance could be offered, with the highest level of assistance seeing the country’s attorney general requiring tech companies to “build a new capability” into their systems to allow access to encrypted information.

The Bill has been slammed by Apple and other multinational tech companies as being too ambiguous and wide-ranging as well as by privacy and encryption experts.

“This is not a solution to the problem of just-in-time policing and border force security but an override on the freedoms of everyday Australians and Australian companies, or even those doing business in Australia,” says Professor Katina Michael, a technology and innovation expert at the University of Wollongong and Arizona State University.

“Privacy is a human right, and one way that right can be maintained in today's digital transactions is through encryption.”

Apple reiterated its call that breaking encryption systems will undermine security for everyone.

“This is no time to weaken encryption,” it wrote in a submission on the Bill.

“There is a profound risk of making criminals’ jobs easier, not harder. Increasingly stronger — not weaker — encryption is the best way to protect against these threats.”

The Australian Computer Society saw no reason to expedite the legislation which it described as “problematic”.

Technically, it can be done

But Dr Richard Adams, Adjunct Fellow in the School of Information Systems at Curtin University, said that while tech companies had an obligation to protect their customers’ data, they also had obligations to the “wider community”.

“The challenge is for manufacturers to meet the needs of both groups rather than adopt the best stance from a marketing/cost perspective,” he says.

With that in mind and the legislation putting the onus on the tech companies to come up with ways to grant security services access to encrypted services, it was time to consider what technical solutions could be offered to meet the government half-way.

“A simplistic solution on phone devices would be to store the data twice, once with the ‘user key’ and once with the ‘manufacturer key’ so the strength of the encryption itself would not be affected and the risk of having two ‘keys’ could be mitigated by the use of a very complex manufacturer key requiring physical access to the device,” he says.

“Obviously there would be push-back on the additional storage required and reduced battery life but the point is that from a purely technical standpoint it could be done relatively easily."

With the Five Eyes member countries all at different stages in pushing for stronger laws to deal with encrypted services, such technical efforts to assist governments will need more serious consideration.

The alternative is heavy-handed legislation that is not fit for purpose, rammed through by governments with a larger law enforcement agenda.

But Michael says we also need to consider the threat to privacy posed by the companies that are opposing efforts to circumvent encryption, which are wielding immense power themselves through their access to masses of our data.

“The complexity here is in the fact that private corporations like Apple, Google, Facebook, Amazon and Microsoft are amassing so much personal data that citizen data rights are being equally eroded by corporations themselves who share the data with third parties,” she says.

“We need to take a step back as Australians and ask ourselves why these private corporations are fighting this government bill together?”

Mandatory Data Breach Notification (2017 Amendment to Privacy Act)

Today I had the pleasure to speak to Meredith Griffiths, reporter of the ABC, on the newly enacted Mandatory Data Breach Notification (MDBN) that take effect on Feburary 28, 2018.

Some of the main points I made in the interview with the help of my colleagues at the Australian Privacy Foundation (primarily David Vaile) were:

MDBN doesn't go far enough because:

  1. small business, <$3m annual turnover are exempt from MDBN
  2. self-assessment of "serious harm" is ambiguous (on what test to companies come forward? and only if PC agrees it is serious? what if slightly serious on one view, and very serious on another- do companies take the easy way out and not disclose?)
  3. companies are given 30 days to make a data breach notification to the privacy commissioner (too long for customers to be kept in the dark and thereafter how long might it take the Privacy Commissioner to determine 'seriousness' and/or publicly response with an unenforceable determination)
  4. what about data breaches offshore (how do Aussies respond to loss of their PI abroad)?
  5. what about 'open data' re-identification thru AI/machine learning?
  6. OAIC is overloaded, slow, determinations are also unenforceable and very rare.

So where does this really leave us? We have a law that neither prevents breaches of personal information nor compensate individuals for privacy breaches. What we need to do is consider the outcomes of the ALRC from 2008 that stipulated we need a tort on the serious invasion of privacy so that individuals CAN sue other individuals (like hackers), or companies (like Google) or government agencies for breaches in their privacy (whether accidental or deliberate or through some form of negligence).

The lack of auditability of the new law means that current practices that rely on de-identification to safeguard people's personal information, say in the case of OPENGOV data initiatives, may not be enough down the track as the threat of increases from machine learning algorithms that can look at patterns of information and highlight individuals like finding a needle in a haystack. The issues of going down this path are grave- including the potential for re-identification and bringing several disaparate treasure troves together like social media data, and government data, and personal records together to be analysed.

Links to MDBN include:

Having a statutory tort of serious invasion of privacy (like in the UK and US) or a common law tort (like in New Zealand), allows individuals to sue other entities depending on the severity of the privacy breach. Why is Australia lagging so far behind other advanced digital nations? When will this legislation be amended?

Already, we are seeing large ICT companies set up "shop-fronts" in Australia with NO enforceable penalties to international misdemeanours when it comes to amassing treasure troves of data, and data breaches offshore. How do we hold these companies accountable when they are taking in a lot of business from Australian consumers and yet seem to be let out in the "wild" to do as they please, storing data on the Cloud either in the USA or Ireland. Bruce Schneier called this "data as a toxic asset". As the toxicity rises, we can expect major pollution spills.

For now, at least we can say that the MDBN is a step in the right direction despite that it falls short through exemptions and loopholes. It can have some reputational impact on "data addicts" that don't do the right thing via their subscriber base, but little more. Sadly, large corporations can handle this reputational damage in their "risk appetites". The fines are also "measly" when it comes to government or regulatory action, and so corporate and government entities in particular are left to their own devices here in Australia. While well-meaning, it seems that it is nothing more than a theatrical show- data hosts are still not responsible for bettering their security practices or urgently responding and fixing a breach.

Data is a bit like mental illness. You can't see it. It is not tangible. You cannot put a price on mental health, and you cannot put a price on your personal data. While we can manage damage to property very well, because we can see a scratch on a car, or the loss of inventory, we cannot see data as we see a broken arm.

We already have very weak Privacy Legislation- Australia needs to get serious like Europe (through the General Data Protection Regulation, considered the gold standard) has on the value of personal identifiable information (PII). Both the liberal and labour governments need to listen to the commissioned reports by the Australian Law Reform Commission, and act on the implementation of statutory tort legislation with respect to intrusions of privacy. There is no reason why this has not happened yet.

Robotics Cleaning Technology at Australian Shopping Centres

Vicinity Centres is considering replacing some of its cleaning contractors with robots in a bid to automate and save costs, according to one of the company's non-executive directors, Wai Tang.

In a roundtable discussion ahead of International Women's Day, Ms Tang said disruption and volatility in the sector had led to many changes.

Vicinty Centres, which manages shopping centres around the country, had recently started trialling whether robots could be used to clean its centres.

But such a move, if it was formally implemented, would "displace many jobs", she said.

More here 


The bot in question is Cleanfix. The product is made by Teksbotics that also makes Pepper, iCub, and other small humanoid robots with AI. Cleanfix has 11 sensors on board.

Standard company blurb includes:

The robotic technology being trialled is a hands-free system that incorporates 11 sensors, giving the robot a 360-degree view of its surroundings, and allowing it to operate and clean autonomously. Advanced navigation and sensors detect obstacles as well as people - stopping to let them pass before proceeding.

The award-winning Cleanfix RA 660 Navi is specifically designed for hard floors and is ideal for shopping centres as it scrubs and vacuums independently, reduces the need for chemicals and uses water more efficiently which significantly lowers its impact on the environment.

Other sources:

Citation: Katina Michael and Jon Faine, "Robotics Cleaning at Australian Shopping Centres: is it a good idea?" ABC Radio Melbourne: Mornings, 7 March 2017.

Biometric Borders on Radio New Zealand (The Panel)

The Panel with Niki Bezzant and Peter Elliott (Part 2) and Producer Julie Moffett. 4.44pm. 26/01/17

More here:

Australian study looks at public attitudes toward mobile emergency alerts

The use of location-based services by governments to send alerts during emergencies sparked privacy concerns over data collection- but not over the potential for unauthorized secondary use of the data, according to a study published onllne by the journal Telematics snd lnformatics.

The study was based on surveys of residents of Australia, which has considered the use of nationwide mobile alerts in emergencies. The surveys, though, too place in well in advance of leaks by Edward Snowden that have had a major impact on the public discourse over privacy and government data collection.

Overall, Australians would accept location-based services during emergencies, the study says. Perception of whether such a service would be useful depended largely on whether respondents trust the government to control and provide the service effectively.

The perceived usefulness of [location-based services] for emergency management was the key driver behind the individual positive attitude towards using the services and intention toward using them in the future, the researchers found.

There was little evidence, thought, that ease of use would be important to users, the
study says.

The study has been peer-reviewed but not yet published In an Issue of Telematlcs
and lnformatics

It notes that future research could compare the results across countries. "Such studies would shed light on the role of culture and government, such as the role and influence of
government administration in creating disparities in the factors determining the acceptance or rejection of location-based emergency services."

For more: go to the study, "Social acceptance of location-based mobile government services for emergency management" by Aloudat and Michael.

Citation: Zach Rauanitz, September 10, 2013, "Australian study looks at public attitudes toward mobile emergency alerts", Fierce Mobile Government.