Canberra competence shines in day of PM domain lapses and tortured analogies

If you can't set up a process to renew a domain, can you be trusted to run an economy?

Once again, Australian politicians have failed at the first hurdle when it comes to handling anything remotely technical.

Today's victim is none other than Prime Minister Scott Morrison, whose scottmorrison.com.au domain lapsed and was subsequently picked up by a digital marketer called Jack Genesin.

Instead of a federal member's electorate site, the domain served a WordPress install that blasted out the song "Scotty doesn't know".

In a blog post by Genesin's company Digital Eagles, the domain has been offered back to the Prime Minister's Office.

"The important thing is that it was purchased by someone who won't use it to cause harm," the post says.

"What could've happened? If a catch-all email was set up and Jack started doing password reset requests to websites, he could have access to anything that was set up under the domain. Because he hasn't done this, we don't know what emails are coming in, who they'd be from, or any damaging information, but if the opposition party or others with malicious intent gained access, they could definitely do some damage.

"So, while #scottydidntknow last night, we're pretty sure he does now."

All fantastic hijinx, and those of us who have ever let a domain lapse should not be throwing stones, but then, we've not been prime minister of Australia.
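The risk described in the quoted post is that accounts send their password-reset mail to a domain that can lapse. One way to audit for it is to cross-check each account's recovery address against a domain renewal inventory. This is an added example, not code from the article or from Digital Eagles; every domain, date and account name in it is constructed.

```python
from datetime import date

# Constructed inventory: domain -> (expiry date, auto-renew enabled)
DOMAINS = {
    "example.com": (date(2024, 6, 13), False),  # already lapsed on the audit date
    "example.org": (date(2024, 7, 2), False),   # expires soon, manual renewal
    "example.net": (date(2024, 6, 28), True),   # expires soon, but auto-renews
}

# Constructed list of (service, recovery e-mail address used for password resets)
ACCOUNTS = [
    ("registrar", "admin@example.com"),
    ("social-media", "press@mail.example.org"),
    ("cms", "web@example.net"),
    ("newsletter", "office@example.invalid"),
]

def owning_domain(email, inventory):
    """Return the inventory domain the address's host equals or is a subdomain of."""
    host = email.rsplit("@", 1)[-1].lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in inventory:
            return candidate
    return None  # reset mail goes to a domain nobody is tracking

def audit(accounts, inventory, today, warn_days=30):
    """Classify each account by the renewal state of its recovery domain."""
    severity = {"LAPSED": 0, "EXPIRING": 1, "UNTRACKED": 2, "OK": 3}
    findings = []
    for service, email in accounts:
        domain = owning_domain(email, inventory)
        if domain is None:
            status = "UNTRACKED"
        else:
            expiry, auto_renew = inventory[domain]
            days_left = (expiry - today).days
            if days_left < 0:
                status = "LAPSED"      # whoever re-registers it receives the resets
            elif days_left <= warn_days and not auto_renew:
                status = "EXPIRING"    # depends on someone remembering to renew
            else:
                status = "OK"
        findings.append((status, service, email, domain))
    return sorted(findings, key=lambda f: (severity[f[0]], f[1]))

if __name__ == "__main__":
    for status, service, email, domain in audit(ACCOUNTS, DOMAINS, date(2024, 6, 15)):
        print(f"{status:9} {service:12} {email} (domain: {domain})")
```

Accounts flagged LAPSED or EXPIRING should have their recovery address moved to a domain that is still under control before anything else is done with the old one.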

The lapse arrives in a week where the government had other so-called administrative errors of a much more serious nature, and happened on the eve of the first hearing into the proposed Assistance and Access Bill as it is being rammed through Parliament.

From the morning testimony delivered by the Department of Home Affairs, Australian Signals Directorate, Australian Federal Police (AFP), and Australian Security Intelligence Organisation (ASIO), only one concrete exclusion was teased out, and it was the thankful exclusion of any sort of key escrow.

More often, though, the intelligence and law enforcement representatives stumbled through the details of the practical implementation of the legislation, and went this way and that on the definition of a systemic weakness, which is one of the few provisions that would allow service providers to push back and deny government demands to access encrypted content.

Under the proposed law, Australian government agencies would be able to issue three kinds of notices:

  • Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
  • Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
  • Technical Assistance Requests (TAR), which have been described by experts as the most dangerous of all.

Setting the tone for the morning, ASIO Director-General of Security Duncan Lewis said the Bill is proposing to take existing powers from the real world into the cyber realm.

"To put it simply, I'll describe it as similar to using a pair of precision tweezers to extract a needle from a communication haystack. We're looking to communication providers to help us pick that needle out of the haystack by informing them of exactly what that needle is, which needle are we after," Lewis said.

"Far from being a backdoor, we are knocking right on their front door, this is not backdoor stuff.

"The haystack, just to continue that analogy, is of no interest to us; it is not within our capacity to monitor the haystack, it is not within our legal authority to apply en masse surveillance to it, and we certainly do not collect against it."

Stating that the proposed laws do not remove the need for a warrant to access content, Secretary of the Department of Home Affairs Michael Pezzullo picked up on the door analogy.

"We've got the warrant, we've arrived at the house, but it is very securely locked, we need a locksmith," Pezzullo said. "So the warranted authority for the activity already has to pre-exist.

"That authority has to exist at all times, this is not extraneous to that regime."

Of course, in the case of end-to-end encrypted communications, there is no door, so you cannot require a locksmith. The only way to get into the figurative house is with some sort of wrecking ball.

To give Pezzullo credit, at least houses do exist, unlike cybermoats.

What will concern those likely to be hit by these laws is the flexible definition of systemic weakness.

"To try and define what a systemic weakness is for every individual company relies on an understanding of what their business structures are," Hamish Hansford from the Department of Home Affairs said.

"What a systemic weakness might be for Apple and Google might not be for Microsoft."

From the testimony, it was clear that the intelligence and law enforcement agencies consider a systemic weakness to be only one that impacts a majority of users on a service.

With the rush to get this Bill passed, many of its unintended consequences may not be examined, such as the warning from the Office of the Australian Information Commissioner (OAIC).

"The OAIC considers that the Bill should ensure that weaknesses and vulnerabilities are not unintentionally created because the impact of a particular request is not fully understood by the agency or the designated service provider," it said.

Telcos, vendors, and industry and privacy groups will have their turn to appear at the hearing later in the day.
