[Linux-aus] Encryption bill and open source

Anthony Towns aj at erisian.com.au
Fri Dec 7 02:14:40 AEDT 2018


On Thu, Dec 06, 2018 at 09:21:57PM +1100, Linux Australia President via linux-aus wrote:
> Sure - volunteers to take this on very warmly welcomed.

>     Would improving the state of the art in open source help to defray its effects?
>     Yes, but no-one's going to do it.
> I don't have time to do it, and neither does the rest of Council. This is
> precisely my point.

Oh, sorry, I should've expected that interpretation and avoided it in
advance.

What I'm thinking of is more that LA (the council, but the membership
more broadly) just encourage people to focus on various measures to
ensure trustworthiness of the software users run, and the vendors that
provide that software. So encouraging LCA and PyCon and the like to
have BoFs or suggest the topic in their CFPs, or encouraging LUGs to
host talks or tutorials on the topic if you're talking to them, or even
just retweeting people who do have novel, helpful things to say about it.

For instance:

 - anyone running stock Android or iOS on their phone or tablet is
   vulnerable to vendor backdoors; is it practical to build your own
   version of Android from source to avoid this? Personally, I've been
   waiting since last LCA for Marco to give a talk at HUMBUG about
   LineageOS which maybe solves this... <eyeroll emoji; that exists
   right?>

 - anyone running any Android or iPhone apps by Australian authors
   is potentially vulnerable to backdoors due to the new legislation;
   can you use fdroid or some other open source "app store" to at least
   theoretically avoid that risk? Are there any app stores that are
   both open source-y and can accept payment via Bitcoin, say?

 - are there any realistic best practices for code verification, so that
   deliberate backdoors can be detected before you install a binary or
   get exploited? in particular ones that square with things like pypi
   or nodejs or java or ruby dependency systems where you're randomly
   installing bunches of easily updatable code from internet
   repositories?

 - is it realistic to do any of the things everyone relies on centralised
   trusted third parties for, ourselves? like Google Maps'
   location history, or facebook/instagram/snapchat's photo
   and story sharing, or hangouts/skype/zoom videochat, or
   signal/whatsapp/telegram/wickr/whatever "private" messaging, or
   dropbox/evernote/gdrive/etc file storage, or even gmail? Every trusted
   third party has always been a security hole, but now you're not only
   trusting the nominal provider, but every Australian security dept too
   (except the anti-corruption ones, apparently?). Freedom Box was meant
   to help with this, but never really did afaik...

I know enough to ask the questions, and to know that I don't have good
enough answers to any of those; if someone actually knows better about
any of them, I'd like to subscribe to your newsletter, so to speak. Or
attend an impromptu BOF or similar at lca or elsewhere? But maybe nobody
knows better, and lots of people know less and I should be offering the
BOF? I have no idea.

> On 6/12/18 8:32 pm, Paul Shirren via linux-aus wrote:
>     I am wondering if Linux Australia should try and get some clarification
>     about the responsibilities of open source contributors under the
>     legislation?
>     Would they have to comply with a technical assistance notice? Would
>     volunteers be treated the same as people paid to contribute to projects?

It applies to anyone who even has a website...

The objectives can be "enforcing the criminal law and laws imposing
pecuniary penalties" (so, by my reading, traffic fines and fines for your
dog not being leashed totally qualify...), or "assisting the enforcement
of the criminal laws in force in a foreign country", or "safeguarding
national security".

There are civil penalties for:
  * aiding, abetting, counselling or procuring non-compliance with
    assistance and capability notices
  * inducing (by threat or promise) non-compliance
  * knowingly concerned in or a party to non-compliance
  * conspiring with others to effect non-compliance

If I'm reading it right, penalties are $50k for individuals, and $10M
for companies. But it's a defence if complying requires doing something
in a foreign country and complying would be an offence in that country.

If you (as a website owner given a notice) or anyone in the applicable
govt agencies (the ones giving the notices) reveal any of the info in
relation to the notices, then it's 5 years imprisonment. However you
can do so if authorised (ie, loophole for the govt) or if a State Gov
requires it, or if you need legal advice. Disclosure between intelligence
agencies is also fine. You can also disclose the number of notices you've
received in a 6+ month period, so warrant canaries should be possible.

Costs for the work you have to do in complying are covered, but you're
not allowed to profit, which probably means if you're a sole trader that
your time isn't compensated at all...

There's also "section 64A" (of the surveillance devices act?) which
allows LEOs to ask a judge for an assistance order that requires a
specified person to provide info to allow them to "access or copy data
in a computer that's subject of a warrant or emergency authorisation",
or to "convert that data into a form intelligible to a LEO"; if the
person is the computer's owner, or their employee or a contractor or a
sysadmin or anyone who's used the computer.

There's a bunch of sections which set penalties at 5 years prison and/or
$63k, or 10 years prison and/or $126k; but I can't tell what they're
actually for from the bill text.

>     Does it matter that open source projects usually have a global user
>     base. What if the copyright is owned by others including
>     non-Australians? What about people packaging others code for a distro?

AFAICT, they can require a company to insert backdoors and provide
encryption keys, as long as they pay costs (probably including salaries
for time spent). They can require individual devs to apply patches to
the code; and can require admins to reveal or update keys/binaries or
anything else admins are technically capable of.

Maybe it would be a defence that you have to ship the source if you're
modifying a GPLed binary that you don't have full copyright control of
(particularly if your hosting site is foreign?), but if you're just
revealing a crypto key or you're given obfuscated source to ship,
I think you're out of luck. Being able to make pull requests, but not
commit directly, seems like it might be an effective defence.

Cheers,
aj
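On the "code verification before you install a binary" question for pypi-style dependency systems, the one concrete practice that exists today is hash pinning: every requirement carries a digest of the exact artifact you reviewed, and the installer refuses anything that doesn't match. The following is an added example, not code from the post above or from any LA project; it reimplements the core of pip's `--require-hashes` check in plain Python so the logic can be read end to end. The requirements text, the package names, and the "downloaded" artifact bytes are all constructed here (the sha256 and md5 constants are the digests of the three-byte string "abc"), so it runs offline.

```python
"""Hash-pinned dependency verification, in the style of pip --require-hashes.

Added example (not the mailing-list author's code). Policy demonstrated:
  * every requirement must be pinned (==) and carry at least one strong hash;
  * a downloaded artifact is accepted only if its digest matches a pin;
  * weak algorithms (md5/sha1) don't count as pins;
  * install is all-or-nothing: one failure blocks the whole set.
All package names and artifact bytes below are constructed for the demo.
"""
import hashlib
import re
from dataclasses import dataclass, field

HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
STRONG_ALGS = {"sha256", "sha384", "sha512"}


@dataclass
class Requirement:
    name: str
    version: str
    hashes: dict = field(default_factory=dict)  # alg -> set of hex digests


def parse_requirements(text):
    """Parse requirements text, honouring pip's backslash line continuation
    and '#' comments. Anything not pinned with '==' is rejected outright."""
    reqs, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):          # continuation: accumulate and keep going
            logical += line[:-1] + " "
            continue
        logical += line
        m = REQ_RE.match(logical.strip())
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {logical!r}")
        req = Requirement(m["name"].lower(), m["version"])
        for h in HASH_RE.finditer(logical):
            req.hashes.setdefault(h["alg"].lower(), set()).add(h["digest"].lower())
        reqs.append(req)
        logical = ""
    return reqs


def check_artifact(req, data):
    """Return (ok, reason) for one downloaded artifact against its pins."""
    algs = [a for a in req.hashes if a in STRONG_ALGS]
    if not algs:
        return False, f"{req.name}=={req.version}: no strong hash pinned"
    for alg in algs:
        if hashlib.new(alg, data).hexdigest() in req.hashes[alg]:
            return True, f"{req.name}=={req.version}: {alg} matches"
    return False, f"{req.name}=={req.version}: digest mismatch (tampered or wrong file)"


def verify_all(text, artifacts):
    """Check every requirement; returns {name: (ok, reason)}."""
    results = {}
    for req in parse_requirements(text):
        data = artifacts.get(req.name)
        if data is None:
            results[req.name] = (False, f"{req.name}: artifact not downloaded")
        else:
            results[req.name] = check_artifact(req, data)
    return results


def should_install(results):
    """All-or-nothing policy: proceed only if every artifact verified."""
    return all(ok for ok, _ in results.values())


# Constructed sample data. Both digests are of the bytes b"abc".
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
MD5_ABC = "900150983cd24fb0d6963f7d28e17f72"

REQUIREMENTS = f"""\
# constructed sample; names and hashes refer to the demo bytes below, not real wheels
good-pkg==1.0.0 \\
    --hash=sha256:{SHA256_ABC}
tampered-pkg==1.0.0 \\
    --hash=sha256:{SHA256_ABC}
unhashed-pkg==2.0.0
weak-pkg==3.0.0 --hash=md5:{MD5_ABC}
"""

ARTIFACTS = {                      # what the "download" step handed back
    "good-pkg": b"abc",            # matches its pin
    "tampered-pkg": b"abd",        # one byte off: mirror or MITM swapped it
    "unhashed-pkg": b"abc",        # pinned version but no digest: refused
    "weak-pkg": b"abc",            # md5 only: refused as not a strong pin
}

if __name__ == "__main__":
    res = verify_all(REQUIREMENTS, ARTIFACTS)
    for name, (ok, reason) in res.items():
        print(("OK   " if ok else "FAIL ") + reason)
    print("install:", "proceed" if should_install(res) else "blocked")
```

The important design point is the last function: a mismatch on any one artifact blocks the whole install, because a backdoored transitive dependency is just as fatal as a backdoored top-level one. In practice you would generate the pins with `pip hash` (or a lockfile tool) at review time and commit them alongside the code, so that a later push to the index of a different artifact under the same version fails this check rather than silently installing.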
