1/11: If you haven't read the (Aus) Critical Infrastructure Bill because (like me) you foolishly assumed it was about protecting critical infrastructure, now is ... probably too late. aph.gov.au/Parliamentary_…
So here's a short summary of the "protections" you can't refuse #Auspol
2/11: Everyone agrees that the threat of cyberattack is serious, the results could be devastating, and Australia is woefully unprepared.
The question is whether forced "assistance" from @ASDGovAu and Home Affairs will make us more or less safe & secure.
3/11: Critical infrastructure isn't just dams and power plants - it will also include financial systems, health providers, and "data processing" (i.e. almost anything). It's clearly important to protect them; less clear that forced "protection" from ASD is the right way to do so.
4/11: So what's in the bill? It gives the Secretary of Home Affairs, sometimes with Ministerial direction and sometimes not, *never* with the slightest obligation for judicial oversight, the power to make several kinds of "assistance" and "protection" offers you can't refuse.
5/11: An "intervention request" (which you can't refuse) comes from the Minister and can force you to modify your system or install their software on it.
Large fines for refusal.
6/11: An "Information gathering direction" (which you can't refuse) can include being forced to give information about your system to the Secretary of Home Affairs.
Slightly-less-large fines for refusal.
7/11: An "Action direction" is like an "intervention request" but with 2 years jail for refusal.
8/11: I don't usually agree with Google, but they make a good argument that the power to interfere in their networks runs a large risk of making them *less* secure: aph.gov.au/Parliamentary_…
9/11: The opportunity for abuse is obvious. There are no practical constraints on the exercise of these powers. They do not require a warrant or have any kind of judicial oversight. They do not require a cyberattack to be occurring – it suffices to believe one to be "imminent".
10/11: @ASDGovAu may exfiltrate sensitive personal information (health records, financial info and communications) as long as it is de-identified enough to not be "personal information" under the Privacy Act. There's no requirement that they refrain from re-identifying it later.
11/11: So what can you do? Nothing. Get some solar panels, install Signal, tell your GP not to write notes into an electronic system.
As usual, the tragedy here is that we really do need to do something that actually protects our critical infrastructure. This is not it. #Auspol
1/4: When I installed the service Vic app on June 4 (when it became compulsory) the splash screen told me "Your personal details always stay on your phone," which is not true: your check-in details are uploaded to a central database immediately when you check in. #Vicpol @OVIC_AU
2/4: Now (surprise, surprise!) we're debating further access to that database, which never had to be built in the first place. Aotearoa/NZ and the UK have 'automated diary'-style apps in which your check-in data does stay on your phone, with notification to the affected person.
3/4: I even wrote up an idea for the best of both worlds, in which local personal data storage could be combined with automatic notification to govt if you'd visited an exposure site. github.com/AusOpenTech/Au…
1/5: Remember how @ElectionsACT didn't need to make their source code openly available for public scrutiny because it was going through an "audit and certification process"?
They published the votes on Friday and it is immediately evident that the counting code has bugs. #ACTpol
2/5: Andrew Conway implemented the count & found notable discrepancies with the official tallies - more than 20 votes in some cases. Our report is at github.com/SiliconEconome…
None of these bugs change the winners. They could have, but this year - by sheer good luck - they didn't.
2/11: Singapore & the UK have released whitepapers explaining their crypto and assumptions. The UK's is by @NCSC's Ian Levy: ncsc.gov.uk/files/NHS-app-…
In both cases, there are some things I disagree with, but I respect the authors for putting the details out for review.
3/11: Singapore rotates encrypted IDs every 15 mins.
Aus #CovidsafeApp rotates them every 2 hours.
The UK's app keeps the same one all day. The explanation is that this can helpfully nudge people about how much close contact they've had.
1/11: Why are there two almost-opposite technical threads here, one saying "#covidsafeapp gathers so much LESS data than anything else on your phone," and another saying "this app gathers info that no other app on your phone collects"? The answer is that they're both true.
2/11: It's true that #covidsafeapp doesn't do any of the usual nasties, e.g. GPS tracking or microphone surveillance. However, it builds an infrastructure for gathering a completely new kind of mass data: fine-grained detail about who was how close to whom, when.
3/11: Just as #covid19 is a new virus that will probably be with us forever, physical proximity data is a new form of data gathering whose implications will be lasting, and which we are only beginning to understand.
1/7: Hang on a minute, I have misunderstood something important. In my blog post I wrote of Tracetogether "Whenever you're within Bluetooth range of a person, you send them your ID, encrypted with the public key of the Singaporean authorities."
Is that what everyone else thought?
2/7: But their whitepaper actually says: "TempIDs are cryptographically generated by the backend service." bluetrace.io/static/bluetra…
Those encrypted IDs you send out all the time are AES encryptions, generated for you by a central server, using a key you don't know.
3/7: The public-key-based system I thought they were using is described as an alternative that isn't implemented because of its computational burden. They add that this allows health authority monitoring by "logging the issuance of daily batches of TempIDs." Daily is a key word.
1/6: OK, let's think of a list of specific questions - I'll start with whether "What is being proposed is no different than our existing health surveillance system." In our current system, a health official asks an infected person for a list of people & places they've been near.
2/6: Some obvious differences:
- When relying on human memory, you might forget. Automation should be better.
- When relying on human memory, you can choose to omit certain people or places. Will Australia's app have that option, or will it be all-or-nothing? #covid19australia
3/6:
- Human memory cannot usually be compelled (at least not in countries like Aus), but data can be compulsorily acquired, e.g. under TOLA. Will TOLA, and other laws about compulsory phone-opening, be amended to carve out contact data stored on your phone by the app? #auspol