Cyber Security Weekly Podcast
Episode 152 - The Toll of TOLA - Australia's Amendment for Assistance and Access
Interview by Executive Editor Chris Cubbage with Nick FitzGerald, Senior Research Fellow of ESET, discussing the Telecommunications and Other Legislation Amendment (Assistance and Access) Act (TOLA).
Based on the interview, conducted on May 1, 2019 in Sydney, Nick has provided the following opinion piece:
During the podcast, in response to something I said about the extremely broad-brush definitions in the Telecommunications and Other Legislation Amendment (Assistance and Access) Act (TOLA), Chris said “We have to then trust the government to use the legislation in the correct way and not in their own sort of interpreted manner.” On reflection, I think that is largely why there is so much unease about TOLA. I’m no legal scholar, but a little online searching readily confirms my expectation that avoiding ambiguity or obvious points for diverging interpretation is core to drafting good legal documents of any kind, be they employment contracts, conveyancing agreements or parliamentary Bills.
It seems the government is aware of this, as one of the defences it stood up to face the extensive criticisms levelled at earlier versions of the Bill (now TOLA), is a FAQ-style Myths about the Assistance and Access Act page. The defences on that page are generally unconvincing. Many just restate the intentions attributed to the former Bill (now TOLA), and few of them provide clear support for the denials of the “myths” they purport to debunk. Perhaps someone should explain to the Department of Home Affairs that referring, in a circular manner, back to the exact text in the Act that gave rise to a concern (or “myth” in the Department’s view) in the first place is unlikely to allay the concerns that that text raises with so many people. That it is clearly open to multiple interpretations is, in and of itself, evidence of deep problems with TOLA.
Enough about the quality of its drafting – what else about TOLA should concern us?
We live in an age that has recently seen an explosive growth in the digitalisation of our everyday lives, and we expect this to continue for some time, with the continuing, rapid growth of the internet of things. Further, the looming adoption of 5G, with its greater bandwidth and reduced latencies, promises even more connected “things” and services. However, we are also increasingly aware of just how poorly secured much of the already internet-connected stuff we now depend on is, and perhaps ironically, this has driven increased consumer demands for better security, better encryption of network traffic, and so on.
And that we are increasingly turning to encryption-protected services, which means the criminal elements are too, is clearly what partly motivates the provisions of TOLA. When the bad guys used landline telephones, law enforcement could readily tap all calls to or from a given phone at the local telephone exchange (or anywhere along the trunk cables with some additional effort). The move to cell phones complicated that somewhat, particularly once cheap “burner” phones became available and could simply be bought over the counter with no registration, phone company contracts and so on. But now, we are told, the bad guys are increasingly moving to end-to-end encrypted messaging, voice and video calling services, such as WhatsApp, Telegram and Signal.
Early criticism of what was to become the Bill (now TOLA), centred around some truly awful messaging from some of the politicians involved, who seemed to be suggesting that Australia’s intelligence agencies had advised the government that the encryption itself could be broken. This resulted in responses from the “you clearly do not understand mathematics” end of the spectrum through to what was basically name-calling. As time passed and drafts of the Bill appeared, it became clear that – to be polite – these politicians had misspoken.
Although contributing to the UK’s version of the same debate, two senior UK spooks – the technical directors of the National Cyber Security Centre, and of cryptanalysis, both parts of GCHQ – published an article on the Lawfare blog explaining the UK’s approach to the same set of perceived problems. In short, they argued that just as “the early digital [telephone] exchanges enacted lawful intercept through the use of conference calling functionality”, it should be “relatively easy for a service provider to silently add a law enforcement participant to a group chat or call”. Such solutions would require the client app on the target device(s) to be modified to not indicate that an apparent one-to-one call was actually a group call, and likewise that a group call contained N – 1 participants if one of those was a lawful intercept. As another member of the Five Eyes alliance, it seems that this kind of thinking behind the developing framework for the UK’s own exceptional access legislation is probably not too dissimilar to what the drafters of TOLA had in mind.
While many of today’s most popular messaging and VOIP protocols do employ a central broker of some kind to at least perform the initial setup of sessions between callers, that is not a necessity of such designs. Fully decentralised, peer-to-peer systems, where no one client or central authority controls how connections are setup, what encryption keys are used, and so on, already exist. Further, TOLA specifically prohibits an order that would prevent an existing service provider from switching to use such a protocol, even if they were doing so explicitly to avoid being able to cooperate with Australian law enforcement intercept orders under TOLA.
But why all the focus on just the modern equivalent of yesteryear’s telephone systems? We now live the era of the cunningly mis-branded “smart speaker” that millions have rushed to adorn their kitchens or living rooms with. And most of us carry a device apparently purpose-made for spying on our every move with its GPS sensors, microphones, multiple video cameras, multi-axis accelerometers and all with near-permanent internet connectivity. The overlords of Oceania in Orwell’s 1984, with their paltry “telescreens”, would be gobsmacked at the sheer enthusiasm with which we embrace contemporary technology that could so easily be turned to surveil us. As much of this technology only works through communicating with its centralised cloud services, these all appear to also be fair game to TOLA…
ACSM Article - ESET - How to detect, mitigate and stop cryptomining malware