[ISN] 2600 Australia response to 2nd Reading of Commonwealth Cybercrime Bill 2001

From: Grant Bayley (gbayleyat_private)
Date: Thu Jun 28 2001 - 09:03:01 PDT


    To all,
    
    This is a "first response" to the second reading of the
    Australian Commonwealth Cybercrime Bill, 2001 from 2600 Australia, a
    self-described "hacker advocate group".  A full response to the bill
    itself will be forthcoming, though this discussion sums up a large number
    of the arguments against the proposed legislation.
    
    Grant Bayley
    
    -------------------------------------------------------
    Grant Bayley                         gbayleyat_private
    -Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
     www.ausmac.net   www.wiretapped.net   www.2600.org.au
    -------------------------------------------------------
    
    References:
    
    Explanatory Memoranda:
    http://www.2600.org.au/misc/cybercrime/cybercrime-bill-2001-explanatory-memoranda.pdf
    
    Cybercrime Bill, 2001 (at first reading):
    http://www.2600.org.au/misc/cybercrime/cybercrime-bill-2001-firstreading.pdf
    
    > House of Representatives Hansard 27 June 2001   P 27081
    > CYBERCRIME BILL 2001
    > First Reading
    >
    > Bill presented by Mr Williams, and read a first time.
    >
    > Second Reading
    >
    > Mr WILLIAMS (Tangney—Attorney-General)
    > (9.57 a.m.)—I move:
    >
    > That the bill be now read a second time.
    >
    > More than three million Australian households and
    > over one billion people worldwide are connected to
    > the Internet. With the exponential growth in the
    > Internet population and in electronic commerce over
    > the last decade, the integrity, security and reliability
    > of computer data and electronic communication is
    > becoming increasingly important. Cybercrime activities,
    > including hacking, virus propagation, ‘denial of
    > service’ attacks and web site vandalism, pose a significant
    > threat to the integrity and security of computer
    > data. Indeed, according to recent estimates, cybercrime
    > is costing companies worldwide approximately
    > $3 trillion dollars a year.
    
    First off, this figure is unsubstantiated.  It was not generated by an
    organisation such as the Australian Bureau of Statistics or any recognised
    authority on the matter, rather various commercial organisations whose
    business depends on the existence of (or appearance of the existence of)
    cybercrime.
    
    This alone makes the basis on which this law is being proposed deceptive
    and misleading at best.
    
    Secondly, the term "cybercrime" is so poorly defined, even by the very
    authorities that wish to pass laws regarding it, that almost any activity
    that might be considered criminal in the context of a computer or
    electronic equipment might qualify for prosecution under this law.
    
    This is a dangerous precedent considering the lack of understanding
    amongst legislators about the very activities they are wishing to outlaw.
    
    > Updated laws are vital if authorities are to effectively
    > detect, investigate and prosecute cybercrime
    > activities. The proposed new computer offences and
    > investigation powers in the Cybercrime Bill 2001 are
    > a significant development in the fight against these
    > activities and will place Australia at the forefront of
    > international efforts to address the issue of cybercrime.
    
    Indeed, they are, but not in this rough-riding, rights-restrictive
    fashion.
    
    > Computer offences
    > The Cybercrime Bill 2001 proposes the enactment
    > of seven new computer offences. The offences are
    > based on the recommendations of the January 2001
    > Model Criminal Code damage and computer offences
    > report developed with the cooperation of the Commonwealth,
    > states and territories. Implementation of
    > the Model Criminal Code offences is an important
    > step toward achieving national consistency and
    > remedying deficiencies in the existing laws. The new,
    > updated offences would replace the existing offences
    > in the Crimes Act, which, although only 10 years old,
    > are already seriously outdated.
    
    Sadly, this is a common misconception.  Existing laws already cover many,
    many computer-related offences, whether directly or indirectly.  Directly,
    in that they cover offences such as unauthorised access, unauthorised
    insertion, modification and deletion of data; offences against
    telecommunications carriers that may be used in the commission of an
    offence; and impairment-of-service offences carried out against networks
    supplied by telecommunications carriers.  And indirectly, in relation to
    such offences as false personation, obtaining credit by false pretences
    and the like.
    
    All are directly applicable to the type of situations that Justice
    Minister Ellison and Attorney-General Williams crow about when attempting
    to justify the creation of such laws as the Cybercrime Bill, 2001.
    
    Yet, there have been very few cases where all of these existing components
    of law have been applied to offenders.  In some cases, the offences simply
    aren't easily traceable.  In others, the actual loss caused by the offence
    pales in comparison to the time and effort of prosecuting an individual
    for the offence.  In others, the offences alleged to have been carried out
    by individuals have been grossly overstated, leading to short, suspended
    sentences, good behaviour bonds and small fines.  None of these are
    failures in the laws themselves, but the application of appropriate laws
    to particular crimes.
    
    Therefore, I ask the question - will this law make it any easier to trace
    such crime?  Any less costly for individuals or companies or law
    enforcement to bring actual, legitimate criminals to justice?  The answer
    in both cases is no, because although the legislation seeks to bring a
    number of these existing components of law together and extend them in
    other cases to meet a perceived dire need, law enforcement simply isn't
    any better equipped to deal with such cases than 5 or 10 years ago, nor is
    there any increased level of understanding in the judiciary to take into
    account the horribly ill-defined phenomenon of "cybercrime".
    
    > All the proposed offences are supported by extended
    > extraterritorial jurisdiction in recognition of
    > the fact that computer crime is often perpetrated remotely
    > from where it has effect. The proposed offences
    > have been drafted in technology-neutral terms.
    > The offences also dovetail with the terminology of
    > the Electronic Transactions Act 1999, which has been
    > an important vehicle for expanding electronic commerce.
    
    Will extraterritorial jurisdiction bring about the prosecution in this
    country of the Filipino creator of the so-called ILOVEYOU worm,
    considering it is alleged by the Customs and Justice Minister and the NSW
    Attorney-General, Mr Debus, to have caused $7 billion in damage?
    
    Let's not kid ourselves here.  It hasn't happened, and it won't.
    
    > The first offence in the bill targets those who access
    > or modify computer data or impair electronic
    > communications to or from a computer that they are
    > not authorised to access, modify or impair and who
    > do so with the intention of committing a serious offence,
    > punishable by five or more years imprisonment.
    > The offence would attract a maximum penalty
    > equal to the maximum penalty for the serious offence.
    > For example, if a person hacked into a bank
    > computer and accessed credit card details with the
    > intention of using them to obtain money, the penalty
    > would be equivalent to the fraud offence the person
    > was intending to commit (10 years imprisonment).
    
    How would this change if the bank's computer contained no access
    protection, such as that which you mention three paragraphs below?
    
       "The offence relates only to unauthorised access or modification of
        data that is protected by a password or other security feature rather
        than any data."
    
    If the bank's computer was not protected by a password or other security
    feature and an attacker (as we prefer to call such people) accessed credit
    card details with the intention of using them to obtain money but did not
    in fact follow through and do this, how would they be treated?  By my
    layperson's understanding, they may not be liable for punishment for any
    crime, especially if they only thought to use the credit cards to obtain
    money after having found them then decided against it prior to doing so.
    
    Although each case would be decided on its merits, I can supply
    sufficient counter-examples for each and every situation that might be
    raised in support of this proposed legislation.
    
    It's sort of a saying in computer security circles that nothing is
    absolute.  For every possible security protection, there is a potential
    misconfiguration or fault or failure that renders such protection useless,
    null and void.  While this proposed legislation is "technology-neutral",
    whether some things are in fact a "bad" thing at all (such as exposing a
    misconfiguration in a security system by means of a controlled
    demonstration) aren't even clearly agreed upon amongst the computer
    security community, let alone the Council of Europe with its Cybercrime
    Treaty.  The Australian Government is way out on a limb claiming it has
    the answers to these questions, embodied in this proposed legislation.
    
    > It would be an offence for a person to cause any
    > unauthorised modification of data in a computer
    > where the person is reckless as to whether that modification
    > will impair data. A maximum penalty of 10
    > years imprisonment would apply. The offence covers
    > a range of situations, including a hacker who obtains
    > unauthorised access to a computer system and impairs
    > data and a person who circulates a disk containing
    > a computer virus which infects a Commonwealth
    > computer.
    
    Just out of interest, how does the Government approach the topic of
    "benign" or "good" viruses?  They're certainly the exception to the rule,
    but they indeed exist.
    
    An example of a "benign" virus would be one written for demonstration
    purposes to expose an insecurity in an operating system that might be used
    at some point in the future as a propagation vector for a not-so-benign
    virus.  The benign virus (or possibly a worm, something that spreads of
    its own accord) simply sits resident on the computer, using very
    negligible memory, processor and disk space resources and does not impair
    the normal usage of the computer.
    
    An example of a "good" virus is one that propagates in much the same
    fashion as above, but carries with it a payload capable of repairing a
    misconfiguration, patching an insecure piece of software or otherwise
    preventing further potential damage to machines it is transmitted to.
    Arguably, such viruses enhance the security of the machine.  That is,
    they're doing the exact opposite to impairing the operation of the
    computer - they're fixing it.
    
    None of these scenarios are accounted for in the proposed legislation.
    Some would respond by saying "it doesn't have to account for them", but
    I'd challenge that on the basis of "where do you draw the line between
    impairment and enhancement?".  Nothing is absolute in the world of
    computers, remember.
    
    > The bill proposes an offence of causing an unauthorised
    > impairment of electronic communications to
    > or from a computer, carrying a maximum penalty of
    > 10 years imprisonment. This offence is particularly
    > designed to prohibit tactics such as ‘denial of service
    > attacks’, where a web site is inundated with a large
    > volume of unwanted messages, thus crashing the
    > computer server. The penalty for this offence recognises
    > the importance of computer facilitated communication
    > and the considerable damage that can result
    > if that communication is impaired.
    
    There's an obvious target here - people that generate such large volumes
    of traffic.  As before and as always, there are examples where this fails
    to pass muster.  What is the Government's opinion about "Hacktivism"
    actions (misguided as the causes themselves may be) where a significant
    number of computers each place a tiny and insignificant portion of load
    upon a server, whether it be in the form of "hits" to a website or
    "emails" to an email server?
    
    Under the law, each of the participants in this action would, in theory,
    be subject to prosecution under this part of the Cybercrime Act, 2001, but
    where things get murky is where we consider how such an action differs
    from the ordinary operation of a busy web or email server - a large
    number of clients each make a small, insignificant number of connections,
    generating on the whole a significant and sometimes destructive load on
    the web or email server.  The slang term for this is "Slashdotting", named
    after a website that was so popular at one point in its existence that
    when any other site was linked from it, the sheer number of visitors
    innocently following the link brought many a server to its knees.
    
    The distinction between such illegal impairment and high-load ordinary
    operation is dangerously blurry.  Would an Australian site have reason and
    recourse under the law to charge the operator of another site that
    directed visitors to it with a crime?  How does this differ from the
    "denial of service" examples provided?
    
    > The proposed offence of causing unauthorised access
    > to or modification of restricted data held in a
    > computer carries a maximum penalty of two years
    > imprisonment. The offence relates only to unauthorised
    > access or modification of data that is protected
    > by a password or other security feature rather than
    > any data. The offence will target those who hack into
    > a password protected computer system in order to
    > access personal or commercial information or alter
    > that information.
    
    Okay, so anything that is not protected by a password or other
    (functioning) security feature is fair game for open, unrestricted public
    access?
    
    Like the detailed network diagrams for internal Commonwealth networks
    found on a public file server on the Internet several months ago?
    
    > The bill proposes an offence of causing unauthorised
    > impairment of the reliability, security or operation
    > of any data held on a Commonwealth computer
    > disk or credit card or other device. A maximum penalty
    > of two years imprisonment would apply. This
    > offence is particularly designed to cover impairment
    > of data caused by actions such as passing a magnet
    > over a credit card or cutting a computer disk in half.
    
    So, correct me if I am wrong, but would it be an offence to "impair the
    reliability" of an electronic service by exposing an obvious, repairable
    security flaw in it?  It would certainly instill doubt in the present and
    future customers of the service, but would bringing this to the attention
    of the proprietors of the service and/or the public be an offence?  If so,
    what is to gain by making this an offence?  Is it the aim of the
    Government to reduce the security of electronic services by preventing
    appropriate disclosure of security faults?
    
    Anyone remember the GSTAssist site?  The site that had no security
    protection at all, yet freely gave out people's personal information to
    all and sundry?  Who gained from this situation?  The young man who
    exposed the flaw (albeit in an odd fashion)?  I doubt it.  He was
    investigated by the Federal Police and received scorn from members of
    Federal Parliament, who were understandably scampering about to divert
    blame from the inability of their staff to properly design the system.
    The only people that gained from this situation were those that had their
    personal information put in jeopardy by incompetent Government staff -
    after all, once the problem was exposed and the security of the system was
    put into doubt (the reliability of it was impaired), it could be resolved
    appropriately.  I doubt that without the young man's disclosure, this
    could have occurred.
    
    Again, for every example, there's copious examples of where such proposed
    legislative changes do not make sense.
    
    And what's this about destruction of computer disks?  Of passing magnets
    over a credit card?  What's the basis for these examples?  The
    justification?  If I own a disk, surely I'm not prevented from doing
    whatever I please with it?  Doesn't the same apply to my credit card?
    
    > Lastly, the bill proposes two offences relating to
    > the possession and supply of data or programs that
    > are intended for use in the commission of a computer
    > offence. Each offence would attract a maximum penalty
    > of three years imprisonment. These offences are
    > designed to cover persons who possess or trade in
    > programs and technology designed to hack into or
    > damage other people’s computer systems. For example,
    > a person will commit an offence if he or she possesses
    > a hacking program or a disk containing a computer
    > virus with the intention of using it to access or
    > damage data.
    
    This is downright dangerous, firstly because of the "dual use" nature of
    many types of computer hardware and software and secondly because it
    establishes a unique branch of "thought crime" - storing information that
    could be used to "hack into or damage other people's computer systems" in
    one's own mind (the danger of this should be self-evident).
    
    The "dual use" nature of many types of computer hardware and software
    exists because the very tools that can be said to assist a user in
    preparing to break into a computer system can be legitimately used to
    test the security of one's own computer system against such break-in
    attempts perpetrated by others.  In fact, it is the wide public
    availability of such tools in the first place and their utilisation in
    the protective role that reduces their effectiveness as tools for the
    former of the two roles - the unauthorised and potentially destructive
    one.
    
    The obvious and oft-quoted example of such a tool is "nmap" - a network
    mapping tool.  nmap allows a remote user to map out the availability of
    services on a network-connected computer.  Nothing more.  Nothing less.
    With such a map, a user could attempt to break into a computer, narrowing
    down the potential means of entry on the basis of what information is
    contained in the map.  At the same time, the owner of the computer could
    use the map to evaluate what defences might need to be put into place,
    what services are exposed to the outside world, possibly as the result of
    a misconfiguration.  In other words, nmap is a dual-use technology.
    
    For those that aren't aware, "dual-use" is a term usually reserved for
    technologies such as encryption, which (as emotive as these sound) could
    be used just as effectively by a paedophile to hide archives of illegal
    material as by a human rights crusader hiding information that could
    compromise their personal safety or those in their care.
    
    And this leads us onto the next part of this dangerously flawed
    legislation...
    
    > Investigation powers
    > The bill will enhance the criminal investigation
    > powers in the Crimes Act 1914 and Customs Act
    > 1901 relating to the search, seizure and copying of
    > electronically stored data. The large amounts of data
    > which can be stored on computer drives and disks
    > and the complex security measures, such as encryption
    > and passwords, which can be used to protect that
    > information present particular problems for investigators.
    > The proposed enhancement of search and seizure
    > powers will assist law enforcement officers in
    > surmounting those problems.
    
    In short, and as expressed in the Walsh Report [1][2], Governments and
    their Defence/Intelligence organisations have all but lost the crypto-war,
    and they're really, really pissed off.
    
    The upshot of this is that in the absence of intelligence ingenuity [3]
    or mathematical assistance from quantum computing technologies, you'll now
    be obliged by law to reveal any passwords, passphrases, keys, codes,
    cryptographic and steganographic methods used to protect your information
    from prying eyes.
    
    Ignore the fact that you might be incriminating yourself in revealing
    such passwords etc.  Ignore the fact that there will no doubt be
    substantial criminal punishment for not disclosing such passwords etc.
    Also ignore the fact that without disclosing the passwords etc, you will
    have a tough time proving that the information contained inside an
    encrypted file, for example, is not evidentiary.
    
    In other words, all your crypto are belong to us.
    
    [1] http://www.efa.org.au/Issues/Crypto/Walsh/
    [2] http://the.wiretapped.net/security/info/papers/cryptography/au-crypto/walsh-report.html
    [3] http://cypherpunks.venona.com/date/1995/09/msg00136.html
    
    > The proposed amendments would clarify that a
    > search warrant can be used to access data that is accessible
    > from, but not held on, electronic equipment
    > at the search premises. As most business computers
    > are networked to other desktop computers and to
    > central storage computers, it is critical that law enforcement
    > officers executing a search warrant are
    > able to search not only material on computers located
    > on the search premises but also material accessible
    > from those computers but located elsewhere.
    
    If these computers are connected to the Internet, doesn't this mean that
    such warrants are essentially unlimited, given that other material located
    elsewhere is accessible using the Internet?
    
    > Computer equipment and disks would be able to
    > be examined and processed off site if this is significantly
    > more practicable than processing them on site.
    > The proposed amendment recognises that searching
    > computers and disks can be a difficult and time consuming
    > exercise because of the large amount of information
    > they can store and the application of security
    > measures, such as encryption. A further proposed
    > amendment would permit officers to copy all data
    > held on a computer hard drive or data storage device
    > where some of the data is evidential material or if
    > there are reasonable grounds to suspect the data contains
    > evidential material.
    
    How does this differ from the current situation?  Hard drives can be
    mirrored onsite by appropriately qualified personnel then returned to use,
    especially if law enforcement aren't wanting to alert the target.
    
    This is nothing new, is already partially covered in the changes made to
    the ASIO Act in 1999, and is therefore largely unnecessary.
    
    > A magistrate would be able to order a person with
    > knowledge of a computer system to provide such information
    > or assistance as is necessary and reasonable
    > to enable the officer to access, copy or print data.
    > Such a power is contained in the draft Council of
    > Europe Convention on Cybercrime and will assist
    > officers in gaining access to encrypted information.
    
    See above.  All your crypto are belong to us.
    
    > Conclusion
    > The high speed and broad reach of computer technology
    > offers new means, methods and possibilities
    > for crime. The measures contained in the Cybercrime
    > Bill are vital to protecting the security, reliability and
    > integrity of computer data and electronic communications
    > and remedying the deficiencies in existing
    > laws. By addressing the threats posed by cybercrime
    > activities, the bill will strengthen community confidence
    > in the use of new technology and provide a
    > means of ensuring that the benefits of that technology
    > are not compromised by crime. I commend the bill to the
    > House, and present the explanatory memorandum to
    > the bill.
    >
    > Debate (on motion by Mr Horne) adjourned.
    
    This law does absolutely nothing to remedy perceived deficiencies in
    existing laws relating to offences that might happen to involve a
    computer, an electronic device or a communications network, as discussed
    above.  In fact, it places a great many things in jeopardy, such as the
    free flow of information relating to security deficiencies in computers
    and electronic infrastructure, the free flow of information that assists
    system administrators to secure and protect computers and electronic
    infrastructure, and provides for forced disclosure of information that may
    have been lawfully encrypted, protected or hidden.
    
    It should not be passed in this or any similar form.
    
    Grant Bayley
    Speaking on behalf of 2600 Australia
    
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 22:48:37 PDT