To all,

This is a "first response" to the second reading of the Australian Commonwealth Cybercrime Bill, 2001 from 2600 Australia, a self-described "hacker advocate group". A full response to the bill itself will be forthcoming, though this discussion sums up a large number of the arguments against the proposed legislation.

Grant Bayley

-------------------------------------------------------
Grant Bayley gbayleyat_private
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
www.ausmac.net www.wiretapped.net www.2600.org.au
-------------------------------------------------------

References:

Explanatory Memoranda:
http://www.2600.org.au/misc/cybercrime/cybercrime-bill-2001-explanatory-memoranda.pdf

Cybercrime Bill, 2001 (at first reading):
http://www.2600.org.au/misc/cybercrime/cybercrime-bill-2001-firstreading.pdf

> House of Representatives Hansard 27 June 2001 P 27081
> CYBERCRIME BILL 2001
> First Reading
>
> Bill presented by Mr Williams, and read a first time.
>
> Second Reading
>
> Mr WILLIAMS (Tangney—Attorney-General)
> (9.57 a.m.)—I move:
>
> That the bill be now read a second time.
>
> More than three million Australian households and
> over one billion people worldwide are connected to
> the Internet. With the exponential growth in the
> Internet population and in electronic commerce over
> the last decade, the integrity, security and reliability
> of computer data and electronic communication is
> becoming increasingly important. Cybercrime activities,
> including hacking, virus propagation, ‘denial of
> service’ attacks and web site vandalism, pose a significant
> threat to the integrity and security of computer
> data. Indeed, according to recent estimates, cybercrime
> is costing companies worldwide approximately
> $3 trillion dollars a year.

First off, this figure is unsubstantiated.
It was not generated by an organisation such as the Australian Bureau of Statistics or any recognised authority on the matter, but rather by various commercial organisations whose business depends on the existence of (or appearance of the existence of) cybercrime. This alone makes the basis on which this law is being proposed deceptive and misleading at best.

Secondly, the term "cybercrime" is so poorly defined, even by the very authorities that wish to pass laws regarding it, that almost any activity that might be considered criminal in the context of a computer or electronic equipment might qualify for prosecution under this law. This is a dangerous precedent considering the lack of understanding amongst legislators about the very activities they are wishing to outlaw.

> Updated laws are vital if authorities are to effectively
> detect, investigate and prosecute cybercrime
> activities. The proposed new computer offences and
> investigation powers in the Cybercrime Bill 2001 are
> a significant development in the fight against these
> activities and will place Australia at the forefront of
> international efforts to address the issue of cybercrime.

Indeed, they are, but not in this rough-riding, rights-restrictive fashion.

> Computer offences
> The Cybercrime Bill 2001 proposes the enactment
> of seven new computer offences. The offences are
> based on the recommendations of the January 2001
> Model Criminal Code damage and computer offences
> report developed with the cooperation of the Commonwealth,
> states and territories. Implementation of
> the Model Criminal Code offences is an important
> step toward achieving national consistency and
> remedying deficiencies in the existing laws. The new,
> updated offences would replace the existing offences
> in the Crimes Act, which, although only 10 years old,
> are already seriously outdated.

Sadly, this is a common misconception.
Existing laws cover many, many computer related offences, whether it be directly or indirectly. Directly, in that they cover offences such as unauthorised access and unauthorised insertion, modification and deletion of data, cover offences against telecommunications carriers that may be used in the commission of an offence, and cover impairment of service offences carried out against networks supplied by telecommunications carriers. And indirectly, relating to such offences as false personation, obtaining credit by false pretences and the like. All are directly applicable to the type of situations that Justice Minister Ellison and Attorney-General Williams crow about when attempting to justify the creation of such laws as the Cybercrime Bill, 2001.

Yet, there have been very few cases where all of these existing components of law have been applied to offenders. In some cases, the offences simply aren't easily traceable. In others, the actual loss caused by the offence pales in comparison to the time and effort of prosecuting an individual for the offence. In others, the offences alleged to have been carried out by individuals have been grossly overstated, leading to short, suspended sentences, good behaviour bonds and small fines. None of these are failures in the laws themselves, but in the application of appropriate laws to particular crimes.

Therefore, I ask the question - will this law make it any easier to trace such crime? Any less costly for individuals or companies or law enforcement to bring actual, legitimate criminals to justice? The answer in both cases is no, because although the legislation seeks to bring a number of these existing components of law together and extend them in other cases to meet a perceived dire need, law enforcement simply aren't any better equipped to deal with such cases than 5 or 10 years ago, nor is there any increased level of understanding in the judiciary to take into account the horribly ill-defined phenomenon of "cybercrime".
> All the proposed offences are supported by extended
> extraterritorial jurisdiction in recognition of
> the fact that computer crime is often perpetrated remotely
> from where it has effect. The proposed offences
> have been drafted in technology-neutral terms.
> The offences also dovetail with the terminology of
> the Electronic Transactions Act 1999, which has been
> an important vehicle for expanding electronic commerce.

Will extraterritorial jurisdiction bring about the prosecution of the Filipino creator of the so-called ILOVEYOU worm in this country, considering it is alleged by the Customs and Justice Minister and the NSW Attorney-General, Mr Debus, to have caused $7 billion of damage? Let's not kid ourselves here. It hasn't happened, and it won't.

> The first offence in the bill targets those who access
> or modify computer data or impair electronic
> communications to or from a computer that they are
> not authorised to access, modify or impair and who
> do so with the intention of committing a serious offence,
> punishable by five or more years imprisonment.
> The offence would attract a maximum penalty
> equal to the maximum penalty for the serious offence.
> For example, if a person hacked into a bank
> computer and accessed credit card details with the
> intention of using them to obtain money, the penalty
> would be equivalent to the fraud offence the person
> was intending to commit (10 years imprisonment).

How would this change if the bank's computer contained no access protection, such as that which you mention three paragraphs below?

"The offence relates only to unauthorised access or modification of data that is protected by a password or other security feature rather than any data."
If the bank's computer was not protected by a password or other security feature and an attacker (as we prefer to call such people) accessed credit card details with the intention of using them to obtain money but did not in fact follow through and do this, how would they be treated? By my layperson's understanding, they may not be liable for punishment for any crime, especially if they only thought to use the credit cards to obtain money after having found them, then decided against it prior to doing so.

Although each case would be decided on its merits, I can supply sufficient counter-examples for each and every situation that might be raised in support of this proposed legislation. It's sort-of a saying in computer security circles that nothing is absolute. For every possible security protection, there is a potential misconfiguration or fault or failure that renders such protection useless, null and void. While this proposed legislation is "technology-neutral", whether some things are in fact a "bad" thing at all (such as exposing a misconfiguration in a security system by means of a controlled demonstration) isn't even clearly agreed upon amongst the computer security community, let alone the Council of Europe with its Cybercrime Treaty. The Australian Government is way out on a limb claiming it has the answers to these questions, embodied in this proposed legislation.

> It would be an offence for a person to cause any
> unauthorised modification of data in a computer
> where the person is reckless as to whether that modification
> will impair data. A maximum penalty of 10
> years imprisonment would apply. The offence covers
> a range of situations, including a hacker who obtains
> unauthorised access to a computer system and impairs
> data and a person who circulates a disk containing
> a computer virus which infects a Commonwealth
> computer.

Just out of interest, how does the Government approach the topic of "benign" or "good" viruses?
They're certainly the exception to the rule, but they do indeed exist. An example of a "benign" virus would be one written for demonstration purposes to expose an insecurity in an operating system that might be used at some point in the future as a propagation vector for a not-so-benign virus. The benign virus (or possibly a worm, something that spreads of its own accord) simply sits resident on the computer, using very negligible memory, processor and disk space resources, and does not impair the normal usage of the computer.

An example of a "good" virus is one that propagates in much the same fashion as above, but carries with it a payload capable of repairing a misconfiguration, patching an insecure piece of software or otherwise preventing further potential damage to machines it is transmitted to. Arguably, such viruses enhance the security of the machine. That is, they're doing the exact opposite of impairing the operation of the computer - they're fixing it.

None of these scenarios are accounted for in the proposed legislation. Some would respond by saying "it doesn't have to account for them", but I'd challenge that on the basis of "where do you draw the line between impairment and enhancement?". Nothing is absolute in the world of computers, remember.

> The bill proposes an offence of causing an unauthorised
> impairment of electronic communications to
> or from a computer, carrying a maximum penalty of
> 10 years imprisonment. This offence is particularly
> designed to prohibit tactics such as ‘denial of service
> attacks’, where a web site is inundated with a large
> volume of unwanted messages, thus crashing the
> computer server. The penalty for this offence recognises
> the importance of computer facilitated communication
> and the considerable damage that can result
> if that communication is impaired.

There's an obvious target here - people that generate such large volumes of traffic.
As before and as always, there are examples where this fails to pass muster. What is the Government's opinion about "Hacktivism" actions (misguided as the causes themselves may be) where a significant number of computers each place a tiny and insignificant portion of load upon a server, whether it be in the form of "hits" to a website or "emails" to an email server? Under the law, each of the participants in this action would, in theory, be subject to prosecution under this part of the Cybercrime Act, 2001, but where things get murky is where we consider how such an action differs from the ordinary operation of a busy web or email server - a large number of clients each make a small, insignificant number of connections, generating on the whole a significant and sometimes destructive load on the web or email server. The slang term for this is "Slashdotting", named after a website that was so popular at one point in its existence that when any other site was linked from it, the sheer number of visitors innocently following the link brought many a server to its knees.

The definition between such illegal impairment and high-load ordinary operation is dangerously blurry. Would an Australian site have reason and recourse under the law to charge the operator of another site that directed visitors to it with a crime? How does this differ from the "denial of service" examples provided?

> The proposed offence of causing unauthorised access
> to or modification of restricted data held in a
> computer carries a maximum penalty of two years
> imprisonment. The offence relates only to unauthorised
> access or modification of data that is protected
> by a password or other security feature rather than
> any data. The offence will target those who hack into
> a password protected computer system in order to
> access personal or commercial information or alter
> that information.
Okay, so anything that is not protected by a password or other (functioning) security feature is fair game for open, unrestricted public access? Like the detailed network diagrams for internal Commonwealth networks found on a public file server on the Internet several months ago?

> The bill proposes an offence of causing unauthorised
> impairment of the reliability, security or operation
> of any data held on a Commonwealth computer
> disk or credit card or other device. A maximum penalty
> of two years imprisonment would apply. This
> offence is particularly designed to cover impairment
> of data caused by actions such as passing a magnet
> over a credit card or cutting a computer disk in half.

So, correct me if I am wrong, but would it be an offence to "impair the reliability" of an electronic service by exposing an obvious, repairable security flaw in it? It would certainly instill doubt in the present and future customers of the service, but would bringing this to the attention of the proprietors of the service and/or the public be an offence? If so, what is to be gained by making this an offence? Is it the aim of the Government to reduce the security of electronic services by preventing appropriate disclosure of security faults?

Anyone remember the GSTAssist site? The site that had no security protection at all, yet freely gave out people's personal information to all and sundry? Who gained from this situation? The young man who exposed the flaw (albeit in an odd fashion)? I doubt it. He was investigated by the Federal Police and received scorn from members of Federal Parliament, who were understandably scampering about to divert blame from the inability of their staff to properly design the system.
The only people that gained from this situation were those that had their personal information put in jeopardy by incompetent Government staff - after all, once the problem was exposed and the security of the system was put into doubt (the reliability of it was impaired), it could be resolved appropriately. I doubt that without the young man's disclosure, this could have occurred. Again, for every example, there are copious examples of where such proposed legislative changes do not make sense.

And what's this about destruction of computer disks? Of passing magnets over a credit card? What's the basis for these examples? The justification? If I own a disk, surely I'm not prevented from doing whatever I please with it? Doesn't the same apply to my credit card?

> Lastly, the bill proposes two offences relating to
> the possession and supply of data or programs that
> are intended for use in the commission of a computer
> offence. Each offence would attract a maximum penalty
> of three years imprisonment. These offences are
> designed to cover persons who possess or trade in
> programs and technology designed to hack into or
> damage other people’s computer systems. For example,
> a person will commit an offence if he or she possesses
> a hacking program or a disk containing a computer
> virus with the intention of using it to access or
> damage data.

This is downright dangerous, firstly because of the "dual use" nature of large types of computer hardware and software and secondly because it establishes a unique branch of "thought crime" - storing information that could be used to "hack into or damage other people's computer systems" in one's own mind (the danger of this should be self-evident).
The "dual use" nature of large types of computer hardware and software exists because the very tools that can be said to assist a user in preparing to break into a computer system can be legitimately used to test the security of one's own computer system against such break-in attempts perpetrated by others. In fact, it is the wide public availability of such tools in the first place and their utilisation in the protective role that reduces their effectiveness as tools for the former of the two roles - the unauthorised and potentially destructive one.

The obvious and oft-quoted example of such a tool is "nmap" - a network mapping tool. nmap allows a remote user to map out the availability of services on a network-connected computer. Nothing more. Nothing less. With such a map, a user could attempt to break into a computer, narrowing down the potential means of entry on the basis of what information is contained in the map. At the same time, the owner of the computer could use the map to evaluate what defences might need to be put into place, and what services are exposed to the outside world, possibly as the result of a misconfiguration. In other words, nmap is a dual-use technology.

For those that aren't aware, "dual-use" is a term usually reserved for technologies such as encryption, which (as emotive as these sound) could be used just as effectively by a paedophile to hide archives of illegal material as by a human rights crusader hiding information that could compromise their personal safety or that of those in their care. And this leads us onto the next part of this dangerously flawed legislation...

> Investigation powers
> The bill will enhance the criminal investigation
> powers in the Crimes Act 1914 and Customs Act
> 1901 relating to the search, seizure and copying of
> electronically stored data.
> The large amounts of data
> which can be stored on computer drives and disks
> and the complex security measures, such as encryption
> and passwords, which can be used to protect that
> information present particular problems for investigators.
> The proposed enhancement of search and seizure
> powers will assist law enforcement officers in
> surmounting those problems.

In short, and as expressed in the Walsh Report [1][2], Governments and their Defence/Intelligence organisations have all but lost the crypto-war, and they're really, really pissed off. The upshot of this is that in the absence of intelligence ingenuity [3] or mathematical assistance from quantum computing technologies, you'll now be obliged by law to reveal any passwords, passphrases, keys, codes, cryptographic and steganographic methods used to protect your information from prying eyes. Ignore the fact that you might be incriminating yourself in revealing such passwords etc. Ignore the fact that there will no doubt be substantial criminal punishment for not disclosing such passwords etc. Also ignore the fact that without disclosing the passwords etc, you will have a tough time proving that the information contained inside an encrypted file, for example, is not evidentiary. In other words, all your crypto are belong to us.

[1] http://www.efa.org.au/Issues/Crypto/Walsh/
[2] http://the.wiretapped.net/security/info/papers/cryptography/au-crypto/walsh-report.html
[3] http://cypherpunks.venona.com/date/1995/09/msg00136.html

> The proposed amendments would clarify that a
> search warrant can be used to access data that is accessible
> from, but not held on, electronic equipment
> at the search premises.
> As most business computers
> are networked to other desktop computers and to
> central storage computers, it is critical that law enforcement
> officers executing a search warrant are
> able to search not only material on computers located
> on the search premises but also material accessible
> from those computers but located elsewhere.

If these computers are connected to the Internet, doesn't this mean that such warrants are essentially unlimited, given that other material located elsewhere is accessible using the Internet?

> Computer equipment and disks would be able to
> be examined and processed off site if this is significantly
> more practicable than processing them on site.
> The proposed amendment recognises that searching
> computers and disks can be a difficult and time consuming
> exercise because of the large amount of information
> they can store and the application of security
> measures, such as encryption. A further proposed
> amendment would permit officers to copy all data
> held on a computer hard drive or data storage device
> where some of the data is evidential material or if
> there are reasonable grounds to suspect the data contains
> evidential material.

How does this differ from the current situation? Hard drives can be mirrored onsite by appropriately qualified personnel then returned to use, especially if law enforcement aren't wanting to alert the target. This is nothing new, is already partially covered in the changes made to the ASIO Act in 1999, and is therefore largely unnecessary.

> A magistrate would be able to order a person with
> knowledge of a computer system to provide such information
> or assistance as is necessary and reasonable
> to enable the officer to access, copy or print data.
> Such a power is contained in the draft Council of
> Europe Convention on Cybercrime and will assist
> officers in gaining access to encrypted information.

See above. All your crypto are belong to us.
> Conclusion
> The high speed and broad reach of computer technology
> offers new means, methods and possibilities
> for crime. The measures contained in the Cybercrime
> Bill are vital to protecting the security, reliability and
> integrity of computer data and electronic communications
> and remedying the deficiencies in existing
> laws. By addressing the threats posed by cybercrime
> activities, the bill will strengthen community confidence
> in the use of new technology and provide a
> means of ensuring that the benefits of that technology
> are not comprised by crime. I commend the bill to the
> House, and present the explanatory memorandum to
> the bill.
>
> Debate (on motion by Mr Horne) adjourned.

This law does absolutely nothing to remedy perceived deficiencies in existing laws relating to offences that might happen to involve a computer, an electronic device or a communications network, as discussed above. In fact, it places a great many things in jeopardy, such as the free flow of information relating to security deficiencies in computers and electronic infrastructure and the free flow of information that assists system administrators to secure and protect computers and electronic infrastructure, and it provides for forced disclosure of information that may have been lawfully encrypted, protected or hidden. It should not be passed in this or any similar form.

Grant Bayley
Speaking on behalf of 2600 Australia

ISN is hosted by SecurityFocus.com
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 22:48:37 PDT