Aussie Bill Would Ban Hacking Tools, Virus Code

rtscts writes: "The Australian govt. is at it again: 'Under the bill, which proposes seven new computer offences carrying jail terms of up to 10 years, it is illegal to possess hacker toolkits, scanners and virus code.'" The bill is called the Cybercrime Bill 2001; according to this article, it "does allow the Defence Signals Directorate (DSD) and Australian Security Intelligence Organisation(ASIS) to hack legally. It also forces companies by law to reveal passwords, keys, codes, cryptographic and steganographic methods used to protect information."

Define 'tools'

Doesn't this sort of make Unix illegal? I mean, every unix I've heard of pretty much comes with a suit of network utilities, of which scanners are a usual componenet.

Re:"Criminal paraphernalia"

Child pornography is very different. The reason: the making of child pornography pretty much by definition involves one of the most hideous abuses of another human being possible: sexual exploitation of a child.

Now, before you say "why not just go after the makers?" consider this: child porn is not given out for nothing. Usually it involves paying money. Other times it's done in a trade. Even if no cost is involved, you're showing demand for the stuff. So by obtaining it, you've financed the operation, directly (by paying money) or indirectly (by providing more goods, which can later be sold, or by showing demand, which motivates further production). Under most legal definitions, that would make you an accomplice or accessory to the crime. That seems to be a fair enough reason to criminalize the stuff.

Now, things do get stickier in the case of hand-drawn or computer-generated child pornography, in which case it's quite possible (even probable, in the case of CG) that no living beings were ever used in the creation of the work. I don't know if this has been tested in a legal system or not. It would be interesting to see the results of such a case.
----------

Re:No, its still a problem

As an example of succesfully proving an "intent" circumstantially where there was none in fact, take a look at my ongoing case [stonehenge.com].

As a fellow computer professional, would it make more sense to you to "hack in to get my own email" as the prosecutor offered, or to believe me when I say that I was doing this to show that my former sysadmin group was failing to maintain proper security? Yeah, I thought so.

To this day, the prosecutor still claims that he doesn't understand the case. And yet, he managed to share that confusion with the jury in such a way that I'm still a felon, awaiting yet another round of appeals to support a greater common good.

Yes, my methods may have been lousy, and I certainly didn't get prior approval for what I thought would be a no-brainer, but my intent was to help the people that had paid my bills for five years, not harm them.

Interesting...

By owning a DVD you can theoretically go to jail, because you can be ordered to reveal the key that encrypts the data...

That puts most people between a rock and a hard place, because then they would have to use hacking tools (DeCSS) to get the key...

Text of the bill

You can read the Full Text [aph.gov.au] and an Explanatory Memo [aph.gov.au] from the Australian Parliament Legislation [aph.gov.au] page.

No, its still a problem

Most crimes have both a factual component (actus reus) and a state of mind component (mens rea). The Mens Rea for a crime may be intent, knowledge, recklessness, negligence and at times (such as for statutory rape) strict liability.

In theory, a state of mind must be proved just as the factual elements, beyond a reasonable doubt. In practice, a jury is instructed by the judge that they may infer intent from any of the circumstances in which the crime was committed. Unless the defendant takes the stand in her own defense and convinces the jury to the contrary, and thereby submitting herself to a blistering cross-examination, the prosecutor will simply ask the jury to ask themselves any number of rhetorical questions.

Mens rea is a non-issue. With enough stuff on your disk, intent can be "proved" by twisting circumstantial evidence to the satisfaction of the jury. To a jury -- the mere fact of the trial is taking place evidences (which would not otherwise be admissible) the proposition that the government thinks the defendant is guilty.

"with intent" is better than strict liability. But in practice, its grievously dangerous. Anyone possessing tools is ultimately at the mercy of the whim of the authorities. The cost of a criminal defense (which no intelligent person, however good an advocate, should attempt to do by themselves) will never be compensable and can itself be more ruinous than any fine.

In short, this law an authoritarian nightmare -- it serves no good purpose, will actually chill productive anti-hacking technology.

Basic common sense aludes another Slashdotter

Dont you think for just one moment that this bill provides a provision that says "excluding registered computer virus researchers", like every other computer related law on the books in Australia? Anyone who knows anything about the antivirus industry knows full well that it is a cartel. Symantec and the other members of CARO would like nothing better than everyone else to be excluded from antivirus research. It helps them maintain their power. As for the bill itself, have you even read it? If so, I would really like a copy cause yet again an online "journalist" has failed to provide basic references. Please dont tell me you're forming your opinion on the three lines printed in the article or the poor attempt at a sentence provided in the summary on Slashdot.

Re:Calm down people *please*

The problem with that is that the arresting constable must have a reasonable suspicion in order to make a legal arrest. The quality and quantity of cops that actually know anything about what they are doing in relation to computers is extremely negligible. A reasonable defence would be to say that the cop did not understand the software and thus was unable to form a resonable suspicion as to your intentions.

Re:Calm down people *please*

that link doesnt work, it's a search that has expired. Try this instead: http://search.aph.gov.au/search/ParlInfo.ASP?actio n=browse&Path=Legislation/Current+Bills+by+Title/C ybercrime+Bill+2001&Start=4&8cD#top [aph.gov.au]
also there is some more stuff on http://www.2600.org.au/ [2600.org.au]

Re:Anyone have a copy of the bill?

These are the 2600.org.au mirrors of the bill, they are probably available somewhere on http://www.austlii.edu.au/ [austlii.edu.au] Australia's awesome law resource with searchable case law and legislation, reportedly the best law site in the world.
http://www.2600.org.au/misc/cybercrime/cybercrime- bill-2001-firstreading.pdf [2600.org.au]
http://www.2600.org.au/misc/cybercrime/cybercrime- bill-2001-explanatory-memoranda.pdf [2600.org.au]

This proposed ban is senseless

Banning all products that allow people to do naughty stuff computers isn't cool. Many people like Outlook Express.

Re:Wouldn't it be nice if..

Why should I be in a lot of trouble for not giving up access to my encrypted partitions - containing personal information given to me by close friends that I've promised to never let anyone else see/read etc?

My passphrases are >32 characters long. Ooops, seems the brutality of the police caused a trauma that made me forget one or two. How sad.

The Australian government are clueless

The current Liberal government [liberal.org.au] in power don't understand technology, and have been making this evident for years in every piece of legislation relating to the Internet. They fail to consider the technological, privacy, or fair competition implications of anything they do. A few examples:

• Legislation they cannot realistically enforce. Banning Internet gambling [slashdot.org], attempting Internet censorship [efa.org.au], making web caching illegal [slashdot.org], making PlayStation mods illegal [slashdot.org]. Censorship laws have so far been a complete failure [efa.org.au], with people circumventing them [australianit.com.au]. Internet censorship is said to have cost $2.5 million [news.com.au], while providing no benefit. It's genuinely frightening that the people writing these laws have no knowledge of what they are trying to control.

• Partially privatising the previously Government-owned telco (49% so far) for political purposes, which has made them give clear priority to profit and share price over service. Access to affordable telecommunications in rural areas is getting gradually worse [alp.org.au] (though the private sector [whirlpool.net.au] is helping). They restrict their broadband net access [alp.org.au] to 3Gb/month after selling it as unlimited [slashdot.org], while ensuring they are the only available broadband provider for many Australians. They were force to give [slashdot.org] other carriers access to their DSL network, so they now sell wholesale network access at $69/month [whirlpool.net.au], while selling broadband DSL net access to consumers at $70/month (line + access + equipment), and placing limits [theage.com.au] on the service. Just today, they are refusing to give any rebate to a broadband customer who had a 13 day outage [whirlpool.net.au]. Somehow the government don't see any of this as a problem, and still plan to sell the rest of Telstra [alp.org.au].

• Various laws with no regard for the privacy of citizens, like allowing spies to crack systems [slashdot.org], and remotely tap and alter data [slashdot.org].

For what it's worth, even Microsoft realise they are hopeless [slashdot.org]. Hopefully they'll be voted out at the next election (probably later this year?), and this insanity will end.

Text of the bill, what it really does

The text of the bill is available here [aph.gov.au].

The bill doesn't make any of the things listed in this article illegal on their own - you have to be using them for, or intending to use them for, committing another federal crime. There is no requirement to divulge passwords, just to assist law enforcement in effecting the execution of a warrant. Without this they'll just seize the equipment anyway, so it's actually in the interests of the person owning the equipment to provide this assistance as it allows them to take just the relevant data.

Of course it does sound a lot more interesting to say it bans the posession of tools that are being used for legal purposes, but the bill explicitly mentions that there must be a use for, or an intent to use for, an otherwise illegal activity.

Self corruption of professions..

You laugh, but you'll laugh even harder with this article [computerworld.com.au] basicly saying email is the no1 threat for australian companies.

This shows how rigid they are in their thinking. I mean, if people used propper policies and security protection, there was no need for the digital witch-hunt they are now proclaiming.

Now I don't agree with the way things are now, for instance I don't think security firms SHOULD exist, but this kind of artisanal malpractice where the trade itself corrupts and starts to sustain itself, is present in all sorts of professions. You see it in law, you can see it in the medical department of hospitals, you can see it in university research labs looking for ever more funding, and you have it in the IT world. I think this is where the real issue is.

The abuse in the profession leads to a perverse effect of self sustainability, which is ofcourse exploited without any regulatory force, usually because the knowledge in the field is a barrier on itself, preventing people to get in, unless they comply to the practices of the trade, after which they are absorbed in the system, which will take good care of them.

That's a little abstract, but to give an example, if there weren't any people hacking and cracking, there would not be a need for security. But companies are about money, and are ths subject to hacking/cracking/virus/worms etc, giving existance to security companies. And who works for these companies ? Presto, there's your self-sustainability.

And no I'm not an anticapitalist or communist, or in security or cracking or hacking or law or medicine myself, these issues have been roaming my overly concerned mind for quite some time. Considering my signal to noise ratio, this post probalby won't mean much either way..

ah well..

Re:Define 'tools'

That's what the article says, allthough UNIX itself probably is not illegal, but the sysadmin/company owning it is. If Sysadmins are not supposed to be able to test their own machines with scanners, how on earth can they be made secure ? If Anti-virus software makers are left with this law, how on earth can they design antidotes and detectors and scanners ? If tools and sourcecode hacks didn't surface, how can OS vendors fix loopholes in their software ? I'm sorry, but this is really a ticket to the stoneage. Seems the only thing lawyers are interested in these days is 'control', 'control' and even more 'control', who cares how idiot their laws may sound to a softwareworld that appears to be running away with allmost anything. As if digital crime is suddenly going to stop right at their borders. Gimme a break.

Calm down people *please*

Okay, from my reading of the Bill (PDF) [aph.gov.au], it seems that the new offence is possession with intent (Schedule 1 lists the relevant amendments to the Criminal Code, you're looking for Part 10.7, Division 478.3). Means they have to prove you were going to commit a crime with the tool. It's a bit hard to prove that a sys admin who uses a particular tool for legit purposes was going to commit a crime.

As a matter of fact, given the legitimate usefulness of most 'cracker' tools, it seems that it would be quite difficult to prove that anyone was going to commit a crime unless you had a smoking-gun e-mail or other clear evidence of intent.

Re:ASIS v ASIO

ASIS stands for the Australian Secret Intelligence Service, essentially the Australian foreign spies. I'm not sure but I believe they have no jurisdiction to operate within Australia, but I might have that wrong. They are not, BTW, held accountable in any public forum, even Parliament (?!)

ASIO is the Australian Security and Intelligence Organisation. They are *only* allowed to operate withing Australia and I believe the article refers to them.

DSD is the Defence Signals Directorate, essentially a (much smaller) analogue of the NSA.

Dave

And in other news....

Australian officals have been puzzled by the sudden mass migration of technical personnel off the island continent. When asked to comment, Professor Lambert of Syndey U. stated "Usually we only see this sort of behaviour in rodents; and then only when there is some kind of immediate danger, such as a sinking ship..."

Re:Wouldn't it be nice if..

"I was talking about being arrested for a crime and then not cooperating with the police. That's probably illegal in any country"

110% WRONG! In the United States, you have a 5th Amendment protection against self-incrimination. That includes the right to NOT co-operate with the police, as codified in the "Miranda" rights that all arresting officers have to read to the person being arrested.

It's up to the police/prosecutors to prove your guilt, and they have NO right to your assistance in that task.

Now, I'm not saying that there haven't been recent law, etc, where the police lobby hasn't been attacking those rights, but until the Bill of Rights is repealed, they are still there.

" - there's nothing special about this act in Australia. If they demand that you give the key to the safety deposit box where you hid your child porn and you refuse, you're basically doing the same thing as if they demand the keys and pass phrases to your data. There's nothing special about digital data and there shouldn't be anything special about it"

The police in the USA can very well get a search warrant for such a safety deposit box, or your home, and may search them. However, again, you DO NOT have any obligation to do anything other than let them in, you do not have to lead them on a "guided tour". Again, the 4th and 5th Amendments cover this.

This Australian law sounds very much like the odious "RIP" law in the UK, which basically gives more or less ANY cop the power to forcibly hand over your security to them, without any oversight (and in the case of RIP, you can even be jailed for letting anyone KNOW they did this to you).

There is no place for such laws in a free society. A people who will tolerate such enormous State power over their persons and property are in effect, tolerating State ownership of all their information and property.

And we all know governments are ALWAYS 100% trustworthy, and would never murder innocents (Waco, Ruby Ridge), and individuals within it would never abuse their power to politically persecute ideological or religious "enemies" (Keith Henson)...

The United States was founded by wise men who feared the power and abuse wrought by too-powerful federal governments. Unfortunately, there aren't many such men in power today.

Elections and clutching at straws

I'm from Australia. There's a federal election coming up and the incumbents (the "Liberals"; similar to the US Republicans but more socially conservative) are worried they might lose due to a botched introduction of a goods and services tax. They've been clutching at straws and more Internet legislation looks like just the ticket to distract the population and also make the Liberals look forward thinking and progressive.

I wish. I'm going to take great pleasure in putting Senator Alston last on my ballot paper.

Hmmm...

They might need to start a penal colony, maybe on a large island or something, to put all the offenders.

Re:I don't see the difference

So, we should ban screwdrivers and pins, right?

No, as knives shouldn't be banned just because you can kill somebody with them. But when a tool only use (reasonable use) is doing something illegal, yes I think the tool can be outlawed. That covers also the DOS tools. If they are general purpose, they are OK. If they are single purpose cracking tools they can IMHO be banned.

Exception being if you are a computer security specialist (that's the locksmith in the metaphor). I admit I have no clear solution for the hobbyist locksmith, or hobbyist computer-security expert.

I was not trying to defend that law, not particularly. But sometimes when treading into computer or internet laws, there is a big load of paranoia going around. And the fact that the same kind of problems and imperfect solutions have been around for centuries is overlooked. The world is, has been and will keep on being an imperfect place. That's not to say we should not try to fight, for it to be better (or at least not worse), but I think we should choose our battles with a little bit more forethought.

--

What do I do?

Help! I've just caught this Love Bug virus on my Windoze machine. How do I stop getting thrown into jail for having this "virus code" on my machine?!

Glorat

More seriously...

On a more serious note, it looks like this means a company like Symantec cannot operate there as they will not be able to store "virus code" for analysis. Someone down under there really doesn't understand the implications here

Of course, the people who would have the best expertise at "correcting" this policy are those right here at /.!

Who need them?

It also forces companies by law to reveal passwords, keys, codes, cryptographic and steganographic methods used to protect information.

If they have to reveal all passwords and whatnot, hacker tools aren't needed. Just go to the part of their site where it will say somthing like "By law we are required to post the root passwords to all of our boxes here..." and you will have all the info you need.

What

Who defines what is a hacker toolkit or virus code? Many legitimate applications and utilities can be used for evil. Would this affect people/organizations that mirror linux distros that include these programs? And what about virus code? If they ignorantly mean source code, then they will have a problem because all of the popular (mainstream popular of course) viruses are written in VBS or a similar interpreted language. So anyone infected could be guilty of a crime. The potential for abuse by vindictive law enforcement agents is obvious. If your neighbor Officer Jack decides he dislikes you, he could release a VBS worm on his own machine which would email everyone in the outlook address book (assuming you are on the list here). Then he could come and arrest you and do whatever he can to ensure that you recieve a severe penalty as a dangerous hacker.