[LINK] session messager app: On the recent Australian surveillance legislation

Kim Holburn kim at holburn.net
Sat Oct 16 11:29:45 AEDT 2021


https://getsession.org/blog/on-the-recent-australian-surveillance-legislation

>
>   On the recent Australian surveillance legislation
>
> September 09, 2021
>
> Regulators are increasingly acting with open hostility <https://getsession.org/blog/war-on-encryption> towards encryption, 
> security, and privacy. The latest chapter in this sorry story took place in our own backyard when Australia’s government passed a 
> new bill granting the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) new surveillance 
> capabilities. Because Session is built in Australia, we’ve always kept a close watch on emerging regulation in Australia as well 
> as the other Five Eyes countries. Unfortunately, this isn’t the first time Australia has rushed an anti-encryption bill into law, 
> with the infamous Assistance and Access Act 
> <https://getsession.org/blog/session-and-australias-laws-to-circumvent-secure-communications> speed-running through Australia’s 
> parliament in 2018.
>
> Because surveillance capacities are being expanded and strengthened all over the world, Session’s design takes this into account. 
> After all, the people using Session are often vulnerable people living and working in the most highly surveilled places in the world.
>
>
>     *So where the bloody hell are you?*
>
> Choosing to build Session in Australia is something that has always raised eyebrows for people who are privy to the Five Eyes 
> intelligence alliance. Why wouldn’t Session be based in Russia, Switzerland, or...just anywhere with a less hostile regulatory 
> environment, really.
>
> The answer is simple: running away from regulators is not a sustainable future for private tech. No, the solution is to build 
> technology which is actually resistant to surveillance and other encroachments on people’s personal privacy. Local regulatory 
> environments are always evolving and changing, and it’s not viable for development teams to pick up and move to the latest privacy 
> haven every time their local laws change. An (unfortunate) recent example of this is ProtonMail.
>
> While ProtonMail is widely trusted by the privacy community—I use it myself—and they’ve done awesome work spreading private, 
> encrypted services to lots of people, there was a view ProtonMail could operate with impunity because they were based in 
> Switzerland. So strong was this belief, that being Swiss was a core part of ProtonMail’s branding.
>
> But the /Swiss is safe/ mantra copped a body blow when it was revealed 
> <https://twitter.com/tenacioustek/status/1434604102676271106> Swiss authorities compelled ProtonMail to share the IP address and 
> device information about activists in France. This information reportedly resulted in the arrest of a climate activist, and now 
> ProtonMail has deleted the claim they ‘don’t log your IP’ from their website 
> <https://www.theregister.com/2021/09/07/protonmail_hands_user_ip_address_police/>.
>
> While credit has to be given to Proton for remaining relatively transparent about this incident, it serves as an excellent 
> illustration of the problem with placing too much importance on where a company is domiciled. While it’s an important aspect to 
> consider, the technological design should always be a part of the evaluation as well. No matter how friendly government 
> authorities might seem, when push comes to shove companies must always comply with their local laws. In this case, because of the 
> way email technology and ProtonMail are designed, the Proton team simply had no legal alternative.
>
>
>     *What this means for Session*
>
> The Session team has always been prepared to face regulatory hostility. Before a single line of Session code was written, we were 
> pondering how to make sure the app itself would always remain a safe, secure place for people to communicate.
>
> Decentralisation is at the heart of Session’s design. While it’s true that Session’s main development team is based in Australia, 
> its infrastructure is spread all across the world. Over 1,500 community operated servers are currently routing Session messages 
> for over 150,000 users. The network is growing all the time, as more and more people commit to upholding the privacy of Session’s 
> users by running their own server. The team hasn’t got any way of accessing these servers, and we will never have the capacity to 
> gain access.
>
> Session is designed to minimise the amount of data required to deliver a message from one person to another. That data is also 
> spread across many, many servers operated by many different people in different jurisdictions all over the world.
>
> The whole point of Session is to keep its users safe — no matter where in the world they are.
>
>
>     *The beating heart of privacy*
>
> Before we finish off this article, it’s important to criticise this legislation and its consequences — not necessarily for 
> Session, but for all Australians. In Australia, this is the second major piece of legislation we have seen in the last few years 
> which greatly inhibits the privacy of Australian citizens as well as jeopardising the future of several Aussie tech companies.
>
> The right to privacy is enshrined in the UN’s Universal Declaration of Human Rights (UDHR). Australia sat on the Drafting 
> Committee for this milestone human rights document and was one of 48 countries which voted for its adoption.
>
>     “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his
>     honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
>
>     Article 12 of the UDHR <https://www.un.org/en/about-us/universal-declaration-of-human-rights>
>
> Due to the grossly insufficient safeguards contained within the recently passed Identify and Disrupt Bill, Australia is failing to 
> uphold its commitment to protect the privacy of its citizens.
>
> The contemporary issue of privacy rights is deeply entangled with the concept of digital privacy and security. For Australians to 
> enjoy the right to privacy as described in the UDHR, guarantees around the privacy of digital information are absolutely necessary. 
> Because the Identify and Disrupt Bill doesn’t mandate any judicial oversight (by requiring a warrant), it’s also a possible 
> concern that (as a consequence of weakening of the right to privacy) the act could lead to the contravention of other rights — 
> such as people’s implied right to freedom of political communication, which is provided for in the Constitution of Australia.
>
> In the future, the government should consider more carefully the rights of its people, as well as the recommendations made to them 
> by the relevant human rights experts, before rushing amendments through its parliament.
>
>
>     *Looking forward*
>
> As disappointing as attitudes towards privacy and encryption are, it is not entirely unexpected. We hope that, as the world moves 
> forward, everyone will have the ability to navigate the digital world peacefully and privately. That’s the future Session is 
> contributing to, and rest assured that the Session team is extremely dedicated to that vision. But for the time being, the most 
> popular technology is centralised, and this kind of regulation punches a huge hole in centralised tech’s ability to remain private 
> — even for platforms with the best intentions. That’s why engineered solutions like Session’s decentralised infrastructure are so 
> important for the future of technology — without it, no service (regardless of where it’s based) can guarantee your privacy.
>
> If you’ve got any questions for us, feel free to get in touch with us using the Session open group 
> <http://116.203.70.33/session?public_key=a03c383cf63c3c4efe67acc52112a6dd734b3a946b9545f488aaa93da7991238> (on Session, of course).
>

-- 
Kim Holburn
IT Network & Security Consultant
+61 404072753
mailto:kim at holburn.net   aim://kimholburn
skype://kholburn  - PGP Public Key on request


