The lesson here is complete trust in modern computing platforms is misplaced and impossible. Your hardware has backdoors, so does your OS, and encryption clients. In addition, popular apps, especially in the US, can always be commandeered by 3-letter agencies.
You're only anonymous as long as you're not actively targeted, despite using "secure" apps and stuff like Tor, which media makes it seem are unbreakable.
Not quite. They were using an app developed by the police as a honeypot. Someone else had even discovered this and blogged about it[0]. If they had used email and PGP they likely wouldn't have been caught in this way. 3-letter agencies are not going to use their trump card of backdoored OS or hardware to catch drug runners.
True... however the three letter agencies are going to pass along any relevant information that they stumble across while filtering for money laundering in relation to terrorism.
> Your hardware has backdoors, so does your OS, and encryption clients
None of these were exploited to retrieve this data, and the third party app that was installed was not intended to encrypt conversations given that it was a honeypot.
> popular apps
This was a small app unknown by anyone outside of criminal orgs. It had no "legitimate" non-criminal users.
> especially in the US
The app was deployed in Australia.
> can always be commandeered
Why distribute a random app when they could have gotten the criminals to use Signal or Telegram and bust them there?
> as long as you're not actively targeted
How long did it take to find Bin Laden?
> despite using "secure" apps
This was not a secure app and any audit would have revealed this (audits such as the ones that Signal and friends have undergone).
> and stuff like Tor,
Tor was not involved.
> media makes it seem are unbreakable.
None of the apps hyped as "unbreakable" were broken here, so... point still stands, I guess?
Honestly, if anything, the recommended approach from this incident would be to use the walled garden - an FBI-backed honeypot would have a much harder time getting from the App/Play Store onto a user's phone if it was obviously a scam to collect user conversations, asked for a bunch of permissions, had no reviews, and no apparent update history. Who would download some random chat app that nobody uses?
I was also under the impression this can be served to individuals without the knowledge of their employer, leaving the individual in a position where they can consult a single lawyer about the legality of the request and face jail time for discussing the request with anyone else (including employers).
I would need to re-read the act, but the gov website[1] indicates you are correct that these requests are served to organisations and not individuals excepting sole traders.
The reports you read were likely based on commentary from techies who have no understanding about law, plus a handful of lawyers involved with digital rights organisations that have an incentive to play up the significance of the legislation a bit / talk about worst-case scenarios, worst possible interpretations of a dangerous law and the broadest possible interpretation of who constitutes a "designated communications provider". The government has stated that's not how they interpret the legislation, as the service provider will be the employer not the employee, and I don't think government lawyers are in the habit of arguing that the government _doesn't_ have power to do something.
I'm as suspicious about the Assistance and Access Bill as anyone, but the "telling an employee to implement a backdoor without telling their employer" is really a red herring and I don't know why the Australian tech community was so keen to go along with that.