Why even have the AABill then? What criminal will agree to police spying on their phone? And how does the Bill attempt to answer the question of getting access to a device without the owner's knowledge? Again, back in copper-phone-line days, that was pretty easy. Today, not so much. Either you are "bypassing protections" (my phone is encrypted and locked with a complex password, and will data-self-destruct in several unlock attempts), or you're not doing squat. Again, what's the point of the bill then? "We can tap phones only if crims let us"?

It's clear from the wording that "non weakening" code - new code that's vendor sanctioned and doesn't rely on exploits - can be used to load keyloggers. What happens when these tools are leaked? (And yeah, they'll be leaked). And again, I'd be highly surprised if these tools were being loaded in person, manually, onto individual devices.

Point is that EternalBlue could have been plugged YEARS earlier. I repeat - there was a day when the NSA did the right thing and told vendors about holes in their code. Now, they sit on it and exploit it. So no, I can't blame the NSA for the hole. But I can, and do, blame them for not disclosing the hole in a reasonable amount of time. Months - fine. Years - no.

Valid questions are not hysteria. People are people, and they fuck up. I've said several times I'm not anti the idea of the modern day equivalent of "wire taps" or key loggers or whatever, but so far there has been no evidence that whatever tool is being used to do so doesn't fall into the wrong hands. Again, back in the good old days, a leak of these tools resulted in minimal, localised damage. The concern of a great deal of people is what happens when tools that allow keylogging of a given brand of device that is being sold in the millions leak.

Beyond that, all the "protections" in place are legal ones. They're there to stop the police from using exploits in what we call a "Swiss Army Knife" approach.
The police must follow the rules, not remote exploit the system, not load the keylogger without permission (that last one I'm still dubious about how it actually works in practice when surveilling in secret, but whatever). But again, what happens when the tool leaks? Bad guys don't follow the rules. Bad guys stack exploits on top of each other to get to things with whatever tools they have. And a keylogger good enough for the feds to use is a pretty bloody juicy tool on top of a stack of basic remote pwn exploit code.

I'm willing to talk through your points here. Thus far you appear to be caught up on the legal limitations of EternalBlue, and the practical limitations of Odin, and not seeing the issue of what new tools the AABill could give birth to, and how they could be abused or leaked. And yes, I'm fully willing to concede the point that the private sector needs to come to the party and protect their shit better. But at the same time, there's a level of responsibility on the government if they're going to will these tools into existence in the first place by crafting bills that mandate them.

In short, I struggle to trust a government (and in particular Dutton, who as an individual removed from any party or belief structure, continues to prove himself utterly untrustworthy and constantly acts in bad faith) that couldn't keep a filing cabinet full of secrets off eBay with writing laws that safely deal with something as complex as this issue. The bill, as it stands, leaves questions unanswered. Important questions that neither the bill nor your posts answer. And I'm quite afraid that there'll have to be a few "I told you so" type events coming from security advisers within the coming years, given typical trends in computing over the last decade.