Does Australia's access and assistance law impact 1Password? (1password.com)
260 points by macintux on Dec 12, 2018 | 204 comments



Would an Australian employee of 1Password be forced to lie to us and do something that we would definitely object to?

We do not, at this point, know whether it will be necessary or useful to place extra monitoring on people working for 1Password who may be subject to Australian laws.

So not only does this idiotic law destroy the Australian software industry, it could prevent Australians from being hired outside Australia. Someone or some group in the Liberal/National Party (the current government here in Australia) really, really, really hates developers.

Edit. Time for some Aussie geek civil disobedience I think.

Edit 2. We have a huge number of Aussie developers here on HN. Let's use this to organise some sort of protest. Either that or we will all be off to Centrelink.


Asked a Swedish security firm this exact question the other day. They said they would not hire anyone from Australia anymore, which is a shame.


I guess I'm moving back to the UK. No wait, can't do that either. Perhaps I'll live in the US for a while, I haven't lived there yet.

Or just become the digital nomad and move off to Budapest like many of my past colleagues and friends.

I don't have the emotional depth at this point to articulate a well thought out perspective on what impact these laws will have on me, our industry or my own personal safety in Australia.

But I can say for sure, that the entire thing is completely fucked.


Budapest, in Hungary? You might wanna look up Viktor Orban before moving to there.

If you're British you can roam freely through the EU. I can recommend Germany instead: strong privacy laws, and due to recent history (WWI, WWII, Cold War) there is a relatively strong pro-privacy mindset. Though I recommend learning German if you intend to settle, in large cities such as Berlin and in international companies or IT you can easily get away with English.


> If you're British you can roam freely through the EU.

Unfortunately it doesn’t seem likely that this will last much longer, unless the UK makes a U-turn on Brexit.


Fair enough, gonna depend on the deal though. I really doubt UK civilians living in Germany are going to get kicked out to UK. That'd be so counterproductive for self employed people...


I'll do just that (re, Viktor), thank you.


Well if you are Australian you are fcuked everywhere. What company is going to want to hire an Australian developer who can be pressured into secretly inserting a backdoor into your software?


The same company that would outsource IT to India?

Really terrible companies, in short.


Every major tech company has workers in India.


At one point, I worked on a lawsuit involving a firm that had entirely outsourced its IT to India. There was literally nobody left in the US who knew how stuff worked. I don't know, in retrospect, whether that was pathetic, or utterly clever.


The long term results finally catching up to the short term thinking?

Wonder if whoever did the initial short term "let's outsource it!" thinking had moved on by the stage the lawsuit happened?


I was working for people who were suing them, so mainly it created problems in discovery. Compelling testimony of non-citizens/non-residents was a lot harder, I gather.


Well, I'm a British Citizen who got an Australian citizenship.

I guess I'll forfeit them both and just... go somewhere else?


You can still travel and work across Europe for now, as long as a Brexit deal is reached. You have a fine startup scene in the Baltics, crazy startups in Paris and Berlin (tbh, it'll be easier in Germany right now), you have really professional, interesting companies in the Netherlands, Lille or Hamburg if your thing is devops/non-web dev. With the AI4EU project, you can also land a job building tools for machine learning[1]. We have plenty of opportunities here.

[1] Honestly, it'll mostly be integrating different ML open source solutions together and maybe some FOSS contribution from what I've seen.


Well Captain Nemo, I have heard this part of the story before...

To the seas!


How do they like living and working in Budapest ?


They fucking love it. The work is occasionally sparse, they've expressed it's not somewhere to raise their family, but as couples/single income workers, they wouldn't trade it for the world.

Edit: typo, spare=sparse.


In the US the NSA can ask you to do the same thing.


Insanely it is bipartisan, I think only the greens voted against it.


I know :(

I love Australia, but I despair at the politicians we elect.


Vote Green and we might see some changes.


Problem is the Greens are unelectable in the lower house because they dilute their message across too many fringe issues that the majority of the public don't care enough about.

If they focussed on climate change, renewables, health and education (issues that affect the majority) they would have a better chance of picking up some lower house seats.

Otherwise we need a modern day Don Chipp to splinter a group off of either the LNP or ALP and form a new party that can hold key votes in both houses.


Perhaps, but voting Green next year will send a clear message that we are looking for change.


What sort of change? I agree with the parent that they spread themselves across too many fringe issues. I.e I may vote the greens to help save the environment, but that doesn't mean I care about kids with gender dysphoria.


The "Reason" party (used to be called the "Sex Party" (heh)) seem pretty sensible these days:

  https://reasonvic.org.au/policy/


Then vote Green and send letters to the other parties telling them why you did so.


That doesn't fully work, because I may care about environment but I may strongly disagree with everything else on their agenda. The main issue with the greens is that they don't stand for one thing anymore. They try and stand for everything.

Plus, I don't think most normal people have time to be sending letters to political parties.


> They try and stand for everything

Unlike other parties?

Voting is about which party you agree with most. If you care about climate change and Australia not bombing its economy enough, you should probably vote green.


I'm personally thinking it's time to join the party and try and influence change but that's a whole other level of commitment beyond writing letters.


Malcolm Fraser, a few years before he passed away, handed in his Liberal life membership in protest.

It made news for a day, pissed off a lot of people and that was it.

Interestingly, I just discovered he spent his final years putting together the platform for a new party.

The crikey page it was released on is behind a paywall but this might be it:

https://lalegale.wordpress.com/2015/03/28/renew-australia-fo...


It's bipartisan in the interests of pragmatism. Labor were forced to collude because idiot Scomo and his buddies decided to go for the cheap "keep Aussies safe over Christmas" banter. Labor capitulated with the proviso that the bill be reexamined next year. Let's reserve judgement until then.


I don't buy it, sorry. They failed to protect Australia's best interests. This was their opportunity to stop it, not next year. It's not like they haven't had time to examine it; they know exactly what is in the bill. If it is no good then don't let it go on until it is. It's just them trying to save face. By all means the bill is in and the damage shall begin immediately.


> It's just them trying to save face. By all means the bill is in and the damage shall begin immediately.

I'm sick of all this idealism. Life is not a Disney movie. Labor did what they could under the circumstances. I hate it as much as anyone else, but c'mon, you can't expect an opposition, who are in a very strong position right now, to die on their sword for what is, for the vast majority of Australians, a fringe issue.


> You can't expect an opposition, who are in a very strong position right now to die on their sword for what is, for the vast majority of Australians, a fringe issue.

I think you make an intuitive point here that warrants attention: you’re not wrong, someone is free to “pick their battles”, and be strategical. And that’s fine.

However, when they do, they should face the consequences.

Supposedly, this is a fringe issue, and only the people on HN will care. So we shouldn’t chastise them for being strategical.

But you are on HN! This is where those few people are, who care! So this is where they are held to account. If nobody else does, great, then you were right and it was a fringe issue. But that’s not up to you to decide.

It’s essentially like a market. If Apple decides to “piss off” developers by removing the F keys, do we tell people on HN not to be crybabies because “it’s a fringe issue”? “You know they were right from their perspective, so keep buying Apple products”? No. Those who liked F keys enough will stop, and the market will decide how important it really was and who was right.

Same with political issues.

This is not idealism. This is people choosing their battles. The Australian government did. The people here do. Just a market for votes. Nothing idealistic about it.


Bravo.


Labor quite clearly did not do what they could under the circumstances. If the Opposition is incapable of actually opposing something they had serious reservations about they aren’t really trying.


>If the Opposition is incapable of actually opposing something they had serious reservations about they aren’t really trying.

Welcome to Australian politics ;)


If they can't oppose the bill they are opposed to then what has gone wrong, and how do we fix it? (I think we all agree Rupert Murdoch is part of the issue, so there is one thing)

I appreciate that they might be "playing the game" to keep on the court, but it looks like that is at our expense, and something is wrong with that.


No idealism here mate, we are accusing the Labor party of lying about their motives and reasoning. This bill was bipartisan (shame on both their houses and all that).

Saying they would "die on their sword" is wrong. Nobody would care if they said "we're waiting 6 months because we want time to debate". They do that sort of thing all the time, doesn't raise a blip. This is a fringe issue! Nobody understands or cares about cybersecurity, that is the only reason that they can get something like this passed.

To claim the Liberals would run a scare campaign is one of the most bald-faced lies since "I thank the honorable [opposition] member for their question" in parliamentary Question Time. Scare campaigns don't need to be run based on facts; politics has moved beyond that. If a scare campaign is in the works it will go ahead regardless. Labor are still going to get called soft on crime if the Liberals think it will win them votes.


>Saying they would "die on their sword" is wrong. Nobody would care if they said "we're waiting 6 months because we want time to debate".

Again, be realistic, and account for the context of the situation. The LNP, in cahoots with our corrupt media made this a "keep Aussies safe over Christmas" issue.

No one in Australia is strong enough to take on the Murdoch media cabal. If Labor opposed, and even a minor incident occurred over Christmas they would have jeopardized their chances of election. For what? An issue that the vast majority of Australians don't care about? Idiocy.

I'm as disappointed as any other punter, but I've been unable to convince any of the tech-illiterate in my social circle that it matters.


>keep Aussies safe over Christmas

Which is even more disingenuous when you consider that the bill won't even take effect until March, and probably won't lead to any backdoors until significant time after that.


ZDNet reports that the Aus Govt. can start issuing the notices in question as of now: https://www.zdnet.com/article/whats-actually-in-australias-e...

Search for "IT'S THE LAW NOW, SO WHAT HAPPENS NEXT?"


You're preaching to the choir here mate. It's corrupt through-and-through, but the Murdoch media controls the narrative in this country, and the vast majority of Australians a) don't care and b) only consider the "but what about ISIS on WhatsApp" argument.

How do you win in this scenario?


Oh, I was intending to preach to the choir :) Just pointing out a little bit of extra hypocrisy that some might have missed.

Honestly, I don't know how we could possibly win in this scenario. A corrupt media stoking unfounded fears in an ignorant public is a very powerful thing.


You have said this one way or another a few times, but I just thought I would point out that "nobody cares about this but it will ruin their chances of election to oppose it", doesn't on the face of it make a whole lot of sense.


It's simple. Nobody, besides us nerds, cares about the details. Unfortunately it's extremely easy for those in the media to paint this as 'ISIS-loving Labor allows terrorists to communicate secretly' and that gets every man and his dog's attention, because privacy and civil liberties is a thorny, complex issue, but terrorist bashing is easy low hanging fruit we can all agree on.... right?


> This is a fringe issue!

It depends how you present things. Get some press release that says "The Australian government knows all about your visits to Youporn" and it would speak to people way more than "Australia's new encryption law". About that, see the episode about government surveillance on Last Week Tonight that tries to explain all the NSA programs when it comes to dick pics: https://www.youtube.com/watch?v=XEVlyP4_11M


It definitely affects all Australians. Meta-data hoovering spoke to more people than usual due to the same framing, "The gov wants to record what sites you look at". That's why we had much better engagement on that bill. This recent bill barely popped up in my tech heavy bubble. I only knew about it from a reddit post.


Their job is to lead not to jump off a bridge because it is cool and everyone else is doing it.

Their job is to keep a cool head and not shoot their economy in the foot twice. Their job is to point out that it is an incredibly stupid idea that makes /China/ look like a better place to do business with if you are concerned about data security at all.


This is a very sympathetic interpretation of Labor’s actions. Passing a law despite admitting it needed a few amendments at the very least, with a vague verbal agreement that it might be amended sometime in the first half of the next year, is neither a very promising nor a politically responsible course of action for a party hoping (and likely) to govern within six months.

It’s legislative and electoral cowardice more than political pragmatism.


> It’s legislative and electoral cowardice more than political pragmatism.

The only reason you can say this is because you have no skin in the game. If you were in Parliament, faced with a fringe issue (I don't think it is, but the vast, vast majority of Aussies do, probably because they don't understand the ramifications), then, unless you wanted to commit political seppuku, you'd have done the rational thing and supported this bill.

Politics isn't like Internet armchair quarterbacking, you do what you can to ensure that a) your position is safe, and b) that you will lose the battle to eventually win the war.

The privilege of never compromising on your values is reserved for the rest of us who have nothing to lose by criticizing the process.


Your comment only works because Australian politics lacks any real clear distinction between the two major political parties, and also lacks any real leadership.

You can choose from any of the following one broad categories of incompetence.

So to hell with pragmatism.

Politicians deserve, and should be subject to, unrelenting ridicule and scorn.


>Your comment only works because Australian politics lacks any real clear distinction between the two major political parties, and also lacks any real leadership.

Yes it fucking sucks. But please point out to me any other democratic country that is not a 2 party system? I don't know of any and maybe that says something about democracy itself. This may be an issue that can't be fixed.


No, it's a failure mode of first past the post election systems. Politicians are incentivized to join one of the first two parties, and voters are incentivized to vote for them.

This is not a failure of democracy. It's a failure to teach people about voting systems and game theory.

Proportional representation is the solution to this, so that new ideas can enter government incrementally instead of only when they get the majority vote, by which time it's probably too late.

But this is really hard to get through people's heads, because it is very hard to get someone to understand something, when their influence and power depends on not understanding it.


Australia isn't FPTP though, we have preference voting which often does elect third party candidates in small or local elections.

In the past decade, we've had parliaments only able to establish a majority by negotiating a deal with a third party or independents.


Germany, Italy, Greece and several other EU countries...


Portugal and Spain too, as of the last few years, though we'll see if that remains.


As are Belgium, The Netherlands, Sweden, Finland, Ireland...


Thanks, I appreciate it, I'm not well versed in foreign politics, so digging into these examples now. Germany, in particular seems to be a great example of political plurality.


The UK hasn't been two party for the last few elections.


The Greens voted against it, and do not seem to have suffered political disembowelment as a result. And yes, I know they're also not in a position to win the next election, but Labor's total capitulation to the Libs here was still pretty darn craven.


Greens don't count, they have no real political clout, and their tiny base rewards them for an anti-stand.


> The only reason you can say this is because you have no skin in the game. If you were in Parliament, faced with a fringe issue (I don't think it is, but the vast, vast majority of Aussies do, probably because they don't understand the ramifications), then, unless you wanted to commit political seppuku, you'd have done the rational thing and supported this bill.

I absolutely, as an Australian citizen, resident and voter, have skin in the game.

Labor losing the next election just because they refused to pass this specific bill is an extremely unlikely course of events. I don’t find it particularly rational – especially when the urgency to do so is blatantly manufactured and it was so widely opposed by public submissions – to pass a potentially disastrous, under scrutinised and widely criticised law, just because you’re worried a hypothetical scare campaign might work. It sounds a lot like paranoia or cowardice.

> Politics isn't like Internet armchair quarterbacking, you do what you can to ensure that a) your position is safe, and b) that you will lose the battle to eventually win the war.

What’s the war here? If you keep losing battles you’re certain to lose the war.

If the war is the election, Labor could certainly have afforded to lose this PR battle. If the war is cybersecurity policy in Australia, then I think the tech industry and tech users are getting quite sick of people trying to make excuses for yet another surrender.

> The privilege of never compromising on your values is reserved for the rest of us who have nothing to lose by criticizing the process.

A lot of people have a lot to lose if the process is abused or outright fails.


> I absolutely, as an Australian citizen, resident and voter, have skin in the game.

Sigh, I meant real skin in the game, i.e. you would face another 4 years in opposition if Murdoch and mates politicized your "support of ISIS".

>Labor losing the next election just because they refused to pass this specific bill is an extremely unlikely course of events.

I wish the world were different, but it just isn't. Given a modest 1/10,000 possibility of some "terror" attack over Christmas, would a rational actor hang their political future on an issue that 99.99% of average Aussies don't understand?

I hate this bill. I hate that we're moving in the direction of a world with mass surveillance, but realistically, if we take off our rose coloured glasses and put aside political idealism, would we expect Labor to do any different?


> sigh, I meant real skin in the game, i.e. you would face another 4 years in opposition if Murdoch and mates politicized your "support of ISIS".

I mean, in this scenario most Labor MPs keep their jobs, while thousands of people face an uncertain future as companies openly contemplate the risks of hiring Australians or doing business here, and perhaps millions risk their cybersecurity being covertly weakened. If you are subject to Australian law, you have just as much skin in this ‘game’ as the politicians themselves, if not more. After all, the law does apply to you.

> I wish the world were different, but it just isn't. Given a modest 1/10,000 possibility of some "terror" attack over Christmas, would a rational actor hang their political future on an issue that 99.99% of average Aussies don't understand?

Again, please define rational. Is Labor’s only rational plan to amass as much political power as possible at the least cost? To absolutely eliminate any risk of losing the next election by being as uncontroversial as possible? I’m not so cynical as to think there aren’t any technologically literate or principled people in the Labor Caucus, so I’m rather disappointed they simply went AWOL when they were needed most.

Labor just had an election in Victoria where News Corp went pretty hard after them on law and order for several months – yet they won. They weren’t going to lose federally in the next six months because of this bill.

> I hate this bill. I hate that we're moving in the direction of a world with mass surveillance, but realistically, if we take off our rose coloured glasses, and putting aside political idealism, would we expect Labor to do any different?

You’re sounding awfully defeatist. Labor didn’t have a gun to their head, either metaphorically or literally. They do actually have political power and they are allowed to use it. Be as cynical as you like, but opposition parties are still allowed to oppose things on principle.


>Is Labor’s only rational plan to amass as much political power as possible at the least cost?

Yes, unfortunately this is the game called politics. It stinks, but it is what it is.

>Be as cynical as you like, but opposition parties are still allowed to oppose things on principle.

Again, is it rational to oppose a bill which, for the Murdoch media would boil down to "Labor loves ISIS"?

It's unwinnable. Smart political operators fight battles that have some chance of being won. This wasn't one of them. I wish it was.


> you'd have done the rational thing and supported this bill.

I actually think they've created a huge problem for themselves. Instead of shelving this issue away for the election, they have guaranteed it's going to come back. The government is already flagging they will not accept amendments as a political tactic to prolong the discussion because they think it will distract from all their other policy failures. This may actually be a massive own-goal from Shorten.


They don’t want to fight the election on any of the major details of national security. The Liberals would be happy to fight the election on this front if Labor stopped supporting every bill that comes up.


Scomo is a political dead man walking and the news that day was mostly about his failure to get legislation through parliament. Another failure would have highlighted this more, potentially even brought down the government.

Shorten/Labor let it through because they support it and won't look at it next year. We judge them on their actions not their vague promises.


>Shorten/Labor let it through because they support it

Yep, fair comment, and fwiw I agree with you, but I take issue with people who think it's reasonable for an opposition party to take sides on a complex technical issue that unfortunately boils down to the "should we allow ISIS to use WhatsApp?" argument.

It's unwinnable.

I hate it, but I can't fault them for taking a pragmatic stand. It's a lose-lose for them to block the bill. How could they realign the narrative to make it palatable to Joe Average brickie's apprentice?

Sorry, Not possible.


I disagree because 1) Bill Shorten goaded the PM to stay late at parliament and pass the bill “to protect Australians” with no amendments on a vague promise.

2) those with courage resign and sit on the cross bench (as we have seen recently).


> those with courage resign and sit on the cross bench

You expect Shorten to go to the cross bench? Get real.


The point I was making is nobody is forced to vote for anything, which is true.

Anyone in the ALP could have voted against the bill and moved to the cross bench. The “get real” response is where the courage comes into play.


This is, at best, a very fringe issue for the voting public. That's sad, and I'm disappointed that it's turned out this way, but seriously, it is the only sane position for Labor to take right now. You can't effect much change from the cross bench and Labor are poised to win in a landslide. Politically it makes no sense to make this an issue. You know it and I know it. Other than political suicide over an issue that 99.99% of Aussies couldn't formulate a coherent argument around, what could Labor have done? And be realistic in your rebuttal. Dying on their sword only to potentially lose the coming election is idiotic, and irrational, regardless of what we, the tech literate, think about the issue.


> Other than political suicide over an issue that 99.99% of Aussies couldn't formulate a coherent argument around, what could Labor have done?

So "99.99% of Aussies" don't care that their software industry (or at least, security-related stuff) gets destroyed, and Australian engineers etc become unemployable?


>So "99.99% of Aussies" don't care that their software industry (or at least, security-related stuff) gets destroyed

Yes, I'm sorry, but in AU "Information Media and Telecommunications" sector employment made up 1.7% of all employed people [1]. Most Aussies don't care about your nerdy tech job :( and FWIW that makes me really sad.

[1] https://www.aph.gov.au/About_Parliament/Parliamentary_Depart...


Huh. I had no clue. But on the other hand, there's this: http://www.abs.gov.au/ausstats/abs@.nsf/0/48791677FF5B2814CA...

Having a little time, I massaged that. See: https://keybase.pub/mirimir/AU-industries.pdf

So maybe more like 10% could be affected?


>So maybe more like 10% could be affected?

Sorry I didn't have a chance to dig into your data, but even if it were 10%, that leaves 90% who are uninformed/disinterested and are easily swayed by the rhetoric: "If you've got nothing to hide then you are fine", "Do you want to protect ISIS from ASIO eyes?" etc...

The for case is so easily won in the public sphere that it's laughable. I wish it were otherwise, but most people cannot understand where we come from because they lack the background knowledge.

We're not special in that regard. As tech people we oppose this bill. How many other crappy bills pass without any protest from us nerds, just because we don't understand the particulars of climate/jobs/pollution/forestry/land management/policing/urban development etc.etc.etc.?


The moral, privacy and national-security implications of this law are distinct from the potential economic implications. Related, but distinct.


That goes both ways, you think they're going to care about scomo pushing for this legislation they don't understand? He'd have more success continuing the great onion debate.


Labor wasn’t forced to do anything. They chose the easier way out.


None of the bill will be used over Xmas. Everyone knows this. Labor blinked. Security is their kryptonite. It's shameful to play around with these laws.


I can't believe someone actually bought that line. It's an obvious soundbite to make people ignore what they did, just like when they say "we did it for the children."

We don't need to "reserve judgement until then". We already know they don't plan on repealing the bill in any meaningful way. They also gave up on creating a new interim bill because "the police wouldn't have access to these powers over summer", which is an even worse excuse than the one that they don't have access for Christmas. These excuses all sound made-up, and like they weren't even trying.

Labor did make Liberals compromise on one thing - not allowing the anti-corruption agency access to this power. I guess they gladly "fell on their sword" for that one, huh? This is such a joke, I can't believe people actually take their excuses at face value. There must be bigger partisanship in Australia than I thought, which makes people ignore this.

Also, 99% of the public comments were against this bill, and Labor ignored that, too. But, ultimately, if Labor did actually believe they were "keeping people safer over Christmas" with this bill which had no debate and was passed at night, then that just shows extreme weakness to compromising.

Will they pass any bill the other parties want to pass as long as they threaten Labor with accusations of "not wanting to keep people safe"? Is that how weak of a party they are, that they can't find real arguments against what is a baseless accusation meant to cause misdirection?

One more thing, Australia just became the first Western country to allow encryption backdoors, something all security experts have been warning is a very bad, terrible idea, that will both destroy the security of the systems in which those backdoors exist and hurt the tech economy. Even if you believe that Labor's action was genuine, does that really not sound like something you would want your party to "fall on its sword" over?

But again, their excuses make no sense, especially in the light of them actually fighting Liberals on disallowing the powers to be used against politicians.


> I can't believe someone actually bought that line.

I didn't buy the line, but be realistic, what percentage of Australians could even make a coherent argument against this bill? It's a vanishingly small percentage.

I watched some bullshit morning TV segment on this where an EFF spokesperson gave some sound arguments wrt this bill's overreach potential and downsides. The opposing argument? "But who can argue against ISIS using WhatsApp?". Boom, argument shut down and the presenter sided with the ISIS argument.

It's sad, it sucks, but unfortunately most people are not even able to comprehend the anti-argument because terrorists=bad.

> Is that how weak of a party they are, that they can't find real arguments against what that is a baseless accusation meant to cause misdirection?

Yes this is modern politics. What is your solution? I don't have one.

>One more thing, Australia just became the first western country to allow encryption backdoors, something all security experts have been warning is a very bad, terrible idea,

Australia is a piddling little country that is a test bed for the 5eyes. We think we're globally important, but that is simple self-delusion.

>But again, their excuses make no sense, especially in the light of them actually fighting Liberals on disallowing the powers to be used against politicians.

Yes, absolutely. It makes me sick that there is a provision within the bill to exclude parliamentarians. There is a deep sickness in our democratic process, but how do we expect to fix it?


Or worse, what about Australian companies?

I work at a company in Australia that works on systems that will get deployed into locked down environments for privacy reasons/laws.

Could the Australian government force us to spy on our overseas customers? What about our indirect customers (customers of customers)? Can the Aus government strong-arm us to spy on these people we in theory could spy on but don't deal with directly?

All of this while lying to our clients, legally of course....


My understanding is that this is the whole point of the five eyes program. It's illegal for the US to spy on its citizens, so they ask Australia to do it and report the findings.

According to Wikipedia, Snowden revealed that the five eyes countries "have been spying on one another's citizens and sharing the collected information with each other in order to circumvent restrictive domestic regulations on surveillance of citizens."


Yes.

But don't you feel safer over Christmas? /s


I can imagine geo-banning a country from GitHub repos. This is true insanity on Australia's part.

Don't they know any backdoor will undoubtedly be found and spread? People find vulnerabilities in software designed to be secure. When there is an intentional backdoor, it will be abused even quicker.


Seriously, our current government is as thick as two planks of wood, but this law is so stupid that it must be deliberate. Maybe whoever wrote this law had an ex-girlfriend who left him for a software developer, because it seems almost perfectly designed to punish developers.


I hope they do. I hope the global tech industry ostracises us and our tech industry falls apart, and that the politicians wear every bit of it in some kind of political aftermath, referendum, vote, protests, I don't care.

My worst fear isn't this causing damage, my worst fear is that the tech community will be apathetic and impotent, like they have been all other erosions of privacy so far.


I'm far more worried that this bill will be forgotten than acted upon.

What happens 2 decades down the track when a newly elected government suddenly realises that through 20 years of apathy they've been slowly handed every tool they need to turn themselves into the 4th Reich?


As long as we can still clone and pull anonymously, I'll be half-happy, at least. :)


Read up on the article about how it's going to happen. Hide a third party in your group chat as a silent observer that you can't see.

Terrifying. Wickr for all comms, here I go.


I can already see it on HN in a few days/weeks from now: Hiring Australians considered harmful


Well, under the current circumstances, how can it not be?

I mean, who pays well enough for employees to risk prosecution and huge fines? The honest ones will just quit. But now that I think of it, does that in itself violate the law, or at least the nondisclosure aspect?


Forcing someone to do a job is slavery.

And I’d argue that forcing someone to spy on others, to engage in sabotage, and to lie is a violation of basic human dignity.


I’m confused, because “I was just taking orders” from the state can get you killed.


I'm not sure what you're getting at. If you're a soldier, sure it can get you killed, in battle. And if you're a soldier, and your side loses, you may be tried for war crimes. Even if your side wins, you may be tried for war crimes if you follow illegal orders. In modern military, you're trained to refuse illegal orders. But that's an iffy thing, especially in the heat of battle.


My point is that I believe those in the Nuremberg trials were following legal orders at the time, but their side lost. And yes, it's an iffy thing to disobey when it may be the morally correct thing to do.


Forcing someone to do a job without paying them is slavery. Don't conflate things just to suit a narrative. This kind of law is problematic for legitimate reasons, not made up BS like "it's slavery."


This would possibly suggest it may not be constitutional, so I would at least expect some constitutional challenges.


Being a citizen awards you with rights and responsibilities. Whether we think that implementing backdoors is morally right, that does not mean that Australian citizens do not have responsibilities to their country. And neither does it mean that the Australian government cannot force their citizens to fulfill their legal responsibilities.

A lawful order by your government is not slavery.


Something being lawful doesn't imply it's moral. The line is blurred, since slave labor can be enshrined in law as the responsibility to their country, making slavery a lawful order.

In my opinion, responsibilities are better fulfilled by things like paying taxes and not being a nuisance.


Thought experiment: how large, either in number or geographic area, does a group of people forcing someone to do something against their will have to be to make it no longer slavery?


>A lawful order by your government is not slavery.

Don't be ridiculous, slavery itself can be made lawful and actually is in some countries.


I'm not sure that it's as straightforward as you claim. For instance, is conscription ethical? What about indentured servitude?

You could easily argue these are violations of some human rights, but these sorts of things might be lawful orders.

And let's not forget, literal slavery was legal in America until the Reconstruction Amendments that outlawed it. Was it ethical that a responsibility of being an American citizen was that you may become a slave or a slave owner? Of course not.

In Australia we have very few constitutional or statutory rights (arguably this means we are in violation of several international human rights treaties). "You have a responsibility to your country" isn't a get-out clause from a government treating its citizens ethically. Just because something is the law doesn't mean it's reasonable or morally acceptable.

(I don't think the new legislation is a form of slavery, since that's a very hyperbolic way of phrasing things. But I disagree that "it's a lawful order" is the only factor that should be considered when discussing what is moral.)


In D&D speak you would call this kind of argument 'lawful evil'.


Why can't it be both?


True. Many countries require military service of one sort or another. And more generally, governments do tend to view their citizens as resources. I recall a great book on the history of data science. But not the title :( One of the drivers, as I recall, was knowing resources to plan wars.

Still, the juxtaposition of "lawful" and "government" makes me smile.


Just to be clear, I was rather agreeing with "Forcing someone to do a job is slavery." And just pointing out that states do that a lot. But they couch it in language about "duty" and so on.

I mean, many millions of soldiers died in WWI and WWII. Many were volunteers, sure. But many were conscripts. And of course, having your country conquered may also not be such a great thing, unless your government are jerks.

Anyway, I distrust all governments above the village level. I do see the argument for ~state level government. Basically, to deal with groups of jerks. National defense is arguably the only justification for national government. And that's just because there are other national governments, controlled by jerks. So it's sort of like a multi-player protection racket.



That seems a great book. But this was more about database design, and statistics. Covering maybe 17th-18th centuries, and focusing on Western Europe. I recall France and Germany, in particular.


I don’t know if quitting is a valid way out. More likely need to get fired.


Possible canary quitting. "I'm resigning for patriotic reasons."


So what, just be clueless about it, and get caught?

This is just so stupid and sad.


I'm curious if similar rules are applied to foreign nationals (and software/hardware) of other much more totalitarian regimes like China or Russia?

Not defending how retarded our government is, but it seems this is an issue we should have already contemplated as an industry. How many other nations should be banned for similar reasons? Do you really trust those chips made in China?


I'm pretty sure that the US military, NSA, etc don't.

I also gather that Chinese generally face more scrutiny in the US, in at least some industries. And they're more likely to be investigated.


Military and NSA are probably cooperative enough with our government that this isn't an issue for them, it was probably even initiated by them.

The bigger issue is the private sectors of companies worldwide throwing confidential information into things like JIRA. They can no longer consider that confidential.


The context of my comment was China, not Australia ;)


Ugh, that awful ‘considered harmful’ trope


Or, alternatively, maybe it's just not true that you need to do this, because maybe the law doesn't work how most software engineers automatically assume it does, and maybe it doesn't apply based on citizenship...

(It's still a really bad law, but for different reasons, and the ridiculous rhetoric from all sides is ridiculous. There's been a few good people like Stilgherrian writing decent commentary.)


The article states that the law is too vague to know how it will be used:

> There is a great deal of vagueness in the law in its current form, and we do not know how it will be interpreted and used when it goes into effect in March.

When dealing with security issues, you are dealing with worst case scenarios. If a law can be abused I am happy my password manager has thought about how to best protect me from this scenario. Same as with software vulnerabilities: if 1password detects one that doesn't mean that someone read my passwords, but I expect them to work on it nonetheless for the slight chance someone might.


Yes, it's a bad law. Yes, in large part that's because it's vague. No, it's not so vague that it's impossible to figure out any limits to the implications for service providers.

The worst vagueness is in specific areas (e.g. what does the prohibition on "systemic weaknesses" in mandated technical capabilities actually mean - lots of expert opinion says that the definition of that particular safeguard doesn't actually protect us against very much).

The final section of their post discusses a common idea that interception agencies can request individual employees to do things without their employers' knowledge. I'm pretty confident this is bogus, and appears to be based on a misunderstanding of statutory interpretation that some organisations have encouraged (see the thread at https://twitter.com/stilgherrian/status/1072666031963979777, which includes at least one actual lawyer), and at least one representative of the Australian Government who was involved in drafting the legislation has explicitly denied this (towards the end of the recording at https://www.lawfareblog.com/lawfare-podcast-global-developme..., there may be better and more formal written sources for this).

Also, they're wrong about the start date of this legislation - it's already commenced.

So, yes, the law is very bad and vague (in parts), and yes, you need to think about worst case scenarios, but that doesn't excuse poor analysis.

edit: I should also add that apart from the badness of the law itself, the Government primarily has itself to blame for not communicating with industry and community and allowing wild speculation to go around unchecked - they have really lost control of the narrative here, and that's bad for their own desired outcomes more than anything else.


Can someone share if there's any protest or event one could participate in to maybe change things or at least gain public attention? I'm one of those sole traders based in Sydney extremely worried by this law and very willing to protest.


Is there anything we can do that will have an actual impact? I don't really rate standing in the streets with signs as an effective tactic in this country. Remember, only one of the submissions on this bill was in favour of it; the politicians here don't listen to words from the citizens.


If you are an Australian in tech, start the brain drain. If they won't listen to facts, reality will make them listen and assert that the laws of mathematics do indeed supplant the laws of Australia.


Geoblock Australia.


As an Australian front end developer currently sitting in the UK, my plan has always been to go home in 5 or so years. I am now deeply concerned with what the industry will look like in that time: not only are there major bandwidth issues due to the NBN mess, but laws like this that carelessly punch holes in security make a bunch of startups non-starters onshore.


It's not just the Liberals at fault here, the Labor Party also supported this bill. Both sides of the same corrupt coin, beholden to their five eyes masters.


> Would an Australian employee of 1Password be forced to lie to us and do something that we would definitely object to?

This law is a disaster for Australia's software industry (sorry Atlassian) but as an Australian living and working outside Australia I can't see that I would be subject to it.

Australia is notoriously punitive to Aussies overseas (quite different from, say, India) so it would hardly make sense for such a stupid law to apply to us -- unless the US demanded it I suppose (this whole law is clearly a 5 eyes effort).


The fear would be that software engineers who are Australian citizens would want to travel to Australia again to visit family, and then be forced to comply. You can be living and working in the United States, but if you're an Australian citizen traveling with an Australian passport they can simply not allow you to leave unless you implement a backdoor, never mind the fines and jail time.


I'm sorry, this is FUD.

Section 317ZG of https://www.legislation.gov.au/Details/C2018A00148 specifically prevents individuals from implementing backdoors.


Where exactly does it mention individuals? Elsewhere, under the definition of provider, individuals are specifically included. 317ZG appears to make no mention of individuals.


How about simply visiting Australia without your corporate laptop? Or take the laptop but without the means to connect to the corporate network/accounts?


Visit Australia, get the notice, go back to wherever you live and work, and either implement the backdoor or get kicked whenever you return to Australia one more time.


People tend to be deeply attached to seeing their family and friends, so the mere hint that the reality of such laws could be purposely weaponizing those emotions is nothing shy of vicious. As a Dane who lives in Brazil I’d be devastated if I had to choose between the ability to see my family once a year or my ideals. It would tear me apart. To not be 100% sure I could go to my parents should one of them fall gravely ill e.g. would be heartbreaking.

I mean I love you people and I believe you are entitled to freedom, privacy and security but that is not a choice I’d make lightly. I do not envy Australian developers right now, not only is their marketability severely reduced, the emotional cost of taking a stand can be downright crushing to the spirit.

This is just... evil. There is no other word for it.


Aren't you then trapped, as implementing a backdoor in foreign software on foreign soil on command of a different state might lead to charges of espionage in the country you are residing in?


Not clear that the coalition or labor would care.


Australians can be arrested and prosecuted for violating Australian law while outside of Australia. So even if something is not illegal in another country and you do it, you can still be charged under Australian law when you return, or in serious cases when they extradite you back.


> this whole law is clearly a 5 eyes effort

Bingo.


> I can't see that I would be subject to it

You can't deny to help, and you can't tell anyone you've been asked.

They could extradite you, put you in jail and the case simply wouldn't see the light of day. Even if they couldn't extradite, you've essentially renounced citizenship.


> They could extradite you, put you in jail and the case simply wouldn't see the light of day. Even if they couldn't extradite, you've essentially renounced citizenship.

Noncompliance with a TCN is a civil offense, not a criminal one. This law is bad enough, so there's no need to misrepresent how it handles noncompliance.


This law honestly makes me reluctant to hire anyone in Australia or any AU citizens abroad. Which is a shame, because the ones I know are good developers.

I hope the law is negated by another one before it goes into effect. If not, at least it will force everyone to have good software practices such that no one person can put a backdoor into a piece of software.


As I understand it, the law is already in effect.


The law is in effect. It passed both houses on December 6th and received royal assent on December 8th.


According to the article it doesn't go into effect until March of 2019.


Most parts of the Amendment Act have come into effect as of the day after assent (9 December 2018).

The fact that they get this wrong is probably a good indication of how much you should trust the rest of their analysis on how this may affect them.


1Password has recently been pushing a subscription model where your passwords are stored on their cloud. It's still end-to-end encrypted across devices, but the Australian (or other) government could be silently added as a "device".

For now, they still support storing on Dropbox and iCloud, which is what I use - because I don't want to hand over too many keys to any one company regardless of how trustworthy they are. I hope they continue supporting as many options as possible.


> It's still end-to-end encrypted across devices, but the Australian (or other) government could be silently added as a "device".

You can add as many "devices" as you want to my account. Hell, go ahead and just copy the db without adding *Agency as a "device".

You are still out of luck until you get the Master Key AND my One Password. [XKCD 538](https://www.xkcd.com/538/) says it won't be too hard but still not trivial.


Honestly, you can post your password vault publicly if you dare. It is random bits unless you can decrypt it with your master password. For quite some time this was one of the ways to access your passwords from alternative OSes, with an HTML page doing the decrypting.


I'm glad companies like this are speaking up in this way. Politicians need to understand that this is really happening: the destruction of the Australian software industry is now underway. Even if they still think they voted for a perfectly good law, they must understand that perception is everything and the outcome of what they have done is going to have horrific consequences.

As an Australian, please help us and speak up like this.


Hypothetically, could they force BitBucket to inject code into repos or binary releases? I know git is signed, but how many consumers (who just download and compile) check that the git log in the cloned repo actually matches the website?


It's one of the questions we're asking ourselves internally at Atlassian. The only upside to the law is it was written without any idea of how modern software development works - any backdoor or explicit code injection should be caught at the pull request stage.


What happens when the entire Australian staff get the order? Usually to sneak something in, you just need a clique of about 2-5 staff to write it, approve the change and get it deployed.

If the company is large enough, most won't notice the rogue commit, and if 90% of the company gets the order, well good luck!


If I were some shady Australian spy organization, I wouldn't just demand an employee write some obvious change that rips open a backdoor, I would have my highly qualified spy programmers write a fix to an existing bug (ticket) in a repository, but inject a subtle bug (buffer overflow, unescaped input), then have a junior programmer commit it to the repository. The junior programmer might not even be able to spot the problem.


I'm pretty sure ASIO et al are only pushing so hard for this precisely because they are incapable of that fairly mundane level of sophistication. But yes, they could get better at it and we wouldn't know.


This is a very good point. I'd only considered it in the context of an individual.


They can ask your company directly, and anyone at your company, to formulate a method of injection. They don't really care how it seems, so a way to deliver code silently post PR is entirely within scope.


But isn't it bad that the law isn't more specific? As it is right now, couldn't the one issuing the order specify exactly what steps the compelled need to take? I'm sure there are quite a few highly skilled individuals working for the Australian spy agency that could craft a method of implementation for a backdoor with a low possibility of detection. Especially if the compelled needs to disclose internal development and security practices.

I haven't fully understood the law myself, so this is both speculation and a question.


You have to move your company abroad or risk losing all your customers.


Move the company abroad and fire all their Australian staff, no less.


They have Australian founders too. That makes things even more tricky. ;)


Probably time for them to call it quits.


I just wanted to say that I'm really heart-broken about your situation regarding this silly law.

I hope you come out of it totally fine.


This is my main concern too. Leaving Atlassian immediately, which is a shame as I use them extensively.


From what info is available on LinkedIn, it looks like 1Password does not employ anyone in Australia currently: https://www.linkedin.com/company/1password/people/

However, Agile Bits (parent company) does have a customer service person in Australia: https://www.linkedin.com/company/agilebits-inc/people/

It's weird and depressing to have to do this search. Having a diverse international team should be something we celebrate.


I feel like this provides almost no assurance.

> ... will not introduce back doors into our products, ....

Surely 1Password can't actually make that promise in good faith. They're the perfect target for the kind of intervention that the AU gov wants to carry out.


They could just stop doing business in Australia entirely unless they were then strong armed by the 5 eyes?

All my other favourite services in Australia are geo-blocked, let's geo-block my preferred password manager next.


Although concerning and moronic, I'm comforted by the fact that this bill is so fantastically infeasible that I'll never personally have to worry about it as a developer. Any organization where you could be secretly compelled to introduce a back door in such a way that it wouldn't be detected is not a company I will work for.


As I understand it, this law also applies to solo developers, so if, as an Australian, you create a tool that many people decide to use, you might be compelled to betray your users. Not many checks and balances there.


Realistically, I think there are always people at any organization who could do this—anyone with access to monitoring, alerts, and logs, for example, will be able to make undetected changes. Sure, you can put alerts on your alerts and monitor your monitoring, but you need people to manage that second layer too. And no matter how tightly you restrict access, you’ll need people to manage access control.


> Would an Australian employee of 1Password be forced to lie to us

Any employee could be forced to lie to you.

Section 317C of the Act outlines what sorts of products and services come under its jurisdiction. The primary test is whether you have one or more Australian users.

You do not need to be an Australian resident or company to be affected by this law. If you have Australian users, you are subject to the Act.

https://parlinfo.aph.gov.au/parlInfo/search/display/display....


> Any employee could be forced to lie to you. [...] If you have Australian users, you are subject to the Act.

Suppose I am a Brazilian working in Brazil for a Brazilian company with Australian users. What authority would this Act have to prevent me from immediately showing the demand to my boss, the company's legal counsel, my coworkers, or even publishing it on the Internet? Sure, they could forbid me from ever visiting Australia, and perhaps demand my extradition if I ever visit a few other countries, but I don't see what they could do to me in my country. In fact, I could even argue that obeying their demand would be illegal under my country's laws.


You are correct. The practical reality is that the Australian government doesn't have much authority in Brazil. It's more of an issue for people from the other 5 eyes countries.

If you are a UK citizen working in the UK, and a UK agency wants access to encrypted data, successful extradition would be more likely.

The 5 eyes governments won't rush into this. They will be tactical in establishing a legal precedent.

The game plan is to wait for a case where there would be little public sympathy for a developer, perhaps where the developer has committed other crimes too. They will seek extradition then.

Once they have done it once, it will be much easier for them to do it again.


I am happy I recently left Australia, and that my company is incorporated in the states with European servers.

I can't imagine the govt would want any data on any users of my software (not that I have any other than what any standard mailing list would have). But this law still gives me pause before thinking about ever moving back... such a shame, as it's a great country. But out of principle, I'm not sure I could move back knowing that the govt could ask me to spy for them whenever they feel like it.


Presumably the law also applies not just to devs but to anyone who updates software, e.g. a password protected word file or any file on a password protected system, i.e. all computers/phones, etc.

The problematic wording is here, which defines a "provider":

the person develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one (a) the development by the person of any such software; or (b) the supply by the person of any such software; or (c) the updating by the person of any such software

It is far broader than just software entering into production, but can include ancillary software.


What I am missing in the article: what measures have been taken to make it hard to insert backdoors into the product? I expected a link to their security practices and development process at least. And even then, how can I vet this as a customer?


Why would moderators intervene on an important, popular discussion like this?

https://twitter.com/justsee/status/1072766976194301952

Calling dang?


“Because iocane comes from Australia, as everyone knows, and Australia is entirely peopled with criminals, and criminals are used to having people not trust them, as you are not trusted by me…”

— The Princess Bride


Wonder how long until a Fastmail employee is compelled to hack the company. I have really liked Fastmail over the years. What a sucky situation.

Any good Fastmail alternatives (not google, outside AUS)?


I reached out to Fastmail, who referred me to https://fastmail.blog/2018/09/10/access-and-assistance-bill/


There are quite a few. Posteo.de, Mailbox.org, Mailfence, Runbox.


Guess I’m off to gaol soon because I’m certainly not implementing a software backdoor for the Australian Government. Nor will I approve any pull request that does so. I expect I should do well in prison, definitely got the skills & personality to succeed in there (hint: mild sarcasm).


Fire your Australian employees.

This isn't about "Jobs for the sake of Jobs", this is about a secure product.

But you already knew that.


And in particular: State so clearly, in written form, so that the people you fire have something to show their representatives. Those idiots obviously can't think in hypotheticals, but they might well understand "I got fired because of this law".


Consider that any employee could be threatened physically and capitulate to a demand, and this is just another, not necessarily greater, application of force.


True. But then they go to the police about it.

Except that doesn't work for this.

Even if you're overseas, I doubt that authorities will come between you and your lawful government. And OK, maybe they would, if it were North Korea, or even China. But Australia? That seems unlikely. Especially with the 5/13/whatever Eyes aspect.


Please note, if you're an employer, you will need to consider Australian labour laws and whether firing Australian employees is allowed.

If I was fired because of a legislation change I'd sue my employer for unfair dismissal. But of course, that assumes your (Australian) subsidiary continues running. I would expect that you'd want to shut that down too, since it could be given a TCN as well -- and the fines for noncompliance are in the millions.


> If I was fired because of a legislation change I'd sue my employer for unfair dismissal

It would be because you showed up to work late, or your performance suffered. There is plenty of discretion for normal practices to become scrutinized when convenient in an employer-employee relationship.

This always leaves the former employee to spend time and resources trying to make some impossible correlation that could only be proven if the employer said the most amateurish thing possible.


> There is plenty of discretion for normal practices to become scrutinized when convenient in an employer-employee relationship.

As someone who has had family members go through the unfair dismissal process (where an employer tried to pull exactly this tactic), employers cannot just lie about the reasons for a dismissal. Doing so can actually result in larger compensation, as a punitive measure. There needs to be sufficient evidence for the lay-off, as well as evidence that it was a long-term issue. Courts often favour employees in such cases (in one case a friend was unfairly dismissed from CSIRO, a government body, and they received the maximum possible compensation as well as assistance from CSIRO to help him update his resume for his next job).

But this is beside the point. The topic in question is whether employers should lay off their employees in protest of the new law -- it would hardly be an effective protest if you didn't state why you were laying these people off. It'd also be ridiculously suspicious if the entire Australian office was fired because they "consistently showed up to work late".

Don't get me wrong, I really hope companies retaliate by killing Australia's tech industry so the government realises how much they just shot themselves in the feet (if you can't buy an iPhone from Apple in Australia I guarantee there will be riots -- that's just what it takes unfortunately). But if you're an employer you should make your employees whole -- because doing otherwise will result in lawsuits.


> If I was fired because of a legislation change I'd sue my employer for unfair dismissal.

It wouldn't really be unfair (of the business) though. It'd be more a case of legislation making the operating environment untenable, thus the business having to let go of Oz staff.

That's not the business's fault, as much as the situation clearly sucks.


No, it isn't the business's fault they can't really operate in Australia anymore because of a legislative change.

But the business can decide how they'd lay off all their employees, and a proper severance (and transition period) and so on would be the reasonable way to do it. There is an unfair (retaliatory) way to do it too, and that's what I was referring to.


No worries. Yep, agreed. :)


Or, help them relocate to another country.


They will be still subject to Australian laws, so that's not enough.


But it's Christmas, best time to fire someone.


This will be a timeless expression of sanity, far longer than the holiday season


Fire any possible UK, US, and Chinese nationality employees seeing as they're all subject to similar laws.


Don't forget the Americans with the Patriot act


Also for those thinking of leaving, it is illegal for Australians to give up their citizenship, i.e. Australian law excludes this possibility.


Would back doors only be an issue if you use their online site to store and access your logins vs just keeping it local?


An Australian passport is now a liability.


This should not be a discussion about Australia or any government in particular. The discussion should be about the importance of not supporting closed source.

I believe in open-source. This just proves once again that closed source cannot be trusted. I would never use 1Password or any of its variants. It still amazes me that so many people are sending their most precious secrets to a commercial company's cloud server.

I only use the KeePass open-source password manager, every day for over 9 years now, and I'm really thankful to the devs that build and maintain this nice piece of software.

