
Does Australia's access and assistance law impact 1Password? - macintux
https://blog.1password.com/does-australias-access-and-assistance-law-impact-1password/
======
danieltillett
_Would an Australian employee of 1Password be forced to lie to us and do
something that we would definitely object to?_

 _We do not, at this point, know whether it will be necessary or useful to
place extra monitoring on people working for 1Password who may be subject to
Australian laws._

So not only does this idiotic law destroy the Australian software industry, it
could prevent Australians from being hired outside Australia. Someone or some
group in the Liberal/National Party (the current government here in Australia)
really, really, really hates developers.

Edit. Time for some Aussie geek civil disobedience I think.

Edit 2. We have a huge number of Aussie developers here on HN. Let's use this
to organise some sort of protest. Either that or we will all be off to
Centrelink.

~~~
FuckOffNeemo
I guess I'm moving back to the UK. No wait, can't do that either. Perhaps I'll
live in the US for a while, I haven't lived there yet.

Or just become the digital nomad and move off to Budapest like many of my past
colleagues and friends.

I don't have the emotional depth at this point to articulate a well thought
out perspective on what impact these laws will have on me, our industry or my
own personal safety in Australia.

But I can say for sure, that the entire thing is completely fucked.

~~~
Fnoord
Budapest, in Hungary? You might wanna look up Viktor Orban before moving to
there.

If you're British you can roam freely through the EU. I can recommend Germany
instead: strong privacy laws, and due to recent history (WWI, WWII, Cold War)
there is a relatively strong pro-privacy mindset. Though I recommend learning
German; if you intend to settle in large cities such as Berlin, and in
international companies or IT, you can easily get away with English.

~~~
mr_toad
> If you're British you can roam freely through the EU.

Unfortunately it doesn't seem likely that this will last much longer, unless
the UK makes a U-turn on Brexit.

~~~
Fnoord
Fair enough, gonna depend on the deal though. I really doubt UK civilians
living in Germany are going to get kicked out to UK. That'd be so
counterproductive for self employed people...

------
gumby
> Would an Australian employee of 1Password be forced to lie to us and do
> something that we would definitely object to?

This law is a disaster for Australia's software industry (sorry Atlassian) but
as an Australian living and working outside Australia I can't see that I would
be subject to it.

Australia is notoriously punitive to Aussies overseas (quite different from,
say, India) so it would hardly make sense for such a stupid law to apply to us
-- unless the US demanded it I suppose (this whole law is clearly a 5 eyes
effort).

~~~
chc4
The fear would be that software engineers who are Australian citizens would
want to travel to Australia again to visit family, and then be forced to
comply. You can be living and working in the United States, but if you're an
Australian citizen traveling with an Australian passport they can simply not
allow you to leave unless you implement a backdoor, never mind the fines and
jail time.

~~~
mbo
I'm sorry, this is FUD.

Section 317ZG of
[https://www.legislation.gov.au/Details/C2018A00148](https://www.legislation.gov.au/Details/C2018A00148)
specifically prevents individuals from implementing backdoors.

~~~
rmbeard
Where exactly does it mention individuals? Elsewhere, under the definition of
provider, individuals are specifically included. 317ZG appears to make no
mention of individuals.

------
jedberg
This law honestly makes me reluctant to hire anyone in Australia or any AU
citizens abroad. Which is a shame, because the ones I know are good
developers.

I hope the law is negated by another one before it goes into effect. If not,
at least it will force everyone to have good software practices such that no
one person can put a backdoor into a piece of software.

~~~
brokenmachine
As I understand it, the law is already in effect.

~~~
jedberg
According to the article it doesn't go into effect until March of 2019.

~~~
ajdlinux
Most parts of the Amendment Act have come into effect as of the day after
assent (9 December 2018).

The fact that they get this wrong is probably a good indication of how much
you should trust the rest of their analysis on how this may affect them.

------
diebeforei485
1Password has recently been pushing a subscription model where your passwords
are stored on their cloud. It's still end-to-end encrypted across devices, but
the Australian (or other) government could be silently added as a "device".

For now, they still support storing on Dropbox and iCloud, which is what I use
- because I don't want to hand over too many keys to any one company
regardless of how trustworthy they are. I hope they continue supporting as
many options as possible.

~~~
medecau
> It's still end-to-end encrypted across devices, but the Australian (or
> other) government could be silently added as a "device".

You can add as many "devices" as you want to my account. Hell, go ahead
and just copy the db without adding *Agency as a "device".

You are still out of luck until you get the Master Key AND my One Password.
[XKCD 538](https://www.xkcd.com/538/) says it won't be too hard but still not
trivial.

------
zmmmmm
I'm glad companies like this are speaking up in this way. Politicians need to
understand that this is really happening: the destruction of the Australian
software industry is now underway. Even if they still think they voted for a
perfectly good law, they must understand that perception is everything and the
outcome of what they have done is going to have horrific consequences.

As an Australian, please help us and speak up like this.

------
steve19
Hypothetically could they force BitBucket to inject code into repos or binary
releases? I know git is signed, but how many consumers (who just download and
compile) check that the git log in the cloned repo actually matches the website?

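One way a consumer can actually perform the check asked about above, as an added example (not code from the thread, nor from 1Password or Atlassian): it compares the clone's HEAD against the commit hash advertised on the release page and confirms the release tag carries a signature git can verify. Names such as `REPO_DIR`, `EXPECTED_SHA` and `TAG` are hypothetical, and the signing key is assumed to be in the local GPG keyring already.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project named in it.
# Before building from a clone, check that what you checked out is what the
# project published: the commit hash matches the one advertised on the
# release page, and the release tag carries a signature git can verify.
#
# Assumptions (hypothetical names): REPO_DIR is a local clone, EXPECTED_SHA
# is the full commit hash copied from the project's release page, TAG is the
# release tag, and the maintainer's public key is already in the GPG keyring.

# Return 0 if HEAD of REPO_DIR is exactly EXPECTED_SHA, 1 otherwise.
head_matches() {
    repo_dir=$1
    expected_sha=$2
    actual_sha=$(git -C "$repo_dir" rev-parse HEAD 2>/dev/null) || return 1
    [ "$actual_sha" = "$expected_sha" ]
}

# Return 0 only if TAG in REPO_DIR has a valid GPG signature.
# git verify-tag exits non-zero for unsigned tags and for bad signatures,
# so an unsigned tag is treated the same as a forged one.
tag_is_signed() {
    repo_dir=$1
    tag=$2
    git -C "$repo_dir" verify-tag "$tag" >/dev/null 2>&1
}

# Combined check: both conditions must hold. Exit status tells which failed:
# 1 = commit mismatch, 2 = tag signature problem, 0 = safe to build.
verify_release() {
    repo_dir=$1
    expected_sha=$2
    tag=$3
    if ! head_matches "$repo_dir" "$expected_sha"; then
        echo "HEAD does not match the advertised commit $expected_sha" >&2
        return 1
    fi
    if ! tag_is_signed "$repo_dir" "$tag"; then
        echo "tag $tag is unsigned or its signature does not verify" >&2
        return 2
    fi
    echo "ok: $tag at $expected_sha is signed and matches"
}

# Usage: verify_release ./some-clone <sha-from-release-page> v1.2.3
```

For individual commits rather than tags, `git verify-commit <sha>` applies the same signature check.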
~~~
jjcm
It's one of the questions we're asking ourselves internally at Atlassian. The
only upside to the law is it was written without any idea of how modern
software development works - any backdoor or explicit code injection should be
caught at the pull request stage.

~~~
woolvalley
What happens when the entire Australian staff get the order? Usually to sneak
something in, you just need a clique of about 2-5 staff to write it, approve
the change and get it deployed.

If the company is large enough, most won't notice the rogue commit, and if 90%
of the company gets the order, well good luck!

~~~
jay_kyburz
If I were some shady Australian spy organization, I wouldn't just demand an
employee write some obvious change that rips open a backdoor, I would have my
highly qualified spy programmers write a fix to an existing bug (ticket) in a
repository, but inject a subtle bug (buffer overflow, unescaped input), then
have a junior programmer commit it to the repository. The junior programmer
might not even be able to spot the problem.

~~~
cormacrelf
I'm pretty sure ASIO et al are only pushing so hard for this precisely because
they are incapable of that fairly mundane level of sophistication. But yes,
they could get better at it and we wouldn't know.

------
npunt
From what info is available on LinkedIn, it looks like 1Password does not
employ anyone in Australia currently:
[https://www.linkedin.com/company/1password/people/](https://www.linkedin.com/company/1password/people/)

However, Agile Bits (parent company) does have a customer service person in
Australia: [https://www.linkedin.com/company/agilebits-inc/people/](https://www.linkedin.com/company/agilebits-inc/people/)

It's weird and depressing to have to do this search. Having a diverse
international team should be something we celebrate.

------
timClicks
I feel like this provides almost no assurance.

> ... will not introduce back doors into our products, ....

Surely 1Password can't actually make that promise in good faith. They're the
perfect target for the kind of intervention that the AU gov wants to carry
out.

~~~
FuckOffNeemo
They could just stop doing business in Australia entirely unless they were
then strong-armed by the 5 eyes?

All my other favourite services in Australia are geo-blocked, let's geo-block
my preferred password manager next.

------
Niksko
Although concerning and moronic, I'm comforted by the fact that this bill is
so fantastically infeasible that I'll never personally have to worry about it
as a developer. Any organization where you could be secretly compelled to
introduce a back door in such a way that it wouldn't be detected is not a
company I will work for.

~~~
endominus
As I understand it, this law also applies to solo developers, so if you create
a tool that many people decide to use as an Australian, you might be compelled
to betray your users. Not many checks and balances there.

------
lachdoug
> Would an Australian employee of 1Password be forced to lie to us

Any employee could be forced to lie to you.

Section 317C of the Act outlines what sorts of products and services come
under its jurisdiction. The primary test is whether you have one or more
Australian users.

You do not need to be an Australian resident or company to be affected by this
law. If you have Australian users, you are subject to the Act.

[https://parlinfo.aph.gov.au/parlInfo/search/display/display....](https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;db=LEGISLATION;id=legislation%2Fbills%2Fr6195_aspassed%2F0001;query=Id%3A%22legislation%2Fbills%2Fr6195_aspassed%2F0000%22)

~~~
cesarb
> Any employee could be forced to lie to you. [...] If you have Australian
> users, you are subject to the Act.

Suppose I am a Brazilian working in Brazil for a Brazilian company with
Australian users. What authority would this Act have to prevent me from
immediately showing the demand to my boss, the company's legal counsel, my
coworkers, or even publishing it on the Internet? Sure, they could forbid me
from ever visiting Australia, and perhaps demand my extradition if I ever
visit a few other countries, but I don't see what they could do to me in my
country. In fact, I could even argue that obeying their demand would be
illegal under my country's laws.

~~~
lachdoug
You are correct. The practical reality is that the Australian government
doesn't have much authority in Brazil. It's more of an issue for people from
the other 5 eyes countries.

If you are a UK citizen working in the UK, and a UK agency wants access to
encrypted data, successful extradition would be more likely.

The 5 eyes governments won't rush into this. They will be tactical in
establishing a legal precedent.

The game plan is to wait for a case where there would be little public
sympathy for a developer, perhaps where the developer has committed other
crimes too. They will seek extradition then.

Once they have done it once, it will be much easier for them to do it again.

------
sweetp
I am happy I recently left Australia, and that my company is incorporated in
the states with European servers.

I can't imagine the govt would want any data on any users of my software (not
that I have any other than what any standard mailing list would have). But
this law still gives me pause before thinking about ever moving back... such a
shame, as it's a great country. But out of principle, I'm not sure I could move
back knowing that the govt could ask me to spy for them whenever they feel
like it.

------
rmbeard
Presumably the law also applies not just to devs but to anyone who updates
software, e.g. a password protected word file or any file on a password
protected system, i.e. all computers/phones, etc.

The problematic wording is here, which defines a "provider":

> the person develops, supplies or updates software used, for use, or likely to
> be used, in connection with: (a) a listed carriage service; or (b) an
> electronic service that has one (a) the development by the person of any such
> software; or (b) the supply by the person of any such software; or (c) the
> updating by the person of any such software

It is far broader than just software entering into production, but can include
ancillary software.

------
chopin
What I am missing in the article: Which are the measures taken making it hard
to insert backdoors into the product? I've expected a link to their security
practices and development process at least. And even then how can I vet this
as a customer?

------
justsee
Why would moderators intervene on an important, popular discussion like this?

[https://twitter.com/justsee/status/1072766976194301952](https://twitter.com/justsee/status/1072766976194301952)

Calling dang?

------
anotherevan
“Because iocane comes from Australia, as everyone knows, and Australia is
entirely peopled with criminals, and criminals are used to having people not
trust them, as you are not trusted by me…”

— The Princess Bride

------
stock_toaster
Wonder how long until a Fastmail employee is compelled to hack the company. I
have really liked Fastmail over the years. What a sucky situation.

Any good Fastmail alternatives (not google, outside AUS)?

~~~
praneshp
I reached out to Fastmail, who referred me to
[https://fastmail.blog/2018/09/10/access-and-assistance-bill/](https://fastmail.blog/2018/09/10/access-and-assistance-bill/)

------
mshirlaw
Guess I’m off to gaol soon because I’m certainly not implementing a software
backdoor for the Australian Government. Nor will I approve any pull request
that does so. I expect I should do well in prison, definitely got the skills &
personality to succeed in there (hint: mild sarcasm).

------
gammateam
Fire your Australian employees.

This isn't about "Jobs for the sake of Jobs", this is about a secure product.

But you already knew that.

~~~
cyphar
Please note, if you're an employer, you will need to consider Australian
labour laws and whether firing Australian employees is allowed.

If I was fired because of a legislation change I'd sue my employer for unfair
dismissal. But of course, that assumes your (Australian) subsidiary continues
running. I would expect that you'd want to shut that down too, since it could
be given a TCN as well -- and the fines for noncompliance are in the millions.

~~~
gammateam
> If I was fired because of a legislation change I'd sue my employer for
> unfair dismissal

It would be because you showed up to work late, or your performance suffered.
There is plenty of discretion for normal practices to become scrutinized when
convenient in an employer-employee relationship.

This always leaves the former employee to spend time and resources trying to
make some impossible correlation that could only be proven if the employer
said the most amateurish thing possible.

~~~
cyphar
> There is plenty of discretion for normal practices to become scrutinized
> when convenient in an employer-employee relationship.

As someone who has had family members go through the unfair dismissal process
(where an employer tried to pull _exactly_ this tactic), employers cannot just
lie about the reasons for a dismissal. Doing so can actually result in larger
compensation, as a punitive measure. There needs to be sufficient evidence for
the lay-off, as well as evidence that it was a long-term issue. Courts often
favour employees in such cases (in one case a friend was unfairly dismissed
from CSIRO, a government body, and they received the maximum possible
compensation as well as assistance from CSIRO to help him update his resume
for his next job).

But this is beside the point. The topic in question is whether employers
should lay off their employees in protest of the new law -- it would hardly be
an effective protest if you didn't state _why_ you were laying these people
off. It'd also be ridiculously suspicious if the entire Australian office was
fired because they "consistently showed up to work late".

Don't get me wrong, I really hope companies retaliate by killing Australia's
tech industry so the government realises how much they just shot themselves in
the feet (if you can't buy an iPhone from Apple in Australia I guarantee there
will be riots -- that's just what it takes unfortunately). _But_ if you're an
employer you should make your employees whole -- because doing otherwise
_will_ result in lawsuits.

------
rmbeard
Also for those thinking of leaving, it is illegal for Australians to give up
their citizenship, i.e. Australian law excludes this possibility.

------
heavymark
Would back doors only be an issue if you use their online site to store and
access your logins vs just keeping it local?

------
rmbeard
An Australian passport is now a liability.

------
bespoken
This should not be a discussion about Australia or any government in
particular. The discussion should be about the importance of not supporting
closed source.

I believe in open-source. This just proves once again that closed source
cannot be trusted. I would never use 1Password or any of its variants. It
still amazes me that so many people are sending their most precious secrets to
a commercial company's cloud server.

I only use the KeePass open source password manager, every day for over 9 years
now, and I'm really thankful to the devs that build and maintain this nice
piece of software.

