
Microsoft says encryption laws make companies wary of storing data in Australia - technion
https://www.abc.net.au/news/2019-03-28/microsoft-says-companies-are-no-longer-comfortable-storing-data/10946494
======
mastazi
I have migrated to Australia many years ago and I have recently become
eligible to become a citizen. However I’ve heard stories of tech companies
refusing to hire Australians because of the AA Bill, so I’m holding it off for
now. The problem seems to be the provision that a tech worker can be coerced
by the Australian Government into creating a backdoor, and they are not
authorised to disclose it to their employer. I don’t want to hurt my future
employability. On the one hand, if I had my citizenship then I could vote at
the next elections, but on the other hand the AA Bill has been supported by
all major Australian parties so I feel powerless.

~~~
KorematsuFred
Is this true? There is no way I am hiring an Australian citizen then.

~~~
mastazi
"For example, Australia’s law enforcement could compel Apple to provide access
to a customer’s iPhone and all communications made on it without the user’s
awareness or consent. An engineer involved would, in theory, be unable to tell
their boss about this, or risk a jail sentence."

Source: Sydney Morning Herald
[https://www.smh.com.au/business/consumer-affairs/dangerous-overreach-on-encryption-leaves-backdoor-open-for-criminals-20181214-p50mak.html](https://www.smh.com.au/business/consumer-affairs/dangerous-overreach-on-encryption-leaves-backdoor-open-for-criminals-20181214-p50mak.html)

That would be a 5-year jail sentence apparently:

"The Australian government could demand web developers to deliver spyware and
software developers to push malicious updates, all under the cloak of
“national security.” The penalty for speaking about these government
orders—which are called technical assistance requests (TAR), technical
assistance notices (TAN), and technical capability notices (TCN)—is five years
in prison."

Source: EFF
[https://www.eff.org/deeplinks/2018/09/australian-government-ignores-experts-advancing-its-anti-encryption-bill](https://www.eff.org/deeplinks/2018/09/australian-government-ignores-experts-advancing-its-anti-encryption-bill)

~~~
philliphaydon
So developer discusses with his boss. Developer A adds back door. Developer B
then patches back door. Boss fires developer A. Developer A then uses this TAR
crap to sue government for forcing him to do something and lose his job.

I can’t see the government being able to defend itself. We elect the
government to serve the people and the decisions of the government are
negatively impacting the people no matter which way you spin it.

My 2cents.

~~~
ENGNR
'developer discusses with his boss' => that's 5 years prison right there, not
joking

It's 5 for not doing it and 5 for telling anyone, 10 for both

~~~
maldeh
Assuming it could be proven, surely?

And there have to be limitations as to how far an individual could go as to
subterfuge, so if your company enforces a 2-person code review and there
aren't other authorized Australian nationals at hand, you could point at
process preventing you from doing so without others' knowledge (how naive this
defense is, I have no idea)

~~~
int_19h
You opt into participating in that process by accepting the job, though. So from
Australia's perspective, the way to comply with their law is to not take such
jobs, and to leave if the process changes prevent you from complying.

~~~
viraptor
I think you're inventing scenarios here that are too unlikely even for a
pretty corrupt country. There probably exist laws in a number of countries
which would technically jail you for taking some not-explicitly-illegal job.
But this is absurd. Unless you're an actual lawyer giving opinion here?

~~~
Nasrudith
I think if you trust people to not be corrupt you will wind up with
corruption. A bad law is one that requires the empowered to not abuse it. A
good law can't be abused. Harsh and cynical but true - reductio ad absurdum
giving someone the legal power to murder anyone and relying on it to "not be
abused" is a law literally bad enough to be casus belli for a civil war.

------
jjcm
That's one of the biggest things that lawmakers here couldn't seem to
understand - tech companies have high mobility across borders. Even if a law
has no teeth, why would Microsoft store data in Australia when the next
country over can still serve data for the region? It just creates too much
risk, from a privacy and PR standpoint. Startups will be more averse to
founding in Australia as well. It just creates a black mark on their record
from the start. These data laws were very poorly planned by the Australian
Government.

~~~
yingw787
I think that "high mobility across borders" is an assumption based on existing
trade regulations. From recent developments it's clear countries can and do
force companies to do things they don't want, and companies will do it because
they can't or won't lose access to consumers in those markets.

For example, Apple has begun storing Russian user data in Russia in compliance
with Russian data storage laws
([https://venturebeat.com/2019/02/01/apple-will-reportedly-store-russian-user-data-locally-possibly-decrypt-on-request/](https://venturebeat.com/2019/02/01/apple-will-reportedly-store-russian-user-data-locally-possibly-decrypt-on-request/)),
and Google is still working on its censored search engine in China.

Of course, if nobody else does this, this means you may have older software on
your systems or less priority in development roadmaps or whatever as your
country is an edge case, and you can probably say goodbye to market leadership
and have to coast on your existing advantages. However, if _everybody_ begins
to cartelize the Internet, you may not lose as much in comparison to everybody
else, since you will no longer be the edge case but the common case, and it
will be a bad time to start a company or store data anywhere you go at any
time. Companies will simply have to live with the geopolitical reality. In
this sense, the Internet devolves into a suboptimal Nash equilibrium, where
everybody has data localization laws and nobody will want to loosen up because
storing your citizens' information on servers in another country will leave
your citizens vulnerable. If this happens, the large homogeneous markets with
a single language, government, and economy (U.S/China) may have an advantage.

This is sad, and I hope they reverse this law. An open Internet is good for
economic and societal dynamism (and as a civilization is tautological to
organized chaos, slowing that down weakens said civilization), and I wouldn't
know how to work backwards to where the Internet should be. In the meantime,
maybe this will lift some open source, decentralized communications means past
some threshold of viability.

~~~
lsiebert
The Trump Administration also passed a law that affects companies that store
data overseas so that they can get that data, after big companies fought such
subpoenas.

~~~
coolspot
The case[0] started on Obama watch though.

What happens now is that after many appeals it goes to the supreme court.

[0] -
[https://mashable.com/2014/06/12/microsoft-u-s-government-data-foreign-servers/#qYJesfHDogqd](https://mashable.com/2014/06/12/microsoft-u-s-government-data-foreign-servers/#qYJesfHDogqd)

------
throw0101a
Ironically OpenSSL started in AU because the crypto (export) laws of the US
were too stringent:

* [https://en.wikipedia.org/wiki/SSLeay](https://en.wikipedia.org/wiki/SSLeay)

Now it's the opposite?

~~~
ehnto
Encryption isn't illegal due to the bill. In fact encryption law itself hasn't
changed. The bill gives the government the ability to compel someone to
circumvent encryption (backdoors, spyware etc.) if technically feasible while
acting to service a warrant.

It is much worse than banning encryption as it is silent subterfuge and
forcing the hand of citizens who would otherwise just be going about their
day.

Laws should be able to stop people from doing certain things but forcing
people to do something they had no business doing in the first place is
insane.

------
oedmarap
The three areas of contention in the bill:

> A technical assistance request (TAR): Police ask a company to "voluntarily"
> help, such as give technical details about the development of a new online
> service.

> A technical assistance notice (TAN): A company is required to give
> assistance. For example, if they can decrypt a specific communication, they
> must or face fines.

> A technical capability notice (TCN): The company must build a new function
> to help police get at a suspect's data, or face fines.

This approach is ripe for abuse. Even if a company is served with a TAN and
"can't technically decrypt" then a TCN can force them to downgrade/backdoor
the platform security to comply. The TAR seems token at best.

~~~
mikro2nd
Thought experiment: Company gets served with a TCN. They task Jolene (Snr
Programmer) to implement the backdoor. She does so in a way that spews
information far and wide in a highly visible manner. What are the consequences
for Jolene and/or the company, especially when the spooks cry foul and
Jolene's lawyer/Company replies with something along the lines of "I guess
she's just incompetent and did a bad job. Sorry. But we did comply with your
TCN."

Does this law actually address such a scenario?

~~~
brokenmachine
Jolene and some people from the company go to jail for exposing the Gestapo
overreach.

The govt talks about being tough on baddies, coal keeps being sold, there's no
pedophiles in my house and wow, it's Sunday so let's all watch the footy!!

------
dalbasal
It's incredible to watch the degree to which intelligence wants and needs are
dictating the coming regulatory environment of internet & tech generally.

Losing access to an information stream due to routing or encryption. Matching
allies' and rivals' levels of information access (a la prism). Denying them
access... From the perspective of the spooks (asio, in this case) these are
equivalents to exposing a microphone in Bin Laden's proverbial cave.

Meanwhile, FB & Google's revenue streams are, at this point so big and so
tightly coupled with creepy ad-tech/spyware that the economy depends on
privacy initiatives failing. Narrowing down a list of FB users who are >n%
likely to sign up to a new candy subscription is a lot like producing a list
of >n% likely to march in charlottesville or support some specific jihad.
Collaboration is inevitable.

Let's not underestimate where these roads are leading.

------
grizzles
Aussie entrepreneurs aren't too happy about this law or some of the other
ones, eg. the immigration laws.

One friend (health related ml/ai) is moving from Australia to Thailand next
week. He is PISSED the Aussie government wouldn't let him hire one guy who was
already in the country but not a citizen. That cost 6 other domestics their
job. They were sent packing last week.

He's not the first and he certainly won't be the last to move his company
overseas because of the govt's anti biz policies.

------
dgzl
From what I understand, Australia (and other nations) don't give their
citizens explicit rights, such as to personal and property privacy.

~~~
jaza
Australians have very few constitutionally guaranteed rights (compared to
countries such as the US). The Constitution only gives us the right to vote,
the right to a trial by jury, and freedom of religion (and a few others). But
many more rights, including extensive privacy rights, exist in statute law and
elsewhere.

The main argument against adding more rights to the Constitution, is: "we
don't want to end up with obsolete rights that do more harm than good, and
that are virtually impossible to get rid of, like the US with its right to
bear arms".

~~~
tracker1
The U.S. actually goes a step further... the only rights the constitution
actually spells out are the rights of government. Most encroachments have been
under the guise of "interstate commerce" or "taxation" in general...

> The powers not delegated to the United States by the Constitution, nor
> prohibited by it to the States, are reserved to the States respectively, or
> to the people.

As to the bill of rights, so long as the police are armed and can act with
impunity... imho, the populace should be able to be armed. I don't personally
own a firearm... I also don't spew racist rhetoric. I am a strong believer in
all civil rights.

~~~
Sabinus
Maybe if the police in America wasn't armed to the teeth and scared of being
blown away by armed populace they wouldn't act like they do. For a country who
keeps guns to hold governments accountable, your government is just as
unaccountable as everyone else; if not more so.

~~~
12298765
We've also been around for longer than anyone else with a modern democracy,
and our goal is longevity of a sustainable relationship between the people and
their government.

We have some issues in our country right now, but I have a good feeling we'll
get them worked out in the next few years.

Many of our laws and rights are in place not for short term feelings about
safety between people and police, but for long term safety of the people from
a tyrannical government. And that tyrannical government might take hundreds of
years to begin to form in a democracy... But the bill of rights and ability of
the people to feel secure without their government's support, keeps the
government from getting too power-hungry or separating too far from the will
of the people.

~~~
dragonwriter
> We've also been around for longer than anyone else with a modern democracy

No, we haven't. In fact, we copied it largely from the UK. (We didn't like the
fact that as a colony we didn't get representation in the national legislature
or the full range of rights citizens in the UK itself had, but, hey, the US
does the same thing. Initially, and still partially, even to its _capital
district_.)

We've got the oldest surviving written Constitution, sure, but that's a
different issue.

~~~
why_only_15
The US has a very different system in a lot of ways. The UK doesn't have a
formal constitution, its executive is subject to the legislature in a way it
isn't in the US, one house, etc. The UK is a parliamentary democracy and the
US is a republic. Also, the UK wasn't a democracy in any meaningful sense in
1776. The History Of Parliament Online is a very useful resource
([https://www.historyofparliamentonline.org/research/constituencies/constituencies-1754-1790](https://www.historyofparliamentonline.org/research/constituencies/constituencies-1754-1790)).
Out of some 6 million people in 1776 that lived in Britain, approximately
100,000 had the right to vote, most of which were in a small segment (i.e. the
ability to vote was highly geographically concentrated).

~~~
dragonwriter
> The UK doesn't have a formal constitution

The UK doesn't have a single written document that lays out the Constitution,
but I wouldn't necessarily call the Constitution _informal_.

> its executive is subject to the legislature in a way it isn't

True.

> one house,

The UK still has a bicameral, not unicameral, legislature, though it now has
priority in the lower house (unlike the US, which retains greater power in the
undemocratic upper house, a feature it copied from the UK which has since shed
it.)

> The UK is a parliamentary democracy and the US is a republic.

The UK is a representative democracy with a ceremonial monarch and the US is a
representative democracy without a ceremonial monarch; the absence of a
monarch is the sum total of the difference indicated by “republic”.

> Also, the UK wasn't a democracy in any meaningful sense in 1776.

Neither, though, was the US in 1776, or 1789, for much the same reason: the
colonies had imported and retained (in some cases added to) the kinds of
restrictions on the franchise found in the UK, and kept them past the
revolution and Constitution, which left decision of who could vote to the
States (and, while not in the federal government, also often had even more
stringent property, etc., requirements for office _holders_.)

------
dreamcompiler
I was about ready to move all my email over to Fastmail before this happened.
But not now.

~~~
doorbellguy
There was a thread I made about ProtonMail v FastMail and this one point came
up at the top. However ProtonMail’s inability to support standard clients
without an awkward bridge app seems to take the edge off it.

[https://news.ycombinator.com/item?id=19372882](https://news.ycombinator.com/item?id=19372882)

~~~
C14L
> ProtonMail’s inability to support standard clients without an awkward bridge
> app

Isn't that one of the pros of Protonmail? All the data is encrypted and
decrypted on the client. There is no way to have mail apps access the data
without a piece of software that handles the encryption.

~~~
ams6110
Unless you only send email to yourself, the hole in that idea is that all the
recipients have a copy of your email.

~~~
jeremyjh
So I should store all my bank statements in clear text because my bank has a
copy of them too?

------
kdtsh
Who could have guessed that laws which turn encryption into a legal quagmire
in Australia would make companies that do encryption things less interested in
working in Australia ...

------
pgkyc
Here are my thoughts on jurisdictional sovereignty, in terms of your data, and
how an American company calling out Australia is the pot calling the kettle
black.

[https://www.krisconstable.com/its-time-to-think-about-jurisdictional-data-sovereignty/](https://www.krisconstable.com/its-time-to-think-about-jurisdictional-data-sovereignty/)

------
vmware513
Hey Microsoft, please move your Data Centers to New Zealand. ;)

------
carmate383
The Australian government is increasingly becoming an abuser of human rights.
I could not have left fast enough.

------
coldcode
My employer (S&P 100 sized) is rapidly deciding to move away from all
Atlassian products including Jira. If enough people stop doing business with
Australian tech companies, this law will likely be punted. Money talks,
politicians run.

~~~
brokenmachine
Is your employer a mining company?

If not, the Australian government doesn't care.

Sell all the things!

------
lugg
It's ok, a lot of us Australians work for the major USA tech companies anyway.

What should be more concerning is that your govt uses our govt to spy on you.

You didn't really think it was Australia that wants your secrets did you?

------
chirau
I'm just sitting here looking from Africa smiling... eventually you'll come to
us.

------
Dravidian
Beware that Indian companies can hand over your data to Indian agencies
anytime without any court order[0].

[0]:[https://m.slashdot.org/story/350062](https://m.slashdot.org/story/350062)

------
alfiedotwtf
In case anyone has any questions regarding the AABill (now TOLA), please see
[https://news.ycombinator.com/item?id=19508937](https://news.ycombinator.com/item?id=19508937)

------
otabdeveloper1
"Nice user network you have there. Be a shame if something happened to it,
eh?"

- Always yours, Microsoft.

------
mbrodersen
Yeah as if the NSA/FBI doesn't have the same powers in practice in the US.

------
xiaodai
It's quite sad that Australia has such a stupid law.

~~~
chirau
Are you sad about any of the "stupid" (relative and subjective term) laws in
the US? Would be curious to know which, if any.

~~~
why_only_15
What? Of course everybody has some laws they dislike that are stupid. To get a
sampler, check out @crimeaday on Twitter
([https://twitter.com/CrimeADay](https://twitter.com/CrimeADay)).

