
Australia’s vague anti-encryption law sets a dangerous new precedent - djsumdog
https://protonmail.com/blog/australia-anti-encryption-law/
======
Taniwha
(essentially repeating a recent twitter thread here)

Imagine you work in a modern software house and you get one of these ... and
here I mean you, not your boss, not your coworkers, the govt knocks on your
door and demands you put a back door in the thing you are working on at work
...

So you write the code ... how do you write the unit test? how do you get it
past the code review? the mandatory QA tests? ... all these things are
designed into our modern software design processes essentially designed to
stop bad stuff like this happening ... what happens when you get caught? you
lose your job, get blacklisted in the industry, after all you can't tell them
the govt made you do it (on your CV/resume trying to explain why you were
fired)

Equally say you run a big open source software project and you have valued
contributors from Australia, people you trust and depend on ... what do you
do? refuse them commit right? explicitly audit their every checkin? ask them
to move on?

Suppose you buy closed source code from Australia .... you can't trust it in
any way, even if you trust the company any one of their employees may have
been asked to suborn the code you've paid good money for ... any smart
purchaser is simply going to put Aussie software on the "do not purchase" list
.....

So how do I find out which software on Android Play is written in Oz?

~~~
BLKNSLVR
This:
[https://twitter.com/alfiedotwtf/status/1070047303275175936](https://twitter.com/alfiedotwtf/status/1070047303275175936)

Which is absolutely brilliant.

~~~
Taniwha
yes that's the thread, thanks

------
cyphar
While I understand why they didn't mention this (because it's not clear if
this interpretation of the bill is correct -- given there is currently no
common law around it), I would like to point out what is the most concerning
thing (to me) about this legislation.

It potentially allows the government to turn employees into saboteurs.
According to s.317C(6), a "designated service provider" can be someone who has
developed software that is likely to be used in an electronic service that has
one end-user in Australia. This is a very wide net and immediately includes
effectively every free software developer, and the employees of every tech
company. Now, there is an argument to be made that employees don't qualify
(because they're acting on behalf of their employer), but that's not clear at
the moment. It also includes sysadmins (or even _ex-sysadmins_ ) as people who
can be "activated" as saboteurs.

It should be noted that it's very unlikely that this legislation would result
in the Armageddon most people (including myself) are quite worried about. I
imagine it's much more likely this power will be used against a few big
players (Apple, Facebook, Google) in order to add features like being able to
add additional devices to group chats (or something like that). But obviously
the law gives them _much_ more power than that, and that's a very big concern.

(And the fact that only 2 MPs voted against it tells me there's almost
certainly some back-door dealings that resulted in this bill being passed.)

~~~
drngdds
>This is a very wide net and immediately includes effectively every free
software developer, and the employees of every tech company.

This doesn't seem very meaningful? I live in the US. If the Australian
government goes to me and tells me to sabotage my employer, I can tell them to
pound sand.

~~~
pera
I am really not trying to be an alarmist but couldn't one be extradited to
Australia for not complying?

~~~
jeeeeb
Non-compliance with a TAN/TCN is a civil mater and the law explicitly states
that being required to do an act or thing in a foreign jurisdiction that would
contravene the laws of that jurisdiction is a defence for non-compliance.

~~~
mcherm
> being required to do an act or thing in a foreign jurisdiction that would
> contravene the laws of that jurisdiction is a defense for non-compliance

There is no law in the US prohibiting me from creating an alternate login
screen for one particular customer just in order to capture their login
password. So as a US citizen I have no defense within Australian law against
an Australian demand that I capture the password of one of my users... perhaps
a parliament member of the Australian opposition.

I can choose to simply ignore the demand. The US will not extradite me for
violating a foreign law that does not have an equivalent in US law. But I
suppose I can never go on vacation to Australia.

~~~
jeeeeb
Are you sure there is no law against this in the US? Isn't this potentially:
1\. Circumventing an electronic protection 2\. Unauthorised access (if your
employer does not authorise the changes) .etc.

~~~
mcherm
Yes, I am fairly sure.

> Circumventing an electronic protection

> Unauthorised access

The company providing the protection cannot _by definition_ circumvent it or
be unauthorized. If a third party decides to deliver a payload to your browser
to discover your Facebook password, then they are violating the DMCS in the
US. But if Facebook decides to deliver a payload to your browser to discover
your Facebook password that is simply them doing business in a different
fashion. This isn't a violation of US law, so refusing it do it _would_ be a
violation of Australia's very poorly-considered new law.

~~~
jeeeeb
I'm obviously not an expert on US law but I find it very hard to believe that
it is legal for an _employee_ of a US company, without the permission of that
company to put up a fake login page for particular users and then provide that
information to a foreign government.

Now if the TAN/TCN was issued to a US based company that would be a different
issue but then you as an individual would not be in violation of it.

Not that that makes it a better law, but I think for people not physically in
Australia the risk of being issued an enforceable (under Australian law)
TAN/TCN is quite low.

~~~
rendall
It is not legal. It would break so many laws that a prosecutor would have a
difficult time sorting through them all.

------
zmmmmm
I'm grappling with what to do about this law. I develop software in Australia,
for a company, separately as a private software vendor and separately again as
an open source contributor. From what I can understand, this law can compel me
to silently insert malware into any of these. Morally I feel like I need to
modify the licenses, READMEs and terms of conditions for products I sell and
the contracts under which I do commercial work to clearly state that I may at
any time include malware into the software I supply, if directed to by my
government.

However unlikely, the idea that I could be commandeered at any moment to
betray the users of my software and ship malware to them sickens me. But I
also know that the reality of this happening is almost vanishingly small. I
genuinely don't know what to do.

~~~
ObsoleteNerd
Maybe something like a warrant canary makes more sense? An encryption canary?
Would that even pass with the new laws though?

Also you stating that you might have been forced to insert malware by the
government surely breaks the rule that says you can't tell anyone too, if I'm
understanding it correctly.

~~~
cyphar
Warrant canaries aren't necessary (nor are they legal in Australia). The law
allows you to provide aggregated statistics on how many requests you've
received in a 6-month period.

~~~
brokenmachine
Yes but a single request can include an unlimited number of targets.

They can literally ask for all communications of every one of your users.

~~~
zmmmmm
It would be very hard for that to pass the proportionality test in the law. I
know it's tempting to go for the worst case dystopian scenarios but it's
actually important not to go overboard. Politicians and other people with a
say immediately stop listening once they hear that. This law is extremely
problematic even with a conservative interpretation, so I think we should
stick with that.

~~~
brokenmachine
What proportionality test?

Lets go with how the law is actually written.

Say they decide hn is a den for hackers. I mean, it's right there in the name!

Hacking attracts a >3yr sentence - hence, we need the data of all hn users,
they're all potential hackers!

~~~
zmmmmm
The bill states:

The Director General of Security or the chief officer of an interception
agency must not give a technical assistance notice to a designated
communications provider unless the Director General of Security or the chief
officer, as the case requires, is satisfied that:

    
    
        (a) the requirements imposed by the notice are reasonable and 
            proportionate; and
        (b) compliance with the notice is:
          (i) practicable; and
          (ii) technically feasible
    
    

So I don't believe intercepting en masse the communications of all the
visitors to a web site purely based on its name would be seen as "reasonable
and proportionate".

~~~
brokenmachine
When thinking about such unprecedented powers, I prefer to consider the worst-
case scenario of the laws as written, rather than what seems currently
acceptable.

Because even if the current government is harmless, the next regime might not
be, and these powers are basically the equivalent of a nuclear bomb with
respect to privacy. They move the pendulum far away from what many would
consider reasonable for a free society.

These laws just seem so rife with loopholes and ambiguities that even as an
honest law-abiding citizen with nothing of interest to hide, I find them
honestly terrifying.

If they're doing these things for legitimate reasons then there would be
little reason to be against having reasonable limits to scope, reasonable
oversight, accountability, as well as real reporting on the actual number of
citizens whose data has been accessed.

The fact these concerns and all the consultation submissions from experts in
both legal and technology issues have been ignored makes me strongly fear the
whole law has not taken citizens right to privacy into account at all, and
that is a terrifying proposition.

~~~
zmmmmm
I agree with all of your sentiments, I just don't think that tactically this
approach results in a useful outcome.

~~~
brokenmachine
In what way does downplaying the possible consequences help tactically?

I'm hoping that if more people realize the implications of this horrible law,
there's more chance of the lobotomized public actually exerting some pressure
on our supposed representatives to actually represent us.

It's unlikely given the media has been painfully silent on the horrible
implications of this terrible law.

------
LeoPanthera
I am particularly concerned how this will affect Fastmail, an Australian
company.

I've hosted my mail there since 2002 and they've always been quite pro-
privacy. But I fear that such a stance is now literally impossible for any
Australian company.

~~~
cyphar
TCNs (which is the primary thing this article is about) won't practically
affect email providers, because email providers already have your plaintext
emails -- they don't need to implement new capabilities to intercept them. (As
an aside, I use Mailbox.org which has a feature to auto-encrypt incoming
emails to a PGP public key -- which means that only new emails would be usable
with interception.)

 _However_ there is now a no-warrant-required method of getting information
(in the form of TANs and TARs) which has no judicial overview -- previously
they would've needed a warrant. This is definitely a massive concern, but
given that _you_ wouldn't have seen a warrant previously (Fastmail would get
it) this is not a practical difference _to you_ (obviously it's a massive
ethical difference and so on).

But to be honest, I actually hope people stop using Australian services and
big companies start backing out of the Australian market. It's the only way
our dropkick government will realise how much of an own-goal this legislation
was.

~~~
bad_user
It’s not the same thing.

Don’t know Australian law, but for a warrant you need to demonstrate probable
cause in front of a judge. And that’s a pretty high bar.

~~~
briandear
The problem is that if a back door exists for government, it necessarily
exists for anyone.

Here’s Tim Cook making that point:
[https://m.youtube.com/watch?v=rQebmygKq7A](https://m.youtube.com/watch?v=rQebmygKq7A)

~~~
cyphar
I'm aware of that, but in the case of email service providers there is no need
for a backdoor. They have access to your emails on-disk since emails are
plaintext (in general).

------
gtbc
Australia has an unstable federal political system, with elections every three
years or less (this is baked into the constitution, so it will be hard to
amend). Imagine the US House of Representatives with the equivalent of Speaker
of the US House of Representatives as the Prime Minister of Australia as you
won't be far off. Unlike the UK, there isn't a strong civil service, and
unlike the US, the Senate, states and courts are weaker, and there isn't a
separate executive branch.

This leads to a revolving door of occasionally unsavoury characters getting
into positions of great, and virtually unchecked power. Giving these figures
enormous power without judicial oversight is deeply problematic. Checks and
balances are not a big thing in Australia.

~~~
ggm
Do you live here? I do, and while tiny nuggets of truth are in individual
sentence clauses, this is a very paranoid and over stated argument.

We have a high court. They reverse bad federal and state laws. Lots of bad
immigration decisions by ministers are being overturned. Mabo happened.

~~~
gtbc
The jurisdiction of the court is largely granted by statute is it not? In
fact, in the case of the bad immigration decisions you mention, the minister
has tried to pass legislation to restrict judicial oversight.

EDIT: And he is also alleged to have used his already considerable
discretionary powers to allow au pairs for politically connected individuals
into Australia in violation of their visa conditions, with no consequences.
Not exactly a ringing endorsement of the rule of law.

~~~
cyphar
The High Court's powers are defined in Section III of the Australian
Constitution. In fact, s73 explicitly disallows parliament from stopping the
High Court from hearing an appeal from a Supreme State Court.

~~~
gtbc
Does that have much to do with the matter at hand?

~~~
cyphar
"The jurisdiction of the court is largely granted by statute" is not an
entirely accurate statement (though there are restrictions on what you can sue
the Commonwealth for) . That was my point.

~~~
gtbc
There are actually significant areas that are excluded from judicial review.
[https://www.alrc.gov.au/publications/laws-restrict-access-
co...](https://www.alrc.gov.au/publications/laws-restrict-access-courts)

------
jmpman
Apple should suspend selling any products into Australia and announce layoffs
of all Australian employees for the day before the law goes into effect. The
Australian market is small enough to make a stand without impacting the bottom
line.

~~~
nojvek
Layoff all Australian employees. That just looks weak.

Apple is only pro privacy when it makes them more money. They already do
business in China. They have a fiduciary duty to their investors to not jump
the gun like that.

~~~
jmpman
If taking a stand results in higher confidence in their products in other
parts of the world, and higher sales, then it may be fiscally prudent to
abandon the Australian market.

------
cesarb
For free software, I wonder if reproducible builds plus a "certificate
transparency"-style check in the updater (only allow an update once several
build servers, preferentially located in separate jurisdictions, have
validated the build and published the corresponding source code) could help.
That is, make it impossible to push a backdoor to a single user without making
it public to everyone. Making updates anonymous (that is, never sending any ID
which could be used to target an update to a specific user) might also help.

~~~
cyphar
I don't think that's sufficient. We need devices that only allow software to
run that has been signed by TPM-resident keys on the device. Updates are only
attempted to be installed if the binary has been signed by multiple keys (by
people in different jurisdictions) and then the device prompts the user to
sign the update (which requires entering the TPM passphrase). Even if you
managed to compromise all of the developers you couldn't run signed code on
the device -- you'd need the user to install it.

And for bonus brownie points we could have reproducible build checking (a-la
certificate transparency) against the source repo, to see whether the binary
is different to the official one. However, I think the threat model might have
to be reconsidered (if all the developers are compromised, couldn't they
upload a bad hash to the certificate transparency trail with a dummy version
that only one user is given?).

I might write a blog post about this actually, though I'd need better experts
than myself in IMA (which is what you'd use on Linux for this) and other
secure-boot work.

------
robryan
One of the worst things about this bill is that the opposition knows it is
full of problems and could have blocked it and forced a range of amendedments.

The Labor party here though is afraid of creating any point of difference on
anything that could in any way be considered “national security” legislation.
So instead of risk a lengthy period over the summer break where they would be
attacked if any kind of terrorist attack happened they caved and passed the
original version.

~~~
talaketu
There is a bipartisan consensus on security and other matters in Australia.
Most policy development in Australia is driven by the unelected agencies and
departments that survive their political masters.

There is nothing in the values and philosophies of the ALP such that they
would not have legislated this agenda were they in government rather than
opposition.

There are so many other examples of this over history, such as the GST,
Australia Card, refugee policy, copyright laws.

~~~
brokenmachine
_> There is a bipartisan consensus on security and other matters in
Australia._

Unfortunately, in this case, all the experts (and commenters here) seem to be
in agreement that security has been significantly weakened by bringing in
these laws.

------
danieltillett
I am an Australian software developer. There is no way I am putting any
backdoor into any software I write and I am willing to go to jail if needed.
If all us Aussie developers tell the government to go jump this stupid law
will fail.

~~~
cyphar
The punishment for non-compliance is civil fines, not gaol time. _However_ I
believe it's technically possible for them to push you into bankruptcy by
making many requests and revoking them after you refuse them (fining for each
copy of the request they resend to you).

~~~
danieltillett
Well then bankruptcy it will have to be if it comes to this. A mass outbreak
of civil disobedience is the only way to fight this.

------
Animats
What problem does Australia have that could possibly justify this? Gangs in
Sidney? Drug traffickers from New Zealand? Terrorists from Vietnam?

~~~
thiagocsf
Being the the country with the weakest civil rights protections in the 5 eyes
allows us to be used as a test bed.

If this thing goes smoothly, expect the same to be attempted in UK, US, NZ and
CA.

~~~
A2017U1
It doesn't need to be implemented anywhere else, the wording of the
legislation specifically says they can ask on behalf of other nations.

------
XorNot
It's not much but I'm writing my local member, paper-copy, about this right
now and encourage any Australian to do the same.

It's the least you can do, costs a dollar, and politicians react to getting
stacks of paper more then they do emails.

------
aichi
It is not about PR with malicious code, I expect. I think the PR which will
have backdoor code wold bump version of some dependency package only. Like the
targeted attack on Bitcoin vallet few weeks ago. If you or your company isn't
scanning dependencies you would never discover it.

------
rcaught
How does this affect the AWS Sydney region? Will KMS and CloudHSM be under
threat of a backdoor and this propagate to all systems that base themselves
off these products?

------
retrogradeorbit
The thing that makes me most despondent is, you just watch them all get voted
back in next election.

~~~
cyphar
It looks like Labor will win next election, but that really doesn't matter.
Labor voted for the bill unanimously.

~~~
thiagocsf
Shorten’s strategy to lose the battle/win the war has soured my view of him
forever. He’s revealed himself to be a man of no principles.

~~~
ux-app
> soured my view of him forever. He’s revealed himself to be a man of no
> principles.

I don't have a strong opinion of Shorten one way or the other, but I've read a
lot of people express a similar POV and it strikes me as extremely naive.

If you went into politics with a view to die on your sword rather than
compromise any of your values you'd have a very short career. Losing the
battle to win the war is the only way to achieve anything.

I mean, be realistic. If the ALP had blocked the bill it would be political
suicide for them. For now some nerds (us) are debating the issue on an obscure
forum. The alternative would be for every man and his dog having our corrupt
media ram the "Labor has made it easier for terrorists to kill you" story down
their throat for the next few months.

~~~
stonith
> If the ALP had blocked the bill it would be political suicide for them.

They opposed the bill over the weekend and then backflipped because if there's
an attack over Christmas they'll look like fools. I don't think that risk was
worth selling out 25 million people, but maybe that's just me. They get
attacked constantly in the media anyway, it's not going to make much
difference.

------
tempodox
That means, nobody outside Australia can afford to let an Aussie anywhere near
a computer, since Canberra will send them to prison if they don't spy or say
anything about it.

~~~
brokenmachine
Don't let us near your phones either. Every Aussie is a government-mandated
blackhat hacker and spy now.

------
edoo
Imagine you run a secure webmail provider where all data is truly encrypted
and served up to the user that decrypts it using a 3rd party javascript
library that isn't even hosted on your site.

Based on the wording of this they could compel you to target that user and
serve up a javascript decryption library of the governments choice.

In a similar vein they could compel Android/MS/IOS system updates to include
trojans in search of decryption keys.

Edit: This is a good argument to only use Linux or BSD. Unless you had some
sort of management contract it would be near impossible to be directly
targeted with system updates. They'd have to get the signing key for your
distro and intercept/rewrite package downloads. I bet you this is standard
affair for high value targets. If you were paranoid you could update or mirror
through a proxy.

~~~
ColanR
That's why in-browser email should never be considered secure against an actor
of this scale.

------
brokenmachine
It will be interesting when we have our first outbreak of phishing, claiming
to be ASIO and demanding backdoors to all IT infrastructure.

Literally any employee would be subject to these laws. They could just quote
the laws and demand that any employee installs malware or creates a backdoor
admin account.

------
banku_brougham
Regardless of what becomes of this horrific law in practice, a whole class of
workers now need to spend time on legal research, money on legal advice, and
prepare for contingencies that could truly upend their lives.

------
askvictor
Consider Signal, which is open source and not based in Australia. If AU wants
to intercept a signal message, then presumably they would need to either force
Google and/or Apple to push a custom app to a specific user, or take over the
entire phone (again, via Google or Apple). In the first case, is the app that
comes from the app store somehow verifiable, or do you need to build from
source to be sure? Is there anything that can be done about the second case
(which I suspect is the general intent of this law)

~~~
cyphar
I think that, for long-term security, we need to have devices that are
resilient to orchestrated sabotage by the vendor. The current approach by
Apple is great, until Apple is compromised in one way or another.

I have some idea for how this could be done (TPM-resident signing keys on each
device, which have to sign all binaries before they can execute). I might end
up writing a blog post about the idea.

~~~
gruez
Sounds like applocker in windows

~~~
cyphar
My experience with AppLocker is that it doesn't really work. As high-school
students we would trade ways to break it to play games on our laptops (we were
given school laptops which had AppLocker). If high-school students were able
to figure out how to break it, I have no doubt there are more serious issues.
In addition, I believe you can only whitelist based on:

    
    
      1. Paths (like AppArmor).
      2. Publisher (which I think is a signature, but is a signature of the publisher not the machine itself -- so a compromised publisher could give you a bad update silently).
      3. Hash (which is _okay_ but arguably requires more maintenance of the "good hash" list than requiring a specific signature -- though the nice thing with hashes is that you can disallow old ones).
    

On Linux we have IMA, and there is quite a lot of work on being able to use it
as a way of requiring signed-binary execution (it's still not there, from what
I've heard in recent talks). But even with that we'd need quite a bit of work
to create an installer that bootstraps TPM-resident keys and signs all of the
system binaries -- as well as requiring all new updates to sign said binaries.

~~~
askvictor
I often wonder if the cat and mouse game of high school IT restrictions is an
under handed way of training the next generation of security professionals.

------
lamerman
Considering this, ban of Huawei looks ridiculous.

~~~
peterkelly
It makes sense in a way. The government wants to make sure they're the ones
with the upper hand when it comes to surveillance, rather than China.

------
willfiveash
Creating and maintaining a large software project that "features" differing
crypto strength depending on the country it's being shipped to is a HUGE PAIN
IN THE ASS! I know because this was something I did for the Solaris
implementation of Kerberos. What an excellent way to introduce bugs that never
get tested. Crypto/security is hard enough to get right without added
complications like this.

------
Jedi72
Do we trust Intel chips are free from gov backdoors? Or that Microsoft/FB
arent in bed with the NSA? I would say the precedent has long since been set.

~~~
mimixco
You're right, but this is the first time (I know of) that a government has
explicitly required backdoors and forcing tech companies to download
malware/spyware to their customers' devices. This new law brazenly makes
encryption useless and sets a dangerous precedent.

~~~
djsumdog
There was an attempt to do this in the 90s in the US, but it failed. There's a
paper titled "Keys Under Doormats" that outlines the debate of that era:

[https://www.schneier.com/academic/paperfiles/paper-keys-
unde...](https://www.schneier.com/academic/paperfiles/paper-keys-under-
doormats-CSAIL.pdf)

------
dbg31415
Two relevant humor bits.

* Honest Government Ad | Anti Encryption Law - YouTube || [https://www.youtube.com/watch?v=eW-OMR-iWOE](https://www.youtube.com/watch?v=eW-OMR-iWOE)

* Encryption: Last Week Tonight with John Oliver (HBO) - YouTube || [https://www.youtube.com/watch?v=zsjZ2r9Ygzw](https://www.youtube.com/watch?v=zsjZ2r9Ygzw)

------
quantum_state
This is as outrage as forced implementation of external device into a person's
body. All civic person should rise up and protest against it.

------
bsg75
This is what happens when policy and law makers are essentially uneducated in
the modern world. A law degree does not prepare on to understand technology,
medicine, or even social issues.

Government needs lawyers in the body, but if as a whole it lacks a broad
education, it essentially lacks an education.

If only we elected like we hired.

------
brokenmachine
Have any tech giants like Apple or Google commented yet?

They should be the ones leading the charge against this draconian insanity.

------
amelius
No more ssh at work ...

------
tempodox
The last government I remember that wanted every citizen as a potential spy
was the German “Democratic” “Republic”. They should have patented their
business model and sold it to Australia.

------
metta2uall
How about we take a bigger-picture view than the implementation flaws of this
super-rushed law and ask what is to be done about encrypted messages that
allow many serious criminals to circumvent traditional police powers of search
& surveillance? I think society as a whole will not accept criminals having
such an advantage. So I think alternative laws have to be suggested &
promoted, otherwise potentially really bad ones are likely to get passed
everywhere..

~~~
whiskers08xmt
Coded communication is nothing new between criminals, and weakening the
security/privacy of Australian software is not going to solve this problem.
Weakening encryption of Australian software is not going to work against
organized crime; These organizations are quick to adapt to changing law
enforcement techniques. It is, however, going to make it much easier to
surveil the general populace.

~~~
metta2uall
There will always be some criminals who are sophisticated enough to evade
surveillance (until they make a mistake) - but that doesn't mean it's useless
as many violent and/or organised criminals do get caught. Many get caught even
with old-fashioned phone taps.

Also, aren't there ways of implementing targeted surveillance without
weakening privacy/security very much, if at all? For example, targeting a
specific user/device and making sure all exfiltrated data is encrypted with a
public key belonging to the police.

------
ohiovr
If the government has open source software poisoned would they eventually be
victimized by their own policy?

~~~
brokenmachine
In my opinion it's inevitable they will be victimized by this policy.

If you think about logistics, the govt will probably need to come up with
standard ways of implementing backdoors and API for sending data back. It
won't be a whole new system for every targeted company.

Every unwilling company/individual served with a notice will be aware of those
methods. How long until those methods and/or keys are leaked?

After that, the hackers have unlimited time and motivation to break what will
be the world's largest honeypot.

Also, it's only a matter of time until politicians will use these new powers
against each other/their political enemies. Even State Police are getting
these powers with no judicial oversight.

Many of the largest data breaches have been from government departments, and
in my opinion this will be no different. I know they didn't leak everything,
but even the NSA with their budget couldn't keep all their data secret.

------
DyslexicAtheist
warrant canaries, but for individuals

~~~
cyphar
The law allows you to provide statistical information about how many of the
relevant notices you've received within a 6-month-window. So there's no need
for warrant canaries (which is a good thing, since they're not generally legal
in Australia).

~~~
brokenmachine
A single notice can request the data of every single one of your users.

~~~
cyphar
This is not necessarily true (as discussed elsewhere in this thread), but even
if it was true you could still tell people that you've received 1 request.
This fulfils the same properties as a warrant canary.

I'm currently talking to some lawyers about how flexible the 6-month window
might be. (Can you give overlapping 6-month windows? What if you give a new
6-month window every day?)

------
shmerl
It's called a law that has unrealistic expectations on reality. Society simply
would refuse to obey such "laws".

------
TomMarius
Doesn't this directly contradict GDPR?

~~~
SpicyLemonZest
Data for the purpose of law enforcement is generally exempt from GDPR.

~~~
djsumdog
Plus Australia is not part of the EU.

~~~
TomMarius
And? Any service that serves European customers needs to adhere to the GDPR.

~~~
HumanDrivenDev
It's possibly a good commercial decision given the size of the EU market, but
a lot of people seem a bit delusional as to how much of an authority the EU
is. They can't compel people outside their jurisdiction with the GDPR, anymore
than Australia can with this law.

~~~
TomMarius
Actually they can - the second you place your foot on EU (or collaborating -
extradition treaties) soil, and of course if you want to do business in EU
then you need to have legal presence in the EU.

~~~
HumanDrivenDev
But if you set foot inside the EU... you are in the EUs jurisdiction.

Extradition treaties are usually subject to 'dual criminality' \- so you would
have to be breaking the country you are in as well to be extradited for
violation of that same law to the EU.

And be realistic. The US hasn't even successfully managed to extradite Kim
Dotcom from mighty New Zealand.

------
exodust
Don't worry, nobody is going to build back doors into anything for a
government which can't keep its own pants from falling down every couple of
weeks. They're fishing for likes, desperately wanting to "keep Australia safe"
with political spin and rushed laws, just in time for Xmas.

People can already have 100% private verbal conversations in person without
anyone listening or knowing what was said. In the 21st century, this full-
proof mode of communication has simply extended to digital mediums via
encryption. They need to face reality of the modern age, and move on.

~~~
retrogradeorbit
But don't forget these fools whose pants constantly fall down can do
horrendous damage as they run smack bang into the modern age. And they are
unlikely to "move on". They are more likely to wreck everything, and then when
they fail, try again but worse.

