The page for the inquiry is:
The email address for submissions is:
A submission only has to be a few lines, so just bang out a few words. Whilst a well researched submission is the gold standard, even a rudimentary email will send the message that people care about this issue and counter whoever is whispering in politicians' ears. Anything is better than nothing.
Less time critically, you also need to write to or call your federal MP.
The committee might also be swayed by submissions from non-Australian experts? Australia first, your country next.
It's very entertaining, and explains it in a way that everyday people can understand how bad it will be. I highly urge all Australians to send this video out to your circles.
(No affiliation, it came up in a previous thread about this topic)
Every video is hilarious.
* thejuicemedia - YouTube || https://www.youtube.com/channel/UCKRw8GAAtm27q4R3Q0kst_g
Suggested videos similar to the one above.
* Honest Government Ad | My Police State! - YouTube || https://www.youtube.com/watch?v=XlUQMH19BkQ
* Honest Government Ad | Article 13 (Internet Censorship Bill) - YouTube || https://www.youtube.com/watch?v=89ZkydX0FPw
Absolutely, specifically if you're living in a country that is a member of the Five Eyes.
They've actually been surprisingly transparent that this is a coordinated effort. The Official Communiqué opens with:
> We, the Homeland Security, Public Safety, and Immigration Ministers of Australia, Canada, New Zealand, the United Kingdom, and the United States met on the Gold Coast, Australia, on August 28-29 2018, to discuss how we can better collaborate to meet our common security challenges.
Full read: https://www.homeaffairs.gov.au/about/national-security/five-...
That means that the Australian government could just order a company to hand over their PKI/signing infrastructure (which is generally a global system) and then forward all of this information to the US or whoever else, completely outside of any judicial oversight.
I'm sure that the governments in question will deny this, and likely state that this is not their policy, but it doesn't seem to be specifically prohibited by the law and the intelligence community doesn't have a great reputation when it comes to respecting traditional legal values and due process (e.g. the FISA court in the US)
Aus + UK + US are the real drivers.
Dutton is being fed from defense dollars, from the US.
The Stockholm International Peace Research Institute ranks Australia as 13th, at 2% of Australia's GDP.
Which is below the worldwide average of 2.2%, although given our geographic remoteness and relative security, I absolutely agree that it's too much.
The International Institute for Strategic Studies places Australia at 12th.
UK and Australia are the test beds. US is the target. From there it flows onwards and outwards. Like raw sewage over the Niagara Falls.
The AU my.health opt-out debacle is similar. UK got in first, promised they wouldn’t sell the data then did so. AU then started by copying the UK’s best practice. So... fun times ahead.
They’re still trying to get the gun laws fit for size in the US but the political climate and history is too different. And the attempt on the health system via Obamacare didn’t quite take either. More time needed apparently.
Actually, so are our gun control laws, and they were motivated by mass shootings on our own soil, namely the Port Arthur massacre, https://en.wikipedia.org/wiki/Port_Arthur_massacre_(Australi..., this wasn't some ploy by the US or the Five Eyes. The Australian public wanted this, and absolutely still do, myself very much included.
So by omission you’re saying that the US won’t be getting these encryption laws. And that Australian style gun laws won’t arrive in the US either.
Wait... what? Do you always structure your arguments by putting words in other people's mouths then arguing against things they never said? In doing so you're wasting your and everyone else's time.
Not only are you wrong in your assertion. If you'd paid even the smallest amount of attention to the context in which you're posting you'd realise this. I'm the OP for this sub-thread, I suggest you read what I wrote.
Now that we've got that aside...
> And that Australian style gun laws won’t arrive in the US either.
We're talking about the Assistance and Access Bill. Stop trying to validate some totally unrelated belief you hold by loosely latching on to valid arguments that myself and others have made here. The reason I responded to you is that I want to make it perfectly clear to anybody reading this...
I do not hold your views. These are not related issues.
However, Australians are far from perfect. In particular being isolated geographically means lack of exposure to other cultures and leads to a significant portion of society being "casually racist", which sucks. All our modern political parties are a joke as well, and due to our small economy we are in many ways a puppet of the US i.e. this bill.
So no, I don't think we're a metric for how it should be. But the really depressing part is that with all the negativity I've just listed (and there's certainly more), we still have our shit together more than a lot of other countries. That's far from being a reflection on Australia being "good", rather it's a reflection on how bad a significant portion of the world is.
P.S. One positive thing about Australians is that the majority of us aren't particularly patriotic. So we will happily admit to how big of a disgrace our country can be!
Where do you live? You're very clearly entirely ignorant about the issue you've raised:
Our Prime Minister issued an official apology for the abhorrent acts that took place and led to the term "the Stolen Generation". That doesn't even remotely make those acts okay, but to suggest that it's not even acknowledged by the Australian people is just outright ludicrous.
EDIT: By the way, there's also something called "National Sorry Day", which is kind of a big deal in Australia, I suggest you Google it.
I had meant to compare Australian Medicare to when something equivalent was introduced in the USA. However, I really don't know much about the US system. I had very much incorrectly assumed that the Affordable Care Act had introduced legislation bringing in changes making it fairly comparable to Australian Medicare. Alas, that doesn't seem to be the case, they're still extremely different systems.
Also, a little extra research tells me that what I consider to be "Australian Medicare", wasn't actually introduced until 1984, which is when our healthcare became universal.
Help us out! When I google this term I just get "best breeds" lists.
I'm writing to oppose the 2018 Assistance & Access Bill. Although I recognize the difficulties encryption poses to law enforcement & counter-terrorism, it is not a strong enough reason to compromise the safety, security & privacy of 24 million Australian citizens.
Every Australian has a right to reliable, mathematically guaranteed privacy & security, not compromised/undermined by oppressive legislature.
Neither domestic nor international companies should be required to assist anyone in breaking privacy protections, nor should warrants allow access to protected devices, and nor should existing legislature be strengthened.
Would these changes help law enforcement catch a few criminals? Probably. Will it weaken the safety, security & privacy of millions of respectable, law-abiding Australians? Definitely.
I really hope this doesn't pass.
Also +1 for a good template.
I will say, I found the bill palatable and sympathetic to the concerns of industry. I am impressed at the delicacy of the bill. I still disagree with it fundamentally and emailed to that effect. But I am impressed by our government's ability to read the situation.
I am a business owner, an employer, a technologist, a programmer and a company director.
I oppose this proposed bill on the basis of it weakening the effective security of Australian Internet service providers, which would be bad for national security. I would like to raise the following points:
1) The proposed bill will inevitably lead to the creation of systemic weaknesses in the security of Australian companies that provide Internet services or products.
The burden of complying with voluntary requests will lead to new, exploitable "backdoors", despite what the home affairs department asserts.
Whether these backdoors are electronic, or process based (i.e. responding to a fraudulent request), the bill would mandate companies to effectively create new attack surfaces; weaknesses in operational security introduced to comply with the bill.
2) The Internet can only facilitate services like payments, banking and communication because of encryption. Encryption is based on mathematics.
You do not need to understand the mathematics to understand that if you provide an alternative to the encryption, you provide a weaker level of security.
As a result, Australian financial, communication or payment services are less secure than international counterparts not burdened by this backdoor.
3) Any crime under investigation can be investigated by existing legal procedures. It is proper for a warrant to be required to access any secure or private information.
4) Providing a "back door" for law enforcement is not necessary. This bill is akin to providing a backdoor for law enforcement to enter a person's home or business without seeking a warrant from a court.
5) Encryption is good. Encryption makes the Internet work.
Australia has critical infrastructure that can only function with proper encryption. Encryption is easily invalidated by inadequate process or procedure. This bill would encourage (or require) Australian companies to compromise their security practices.
Please don't assume that the laws of mathematics can be overruled by the laws of Australia. This would be foolhardy, and not in the interest of Australia's national security.
I will also be writing to (and maybe phoning!) my MPs and Senators, and I anticipate this bill will go to a Senate committee for inquiry at which point there will be a further opportunity for submissions.
edit: and oh yeah, don't forget to contact your senators, not just your local MP. I only have 2, those of you who have 12 may have a few crossbench senators who will be crucial if, somehow, Labor can be persuaded to vote against, and in any case could have an outsized impact on proposing amendments to make the new powers less-bad.
Edit - Here's the letter we wrote:
Hello, we are a collection of employees who work for Atlassian (a major Sydney based tech company) and we’d like to give our view of why we think this bill is dangerous.
First and foremost, it will damage the view of Australian tech companies. If a foreign company is deciding between our products or a non-Australian company, but knows that Australia may have required Atlassian to build a backdoor into their encryption, the objectively better choice would be to choose the non-Australian company. This isn't just Atlassian losing because of this; the entire Australian tech scene will be damaged.
Secondly, a master key to unlock encryption is a master key that’s available to steal. Time and time again in the tech world we’ve seen “security that can’t be beat” get beat. Equifax lost nearly every American Social Security number. Bitcoin gets stolen every day because someone’s private key gets compromised. Even as far back as World War II, we saw encryption get beat because a master key (the Enigma machine) got stolen. History has shown us countless times that a master key leads to a non-secure product. Even if this bill is only requiring companies to provide the capability to decrypt information, that only changes who controls the master key. It doesn’t remove the damage to security.
Thirdly, requiring companies to be able to break their own encryption will never be a game you can win. Even if every company in the world were compliant with this bill, the tools to make your unbreakable encryption are trivial to find and use. Any agent that was an actual threat to national security would have the resources available to them to create a non-breakable encrypted communication method. The only people who would be affected by this law would be petty criminals, but the dragnet of its implications would affect every Australian citizen in its wake.
Fourthly, this will damage the Australian startup scene. When choosing where to fund a company, the laws and world view of a country come heavily into play. If someone is creating the next messaging app but the public opinion of Australia is that their products are legally required to be insecure, that person will choose a more tech-friendly company to start their company in. Not only that, but if a company knows there are more requirements for compliance in Australia, then it makes a startup’s job harder to release a product. Startups are difficult enough as it is, and lowering the barrier to entry (not raising it) is how you make a tech industry blossom.
Lastly, even if one agrees that the damage to security is worth the tradeoff, the lack of judicial oversight in this bill is extremely worrying. Giving multiple people the ability to issue notices without judicial oversight is a power no person should be able to exercise alone. Overall we feel this bill will harm not only the tech industry, but Australia as a whole.
So... Atlassian is for this bill?
This is a serious question, it's a pretty notable Australian tech company and is surprising to hear the company is unwilling to make a stand.
How are you going to reassure companies elsewhere that their company communications are secure when clearly they won't be?
For what it's worth, our CEO has been outspoken against this.
This isn't a, "we're doing this because our company is for the bill" type of thing. It's a "we're doing this because me and my buddies who are working late tonight found out about this so we drafted up a letter to the government". I just don't want to say that I'm representing Atlassian's stance without running things through legal.
Whether that call is met with abstention or otherwise is what I was wanting to infer.
Because at this point, abstention or sitting on the fence is as good as supporting the bill.
But yes, I also would have expected Atlassian and other Australian-based technology companies to vocally oppose this bill because it will actually result in their customers moving away in the long run (this bill will only affect companies incorporated in Australia or other 5-Eyes countries) -- because this bill explicitly requires companies to architect security systems to be insecure. Unfortunately this doesn't appear to be the case, which is incredibly disappointing.
> A high risk Registered Sex Offender (RSO) was placed on the register for raping a 16 year old female, served nine years imprisonment and is now monitored by Corrections via two ankle bracelets whilst out on parole. Victoria Police received intel that he was breaching his RSO and parole conditions by contacting a number of females typically between 13 and 17 years of age. Enquiries showed that he was contacting these females and offering them drugs in return for sexual favours. The suspect was arrested and his mobile phone was seized but despite legislative requirements he refused to provide his passcode. Due to an inability to access his phone as well as the fact that he used encrypted communication methods such as Snapchat and Facebook Messenger, Victoria Police was unable to access evidence which would have enabled them to secure a successful prosecution and identify further victims and offences. These are high victim impact crimes that are being hindered by the inability of law enforcement to access encrypted communications.
The limited information reveals they identified some targets, which means they would know (some of) his Facebook and Snapchat account names.
While the content of messages can be encrypted, the connection graph is not, so why couldn't Victorian Police request details of accounts the suspect's account had communicated with and request the parents of those users provide endpoint access to the encrypted chat history?
Why can't they do some old fashioned police work and interview the girls? Get a warrant and physically monitor his movements to catch him visiting them, or them visiting him? You know... investigate. It's what we pay you to do.
They don't get to treat every single one of us as criminals just because they can't be bothered getting off their arses and doing some work. If I tried to make that excuse to my boss (and I'm public sector like them), they'd laugh at me and tell me to get to work or find a new job.
> Enquiries showed that he was contacting these females
What are these mysterious enquiries? Why not follow up on those? If one or more of those victims was willing to give access to their devices/accounts they'd get the evidence they needed anyway.
I know this is a rhetorical question, but the answer is that the whole "THINK OF THE CHILDREN!" angle is a façade. The real reason to implement any of this is to gain more power over the populace by making meaningful resistance of the government harder.
Do not fool yourself: Australia is on a slippery slope towards a heinous future, and ignoring the UNDHR is one of the key steps it is taking towards that event horizon. It has never given a damn about the rights of Aborigines and Torres Strait Islanders, by way of example ..
That's a textbook example of begging the question, huh. Without the alleged evidence, they don't know if they would have been able to get a conviction or not.
It also presumes that none of the parents of those minor children would let police look at their kids' phones. If I were a parent in that situation and the police wanted to see what messages the accused had sent to my child, I'd break the speed of sound on my way to the police station to hand it over.
So all in all, what they intended was "OMG please think of the children". What I heard was "we have incompetent police who don't understand how the justice system is supposed to work".
I find it more worrisome that going after one person is more important than the privacy of a huge group.
If the general public knew what the ADF were doing, there would be bodies hanging from the flagpoles in Canberra. This move is a direct response to the fear that officials have, of Australians learning the truth about how the ADF is being used to effectively destroy civilisation in the Middle East and around the world.
However, the truth is out there, and it will be known. The clock is ticking for those who have allowed us all to be conned into the lies and trickery of the so-called 5-eyes new world order.
I tend to think that leaks will always happen, regardless of communications media, surveillance, and encryption. But your point isn't entirely unfounded.
I also just discovered that this law also criminalises (with a 10-year prison sentence) creating software vulnerabilities in anything that is part of public infrastructure. This means that you could arguably give any software engineer (that has ever worked on free software the government uses) a mandatory 10-year prison sentence for being a saboteur because they were "reckless".
That makes it sound as if they've got enough. Metadata Retention, which was legislated a couple of years ago, would be able to join the dots. Can't see the content, can match up sources, destinations, locations, and timestamps. Case closed - or at least it's up to a jury from there.
It's like they're requiring a high definition video of a murder being committed before they can charge someone for the murder even though they've got the murder weapon, motive, opportunity, and all those other things that almost guarantee a conviction.
Additional thought: What if the messages were deleted off the phone as soon as they were sent? Or accounts were added to the phone, messages sent, message deleted, account removed from phone? Like a smart criminal would do? The way they're desperately wanting this data makes it sound as if a lack of it could be used as defense evidence, which is NOT what the authorities would want at all.
They've got enough to make a convincing case. A smoking gun is a luxury, not a requirement.
Neither of these are encrypted communication methods.
> "A back door is typically a flaw in a software program that perhaps the -- you know, the developer of the software program is not aware of and that somebody who knows about it can exploit," he said. "And, you know, if there are flaws in software programs, obviously, that's why you get updates on your phone and your computer all the time."
> "So we're not talking about that. We're talking about lawful access."
And again, the warfare is linguistic dictionary wars all over again (like "collection" etc...)
He just redefines "back door" to denote 0-day in order to be able to define "lawful access" as the TrustZone root & automagical updates which is the backdoor they demand access to.
We allowed the government to open mail, open locks and tap phones with a warrant all of which were technically challenging.
Phone networks must be set up with specific dedicated access for law enforcement; heck, I remember crawling through the SNMP MIBs on my Motorola cable modem 15 years ago and discovering a whole class of them dedicated to lawful interception.
Most networking equipment providers even have guides on how to set these up:
And this is why the encryption battle is a bit odd to me as much as I would like encryption to be never tampered with we’ve already as a society agreed that the government in some cases should have access so what makes WhatsApp so different to a phone call?
If encryption isn’t a way to backdoor ourselves out of the existing legal interception laws then as much as I hate to admit it we don’t have a leg to stand on.
If it is then we should just publicly say that the government shouldn’t be able to tap phones regardless of what technology they are using to communicate.
And 10 years later when people wake up to it they come out and say "but we've been using this for a decade and it's been so helpful in our investigations!". And even if that was true, often they don't provide real proof, and also the government is almost never interested in doing a cost-benefit analysis for such things. Like it may have been "helpful", but how much damage did that lack of privacy and the existence of backdoors cause, too?
What Obama did with the NSA also doesn't have any bearing on this issue; if the NSA surveillance is warrantless it's another issue, and as far as sharing the contents of the interception with other agencies, well, it's again a different issue.
But again this isn't about the NSA, this isn't even about the US the question is and always was what makes WhatsApp any different than a phone call?
Your mobile provider by law must provide LEI of data, voice and text, now no one uses voice anymore, most people don't even text not without using alternative apps like WhatsApp or iMessage.
So what is so special about these apps that the laws don't apply to them? and if we are using encryption as a way to back out of the rights we as a society already granted our government then by all means let's do it publicly because there is no reason why the government should be able to tap the phone of a 90 year old grandmother but not yours just because you know how to use WhatsApp.
> Like it may have been "helpful", but how much damage did that lack of privacy and the existence of backdoors cause, too?
Practically none; all telecommunication equipment in the US and the West at large has LEI backdoors built in. These aren't used for exploitation, just like the fact that most mobile phones can be easily tapped by anyone with $100 worth of SDR equipment.
While these are technically a risk in practice they aren't really a risk because they still have a high barrier for entry, high risk, and essentially very low reward due to the lack of scalability.
This has everything to do with the US, and the NSA, because the legislation in question is part of a broader campaign orchestrated by the Five Eyes.
Digital data is actually afforded even fewer protections than your example of letters in the mail.
Yes, all changes are tiny/gradual and the huge effect they have in combination with all others can often only be seen in retrospect. That's what makes your "this barely changes anything, it was always this way" argument usually so hard to argue against. But in this case it is obvious how our lives are becoming more and more digital...
They can tap phones, and should be able to tap phones, along with VoIP, video calls, and mail. But while privacy isn't absolute, their ability to wiretap communications with a court order has never been absolute either, merely opportunistic.
These are opportunities they don't have available to them, and it needs to stay that way.
They should not be permitted to set aside all other concerns just to keep that wiretap and search ability in the cases where it comes up, because it simply isn't that important compared to all of the problems they will cause in the process.
People, including whistleblowers and political dissidents, even in the U.S., will be harassed, threatened, blackmailed, or even killed as a result of their tampering, and the government itself will misuse those expanded access powers, just like all the others they've publicly or secretly obtained.
No it was never opportunistic, it was always by design and mandated by law as telecommunication providers must provide LEI capabilities this affects how they design and implement their networks and the equipment they use which is why LEI capabilities appear even in CPE equipment such as your modem and the FCC and other regulatory bodies enforce this as part of their certification process.
The case here is that now the telecommunication providers aren't actually that useful for LEI or at least it's that WhatsApp/Facebook isn't classified as one because if it was it would be required to provide LEI capabilities by law.
>People, including whistleblowers and political dissidents, even in the U.S., will be harassed, threatened, blackmailed, or even killed as a result of their tampering, and the government itself will misuse those expanded access powers, just like all the others they've publicly or secretly obtained.
If we turn back the clock even only 5 years ago where essentially nothing was encrypted in a manner that would invalidate LEI this wasn't an issue, nor does it grant the government any new powers.
EDIT: Should have been posted under grandparent.
>We allowed the government to open mail, open locks and tap phones with a warrant all of which were technically challenging.
If we had a referendum on this ("should the police be able to access the communications of someone as part of the investigation of a crime?") I bet "yes" would win. Myself I also think it's acceptable. Don't think it's so clear-cut.
I highly doubt so, but if so it should be the way to go because there are backdoors in nearly every piece of telecom gear because the providers are mandated to provide LEI capability by law.
If anything, if the US has a trust problem with the government then it should be a yes rather than a no.
But anywhere else in the world there is also little to no chance that the population at large would be up for denying the government the ability to have lawful intercept and lawful access to any protected resource during an investigation.
In fact you might not want to deny them that right at all because it would essentially shift the majority of the evidence to circumstantial eyewitness testimonies.
Because why stop at a phone call? why should a government be able to search your residence? open a safe? read a diary? open your computer?
And if you deny them all that then what happens? sure at first the legal system would be in a transition phase where much less people might be convicted because under these new restrictions the prosecution won't be able to meet the bar required for conviction but fairly quickly as soon as conviction rates would drop the legal system would bounce back up and get used to the reality of less evidence and this isn't a good place to be.
Any development in forensic sciences and investigatory techniques has prevented innocent people from being charged and convicted just as it helped to convict the guilty (don't get me wrong I'm not saying it's perfect or that mistakes are not being made, but DNA for example had to exonerate as many people that it helped to put in).
So I'm not entirely sure we want to go back to the days where people were judged in court based on how many character references they could provide.
If it was already agreed there would be no bill.
Just because our forefathers succumbed to the scare tactics, fake news, logical fallacies, propaganda and plain old whataboutism does not mean we must also do so.
The people, society, law makers, whatever made their decisions and it is incredibly hard to undo them.
I would love to say today, hey you know what, it was worthwhile having law enforcement be given access in the past but in light of their abuse re Snowden et al, maybe it's time to roll some of this back. Because you know, the rewards no longer justify the means.
But you know what? That just isn't a workable option.
Now with that said, for the bill I question, it does not just plainly follow that we must make the same mistakes. We have hindsight and should take advantage of that fact, not just squander it.
But we've elected these politicians to ... create legislation!
Should leave it up to people like ... Zuckerberg? Jack?
Why not say, cryptographers, mathematicians, computer scientists that aren't multi-billionaires that actually do have your best interests in mind and haven't been corrupted by money?
Also, money corrupts without prejudice, even cryptographers, mathematicians, and "computer scientists".
If the only way to convict a suspect would be for them to self incriminate during testimony should the 5th amendment be waived?
How many other rights should be cancelled because they prevent law enforcement from having an easier job?
Banning guns to make doctors' jobs easier is out of the question but banning privacy to make policemen's jobs easier isn't?
I'm sure that there must be something in the Australian constitution that guarantees a right for the citizens. Should it be taken away just to make someone's job a little easier?
If someone just looking for holes in the law already sees this, what would the supposed to be knowledgeable politician do/think they are doing.
Note: It's wrong because you are creating a universal access point in encryption to violate the original intent of the encryption (which is end to end most likely). This would mean you sell/show end to end encryption which has a man in the middle no matter what you do. And if it is poorly implemented, which is often the case with backdoors, it is probably universally accessible. Even if they say it's not. As already stated by the author.
- The population of Australia is only 24 million, less than 1/10th of the US, and this would require expensive engineering just to sell to this market.
- Caving to Australia makes this look like an attractive option to other more lucrative markets.
- Some people would just import their own phones from overseas
- Software products are unlikely to desire to compromise their networks/products for Australia and it's 1000x easier to import software than hardware.
The best strategy would seem to be ignore Australia.
But... what I do know is that the Australian government is not the one to solve the problem. They're a small market, without a lot of technical expertise... having lived in Sydney for some time now... I know you don't want the Australian government involved in tech.
* Australian PM Calls for End-to-End Encryption Ban, Says the Laws of Mathematics Don't Apply Down Under | Electronic Frontier Foundation || https://www.eff.org/deeplinks/2017/07/australian-pm-calls-en...
* 1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool. - The Washington Post || https://www.washingtonpost.com/technology/2018/08/22/western...
* NBN regional connections to cost about $7000 per premise || https://www.news.com.au/technology/online/nbn/nbn-regional-c...
They should specify that any form of private communication cannot be encrypted end-to-end where the decryption keys are only accessible to the communication participants. Internet browsing, online shopping and banking transactions are allowed, as is communication which is encrypted by a service provider, and as such can be decrypted by said service provider upon request from law enforcement.
Anyone caught using end-to-end encrypted communications can AND WILL be fined.
The effect of this would be the same as what they're currently proposing, but they're currently hiding it behind words that most of the population don't comprehend, and therefore doesn't make the kind of mainstream headlines that it should.
By taking this weasel-worded approach the Australian Government is being intentionally ambiguous about their intentions and the effect of this legislation.
With the current scale of open source software, you can mandate a law for backdoors but countries that do not have such laws would be able to remove these backdoors from the open source software if they are ever put in. Simply banning OSS won't help either since many countries that have banned encryption still see widespread use of encryption software as the internet has no borders. Firewalls don't count because that is equivalent to trying to stop a million tunnel diggers from digging over the border all at the same time with a million more diggers ready to go. Ask China with their great firewall full of holes.
Backdooring or banning major providers like WhatsApp, etc will only push more and more people to an open solution that is globally distributed.
The only solution to gaining encryption access is the simple option. The option that if you are an interesting enough person, will get to play catch with a wrench while your hands are tied.
The question is under what criteria this will happen. Insider abuse? Government order? To make money?
Trying to make it illegal for companies to do this sort of thing on a country by country basis is worth pursuing, but it is not a real solution. We need to stop trying to use the law to enforce security.
The solution is to use tools that take court ordered backdoors off the table. Support open and federated communications networks where anyone can build their own clients or servers where pressuring of any entity can't put community built clients at risk.
There are a range of clients/protocols that meet these criteria, such as IRC with OTR, XMPP, IRCv3, Silence, Matrix.org.
Take your pick, and convince your contacts to use that instead of companies where you have to just take their word for it they won't backdoor you as it suits them.
The Signal -client- is open source, but the server is closed. Yes, partial server code is open, but running your own server is not allowed. The Signal signed clients will only talk to the closed server and Moxie has made it clear he does not want forked clients or clients not built by his team connecting to his network. Open source F-Droid builds are not permitted, and if you want updates you must use the Play Store builds. Those with open source phones must turn on unverified sources and risk man in the disk attacks to install the APK from the Signal website.
Security you can't fully verify is just called marketing.
This is not true at all, the server is entirely AGPLv3. You can run your own server, but they don't want to federate and don't want people to distribute forks of their code (that connect to their servers). What they want is irrelevant because the license they've put the code under explicitly allows you to do these things -- though arguably they are allowed to restrict connections to their servers because that's a freedom under AGPLv3.
So while I agree (and I explicitly said I agreed in an earlier comment) with the problems with Signal -- you are not helping explain why Signal has issues by spreading misinformation about it being proprietary. It isn't proprietary nor is it unverifiable, instead it is run by a company that has no interest in federation or solving much more important issues with their service. That is a serious enough problem that you don't need to make up issues that will just discredit legitimate complaints.
The source code for -a- Signal server is a nice gesture for anyone that wants to build a Signal fork but it does nothing to prove the Signal server actually in use is fully open source and does not have last minute patches applied. Can't run my own for the real network so I must hope an employee won't be pressured into changing live systems or signing malicious client binaries at any time with no one noticing. Seems we both agree this is a real problem.
Verifiable security and centralized trust are incompatible.
I do still generally consider any code that can't be verified to be closed but I agree accuracy is important.
To reiterate -- I agree with you on the general point that federation and having a decentralised system is important for many reasons. But you're moving the goal-posts so that now, even if the server code is AGPLv3 (which requires giving source code access to network users) you still can't be sure that code is running in production, and thus it's still effectively proprietary. That's not a reasonable argument.
As an aside, WhisperSystems has remote attestation of parts of the server code using Intel SGX, which means that it actually has some degree of verifiability.
Given the context of the five eyes backdoor discussions it is not unreasonable to expect that a government could pressure WhisperSystems to manipulate a client update or patch a server, GPL laws be damned. A single employee could also be bribed or blackmailed. Intel could also be compelled to falsely attest an SGX enclave.
When it comes to protecting privacy against highly motivated and sophisticated adversaries then centralized trust is just not an option to be taken seriously. It creates a Lavabit sized target.
A company that is as serious about privacy as their marketing indicates would, like TOR, encourage as many servers to run as possible to ensure there is no central pressure point to abuse.
Cards on the table: I find Moxie's insistence on a walled garden while using Open Source and Privacy to market it simply unethical.
I do again appreciate the updates on the current status of their public source code though. I will strive for better accuracy in the future on this.
It might appear from a cursory glance at the bill and the "Industry Assistance Factsheet" that the bill would not allow for this sort of behavior (introducing backdoors), but the relevant section 317ZG of the bill only prohibits government agencies from requesting that companies build weaknesses or backdoors into their software but says nothing of the government doing the same. This is extraordinarily deceptive.
So, Apple's response (and the response of other multinationals) is likely going to be to ensure that all devices that are sold on the Australian market are sold with an Australia-only root certificate/key which they'll be forced to share with the Australian government agencies but whose compromise won't affect business in other countries.
It seems that doing business in Australia (as a multinational) is going to be like doing business in China, and no doubt there will be other countries that decide to not purchase Australian communications technology for fear of backdoors... 
What a fucking farce this is.
EDIT: I forgot to add that by writing the bill to allow for the above behavior, the total amount of TCNs and TANs that are required (for dragnet surveillance) is reduced substantially, and given that the only public reporting seems to be a rough yearly count, this is great for PR of a police-state as it means that only a handful of approvals have to be recorded. Also it's punishable by up to 5 years in jail if you reveal the existence of a TCN/TAN (except where required to in legal proceedings and to provide a total count of the number of TCNs/TANs received over the last >6 months).
 See section 317E, subparagraph (f) of the bill which states that a "communications provider must [...] assist with the testing, modification, development or maintenance of a technology or capability."
 Section 317ZG of the bill: "a [request/notice] must not have the effect of requiring a _designated communications provider_ to implement or build a systemic weakness, or a systemic vulnerability, into form of electronic protection"
To help eliminate any doubt whatsoever: as part of my job, I will absolutely, 100% veto any tech purchases from countries that mandate government encryption backdoors.
If we really want to quash this, we need to start making that clear to everyone in the UK, US, CA, NZ, and AU, that this affects ALL of us.
They're just using Australia to launch it for this exact reason, 95% of the population of the 5 Eyes will think they're not affected, not fight it, and it'll pass. Then good luck stopping their momentum.
Unfortunately I was out of the country when this whole shitshow went down. I sent an email, but I'm going to go see my Federal MP in person tomorrow.
"I probably won't go back, at least not before I switch citizenships in protest."
Oops, I just broke the Australian sedition law. Not allowed to talk about that, either.
I can't believe it's actually necessary to argue to our MPs that a bill proposing access to every encrypted message that has anything to do with Australia without any judicial oversight is precisely the sort of tool that a police state wants -- and that even if they agree with the crux of the bill (which they shouldn't) that the bill itself is fucking insane.
It won't matter to any of my websites, I will ignore their law. Just like I ignore GDPR. I don't do anything egregious, but those laws simply are/would not be relevant to me.
From a European ISP standpoint: the introduction of a systemic weakness is a violation of Art. 32 GDPR. We just can't do it.
Classic double-bind. GDPR is more important than Australia to us, so we just block all access from and to Australia. We have 195.000 affected webhosting customers (domain, email, website, servers), btw.
Please don't do this. The internet does not respect borders, and there's absolutely nothing positive that can come from changing that.
By blocking Australia you're just screwing over ordinary Australian people who probably don't agree with what their politicians have decided.
Are these laws just a public acknowledgement and formalisation of what has been going on since early civilisation?
In the Cold War it was bugged typewriters and sabotaged chips and industrial components. Ten years ago it was counterfeit chips from China causing early failures in US military equipment and US backdooring of cryptography standards. More recently, Chinese companies have been factory backdooring hundreds of millions of mobile phones and Western countries have been vacuuming up the Internet. How many integrated circuits purchased from factories abroad today can be trusted when hardware backdoors have been shown to be almost undetectable even to the best resourced labs?
Instead of manufacturers around the world being coerced into backdooring technology without regulation, at least there may now be some formality. These laws don't change how much trust can be placed in foreign technology (answer: not much at all). It shouldn't be a shock that Australia has banned Chinese equipment from the likes of Huawei and ZTE from broadband and 5G mobile network rollouts. And it shouldn't be a surprise to Australian companies if China bans the import of Australian technology.
The bill pretty explicitly talks about ASIO. I don't think these laws will be used for much less than espionage, or possibly deep corruption cases. For example, right now ASIO don't have the power to remove a computer to inspect it. That actually surprised me (what would not surprise me is that they routinely do this anyway). In many cases I don't see why physical access is required though, I am sure ASIO are capable of hacking most routers/IoT devices, possibly even laptops, just using known methods (are drug-lords really that up to date on L1TF?). The biggest issue I have is that the granting of warrants always comes down to whether some judge or minister thinks it's all good. Although, in one of the sub-sections they say the Attorney-General can delegate their powers to a senior ASIO officer, so this is a C-suite level person inside ASIO likely to have these powers (note that they explicitly point out that this person can not further delegate that power, so these decision makers are direct reports to the Attorney General presumably).
On the topic of getting people to give up passwords and/or keys, it says that agencies have "the ability to compel persons" to hand them over... whatever that means. Does "compel" mean, breaking fingers compel? I am pretty sure this is with a warrant.
There are provisions for situations where evidence may be lost, or other dire circumstances, where they can request things orally and immediately, but they do have reporting requirements around such circumstances.
Probably the most alarming thing is the technical notices. With these, they can basically ask first, but if required - demand - tech companies to add in back-doors. They try to deny it but that's what they are. It is pretty explicit that they can't compel companies to introduce 'systemic weaknesses', so it's not about making product wide easter eggs that give you root permissions. I think they mean more like "put a clause in your code that when Dr Evil logs into WhatsApp, and only Dr Evil, it forwards all comms to us." That's pretty strong power, and not really a systemic weakness in WhatsApp, but most definitely fits the definition of a back door to me. They say companies will be compensated on a 'no loss, no profit' basis. One kind of nice limitation on this is that it will definitely be expensive for ASIO to do this. Companies are in some ways incentivized to restrict their acts to single customers, because if ASIO want to monitor 10 people, well that requires 10x the budget doesn't it.
This was my first time trying to read law. If you read law as code, then law is TERRIBLY written. This amendment is the world's most ancient pull-request system, putting this into VC would make it much clearer for all involved. There is no concept of a dependency tree, instead other acts are referenced at will and with no version lock to say whether that definition is still current. I suspect there are a lot of regression fails when they write new legislation, unless someone is poring over all other acts looking for things which reference the act we want to change.
TL;DR: I'm gonna let this go through to the keeper. Writing law is complex. Ultimately it always comes down to, can we trust our government and public institutions, as well as our companies, to do the right thing? How much must we bind ourselves as a society, to ensure that they cannot abuse us? It's tough. I tend to think that the 99% of the people writing these laws, and the officers enforcing them, aren't monsters or evil people - they are my fellow Australians.
What this all means is that a single TCN could theoretically be issued to cover a specific case (say a reasonable investigation into some potential terrorist activity) but the signed backdoor/remote access tool that comes out of it could be used arbitrarily by the agencies involved with little to no oversight.
I know that this is a difficult area for law-enforcement to operate in and I understand that part of the problem that they have at the moment is that they sometimes have no certainty about whether they can get access to specific pieces of electronic evidence (even with a warrant) but the intelligence community (including here in Australia) has a lot of bridges to build if they want to actually have this discussion in a rational manner.
There are probably some reading this who think that I am being hysterical or paranoid about ASIO/ASIS/ASD and that they are rational and ethical actors, but I suspect that anyone who thinks that is likely underinformed about their historical activities.
There is currently some international investigation into evidence of recent (in the last 15 years) potential wrongdoing that the current Attorney General (who would be the individual responsible for approving these TCN/TANs) is attempting to frustrate. These moves by the current federal AG are so extraordinary that a former NSW DPP (Director of Public Prosecution) and a former Victorian Appeals Court judge have stated that "[...] unlawful activity was undertaken on our behalf to improve the government’s negotiating position" and that "there is a genuine question about whether the general interests of Australians would be served by the prosecution of either person." (the whistle-blower or their lawyer).
Given the evidence of poor behavior by these agencies and their apparent disregard for due process, it seems extraordinary to think that these extensive new powers could not be abused as they are currently proposed.
 See section 317E of the law which states that providers are required to "facilitate or assist access to software that is capable of being installed on a computer, or other equipment, that is, or is likely to be, connected to a telecommunications network" and, crucially, paragraph (f) which states that providers must "assist with the testing, modification, development or maintenance of a technology or capability"
 In Australia bugging East Timor during negotiations over a $40-56 billion oil deal. See http://www.abc.net.au/news/2014-03-04/icj-orders-australia-t...