The Internet Reacts To Australia's Anti-Encryption Bill (gizmodo.com.au)
80 points by lysp 5 days ago | 63 comments

I wonder what goes on in the minds of politicians who support this kind of law.

Do they not understand it? Did they get paid to pass it? Do they hate freedom? Do they actually think it's a good law? Would they like to have lived in the USSR so they can experience the peak non-freedom experience? Are they masochists?

It's based on a delusion of centralized control. It does not require maliciousness, simple-minded benevolence leads to the same thing. There's a problem that exists, and they need to solve it, so more control can only help - or so the thinking goes.

Plus, a law like this only really sets the stage for future actions. If it turns out those type of actions are unnecessary or have detrimental effects, the capability can be restrained in the future! And it is true that the egregious totalitarian scenarios we're thinking of won't be done immediately. The frog will just slowly boil over time as the invasive behavior is normalized and gradually used for more and more routine policing.

It takes a very principled stance to assert that the unenumerable harm such laws do to the future outweighs the immediate threat of the day. Which is why totalitarian laws such as this gain more ground after violent media spectacles.

They worry that they'll be wedged on national security if they vote against it and then there is an incident. Their opponents will aggressively label them soft on terrorism and the 'reason' the attack couldn't be stopped.

Meanwhile, if they vote for it, they annoy the few people paying attention or who have strong feelings about it. Low risk in the short term.

This is exactly the reason. It's one of the many risks of having a de-facto two-party system -- if you piss off the other guy's base you'll lose the next election. As I've said for many years, we need much stronger third parties in Australia. Personally, I think the problem is that there's too much political apathy.

"too much political apathy" x 21,000,000

I only took an interest in politics since the selling of Telstra and then the NBN stuff, and man, I wish I'd been more aware earlier in my life.

I haven't worked out how I'm going to introduce my kids to "the decisions that will shape their futures" yet, without turning them into suicidal nihilists bereft of hope for the future of the species / planet - but that's kinda the point.

I agree, and what disturbs me the most is that the two parties have recently massively increased the requirements for being a candidate, with more requirements on the way. Why? One independent senator out of 76 got elected legitimately by votes, and the ABC's Antony Green complained about too many choices on the ballot.

The biggest attackers on Australian democracy are Liberal/Labor's own actions. Are they trying to turn Australia's democracy into the USA's?

I can't read minds, but I would think it's a party decision. One member of the party knows what the consequences (and benefits) of a law like this are, so all other party members "choose" to vote the same way as what everyone else in the party is voting.

I'm sure whoever is proposing the law knows precisely what they're doing: making Apple and co. choose between money or values.

Side note: There is this [0] section of the GSuite admin console. If this law passes, I can see Australia gaining a place here (but five eyes complicates that).

0: https://judge.sh/XCgDVqI0XP.png

They often do not understand it, and more importantly they usually get nice dinner invitations (etc) from lobbyists with vested corporate interests.

What is the corporate interest that you think is served by mandating encryption backdoors?

More access to US markets would be my first guess.

The USGov wants this and would be offering some incentive. The government then uses that as a selling point or threat of missed opportunity to keep MPs in line - not that you'll ever get someone crossing the floor.

I assume the idea is to either "share" the data with a five-eyes partner or let them collect it and use their jurisdiction to compel its decryption (including by US firms).

There's also a lot of politics and point scoring going on, and a trade deal is always good coming into the next election.

The US government may well be lobbying for this, but if so, I don't think they're doing it by going to Australian corporations and saying, "Hey, you lobby for this and if you do we'll give you something special." If for no reason other than that it's likely it would get out.

What I'm saying here is that "corporate lobbying" is a bugaboo for many people. There are plenty of bad ideas that stem from sources other than corporate lobbying.

The lobbying path for this would be US security (NSA/CIA/FBI) lobbying to both USGov and their AU counterparts ASIO/FedPolice who in turn lobby the AusGov.

They in turn talk to USGov and work on what they get and the selling points.

From the politicking it was the old "you're going to put people's safety at risk if we don't do this" message. So, no idea what AU gets out of it unless there's a deal that makes some other issue go away for the Gov, like taking some of our refugees, etc.

Corps get no say unless they need a sweetener to keep giving politicians money or favourable media via various industry bodies and groups.

The ol' five eyes conspiracy; to help big companies by collecting sensitive information on SME businesses.

Hasn't passed the Senate yet.

There is an arm-wrestle over a nasty piece of refugee legislation that might see both acts not get voted on today. That means it won't be back in parliament until next year and the government is looking so shaky it might not be in power then so... who knows!

It just passed the Senate. But even if it hadn't passed, the problem was that Labor (to non-Aussies: the opposition) voted for it unanimously. Only two MPs voted against it in the House of Representatives (Andrew Wilkie [Independent] and Adam Bandt [Greens]).

We (Australia) are doing this mostly as a five-eyes partner on behalf of the US to support their intelligence efforts.

This is the price we the Australian people pay for:

  1) The promise of future protection by the US in the event of a war (hmmm I wonder who will start it) [1]
  2) In theory better terms of trade (ok, after lots of haggling) [2]
  3) Access to exclusive visas w/ the US (ok, not so exclusive if Ireland have their way). [3]
Worth it?

  [1] https://www.news.com.au/world/asia/the-miscalculation-that-could-escalate-into-war-between-china-and-the-us/news-story/c597fe4fa7ea9e7a9929b4258625bd19
  [2] https://www.abc.net.au/news/2018-03-10/malcolm-turnbull-donald-trump-working-tariff-exemption-agreement/9534984
  [3] https://www.irishcentral.com/news/politics/what-is-e3-bill-what-would-it-mean-for-irish

Of course not.

Does anyone understand how this affects fastmail?

their blog post seems to say it isn't a big deal https://fastmail.blog/2018/09/10/access-and-assistance-bill/

Email providers already have the keys to all the data they store, so this bill does not affect them. They can already fulfill any lawful warrant that is requesting data.

The fear is that a service that is encrypted end-to-end will be forced to add a backdoor to accommodate warrants for data. But email is not encrypted E2E.

Some email providers like Protonmail provide E2E emails. :)

Unless you're a bad guy who just uses a program on your own computer to do the email encryption preserver...

First the UK and now Australia. Next New Zealand and then Canada. Then the USA will have its five-eyes partners outsourced and fully-equipped to do all its internal spying.

Australia has no privacy protections (and is the only Five-Eyes country where this is the case). There's no need to get a similar law passed in New Zealand, the Five-Eyes agreement allows for intelligence analysis to be outsourced. Basically Australia will now be used as a way to subvert the privacy rights of all other Five-Eyes countries -- including countries where such analysis would violate their laws.

The most disgusting thing is that our opposition government voted for this shit. What a fucking joke.

Is this even technically possible? What happens to all the businesses in Australia that built products around crypto where it’s impossible to go backwards.

The meat of the bill is the ability to issue three sorts of notices to service providers (which only need have some incidental presence in Australia to be served, like for example a company owned storefront):

Technical Assistance Request - a non-compulsory request to provide requested information they have access to.

Technical Assistance Notice - a compulsory version of a Technical Assistance Request, to use a capability that the recipient already has to obtain data.

Technical Capability Notice - a compulsory instruction to develop a new interception capability.

So it doesn't constrain the way you can build products (now or in the past), they're instead just going to require your assistance to attack the targeted endpoints if that's the only way in.

So the government can now ask you to do specialised software development to retardify your own systems and if you refuse then they can fine you?

I didn’t think there was any basis whatsoever to be able to make a law that assumes a company is capable of maintaining or modifying their systems or infrastructure. That seems too generalised.. what if they’re running on a system that they don’t have the source code for?

Pretty much. Maybe they'll just ask you to sign a binary they've built themselves.

They obviously won't be able to ask you to do something you technically can't. If you sell, say, IoT devices that don't phone home for updates then you'll probably be safe.

>If you sell, say, IoT devices that don't phone home for updates then you'll probably be safe.

They can demand source code to find vulnerabilities in those IoT devices however.

That's exactly one of the things they can do yes. One of the stupid things about it is that they say that what they ask you to do cannot create a systematic weakness.

Which is exactly what they're asking you to do, create a weakness that is only for them.

They will get fined very heavily and thus will be forced to add backdoors or go out of business. The government claims that what they want aren't backdoors (they use the term "backdoor" to refer to a 0-day in possibly the most disgusting Orwellian doublespeak I've seen come out of this government in an attempt to avoid criticism) but that's simply false.

They'll lose business:


I suppose they could always go offshore.

Mike Cannon-Brookes (co-founder of Atlassian) has been fairly outspoken against it:


The expectation of bipartisanship on 'national security issues' definitely makes the average citizen feel powerless, which is particularly worrying because all of the privacy/centralised control overreaches are easily framed as such.

I'd happily contribute monthly donations to an EFF-style organisation who are proving effective (or at least tenacious) in lobbying for individual rights protections and extensions, does anyone have any personal recommendations based on their own research?

I'm aware that the EFF has an Australian partner branch, and that there are a small handful of other digital rights groups, but if someone has looked into it more thoroughly it would be nice to hear what you found.

GetUp is probably the most effective group for mobilising activists (based on MoveOn.org) but are under a lot of pressure for supposedly taking donations from overseas. (George Soros was blamed as usual) The Government is trying to blunt their influence by passing laws to cut off their access to funding.

I haven't seen anything specific regarding the anti-encryption bill but they supported action in protest of the data retention bill that was passed a few years ago.

Expect to see them a lot this election, particularly in Dickson, Peter Dutton's electorate.

173 Amendments = One wish for every politician granted to buy the bill?

ugh. I'll never forgive the LIB's for what they did to the NBN project.

Now I'm being pushed to put the ALP on the same shelf. If this shitshow of legislation passes the senate then Australia is no longer safe and can no longer export tech to places like Europe.

what a fucking joke.

I think it's about time that we Australians had a discussion about a constitutional bill of rights (modelled on Switzerland ideally).

The common argument against this is that common law protections would be strong enough to make it unnecessary, but that's ignoring that governments can pass laws that end up invalidating older common law protections. And as we've seen in the past decade, our government (both Labor and the Liberals) have been slowly degrading our rights -- they effectively suspended habeas corpus in 2005. From memory, there are even restrictions on how much you can tell your lawyers about you being tried for terrorism!

A constitutional referendum is going to be a very hard fight. But I think that the Australian public could see the problem if we compare ourselves to other nations -- the "it's all for national security" argument is specious given that we can show evidence of many countries which have such protections and still have national security protections.

One of the most concerning things is that the canonical example that motivated this bill actually includes a presumption of guilt of the person being investigated. That's a great start...

You could look at how India fixed such a loophole in its constitution based on the common law: This is of interest to any person interested in law, or mathematical logic. The rub of the whole thing is: define something called "the basic nature of the constitution", which is not part of the text of the constitution, and then mandate that no constitutional reform can violate the basic nature of the constitution.


There is a famous anecdote of Gödel's citizenship test where he claimed to have detected a loophole in the US constitution whereby you can install a dictatorship through legal constitutional reform. He was famously shushed by Einstein. See the following article, for example (footnote 115 mentions the Indian Constitutional case).


IMHO regarding Gödel's loophole, focusing on unconstrained amending is a red herring. Any set of rules can be superseded by external means, eg revolution. Spelling out a formal procedure to do so strengthens a constitution - the only weakness it adds is a slight moral authority from technically following the procedure being contained in the original document, but if popular opinion is already against the original spirit of the document, that's moot!

My belief is that the loophole is more akin to layered complexity creating self-defeating contradictions - analogous to the technique used to prove his first incompleteness theorem. Essentially, the law is not a consistent-incomplete system, but an inconsistent-complete one that can prove anything!

The US Constitution only defines individual rights in terms of prohibitions on the government, it does not qualitatively prescribe them! And this is indeed the totalitarian shape our modern society has taken. When you run down the Bill of Rights, for each right you can see that its basic ethos has been effectively nullified - through requirements mandated by some third party non de jure yet de facto authority. For any right, you still do technically have the option to engage in a very narrow course of behavior that preserves it, but in practice this is irrelevant!

And the real travesty is that for every such violation there is a straightforward chain of law that enabled it - handing the mob direct justification for why said violation is purportedly sensible and just!

People like to wave a constitutional bill of rights (or lack of it) as an issue for Australia.

Whilst that is true, our rights are just spread out within Australia's common law.

This can actually be a good thing, as the laws are in theory easier to get changed for the times. Such as the right to bear arms[1].

  [1] https://www.youtube.com/watch?v=RpeUznIhgLU

I mention this in my comment, the problem is precisely that it is so easy to invalidate protections in common law -- a new law can easily invalidate an old freedom. And yes, "the right to bear arms" being restricted in Australia is an example where this was a net positive.

But invalidating habeas corpus, privacy, and free speech are all things that have been done by our government in the past decade. The ability for fundamental rights to be invalidated that easily should be seen as a much bigger problem than people seem to view it as.

I used to be in the "we don't need a constitutional bill of rights, we have common law protections" camp as well. But the slow march to remove many of our rights has drastically changed my viewpoint on this topic.

[+]: And while it might be inflammatory, it is entirely correct to refer to detention centers as "concentration camps" because they concentrate a section of the population -- in this case possible asylum seekers -- into a single place.

American rights aren't presented as rights that the people explicitly have (other than the right to life, liberty and the pursuit of happiness). Most Americans don't even realize that our Bill of Rights outlines implicit rights for citizens. That is, the laws say "government can make no law regarding this subject". This is important because if the government "gives you rights" then they're not actual rights, they're only temporary privileges that can be removed.

No offense, but if the government of Australia is "giving" you your rights, then you don't actually have them.

This is a very strange argument, and is one that a lot of Americans seem to believe. Is this purely because of the wording of the 10th Amendment? The reason I ask is because there isn't (as far as I know) a legal distinction between being given a freedom and there being a restriction such that "Congress shall make no law abridging $some_freedom". To test this theory, consider if there was a new amendment that completely invalidated the bill of rights. Would you still have the same freedoms you have today? Of course not -- so therefore (regardless of the framing) the bill of rights gives you certain rights.

If the US couldn't pull it off 20 years ago, why the hell does Australia expect to successfully mandate encryption backdoors today?

Australia has effectively no free speech or privacy protections, and so it's very likely they'll get big companies to play ball. The US ran into trouble for a variety of reasons but it wasn't an "in principle this is untenable" problem (and let's not forget the "export" encryption has caused problems for many years thanks to the US policies).

I am quite worried about free software that implements encryption. As an Australian, I'm quite concerned that software I've written and is free software will be asked to be backdoored by the Australian government. I'm small fish, but if I was a GnuPG developer I'd be more worried -- will GnuPG even accept my patches anymore given my nationality?

As an Australian, I'm quite concerned that software I've written and is free software will be asked to be backdoored by the Australian government.

I don't believe this is a significant risk, at least for the case of source code. The proposed legislation doesn't allow them to ask for "systemic weaknesses" - so a sneaky change in the source that leaks a few bits of key material or something should be out. And a big part of this is secrecy - they don't want those targeted to know they're under surveillance - so it would be self-defeating to ask you to put an "if (user == osama_bin_laden) { send_to_ausgov(msg); }" line in the public source.

If you distribute your free software through an app store or something there could be more risk, in that you might be asked to distribute a binary with code to target certain users - but even there I'd say there's still too much chance that people analysing the binary would discover the backdoor code, so it's doubtful they'd go that way either.

It seems to me that the most likely use of the TCN power would be to ask the OS vendor to deploy some Game Over malware to a targeted endpoint (using their existing update or app store mechanism). We already know what that malware looks like, the hardest part is getting it onto the device.

I find it hard to credit that Apple would stomach this, after they were seemingly prepared to go to the mat with the FBI in the All Writs Act case over a very similar issue. Would they withdraw entirely from the Australian market? You'd have to think that is a live possibility.

> The proposed legislation doesn't allow them to ask for "systemic weaknesses".

My problem with this argument is that the whole "systemic weaknesses" restriction is just a word-game so that the bill can escape certain criticism.

As a hypothetical, if I implement an e2e system which is "entirely secure" and as a provider I have no method of attacking it (and let's imagine it's free software and uses reproducible builds, so users can trivially verify if their binary is backdoored) -- how can I respond to a Technical Assistance Notice? I simply cannot, without taking my existing program and making it insecure. Without creating a weakness which, by the nature of the problem, is systemic.

Do you see what happened? The government hasn't asked me to create a systemic weakness but because of the very situation I've now been forced to make one -- it's just a word-game. They can't ask you to create a systemic weakness, but they sure as hell can put you in a situation where (in order to fulfill a "completely reasonable request" under threat of exceptionally large fines and civil prosecution) you must create a systemic weakness.

Now of course, most programs are insecure and so this hypothetical isn't entirely practical. But the principle stands that there will be many situations where (in order to avoid exceptionally large fines and civil prosecution) companies will opt into creating a systemic weakness out of fear of not being able to comply with future Technical Assistance Notices.

I assume you mean Technical Capability Notice where you've written Technical Assistance Notice? (the latter only requires you to use an existing capability that you have - if you don't have the capability, they can't force you to use it).

My reading of that is that the authorities would have to ask you for some specific technical solution. You lay out how your e2e system with reproducible builds works, and they ask you for something specific - like a backdoored build. It's up to them to figure out how to deal with issues like the reproducible build one.

I guess you could argue I'm referring to both (though Technical Capability Notice is more obvious).

The only requirement applied to a Technical Assistance Notice is that "the Director General of Security or the chief officer of an interception agency [...] is satisfied that [...] compliance with the notice is practicable and technically feasible" (317P). So if the case officer is "satisfied" it doesn't really matter whether you can practically follow it -- and it's not clear to me what recourse someone has if they are given such a notice.

Now, Technical Capability Notice restrictions are quite odd. I'm not a lawyer, so 317T.8 is pretty obfuscated to me but it appears to support the argument that they cannot require you to modify a telecommunications system so that it "has the capability to enable a communication passing over the system to be intercepted in accordance with an interception warrant". But I simply must not be reading that part of the bill correctly, because that would imply that e2e couldn't be subverted at all -- which obviously is false because that's precisely what the government wants to do. Technical Capability Notices do have review periods (which can be waived if the Attorney-General says it's urgent) and so on, but I'd be quite worried about how much of a say you really have in those situations...

The 317ZG limitations sound good in theory, but as above it feels like it's just word-games to try to avoid criticism.

Given the criminal penalties for disclosure of "technical capability notice information", I wonder how this situation would work if you were the maintainer of a GPLv3 project where not providing the source code would be a violation of copyright law.

"systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified." (https://twitter.com/Jordonsteele/status/1070461760031797249)

IANAL, but I'm fairly certain that essentially means "anything we require you to introduce is specifically defined to not be a systemic weakness". What do we need reality for when we've got doublespeak?

Apple have already essentially stated they will not make use of Aus tech products if this goes through, as have a few other big players. I'm not sure if EU companies will be able to use Aus tech products and also comply with the GDPR, so there's a rather large chance that our nascent tech industry immediately implodes.

It pretty clearly means that ASIS can't ask Apple to put this malware on every iPhone, but they can ask them to put it on Donald Trump's iPhone.

>Would they withdraw entirely from the Australian market? You'd have to think that is a live possibility.

Honestly I pray that's what happens. Maybe the lobotomized masses will then actually start caring about their (lack of) privacy and stop these dimwits from putting everyone at risk.

I'm also concerned about the possibility of extradition. Say the Australian government decides to ask someone like Werner (Github/dd9jn) to backdoor GnuPG over the internet, and he doesn't comply. Disregarding five eyes, could he now be extradited from the US because he broke an Australian law?

This question is in light of Huawei's CFO being extradited from Canada. I know this law isn't something like the Iran sanctions, but I imagine extradition would still be a possibility.

Delusions of grandeur.

Also, a complete lack of understanding of the problem and/or wilful ignoring of the effects of the proposed solution.

Published in 2014 so it's missing some of the up-to-date discussions and issues, but it's still worth a read for the history of paranoia:


Tangential, but the article badly malfunctions in Chrome with JavaScript disabled. It seems to redirect to https://www.gizmodo.com.au/?nojs=1, which then starts to reload the page over-and-over at about half-second intervals on my machine.

Anyone know what's going on with the article?

It is unusually bad. Loaded with javascript on, and after just scrolling and reading, it's up to 633 http requests and 6+MB to show an article: https://imgur.com/a/u0UZswK

Is this really what passes for journalism, a bunch of links to twitter posts? Anyway, I believe that this law will result in technology providers ceasing to offer their services in Australia. Of course if that happens, only businesses that can be compelled to provide technical assistance etc. will be left.

An update to all those watching, it just passed the Senate and has been signed into law (once it gains Royal Assent).

Here is my attempt at apolitical summary for those seeking a quick rundown on the situation. Apologies for brevity since I'm on mobile - there's a lot of small things joining together to make this an interesting situation.

Aussie Parliament has two houses: the lower house of representatives, and the upper house (of review). A bill has to pass both in the same form before it can become an Act (law). This one has passed the lower house, and not yet the upper.

The current government can't force through legislation without support from independents since they don't have a clear majority in both houses, and there are some types of votes in Parliament that, if lost, threaten the concept that they're actually a 'government'. This situation involves something like that, but it's a rare thing (the 1940s was the last time this kind of situation resulted in a government resigning).

Today was the last day of Parliament sitting for this year, and the government had promised to put through the encryption legislation by now, so it's in place for Christmas. They have some reputation on the line, stating many times it is a necessary law to have in place for the safety of the Australian people over summer.

At the same time, there is some legislation in the Parliament that will change how some Australian refugees on the island of Nauru are treated, potentially allowing them into Australia. This is a very hot political topic with lots of debate and nuance - so forgive me if I simply say the government wants the refugees to stay on Nauru and the opposition wants them to be able to come into Australia.

Both of these law changes were in the Parliament today, and both were expected to go before a house for a vote this afternoon. There is argument over the opposition deliberately aligning the two issues, but I'm not across it. Importantly, it was almost certain that if the Nauru bill went to a vote, the government would lose, and be in the unfortunate position above of perhaps not being a legitimate government anymore.

The government therefore faced two choices: allow the situation to continue, lose on immigration and stability, but win on security and reputation; or prevent the Parliament continuing and win (for now) on Nauru, but lose on security. They chose the latter.

Subsequently, both the government and the opposition have blamed the other for putting politics before people, on one of the two issues respectively. However, the encryption bill only passed the lower house because of the support from the opposition (at the time), who may have been in a better position to know the Nauru bill was going to line up in terms of timing.

Quite a busy and tense close to our country's Parliament for the year!