Australian parliament passes encryption laws unamended (abc.net.au)
365 points by dhx 3 months ago | 393 comments

Somebody over on Reddit [1] went through all the submissions (there was a consultation period) and summarised and tallied them [2]. Fully 99%+ of submissions were against the bill. A sad day for democracy indeed. A church in Tasmania was in favour, because child pornography.

1. https://www.reddit.com/r/australia/comments/a3j466/assistanc...

2. https://docs.google.com/spreadsheets/d/1dowpZ_Xtr1N_DgkHJN8i...

Lots of people reporting that the offices of MPs and senators were inundated with calls today and over the last few days. Twitter was on fire too. Ignored, just like the expert testimony before the PJCIS. Who do these fools think they were representing?

Today I watched my country's democracy die via livestream, with the words "Labor withdraws all amendments".

> Who do these fools think they were representing?

The US government and their agenda to spread similar laws in their country and across the world.

Labor was always on board with the core of the legislation; likely as they were aware of some unreported Five Eyes agreement that Australia will be the 'thin edge of the wedge' to introduce such laws worldwide.

Any amendments proposed wouldn't have changed the goal and were simply the basis for some political theatre to look like such a law has been considered and debated by the politicians. The outcome had already been decided a lot earlier than that point.

>Who do these fools think they were representing

Voters? I don’t mean to be snarky, but while Tweets, submissions and letters may inform the content of bills in democracies, the counts of these are not numerically representative of much, apart from the feelings of people who feel strongly about an issue.

That said, these laws sound exceedingly stupid.

As Churchill said, the strongest argument against democracy is a five-minute conversation with the average voter. The voters are getting what they voted for.

There's some seriously shady things going on for this bill to have seen the light of day.

For me, this was the 50-tonne block of concrete on the lead coffin on the rotting cadaver of a political system that serves humanity in a balanced manner.

> Who do these fools think they were representing?

The same interests they are always representing. Themselves. The organisations and lobbyists that got them voted in. The organisations they're looking forward to offers of high-priced consultancies and directorships from after the next election.

Did you expect anything else?

Don't forget the voters who elected them. Do you see the voters running to the polls and voting for someone else when crap like this gets passed? Of course not. Therefore, the voters implicitly consent to it.

Oh hey, pwnies from reddit here! It wasn't just me, it was myself and a bunch of my coworkers over at Atlassian. As one of the larger Australian tech companies, many of us are somber today to see this passed.

For context, here was the letter we sent: http://i.imgur.com/yRrZHAq.jpg

What's the impact on you going to be like?

Hard to say. The final text of the bill with the amendments that got added this week hasn't been published officially yet (https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat... only the first reading is available). Once it is we'll have to do a full review from legal - it's something a bunch of us are wondering internally right now. There are a lot of loopholes in the bill, so it's hard to say what things we'll be required to do, if any. The bigger impact will be on the world view of the tech scene in Australia. Needless to say this is very damaging, and there are concerns that we won't be able to handle any European data in Australia as it could be a potential violation of GDPR. Again though, that will have to wait until we finish the legal review of the bill and how it impacts us.

In talking with some other companies, some of them are looking at potentially moving any role that would have the ability to compromise encryption outside of the country. That way there'd be no way any employee could be legally forced to implement any backdoors or weakening of encryption. That's an extreme measure and is probably overkill right now as the loophole that states you don't have to do anything to weaken your security will likely be used as a challenge against building in any backdoors. We'll have to wait and see how things pan out.

> That's an extreme measure and is probably overkill right now as the loophole that states you don't have to do anything to weaken your security will likely be used as a challenge against building in any backdoors.

I saw that, but another part of the bill that I've seen (on a cursory review, and as a non-professional) is the sweeping, extreme secrecy measures surrounding the execution of any part of the bill.

Basically, my understanding is that you can't tell me as a customer if you've been required to compromise my privacy.

So say you even take the extreme measure and ship some sensitive roles overseas. If for any reason that's not enough, and your government requires you to surrender some of my data, then you will be legally unable to tell me.

That will destroy all trust.

I like Atlassian and am extremely sorry to see this happening to you.

Any internal discussions about moving out of Australia?

I've read an interpretation that indicates that all Australian citizen employees are now essentially compromised, as they could be compelled under penalty of jail time to insert backdoors into an application without informing their employers.

Even that church was not all-in:

>The Synod has some hesitancy about ‘safeguarding national security’ being one of the objectives of the notices, as it is not clear what additional activities this captures that are not criminal activities. For example, notices to address terrorist activities are already about enforcing criminal laws as would be notices targeting foreign espionage. We have a concern that ‘safeguarding national security’ might mean the desire of a government of the day to target civil society groups and individuals that oppose its policies or to target whistleblowers that expose wrong-doing by the government of the day. It would be good if the explanatory memorandum of the Bill includes an explanation of what non-criminal activities are intended to be caught under ‘safeguarding national security’ under the Bill.

I submitted comments during the review period, but I just got an automated response asking me if they could publish it -- long after all the "town hall" discussions. They clearly didn't give a fuck what the Australian public wanted.

A sad day for democracy, but this fact restores some faith in humanity.

A sad day for democracy, but this fact restores some faith in dictatorship.


Everyone is misreading this comment. OP meant: democracy failed, but the good submissions restore faith in humanity. All the people who wrote in were on the side of common sense.

The people who wrote in do not represent the voting public, they're just a vocal minority. The voting public elected these lawmakers, and will happily re-elect them.


That so many people were against it?

Yea, that's what I meant. At least the people seemed to be overwhelmingly opposed to it, and trying to vote against it. RIP to internet points on that comment, lol.

Yeah, I too, read your comment in the -ve. Thanks for the clarification.

So, yeah, a great day for humanity that didn't want this.

A shitty day for humanity that didn't want this. FTFY.

There were 300ish responses. The tech community and savvy individuals are strongly against it, but the vast majority of people don't care or absolutely don't understand what's at stake here.

As with most deeply technical issues, it is hard to communicate to the general population exactly what the proposed problem and solution is, so the politicians are allowed to freely pass legislation (without understanding it themselves mostly) without much opposition besides the vocal minority.

Some of the comments so far seem to suggest that this bill would require software to include backdoors. However, it looks like [the bill's PDF](https://parlinfo.aph.gov.au/parlInfo/download/legislation/bi...) includes:

> Division 7—Limitations

> 317ZG Designated communications provider must not be required to implement or build a systemic weakness or systemic vulnerability etc.

> (1) A technical assistance notice or technical capability notice must not have the effect of:

> (a) requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or (b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection.

> (2) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection includes a reference to implement or build a new decryption capability in relation to a form of electronic protection.

> (3) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection includes a reference to one or more actions that would render systemic methods of authentication or encryption less effective.

These limitations would seem to imply that the bill can't require a "systemic weakness", either by introducing a new one or prohibiting the patching of an existing one, which would seem to suggest that end-to-end crypto wouldn't be affected.

Is this a correct reading? Or are there concerns that the government might, say, require end-to-end crypto to be vulnerable to a government-held golden key?


Edit: Part of the text,

> to implement or build a new decryption capability in relation to a form of electronic protection

, sounds like it's prohibiting golden-key-based schemes.

There are so many loopholes in this thing. One predominant thing to keep in mind is the legal onus that is put on a company that does not comply.

The basic gems that I got from reading the draft legislation were:

- If you have server side encryption, & we want you to decrypt a particular person's data, then we expect you to do so - ad infinitum.

- If you do client side encryption then we expect you to put into place a system that allows us to decrypt a particular person's data. (One assumes that a modification should be made for the particular client such that their data can be gathered in an unencrypted manner).

So, irrespective of the caveats that you've mentioned, the bill still stands. The caveats you've mentioned are the standard bait-and-switch style legalese, to make it sound more palatable. I'd assume that in reality, it's up to the company (at their own legal cost) to prove that what needs to be created is in fact, a back door.

Does the legislation say they can do this without justification though? Can they just ask for anyone's information or does there need to be some sort of warrant?

"The Director-General of Security, the Director-General of the Australian Secret Intelligence Service, the Director-General of the Australian Signals Directorate or the chief officer of an interception agency may give a technical assistance request to a designated communications provider. • A technical assistance request may ask the provider to do acts or things on a voluntary basis..."

Note that an interception agency also includes "the Police Force" p9

It later states that if a provider willingly complies:

"an officer, employee or agent of the provider is not subject to any civil liability for, or in relation to, an act or thing done by the officer, employee or agent in connection with the act or thing mentioned in paragraph (b)" p17

Meaning, you're up for civil charges if you fail to respond to a non-warrant request.

I don't see how you're up for civil charges if you fail to respond. It's voluntary. The line about not being subject to civil liability sounds to me like your employer can't fire or sue you for undermining the security of their product if you're doing so in response to a request.

That's how I interpret it too. Though does that mean they can contact an employee directly, rather than going through the company to have the backdoor installed? That's how it sounds to me, since otherwise why would you bother with this provision.

And if that's the case, software really is dead in Australia. You can't trust an Australian company, even if their leadership says they've never received a request, because one of their employees may have.

There are three kinds of notices. Only one is voluntary (Technical Assistance Request). The other two (Technical Assistance Notice, Technical Capability Notice) are both mandatory and carry several hundred penalty unit punishments for non-compliance.

It doesn't need a warrant, and the requirements are varied. None of them require judicial review.

* TARs and TANs both generally require that an agency be investigating a serious crime (one that takes). There are some toy protections against abuse but they're basically meaningless (the AG or chief officer needs to be "satisfied" that it's reasonable and a few other token requirements -- need I remind you that we imprison refugees in sub-human conditions without the right to a trial, so "reasonable" is a stretch).

* TCNs are even more general. They can be done purely "in the interests of national security".

Does it matter? The correct answer to "decrypt this person's data now" is "sorry, we can't". Not "won't", "can't".

It has to be under suspicion of a crime that attracts over 3 years jail (which is almost anything).

They mentioned oversight of a "retired judge" and a "technology expert" in the autoplay video at the bottom of https://www.news.com.au/technology/online/security/inprincip...

Why a retired judge and not an active judge? Presumably because an active one is required to obey certain standards and is legally independent. A retired judge is effectively just some guy.

Because they didn't want judicial oversight. It's just going to be rubber-stamp faux-arbitration.

They were going to supply a definition of "systemic weakness", but I can't find one in the bill itself.

I'm patiently waiting for their proposed method of reading end-to-end encrypted messages without introducing a systemic weakness.

But the meaning of words doesn't seem to matter anymore in the reality distortion field that is the Australian government. This is all supposedly to somehow make us more secure for Christmas.

Indeed, the laws of mathematics make this impossible. Count yourself lucky to be living in a country where the laws of mathematics don't apply.

The laws of mathematics are "commendable", but they're nothing compared to Australian laws hurriedly passed 5 minutes before the Christmas holidays.

History will not remember these people well.

History will most likely remember these people as the completely incompetent board of directors of the fossil fuel industry that presided over the final execution of the planet's habitable ecosystem. The fact that they were politicians or even the Prime Minister for 5 minutes briefly in late 2018 won't even be a footnote...

This line of argument is not helpful. What are you going to do if/when somebody shows up with a scheme that shows you're wrong, and the laws of mathematics do in fact permit such schemes?

Fix cryptography.

I'm patiently waiting for their proposed method of reading end-to-end encrypted messages without introducing a systemic weakness.

I imagine that they ask for some tailored malware to be delivered to the specifically targeted device/user.

So the UK spooks have a wonderful euphemism for this. "Equipment interference":


Which, of course, leads on to a somewhat less specifically targeted "Bulk equipment interference", because once we have the capability, it'll _surely_ not get misused, right? I'm eagerly awaiting the hilarious verbal gymnastics they'll come up with to make a Technical Assistance Notice compelled "Bulk equipment interference" capability some how not a "systemic weakness"... I'm sure that'll end up in linguistics textbooks and industry jokes for decades...

We won't see any of that hilarious verbal gymnastics because any individual would be crazy to try to fight one of these orders and face 10 years in jail.

The govt will just secretly compel them, and their activity stays secret - except the bad guys can now hack our compromised infrastructure and there will be inevitable leaks of data and exploits, just like WannaCry, which was originally an NSA exploit.

According to the proposed amendments (which weren't included) that had definitions, their definition of a systemic weakness is different to everyone else (yet another example of the doublespeak that this Bill contains). A systemic weakness is a weakness that is targeted, even if in order to target it you need to weaken your entire architecture in order to fulfil it. And to paraphrase the Greens MP, "the target could be as vague as all Victorians or everyone over the age of 30 and still not be considered a systemic weakness".

As long as we don't know P!=NP we're not sure if we actually need to introduce a systemic weakness to break crypto, no?

Wonder how long it'll take for the Aust branches of the US copyright cartel to start demanding access to "pirates" comms through this.

From memory, the Aust internet filter was originally introduced using similar excuses. eg stop terrorist recruitment, pedos, etc.

The copyright cartel was having "pirate" sites blocked not long after, and has been expanding its approach since.

Seems like a similar play book in action with this.

That’s the whole point of this legislation, and one of the reasons the legislation specifically supports the death penalty is to allow this legislation to be used by Australia to support the USA, where the death penalty still exists.

There's a secondary point to this legislation: discouraging whistleblowers by making it more difficult to both hide yourself and be hidden by whichever journalist you're working with.

Chilling effects is a desired outcome of this legislation.

Whistleblowing attracts up to a 25-year sentence, so yes this is terrible for journalists.

What's the maximum sentence for copyright infringement?

25 years assuming you are sentenced in Australia rather than extradited to the USA to be killed.

I don't understand your logic. Is the death penalty specifically mentioned in this bill somewhere?

Yes, it is specifically mentioned in this legislation, and is specifically called out as indication that the foreign government’s request warrants action under this legislation. That is to say that given the foreign government seeking information that will lead to a death penalty on conviction, the Attorney General is compelled to issue an instruction under this legislation.

The problem is that "systemic weakness" and "systemic vulnerability" are very badly defined.

There's no definition of what it means to "render systemic methods of authentication or encryption less effective".

That is by design.

The Australian Government has historically been somewhat arrogant in any area of technology.

Their attitude, in this case and others, is similar to that of management at a company with a poor technology culture. "we're in charge and we're making this law, now you nerds can go sort out the details".

There's one itsy bitsy issue with that whole "systemic weakness" thing. It's not defined in the law.

You'd think something like that would not be carelessly omitted by accident, no? What this means in practice is that virtually nothing they do will ever amount to that being a "systemic weakness", just like Obama kept saying post-Snowden revelations that there have been "no abuses" of intelligence powers and that nobody in the NSA did anything wrong (even after revelations of LOVEINT, etc came out).

An Australian government order for decryption could turn into another EternalBlue-type exploit affecting millions of PCs, and the government will likely still claim that wasn't a systemic issue because they "didn't intend it to be one" (as if spy agencies ever intend their backdoors to be used by rival nations - and yet that happens every time).



However, the bill also requires access be provided, where access is:

> access, when used in relation to material, includes:

> (a) access that is subject to a pre-condition (for example, the use of a password); and

> (b) access by way of push technology; and

> (c) access by way of a standing request

So whilst you may not build a systemic weakness, you may be required to provide a variant of your software to a specific user. Or provide the government with a "pre-condition" such as a golden key.

Thank you for this, there is a lot of doomsaying in this thread but this reads to me that it would be possible to refuse requests based on these limitations.

The problem is that you are reading it as though the words mean what a technical person means by "systemic weakness" (such as weakening the crypto in an app in order to target a user). This is not what the words mean (and this entire bill and discussion around it is full of Orwellian doublespeak -- they redefine the word "backdoor" to mean 0-day for instance).

The words aren't defined at all in the bill (which should be a massive red flag), but even the amendments that include definitions completely miss the point and basically imply that only something like Dual_EC_DRBG is considered a "systemic weakness".

There is a lot of doomsaying because it is very seriously, no-kidding bad. Not to mention that denying such a request should almost certainly be done with some very serious (and expensive) legal advice.

Noting that you can’t seek legal advice because you’re not allowed to talk to anyone about the request.

Obviously the section on disclosure doesn't involve talking to your own legal representation (there is common law on this already). But even if there wasn't common law covering this it's explicitly allowed in Sect 317ZF.3e. You can even reveal it in a legal proceeding under Sect 317ZF.3b.

Australia may be leading the path toward a Kafka-esque state but we're not there yet.

Please note that disclosure for legal advice was not in the first reading, but added later.

There's doomsaying because this is doom.

That's a pretty big call to refuse a secret request that you're not allowed to disclose to anyone, risking a lengthy jail term without the possibility of even seeking legal advice.

War Is Peace, Freedom Is Slavery, Ignorance Is Strength.

Have a safe Christmas Australia! Papers please!!

It's interesting how the English-speaking countries seem to be doing their very best to emulate the novel "1984".

They legislated the power to hand a developer a $50K fine and put them in jail for 10 years for refusing. And you can't tell anybody else about it, for them to back you up with their technical input etc.

At the end of the day, if they tell you to do it, chances are you'll have to do it. And you can't complain to anybody.

As far as I can tell there isn't a criminal penalty for refusing, what version of the bill are you looking at? In the first reading and all the amendments I could see there is "just" a 230-odd penalty units fine (which is about $25k in NSW).

What does this mean for Zero-knowledge systems?

You must build a custom made back door. eg. Something like ProtonMail would need to inject some extra javascript so that the government could obtain a copy before encryption, I expect.

If I were to write some software of this nature these days, I'd make sure that the client would be aware of any changes in the api - sort of like a personal warrant canary. (Note that a warrant canary is legal in this legislation).
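An added example (my own, not code from this thread or from ProtonMail) of the client-side check the comment above sketches: a separately distributed client ships with a pinned Subresource Integrity hash of the JavaScript bundle it expects and refuses to execute anything else. The bundle bytes and the injected "hook" are constructed for illustration. Note the caveat in the docstring: an `integrity` attribute in the provider's own HTML does not help here, because the same operator serves the HTML and can update both the script and the attribute together; the pin has to live somewhere the compelled server cannot rewrite.

```python
import base64
import hashlib
import hmac

# Constructed sample bundles (not real ProtonMail code). The "tampered" one has a
# hypothetical pre-encryption hook appended: the kind of per-user variant the
# thread worries a provider could be told to serve to one targeted account.
CLEAN_BUNDLE = b"function encryptAndSend(msg) { return send(encrypt(msg)); }\n"
TAMPERED_BUNDLE = CLEAN_BUNDLE + (
    b"document.addEventListener('beforeencrypt', "
    b"e => navigator.sendBeacon('/collect', e.detail));\n"
)


def sri_value(data: bytes, alg: str = "sha384") -> str:
    """Subresource Integrity string, '<alg>-<base64 digest>', as browsers compute it."""
    if alg not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def bundle_matches_pin(data: bytes, pinned: str) -> bool:
    """True iff the served bytes hash to the pin the client shipped with.

    The pin must be held somewhere the server cannot rewrite (a native app, a
    browser extension, or a hash published out of band and compared by hand);
    an `integrity` attribute in HTML served by the same operator proves nothing.
    """
    alg = pinned.split("-", 1)[0]
    # Constant-time comparison so a mismatch and a match take the same time.
    return hmac.compare_digest(sri_value(data, alg), pinned)


def check_served_bundle(served: bytes, pinned: str) -> str:
    """Decision the client makes before executing code it was just handed."""
    if bundle_matches_pin(served, pinned):
        return "run"
    return "refuse: served bundle differs from the pinned release"


# Computed once from a reviewed release and distributed with the client, not
# fetched from the provider at runtime.
PINNED = sri_value(CLEAN_BUNDLE)

if __name__ == "__main__":
    print(PINNED)
    print(check_served_bundle(CLEAN_BUNDLE, PINNED))
    print(check_served_bundle(TAMPERED_BUNDLE, PINNED))
```

The same `sri_value` output is what you would paste into a `<script integrity="...">` attribute when the HTML and the script are hosted by different parties; the point of the example is that against a compelled host you need the pin on the user's side of the trust boundary.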

Warrant canaries are illegal in Australia, at least in the case of other kinds of secret warrants. I would be very surprised that a judge would (given the existing laws that have similar properties) consider a warrant canary legal.

(For those wondering how they can be illegal, in Australia it's illegal to state the existence or non-existence of certain kinds of secret warrants. So a statement of a canary is, itself, illegal.)

There are allowances (from what I understand) in this bill. From "Section 6 - Unauthorised disclosure of information":

- A person who is: ...

...may, in the person’s capacity as such a provider or employee, disclose:

(e) the total number of technical assistance notices given to the provider during a period of at least 6 months; or

(f) the total number of technical capability notices given to the provider during a period of at least 6 months; or

(g) the total number of technical assistance requests given to the provider during a period of at least 6 months.


This subsection authorises the disclosure of aggregate statistical information. That information cannot be broken down:

(a) by agency; or

(b) in any other way." [0]

[0] pp50-51, http://parlinfo.aph.gov.au/parlInfo/download/legislation/bil...

Right, I forgot to mention the statistics. Yes, you can publish statistics in 6-month windows -- which is kind of what warrant canaries are supposed to provide information about -- but I'd be surprised if the "cannot be broken down" might be used to restrict the usefulness of statistics...

I mean, a literal reading would allow you to provide minute-by-minute 6-month windows (or a new 6-month window each time you get a request) which could be used to get very detailed alerts each time a new request was given but obviously you'd get into hot water by doing that.

So if I was an Australian citizen, I'd be committing a crime by saying:

I have not had any communications requesting investigative cooperation from any Australian law enforcement or intelligence agency.

No, it would be an offense to make a statement about the existence or nonexistence of a journalistic information warrant.

But I believe the bill which passed actually includes the ability to publish aggregated statistics about how many notices you've received. Removing the need for warrant canaries.

(And you wouldn't have to be a citizen, just a subject of Australian law which means that you are either a citizen, are a constitutional corporation, or physically present within Australia. Same as any other nation's laws.)

>I believe the bill which passed actually includes the ability to publish aggregated statistics about how many notices you've received.

But those stats would be useless as each notice can target an arbitrary number of people. The law as written can literally ask for the data of every one of your users.

As I understand it, there can be no stats about the number of individuals targeted, only the number of notices received.

This is government-compelled labor, whose product is only of value to government, and which labors in direct opposition to the personal safety and well-being of the entire general population.

Australia, you fail at the very notion of free western civilization.

It’s also government compelled lying.

This is another thing that adds to my deep sense of shame to live in this country (sadly, that list is long and growing).

This bill does nothing to prevent the kinds of things it is intended to prevent. The apps this law targets were engineered specifically to prevent this kind of interference. The idea that passing legislation will suddenly change that, magically allowing decryption of messages is beyond idiotic.

The legal and technical barriers to getting anything useful from this legislation are huge. Not to mention the ease with which this can be bypassed (run OpenVPN and IRC on an overseas server, done).

The justification for rushing this was so that Australia could be kept 'safe' over Christmas. It's beyond difficult to describe how ridiculous that is.

Edit: Sorry, I also have to add that in the same sitting of Parliament the government also filibustered legislation that would have enabled medical evacuation of refugee children from child detention on Nauru. It's been a bad day for Human rights in Australia.

> It's beyond difficult to describe how ridiculous that is.

Especially since ASIO (who really wanted this bill to pass) has stated that even if the bill passed today, they wouldn't have the necessary powers before Christmas.

So now any of the Five Eyes intelligence agencies can have a chat with ASIO and get them to coerce companies and individuals within companies to put these back doors in. Then they can all use the same back doors, so everyone living in the USA, UK, Canada, and New Zealand can have their encryption compromised and communications intercepted. There's no way that companies will create back doors specifically just for Australia, so everyone will have access.

In terms of Australia I'm not sure what we could actually do about this, given that it's ASIO and other government departments that want these powers and that they have tried to introduce this sort of law over the course of the last decade. Both major parties have introduced legislation such as this and both voted for it. Maybe it is time for civil disobedience, and have everyone create and distribute encryption applications for all devices, because they couldn't possibly jail everyone right? I just wonder who will be the first person jailed or the first company fined for refusing these orders.

In terms of the world at large, which country should we trust now? A lot of the Western Democracies are becoming rapidly "security" focused authoritarian, and the other countries powerful enough to stand up to them are not much better. Should we trust applications with code written in Russia? What about hardware products manufactured in China? Should we trust services running in the USA? Now we also have to be wary of any company that runs a service in the Five Eyes countries.

Sometimes I wonder if we really have it better than people in the middle ages or other earlier periods, in some ways it clearly is, but in others it's just the same smell coming from different shit.

And then somebody from inside will get a guilty conscience, but remember what happened to Snowden, and just sell the backdoor straight to Huawei or NSO or Mohammed bin Salman (salving themselves by pretending they're going to donate hundreds of millions to "improving the world", but instead will buy private islands and matching citizenships to Peter Thiel's...)


While America might have the Espionage Act, we have a law (passed a year or two ago) that gives mandatory minimum sentences of >15 years for revealing information about ASIO. And sharing the information (even if it's public) carries the same penalty -- so re-tweeting such revelations is a criminal offense. As is viewing it.

Chilling effect? More like dipped-in-liquid-nitrogen effect.

I hope Australia will have its own Edward Snowden, but the immediate repercussions would be far more severe in Australia.

Realistically, if you were a developer not in the chain of command and asked to do this: Would you? Could you?

You would be knowingly putting your name to a vulnerability, and if someone asks then you have to keep it a secret and feign incompetence. Then if they revert your change you'll have to re-implement it.

If you do tell your superiors (which would be most likely what would happen, even before writing the code) then you would be in violation and could be put in jail.

If you refuse you would be put in jail, or they would go to the next person in their list.

If you think about logistics they'd have to make contact with people in the company to even find out who the devs are who are capable of making a backdoor. That would probably tip off others in the company as to what was happening anyway. You'd think they'd essentially have to serve the whole dev team with the secret order.

I think you could immediately resign. It's not a slavery bill... is it?

There's LinkedIn, there's social media, there's actually keeping a record of who enters and leaves a company's premises. There's heading down to the bar after work on Friday. There's community events and meetups.

And there's the previous backdoors they got into BitBucket/Github/Gitlab/Mercurial/Perforce/etc. And, no doubt, the "LEO Portals" that FAANG and FAANG wannabes already have which they'll just hand over to Australian authorities (probably including local councils and the taxi commission, based on evidence about how the metadata retention powers have been used...)

After the first few times they use these new powers, the people who're gonna come asking are 99.9% likely to know exactly who the person who will write, commit, and code review the backdoor they're demanding... And their direct manager, and the management chain all the way to the C suite...

I think I need to quit this entire industry, maybe take up boatbuilding or something...

But just seeing who's going into the building doesn't tell you exactly who is handling encryption and security in the codebase.

I wonder what the legal implications of just quitting on the spot when asked might be?

It's 100% posturing and optics. There was nothing achieved by passing this law at the last day of sitting.

When I was a kid I really wanted to see Australia. Kangaroos! Coral! Toilets that go backwards! Crocodile Dundee! (I was a kid, alright?)

It just seems like a hotter, drier America at this point.

New Zealand still looks lovely though. Maybe they could invade you?

Bit harsh, compared to America it's still saner day-to-day with healthcare, gun control, and very liveable cities with public transport.

And it isn't like other western countries aren't thinking of doing something similar. While this is a bad law, being smug about it is the wrong reaction.

I don't mean to be smug. It's just kind of sad to see what's happened to a country with enormous soft power. Same goes for the US.

I wish I knew more western countries who were defending privacy, and the environment for that matter. For a period it kind of looked like Germany _might_ but that hasn't stood up (Who knows, maybe the Pirate Party will get a chancellor someday). The Nordics don't seem amazing either.

What does that leave us with? Some rocky archipelago in the middle of the Pacific? Developing nations that simply don't care or lack the ability to have meaningful enforcement? I'm really struggling to think of something.

Which other western and non-English-speaking countries are doing similar things? This democratic-authoritarianism seems to be unique to the Five Eyes nations.


There’s no monopoly on violence. Gun laws are about who can’t have guns, not who can.

People have the idea that gun control affects who either can and can't have guns. They forget about the third possibility: Schroedinger's gun owner who is in a superposition of can and can't have guns at the same time.

One of the best criticisms for the rushing through of this POS legislation was "if it's such a rush to get this done, why hasn't Australia's threat level been increased?"

The answer from the intelligence agencies is that there must be a known specific threat in order for the threat level to be increased (from "Probable" to "Expected")[0].

So, they're saying that it's important for this legislation to be passed for the sake of the safety of Australian citizens despite the fact there's no specific threat that's worth raising Australia's threat level for.

Add this to the huge list of WTF's surrounding this situation.

[0] https://www.nationalsecurity.gov.au/securityandyourcommunity...

> OpenVPN

They'll probably want a backdoor in that too.

Careful criminals will surely be able to find a set of software that isn't affected. Australia isn't the US, only a small portion of software companies would have a large local presence here.

I’m sure that will change now.

From small portion to none. And basically Australian software developers are unemployable now.

The problem is that a backdoor might not be so obvious. It can be simply a wrongly chosen algorithm key size, and you need to be a cryptographic expert to know that.

That would have to be a systematic weakness... except systematic weakness is probably doublespeak for "whatever the fuck we want to do" anyway.

No reason for them to be getting it.

The government's primary goal is to protect itself and continue growing like cancer. In many ways the citizens are its greatest threat because they can vote to cut budget and the power of the political elites. These laws are a way to increase monitoring of citizens so problems can be squashed before they grow too big and threaten the government.

Make no mistake, with the rise of ML governments will be able to crush social movements in the nascent stage before they become too big to stop. People will be arrested for thought crimes because they posted the wrong thing on the wrong website. And currently a large number of people would cheer because the people getting arrested are on the "other" side of the political spectrum. Be careful what you wish for.

Except that there's other countries where their governments don't seem to have these problems.

Where? From what I've seen Europe, UK, USA, Canada, and especially China are all moving in this direction of more privacy intrusions. Considering the West has traditionally offered the most freedom for its citizens, I'd say things are trending towards authoritarian governments.

EU seems to be pretty concerned with data privacy, and they even have laws protecting it.

They have laws protecting individuals from companies, not the government. The GDPR has special exceptions for government investigations, and many EU countries have strong domestic spy agencies that spy on their citizens.

Aside from the UK (which is doing its best to leave the EU, and never really felt like an EU country anyway), which countries are actually spying on their citizens like that to any great extent?

The EU had (until 2014 when it was ruled to violate fundamental rights) a data retention charter which required member states to store all telecommunications data generated within the EU for a period between 6-24 months[1].

The GDPR explicitly allows for government surveillance to be excluded from the directive's protection.

Privacy International and a bunch of other NGOs have filed complaints[2] against "Belgium, Czech Republic, France, Germany, Ireland, Italy, Poland, Portugal, Spain, Sweden, and the U.K." for violating rulings by the European Court of Justice over illegal mass surveillance. Here's another article[3].

[1]: https://en.wikipedia.org/wiki/Data_Retention_Directive

[2]: https://www.forbes.com/sites/emmawoollacott/2018/06/25/eu-na...

[3]: https://medium.com/privacy-international/a-new-era-of-mass-s...

coughs in American


Australians did not give up guns in citizen hands. And per capita, we have more guns than our military.

? citation please ?

Wow, never knew that. Thanks.

How did that work out for you when the PATRIOT Act was passed?

> as a populace is armed it can strike fear in the government.

Or it can shoot up a pre-school.

Only one of these things actually happens outside of adolescent power fantasies.

I actually provided an example where an armed populace did strike fear into the government. The IRA were targeting MPs and fairly quickly after that there were Good Friday Agreement discussions.

There are counter examples to every case, but my point was the Australian government can do what it wants because its populace lets them.


Surprisingly, I have not lived at the time of the American Revolution. Neither have you.

Who we are contemporary with are the parents of a lot of dead kids; maybe you should explain to them the necessity of guns to protect them from harm.

But keep on living in the past. If events like Sandy Hook can't change your collective opinion, I doubt that anything will. It's all on your hands, you proud all-American weekend warriors.

> Surprisingly, I have not lived at the time of the American Revolution.

I think you misunderstand. I'm asking you to imagine, or in other words, pretend for the sake of argument, that you lived at that time, and then ask yourself whether you'd join the loyalists in calling for the colonists to be disarmed. Does that make sense? If you cannot understand why many Americans are unwilling to discard a right that was fundamental to the very existence of their nation, then you'll never be able to debate this topic productively.

> maybe you should explain to them the necessity of guns to protect them from harm.

Certainly, just as I have (gently) tried to convince people who have lost loved ones to drunk driving or alcoholism that criminalizing alcohol would not be a moral response to their loss. Would you disagree? Keep in mind that alcohol kills tens of thousands of people every year, including thousands of children killed by alcohol-impaired drivers. Is this also a problem that needs to be solved by criminalizing all alcohol? If not, what's the difference in your opinion?

Australia didn't criminalize guns, we regulated them.

Alcohol hasn't been criminalized, but it has been regulated.

Regulation, in Australia's case at least, works. We went from several large public shootings, to next to none. We currently have more guns than when regulation was brought in [0], but by preventing those who are too unstable from gaining access, we've prevented many attacks on the public.

Regulation isn't a ban. It isn't suppressing a right. It's protecting the populace from those who bring harm, and themselves would be harmed, by access. And when they find a way to recover in those areas of concern, access is available.

[0] https://sydney.edu.au/news-opinion/news/2016/04/28/australia...

> Alcohol hasn't been criminalized, but it has been regulated.

Yes, and that clearly isn't enough. That's my whole point. Alcohol is still killing tens of thousands of people. Way more than firearms do (apart from war).

> Regulation isn't a ban. It isn't suppressing a right. It's protecting the populace from those who bring harm, and themselves would be harmed, by access.

No kidding. You seem to assume that you're arguing with absolutist libertarian gun-nuts here. I'm all in favor of sensible regulation. I'm merely pushing back a bit on craigsmansion's brainless knee-jerk "But Sandy Hook!!!" reflex, which is as useless here as it is in similar debates over other dangers like drugs and alcohol.

Yeah, I'm not "misunderstanding" anything.

We're not living in the past. "Fundamental to very existence of the nation" is simpleton claptrap. Eradicating Native Americans was also fundamental to the very existence of the nation. It has no bearing on the present, no matter how much your kind would like to obfuscate the matter with jingoist bombast.

> which is as useless here as it is in similar debates over other dangers like drugs and alcohol

Not talking about drugs or alcohol, but sure, change the subject. "But what about...?"

> "But Sandy Hook!!!" reflex

That's not a reflex. That's a shrug: there's simply no event terrible enough that will evoke change. Apparently this actually is what you want. It's sad for the children, because they never got the chance to vote, but for the rest of you: just stay afraid, wave that flag, and polish the caskets.

I know this topic attracts emotional debate, but you're so emotional that you're inventing enemies. I personally am very much in favor of sensible, even strict, gun control. If you insist that everyone who disagrees with you is a blood-lusting gun-nut, then I think it is you who will appear crazed in the end. I think your language bears that out here.

> "Fundamental to very existence of the nation" is simpleton claptrap.

This is a bit ironic coming from someone who then says, "Apparently this actually is what you want", and, "wave that flag, and polish the caskets." You're not really interested in hearing or saying anything that's not claptrap, are you? Be honest.

> Eradicating Native Americans was also fundamental to the very existence of the nation.

I agree! However this is a strawman. No one would argue that genocide should be continued for the good of America. However you will find many, like myself, that say the Bill of Rights was and continues to be critical for democracy in the U.S. Would you disagree? Would you say that fighting for freedom of expression (1st amendment) is "living in the past"? If not, how do you justify treating it so differently from the 2nd amendment?

The parallels between firearms and other highly dangerous substances such as drugs and alcohol are highly instructive. Or at least they could be if you were willing to consider them rationally. Again, by any measure you care to take, alcohol is a greater danger than civilian gun ownership. Why should we not criminalize alcohol? Why not consider criminalizing every dangerous substance or activity? You appear to think this thought process is irrelevant, but you're unable to articulate why. I really think you haven't thought this through very well.

we also have every country the US has gone to war with in half a century

> This is another thing that adds to my deep sense of shame to live in this country (sadly, that list is long and growing).

I don't support this legislation, but I have to ask, which country is doing a better job on human rights issues than Australia in your opinion? Surely not China or nearly any country in Asia, Africa, or South America? Surely not the US? Probably not much of Europe?

To paraphrase our PM, speaking on medical evacuation of children, "I will do whatever is possible to prevent it."

Australia's government blocked legislation that would help kids not die. Because they came on a boat. Which has never been the primary way illegal immigrants get into this country.

Nauru was declared a human rights travesty by the UN.

The medical board that decides whether or not it is a medical emergency that needs to be treated in Australia is staffed by lawyers and only occasionally features a doctor.

We're killing people from neglect, because they dared to take any avenue available to them to escape their homes.

If we put half the effort into assessing their case as we do into making sure they stay in a place reminiscent of WWII slave encampments, there would be no issues.

It is an absolute national shame. MSF recently likened the mental health of the people on Nauru to victims of torture.[1]

The most disturbing aspect is the strong bipartisan and public support for the ongoing abuse. Every Australian should wake up in the morning, take a long hard look in the mirror and ask themselves if they're proud of what they've become.

[1] https://www.msf.org.au/article/statements-opinion/indefinite...

>The most disturbing aspect is the strong bipartisan and public support for the ongoing abuse.

Is there really public support? Everyone I've talked to thinks it's a disgrace.

My personal social circle and Sydney Inner West socially aware bubble all think it's a disgrace, but I'm not kidding myself into thinking I'd need to go very far before I bumped into people who'd justify it to themselves as "necessary for the country", and not a lot further to find people actively and vocally celebrating the cruelness...

Yes, this is the sad truth. Unfortunately a huge swathe of the general population supports the 'tough on refugees' stance. It can get pretty ugly. About 5 years ago I was pretty heavily involved in refugee activism; a friend and I were spat on in a shopping center for circulating a petition, and it was not uncommon to get verbally abused by people in the street. This was in a safe Labor area too, so it's not exactly like I was in some conservative heartland.

The pollies seem to think so. I don't know anyone who admitted voting for Abbott in 2013 either but a lot of people obviously did.

There have been slightly more encouraging signs recently that the tides are shifting, at least in my view. The rinsing the state Liberals got in Victoria after desperately pushing the openly racist and patently false "African youths are all gang members and everyone is afraid of being robbed" rhetoric, as well as the uptick in general awareness and number of protests, makes me hope the public's apathy is morphing into a deep national shame.

That being said, being a "coastal elite" in a progressive area isn't necessarily a good litmus test.

Some people say the efforts by Liberal/Labor are to discourage a lot more refugees from overwhelming Australia. Resulting in increased crime, less jobs, etc. They acknowledge that some will suffer in the process.

Other points I noticed:

- Coming across as emotional about the harm and suffering on Nauru or escaping war, they will dismiss all arguments as immature and feel like they're being an adult to you.

- Some are persuaded by increased economic activity and net welfare investment benefits but want more screening but wouldn't know how to do this effectively.

Source: Asking random people about policies. Some people you can try asking: mechanics, tradies, checkout people, business people, asking people who handout stuff for Liberal/Labor. To get a deep understanding, read their sources, any of the Murdoch rags or right wing morning shows (ie Alan Jones).

>Some people say the efforts by Liberal/Labor are to discourage a lot more refugees from overwhelming Australia. Resulting in increased crime, less jobs, etc.

Meanwhile we're letting every man and his dog waltz in through the front door, as long as they have money.

But we don't want those dirty refugees! Lock them up in our own Aussie Guantanamo and throw away the key. It's sickening.

Actually I think several Latin American and European countries do a better job on human rights issues. Some African countries as well.

See for instance https://en.wikipedia.org/wiki/World_Index_of_Moral_Freedom#W...

Why does it matter? It's not a zero sum game, what others are doing is completely irrelevant to the question of whether or not what we're doing is disgustingly immoral (and it is, as far as I'm concerned.)


But yeah, “cryptonomicon” utopias are hard to get by, these days.

This is classic 'whataboutism', trying to deflect from the real subject by bringing up another. But keeping in line with that theme: what about detaining immigrants on Nauru, Christmas Island, Manus Island etc. under doubtful circumstances with no open access for press and NGOs?

I didn't read the comment as tu quoque, I read it as "it's a bit shit everywhere". Even Canada treats native populations badly, I don't know what things are like in the Scandinavian countries.

Too bad, it's almost 2020 and we still can't get "treat people well" right. What hope do animals or the environment have?

Wasn't the situation in Nauru that the immigrants aren't considered detained as they are free to return home as soon as they agree to do so?

If you are an Australian software engineer, you have one advantage that other nationalities do not: the E3 visa. It is a US working visa that is specifically reserved for Australians and consequently it is much easier to get than an H1B.

My advice is that the Australian tech industry just got nuked from orbit, so come work in the USA. The pay is better, the work is more interesting and the tech companies actually have sway over policy here.

I am not sure that migrating will help. If I read the bill right, it implies that every person providing any service used (or "likely to be used") in Australia is under legal obligation to insert these backdoors. I don't think it specifically mentions software developed in Australia.

The bill seems to be a nightmare - it even says that the technical assistance request can be given orally. What the bloody ....?

To me, it reads like this - if you're a Nigerian developer working in Germany and refuse to do this for some software (after all, every software is "likely to be used" in Australia), you are still breaking the Australian law. But you need not be prosecutable if Germany does not have an extradition agreement with Australia. If you are an Australian anywhere in the world however, then refusing this makes you a criminal, probably later a fugitive. This is my understanding. Can someone confirm?

Australia does not have the economy to force such a perverse violation of privacy on foreign business. If they try it, Google et al will be much better served pulling a Spain and blocking access in Oz than by complying.

The courts of most nations would laugh out the notion of extraditing their own citizens to Australia for hosting a website and not giving the AU government a backdoor to it.

Just geoblock Australia.

I've heard this from a number of reliable sources (friends in the industry based in TX and other places). Absolutely considering the leap as soon as is feasible.

You've got Trump. Also the NSA.

Maybe I'll just work on a farm instead of this technology madness.

Trump won't last forever and Apple and others have been staring down three-letter agencies for a while now.

The US has already been doing this stuff for a long time, without it being legal. They can always pressure you and threaten to ruin any engineer's life if they don't do what they want. And who do you think came up with this legislation? It's US Intelligence. Australia is their testing lab, just like Macca's does.

Apple stared down the FBI in a mass murder case, because it was possible for them to do so. They won't be able to do that in Australia.

I don't like the US shonkiness any more than anyone else. But these situations are not precisely equivalent, especially since this bill passed.

I don't see how it's any different to the situations with NSLs in the US. There's a veil of secrecy and no real limits on the scope of request with very harsh penalties for non-compliance.

The US government ignores their laws, while Australia passes terrible ones.

Six of one, half dozen of the other.

> The US government ignores their laws

and yet

> Apple stared down the FBI in a mass murder case, because it was [legally] possible for them to do so.

The US government couldn't make Apple help them in public, but they just spy on everything they can themselves behind closed doors.

So far we haven't seen the Australian government ignore its own laws so completely.

Could the downvoter please explain why, or educate themselves about Edward Snowden?

but health care

Typically included in your benefits package as part of the job. You don't have to give up Australian citizenship to get an E3, so if necessary you can fly back to Australia for treatment.

>if necessary you can fly back to Australia for treatment

If a sickness/injury is bad enough to need to fly back to Australia, there's a pretty good chance you won't be allowed on a plane.

That is naive and simplistic. Sure, if you were hit by a car you probably won't be making a flight. But cancer? Elective surgery? Physical therapy? There are plenty of slow roll medical issues that can survive a 16 hour plane trip.

Sure, but it's financial ruin if it isn't one of those things, even if you survive. Who's being naive?

That's fine. You're ok with taking that chance, I'm not.

If you want to get double taxed, sure you can keep your Australian Medicare and private health insurance.

As far as the ATO is concerned, unless you discontinue both, you're considered an Australian resident for tax purposes.

Even though the US considers you a resident alien, the ATO requires you to at least look like you won't be coming back for >1 year.

My experience was that the ATO did not consider me a tax resident. Basically if you've tidied up your Australian affairs, earn 0% in Australia and 100% in the US, they aren't totally bloody-minded. I did make sure to use a specialist tax agent though.

After ~3 years the IRS considers me a resident for tax purposes. The ATO only cares about my income because they want to collect HECS payments.

I am an Australian software developer and am currently getting https://www.lifepim.com ready for release which, funnily enough, has as its main selling point "Your data is private, secure and free from adverts" - what a joke.

The scary part is not knowing how the law is going to be implemented - I am hopeful that smart people work on the implementation of it in terms of practicality.

If it is an on request thing "give us the details of terrorist@blah.com" then that is doable, but if they really want backdoor access to all accounts, then that is a ridiculous amount of work and a lot of security risks to worry about.

Wait and see I guess.

I would not use your software because I don't believe my data on it could possibly be private and secure. Especially after you've just said you could do an "on request thing" for certain users' data.

Sadly our government has failed us. We are the laughing stock of the whole world (except maybe China).

I’m sure your customers will believe you if you say that your government did not tell you to lie about backdoors and weaknesses in your product's security.

That's the scary part about this - a company is not allowed to tell people when the data was accessed

They are allowed to provide statistical information (in 6-month windows). Still completely useless in a practical sense.

No. That was an amendment that was not passed.

We got the full dictatorship version with no reporting at all.

Technically, it's not like a dictatorship at all. A dictatorship is a government where there's one person at the top with ultimate power. What you have really is more like a "cabal", much like China's government.

Oops. Totalitarian government?

The section on statistics was in the first reading of the bill.

Looks like a cool product.

Realistically could we just setup all code to be hosted overseas and then pay a set of reviewers in Europe to check PR's for possible backdoors? Don't think the law lets them compel you to build the backdoor in a super secret and hidden way...

The way it’s written that could be 5 years in gaol because you let people know about it.

Not relevant, but I love the old-school spelling of "gaol". Is it still used anywhere or are you being whimsical?

Yes, Australia uses it still. e.g. Ballarat Gaol, Old Melbourne Gaol.

Ah, that's delightful.

That's the official spelling in Australia, and I think the UK.

Thanks! I don't think hosting overseas would work, but then again - who knows how it would be implemented.

Don't launch in Australia.

Or don't launch in Europe.

GDPR and this legislation are in direct conflict. Pick a market...

In this case, it's a market of ~25 million vs a market of nearly ~500 million people..

easy choice to make.

Can launches be targeted (legally) to a country? The site is hosted in London and is already GDPR compliant - wonder if this means it is not under Australian laws?

If the business is registered in Australia then you're under Australian laws, regardless of where it's hosted.

All my hosting is done in the US, but that doesn't mean any of my businesses are necessarily American.

If you're not an Aussie company, and don't have any staff in Australia, then it's a long reach for them to do something to you.

If you specifically reject all customers attempting to sign up from an Aussie IP address, or with an Aussie physical address (if you have that), then you're on pretty firm ground to tell them to piss off if they come knocking.

But, y'know, I'm not a lawyer, and you might be subject to whatever whims any country cares to hit you with. Get some legal advice before trusting some random internet comment ;)

I guess the poster child for this is Kim Dotcom. Launched a file sharing service from New Zealand that didn't break any NZ laws.

USA didn't like it though, and asked NZ to extradite him to face charges in the USA.

Legal battle still going, I think... but the business is dead.

I doubt Australia has that much clout, but you never know when an extradition will be the price of some favour to someone...

Nothing bad about GDPR, since it's actually made to protect citizens.

totally agree. Which means their contradiction of the Aussie rules means...

Yup, your software just became compromised. No way in hell I'd ever use that now.

Time to find a new career, sorry.

It is now legally impossible for data to be private or secure. Your product is now dead by law.

I have to say, the coverage of this bill on the news has been atrocious.

I've seen zero discussion of the possible ramifications of losing all security companies in Australia. Any software company that depends on security (and which one doesn't?) would be insane in the membrane to think they could credibly work in Australia now.

All they are saying is "the bill was passed to access encrypted communications of terrorists and criminals".

No discussion of no judicial oversight either.

News orgs are shooting themselves in the foot because there's no possibility of a journalist protecting their sources anymore with this nightmare.

Australia doesn’t have much in the way of judicial oversight. The joys of parliamentary supremacy and a weak constitution.

To anyone with a business from anywhere else in the world. Yes please do, publicly and loudly, cease to deal with us (Australia) due to the very real possibility that all of your private and commercially sensitive communications will be monitored and recorded (Also given the five eyes agreement shared with other countries.) Australia already has a history of using their spy services for commercial gain. https://en.m.wikipedia.org/wiki/Australia%E2%80%93East_Timor...

+1 block us. Apple if you are reading this stop selling us iPhones. Australians need to feel the pain of this otherwise nothing will change.

1 billion dollars wiped from Atlassian already. I’m hoping the markets react more and destroy the industry here.

Might want to assume that all Australian developers are now potentially compromised.

Ugh, Trello is owned by Atlassian. Will this law mean we should assume Trello is compromised? Trello is based in the US, so I'm not sure how that plays out with the law.

If Australians work on it, then yes.

Possible it will go nowhere. How can Apple for example provide a backdoor for imessage which isn't a systemic weakness?

The intelligence service will request a special version of the software which will store the contents unencrypted, or decrypt the existing contents, or send information to a different server.

Then they will coerce a telecommunications provider to install this application on the target's machine (says nothing about having it installed on everybody's machine accidentally or otherwise).

Then they shall profit.

They could be compelled to send firmware updates only to specific phones with a new version of imessage that doesn't perform end-to-end encryption.

Have the app store send a special version of the app or system update to robryan that, as well as rendering the message on the screen, also sends it to the gov.

The Government simply defines systemic weakness to be something that doesn’t happen when Apple is coerced to introduce an easily exploitable hole in their security for all products.

I wish I was being facetious.

Considering that isn’t even defined in the bill that just passed I have little hope it will save it.

> have little hope it will save it.

have little hope what will save what?

I bet that the entity that sells iPhones here in Oz is different to Apple inc. and has absolutely no leverage to do anything in software.

Just like Yandex in Russia - legally they buy all of the software from a company in the Netherlands, at least that's what I heard.

That's how they get around tax.

Apple Inc will sell the phones at high rates to Apple Australia, so Apple Australia can claim they are making zero profit in Australia, so hence have to pay no tax.

God this is so true. I am so ashamed of our so-called representatives.

Please, Apple, do what you know is right and disable all iPhones in Australia. Google, please do the same with Android.

If you have a website, geoblock Australia from it.

Quarantine us from the world. We are sick and will infect you all.

I really hope Apple does this. Half the politicians seem to use iPads for all their computing needs.

I can’t see Apple allowing the Australian government to dictate how they handle security... it’d destroy all confidence in their brand.

They didn't let the pain-in-the-ass FBI go through their shit so hopefully they tell Australia to pound sand too.

> If you have a website, geoblock Australia from it.

Just did... won't even respond to ICMP. My Tokyo and UK sites.

Actually, if it's possible, you could redirect to a page saying the reason you are blocking, that would be even better.

Seriously the world should quarantine us.

This isn't going to help. It'd be better to refuse to do business with Australia, but be sure to show them just what they're missing out on.

No, don't geoblock us. Just refuse to do actual business in Australia. Only allow us to download apps from the U.S. where such broken legislation is not in effect.

Don't think it will help since the agencies can force telcos to MITM the store fronts.

Even this draconian bill I don't think has the power to make telcos MITM sites hosted overseas, does it?

But who knows, this bill seems to be the Christmas gift that keeps on giving! Merry Totalitarian Christmas, everyone!!

Setting up a MITM would just be a small request from a low level technical employee. Just make packets from this IP go to this other IP for this one account.

But if that foreign site is using https then the telco couldn't know which account is logging in.

How do the App Store and Play Store react to bad HTTPS? Do they allow the user to trust?

While you are probably correct, the world needs to urgently stop doing any business with China first.

And since it’s not going to happen, other countries beyond China unfortunately start to get some funny ideas, too...

China is 1.3 billion people; Australia is 25 million. Big difference when it comes to cost and incentive.

Although, we’re a rich 23 million. Of course China’s middle class more than makes up for it, but there’s a reason tech companies like (liked?) Australia.

Yep, I'm working on an encrypted product, and will be recommending we don't launch it in Australia. Tiny market, enormous regulatory burden. Not worth it.

I second this. Please be vocal about how Australians are now boycotted. We need the government to freak out.

As an Australian dev, I concur. I would rather our tech industry die (and I end up digging holes in a coal mine for a living) than have this country become a global spy hub used by governments to subdue their citizens.

Does this mean that if I take my iphone into an Apple Store in Australia for repair that a Genius could load unknown software (under legal compulsion) without Apple itself knowing?

They have to attempt to keep Apple from learning about it, as I understand it. I wonder what steps Apple will take to bar this kind of eventuality. If an employee makes a good faith attempt to comply with this request, which is then blocked by the overseas manufacturer, can they throw their hands up and say, "Well, I tried!"? Would this allow them to avoid the $50k fine and 10 years in jail the Government can hand out for not complying?

Technically, yes, as I understand the legislation.

This is a civil rights nightmare.

Literally zero percent chance I touch any software made in Australia now.

This immensely stupid law applies to any business that operates in Australia, which includes Google, Apple, Microsoft, Samsung, Facebook, Github, and every other major tech company on the planet.

If they want to continue doing business in Australia (and they very much do) then they'll be forced to comply, which means everybody in the world is negatively affected by this insanity.

Cutting loose ~25 million potential customers might actually be financially rational for some companies. It's not like we here in Australia are really a very big market on the global stage...

Won't surprise me at all to find some businesses (like perhaps Whisper Systems) whose "doing business in Australia" doesn't actually earn them a single cent, yet will open them up to enormous reputational damage if they continue operating in Australia after this, might just choose to take their app/service out of the .au app stores...

(BRB, backing up my iDevices and switching auto-update off...)

Please don't turn off updates. You're going to miss out on exploit fixes, which puts you in a worse position.

> If they want to continue doing business in Australia (and they very much do)

Meh. 25 million people, and not a top ten economy. Australia has a powerful reality distortion field that makes it seem more important than it is. Must be the tourist marketing and the fact that it punches above its weight in producing successful entertainers.

It’s more likely that WhatsApp and other encrypted messaging apps will just get pulled from the Australian App Store (if the Australian App Store remains in place, since it’s likely to be chosen as a distribution vector for compromised software).

The population isn't a relevant part of the argument, Mexico has 130 million people and has a smaller economy than Australia. After the top 6 or 7 economies, the next 6 or 7 are all comparable in size.

But more importantly, because of the high GDP per capita and low income inequality, Australians are wealthy with lots of disposable income. And so most international marketplaces see disproportionately high amounts of Australian spending when considering population size.

For instance, where I work, the top 5 spending countries are the US, Canada, Australia, UK, China in that order.

If they don't get pulled, well, that tells you something too.

Fastmail, don't forget.

With a somewhat heavy heart, but I shall be cancelling my service there.

Does anyone know of a similar service hosted in Canada?

I wonder if this would affect other, non-Australian mail providers (ProtonMail for instance).

No it does not, as we fall solely under Swiss jurisdiction since we don't have a presence in Australia.

From the Bill itself: "A person is a designated communications provider if...

4 the person provides an electronic service that has one or more end-users in Australia

5 the person provides a service that facilitates, or is ancillary or incidental to, the provision of an electronic service that has one or more end-users in Australia

6 the person develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end-users in Australia"

I believe ProtonMail falls into these categories. As an Australian and a user of your services myself, will this mean getting service "officially" cut off in Australia?

The Australian government has successfully nuked its own entire IT industry from orbit. Great job guys.

I feel sorry for the people who started good businesses only to have them destroyed by this shitshow.

If it wasn't so scary as a citizen myself, it'd just be sad.

If that happens, then you could simply use ProtonVPN to bypass the block.

Wouldn't that mean that ProtonVPN then has an end user in Aus, and would then be theoretically subject to all this nonsense?

A user would have to double-VPN for ProtonVPN to be the solution. Right?

Huzzah, another talking point to convince the team to migrate off Bitbucket. Silver lining I guess!

Isn't Atlassian Australian? Or did they move?

They’re Australian but have offices in other countries. I believe they would move for the right reasons. This seems like a pretty big reason, considering they’re targeted at enterprise. But move where? UK will have this next, America does this without any laws at much greater effect and scale.

Iceland? Switzerland?

They'd need the system admins, CI infrastructure and code review team to be in a jurisdiction free of this kind of thing, and then treat all changes subject to laws like these as hostile.

The alternative is to sell software that everyone knows has backdoors. Pretty hard business case to make.

California. I had to agree to some changes to their ToS the other day (for Bitbucket) in which I agreed to dispute resolution under California law. I suppose that's a pretty good indication of their thinking. It's not like this legislation is unexpected or sudden.

Are the U.S. "gag orders" equivalent to this new Australian law?

No, the new law has no judicial review and has a few other things that wouldn't fly in the US. It's markedly worse (though don't get me wrong, the US definitely has it pretty bad in this area too).

You say that like FISA Courts are actually judicial review and not rubber stamps... where you win is that you have a stronger set of rights and case law about it.

The difference is that there isn't even fake judicial review. And I disagree that we have a stronger set of rights -- the difference is that the NSA explicitly ignores your constitutional rights.

All of our rights (other than the right to a jury for certain criminal trials, freedom of religion, the acquisition of property must be 'on just terms', the right to be a senator if you can vote, and the right to vote in federal elections) are in common law. This means that any new law can overturn those interpretations.

Personally I think Australia needs to push for a constitutional bill of rights. Unfortunately this is going to be a very hard battle to win, given the enormous requirements to get a constitutional amendment passed.

I believe Fastmail is too, sadly.

It looks like the cloud services are supplied by a company incorporated in the US [1] ‘Atlassian, Inc’. They probably needed to do this when they listed on the NASDAQ.

There is also an Australian entity `Atlassian Pty Ltd` but it’s not clear to me what role that has.

[1]: https://www.atlassian.com/legal/cloud-terms-of-service

Atlassian is still very much based in Sydney. The CEOs (there's two joint CEOs), vast majority of the engineering teams and more are all just down the road from me. As with most large international tech companies, they have a number of different legal entities for regulatory, tax and other reasons.

So that means things like BitBucket / Trello are now all fair game to the Australian government?

Trello is based in NYC. I don’t know the actual corporate structure, but they could potentially be spun into a controlled company, maybe, to avoid this law somehow.

To be honest, Trello is the least of your worries with Atlassian. Authorities having unfettered access to all your code, regardless of privacy settings, is more worrying imho. Then again, GitHub is US-based and the PATRIOT Act already gives that power to US authorities, so if you care about that, self-hosting is the only way.

There is still a substantial engineering team in Sydney.

For now. I bet there's a lot of passports being dug out and resumes being polished up tonight...
