
The law explicitly allows them to target individuals. I don't believe that they gave themselves this power for no reason -- it's much easier to coerce an individual developer (who doesn't have fancy legal counsel) than force a company to do something. I'm sure they'll do it both ways of course, but I disagree that they'll only target companies.



I also think they would normally approach this top-down. The provision to target individuals might have been added just for the odd case where the normal approach is not feasible.

I still wonder how this law doesn't go against individual rights provided by the Constitution or other fundamental laws.

Either way this law is hilariously clueless and extremely worrying at the same time.


That's a mischaracterization. Any type of entity can be targeted, but not any agent. That's an important distinction to stop people acting as private individuals on their own time from being exempt from the law.

Not that I think this will work—it won't in the long run—but I'd rather argue against the strongest case of an argument.


According to Sect 317C, a "designated communications provider" includes:

    A person is a designated communications provider if ...

    6. the person develops, supplies or updates software used, for use, or likely to be used, in connection with:

      (a) a listed carriage service; or
      (b) an electronic service that has one or more end-users in Australia

    ... and the eligible activities of the person are ...

      (a) the development by the person of any such software; or
      (b) the supply by the person of any such software; or
      (c) the updating by the person of any such software

So individuals can definitely be targeted -- it's specifically in the bill. In your parlance, all individuals that "develop, supply, or update software that is likely to be used by an electronic service that has one or more end-users in Australia" are entities and not agents. They are defined to be a "designated communications provider" and the same rules apply to them as any other "designated communications provider".


The difference between can and will be is huge.

Look at it from their point of view... they approach some developer and it's amateur hour. The dev might get stroppy, there's all sorts of infrastructure problems, they might not do it right... it's a mess.

But if they approach the CEO, it gets done right. The CEO brings in Legal, who promptly shit themselves. They bring in the CTO, who is told to shut up, sign this NDA, and work out how to make this happen as fast and painlessly as possible. No problems, the bad things get done, no-one gets told anything, all good. Shit continues to roll downhill...


But now you have a dozen or more people who know what's happening and we all know, three people can keep a secret if two of them are dead.


I'm not sure the point is actually to keep it secret, but (as with all government "services") to cover the arse.

Also, if you were an employee in a company in this situation, and you'd been told that the security of the nation depended on your silence, and more to the point, you'd be locked up and your career ruined if you went public, what would you do? Whistleblowers are pretty rare, because the consequences of doing that are huge.


It also applies to former employees. Yes, you can be asked to hack into a previous job's systems.


Wait... would this also apply to foreign developers who travel to Australia for their vacation?


Like any law, it applies to those that Australia has jurisdiction over. Visitors to Australia are under the jurisdiction of Australian law.


Which means that the developer will be asked to stick a USB stick on a server, or pick a certain RNG; not submit a PR on a dumb backdoor such as described in this ... rant I guess.

Companies, of course, are already cooperating. For Pete's sake, all you need to do is talk to a couple of admins in the Bay Area to know what alphabet soup are visiting what companies (pro tip: basically all of them).


The most likely thing is going to be that Apple is going to be asked to allow police devices to be added to a user's iMessage account without alerting the user (but giving them access to their messages).

The real problem is that the law allows them to ask an individual to become a saboteur and it's unclear if you had a system that was explicitly resilient to such attacks (signed GPLv3 code with a threshold signing scheme with each key owned by people under different jurisdictions) whether you would be forced to dismantle such a system.

I think we'll need to start rethinking threat models.
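The threshold-signing idea in the comment above, as an added illustration that is not part of the thread: a release-signing key split 2-of-3 with Shamir secret sharing, so a single coerced key holder cannot rebuild the key or produce a valid release signature on their own. The field prime, the HMAC stand-in for the real signature, and the 2-of-3 policy are assumptions for the example.

```python
# Added example, not code from the thread: k-of-n control of a release-signing
# key with Shamir secret sharing, so one coerced key holder cannot sign alone.
import hashlib
import hmac
import secrets

P = 2**127 - 1  # assumed prime field; large enough to carry a 16-byte key


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with coefficients `coeffs` at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key, threshold, holders):
    """Split integer `key` into `holders` shares; any `threshold` of them rebuild it."""
    if not 0 <= key < P or not 2 <= threshold <= holders:
        raise ValueError("bad parameters")
    # Random higher coefficients: fewer than `threshold` shares reveal nothing about key.
    coeffs = [key] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_key(shares):
    """Lagrange interpolation at x=0 over GF(P); yields garbage below the threshold."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def sign_release(key, manifest):
    """Stand-in for the real signature: HMAC-SHA256 of the manifest under the key."""
    return hmac.new(key.to_bytes(16, "big"), manifest, hashlib.sha256).hexdigest()


def coerced_holder_can_sign(key, shares_held, threshold, manifest):
    """Policy check: can the holders of `shares_held` alone produce the valid signature?"""
    if len(shares_held) < threshold:
        return False  # below quorum; never even attempt a reconstruction
    return hmac.compare_digest(sign_release(recover_key(shares_held), manifest),
                               sign_release(key, manifest))
```

The 2-of-3 split means a quorum must span at least two holders, which is the point of placing them under different jurisdictions.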




