Hacker News new | past | comments | ask | show | jobs | submit login
Australia’s vague anti-encryption law sets a dangerous new precedent (protonmail.com)
467 points by djsumdog on Dec 8, 2018 | hide | past | favorite | 256 comments

(essentially repeating a recent twitter thread here)

Imagine you work in a modern software house and you get one of these ... and here I mean you, not your boss, not your coworkers, the govt knocks on your door and demands you put a back door in the thing you are working on at work ...

So you write the code ... how do you write the unit test? how do you get it past the code review? the mandatory QA tests? ... all these things are designed into our modern software design processes essentially designed to stop bad stuff like this happening ... what happens when you get caught? you lose your job, get blacklisted in the industry, after all you can't tell them the govt made you do it (on your CV/resume trying to explain why you were fired)

Equally say you run a big open source software project and you have valued contributors from Australia, people you trust and depend on ... what do you do? refuse them commit right? explicitly audit their every checkin? ask them to move on?

Suppose you buy closed source code from Australia .... you can't trust it in any way, even if you trust the company any one of their employees may have been asked to suborn the code you've paid good money for ... any smart purchaser is simply going to put Aussie software on the "do not purchase" list .....

So how do I find out which software on Android Play is written in Oz?

yes that's the thread, thanks

> modern software design processes essentially designed to stop bad stuff like this happening ... what happens when you get caught? you lose your job, get blacklisted in the industry, after all you can't tell them the govt made you do it (on your CV/resume trying to explain why you were fired)

I often wonder about this in regards to those "signed" orders in the USA, and it seems now Australia is similar.

And I wonder if we need more people going public in a very big way. i.e. Jim Smith has to put out a press release that says "I work for company X and the Government of Y country asked me to do xyz, and I refused."

Go very, very public with it, putting out press releases, etc. etc.

Obviously there are laws against that, and Jim Smith is risking a lot, but I can't imagine how things will get better until people on the front lines do stuff like this.

There's another, perhaps more insidious perspective, on this.

After the emergence of these type of laws there's going to be potential backdoors explained away with "sorry, can't tell, wink wink" and nobody will ever know for sure. What's an employer to do? Or even end users?

Every time you come across a double free bug or some complex concurrency issue that gives an attacker arbitrary write access to a process, remember that you might have been looking at a back door. Someone has an off-by-one error on an array access: is that a back door? Why do you think a backdoor is somehow noticeable in the code?

Here's what I would do: send it back to them and tell them to send it to my employer's legal department.

This might not be legal, and is one of the large problems that needs to be resolved. You individually are listed in this law as a "designated service provider", and thus you can't really pass the buck to your employer.

There is a valid question as to whether you are listed as a "designated service provider" if the only time you ever developed the relevant software under s317C(6) was as part of a job. But software developers that have done free software work outside of their job definitely would be counted.

As always, I would suggest you get legal council before doing anything in response to a notice -- even throwing it back in the face of the AG.

Good read: Reflections of trusting trust https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...

That said, this requires you to be clever and I don't think anybody can be forced to be clever with a court order, or at least what you describe offers plausible deniability

For large oss projects, accept PRs from those contributers, and outright tell the Australian government to go fuck themselves.

They have zero recourse.

I think they were trying to say "how do I know the Australians submitting PRs aren't secretly working for the govt?" Of course this raises (but does not beg) the question, "how do I ever know anybody submitting PRs isn't trying to sabatoge me?"

You just have to judge people by their fruits and hope they do the right thing or stop associating with Australians at all.

>or stop associating with Australians at all.

As an Australian, I hope people do this.

Internationally speaking, the tech community is not very good at drawing lines in the sand, we tend to want to please everyone.

I was really hoping that when it was shown how much the US was spying on traffic crossing it's borders, other countries would modify their routes to ensure their nations data didn't transit the US unless it was terminating there, but nope, didn't happen. Brazil talked about it but didn't do it.

Anyway, this is another rubicon moment. If we don't make this explode in the Australian governments face, then the US and UK will follow suit after the testing period is over. It's really important for the international software community to reject this utterly.

Start pulling out of Australia now and make it painful, or this will happen in countries it's impossible for you to pull out of.

> the US and UK will follow suit after the testing period is over

This is one case where the corporate capture of the US government works in our favor. Tech is an absolutely massive portion of the US economy (compared to Australia), and the tech companies will fight this tooth and nail. If the government couldn't do it in the 1990s (they tried) when tech companies were far less influential, they certainly won't be able to do it now.

Agreed. As an Australian, I'd also suggest that all IT staff, devs and PMs should now be treated as a plague ship for any company hiring us. At any time, our Gov can pull this new law out and coerce us into undermining your software.

This is not good for international relations at all.

The problem is that Aussie contributors of good character may find themselves forced by their government to sabotage a project they are working on - I think at the very least we have to check their work closely

> So how do I find out which software on Android Play is written in Oz?

If the above bothers you, then you should avoid any software written in the US too. The exact scenario you described can happen in the US, especially if you have a security clearance, but work in a regular tech job.

I expect they won't ask for anything crazy like that or violate the prohibition on asking for a "systemic weakness" - one of the reasons being that they want this law to be deployed as smoothly as possible to make a good case study for their 5-Eyes mates.

Why would the government ping you? Your boss can set a secondary build pipeline, that merges his brunch before producing a release build. Unless your company requires repeatable builds, you'll never notice this.

While I understand why they didn't mention this (because it's not clear if this interpretation of the bill is correct -- given there is currently no common law around it), I would like to point out what is the most concerning thing (to me) about this legislation.

It potentially allows the government to turn employees into saboteurs. According to s.317C(6), a "designated service provider" can be someone who has developed software that is likely to be used in an electronic service that has one end-user in Australia. This is a very wide net and immediately includes effectively every free software developer, and the employees of every tech company. Now, there is an argument to be made that employees don't qualify (because they're acting on behalf of their employer), but that's not clear at the moment. It also includes sysadmins (or even ex-sysadmins) as people who can be "activated" as saboteurs.

It should be noted that it's very unlikely that this legislation would result in the Armageddon most people (including myself) are quite worried about. I imagine it's much more likely this power will be used against a few big players (Apple, Facebook, Google) in order to add features like being able to add additional devices to group chats (or something like that). But obviously the law gives them much more power than that, and that's a very big concern.

(And the fact that only 2 MPs voted against it tells me there's almost certainly some back-door dealings that resulted in this bill being passed.)

Personally I've been reading the text and trying to grasp the implications of this.

There appears to be two limitations on this power: 1. You cannot be compelled to do something in a foreign country that would be a crime in that country 2. In issuing the notice the relevant oversight authority must give weight to your 'legitimate' interests.

I think 1 is a huge point as it effectively constrains the jurisdiction of the law to Australia.

However, there is still significant ambiguity. For example, can I be compelled to commit a crime against a foreign country while in Australia, if I have a legitimate interest in not committing a crime against that country?

Would a company's legitimate interest in not compromising customer trust (more than the existence of this legislation doesn't already), act as a significant constraint on the issuing of TANs/TCNs?

There's also ambiguity as to whether I can reveal the existence of a TAN/TCN to my employer. The law makes certain exceptions, including the ability to publish the aggregate total of TAN/TCN received in a 6 month period and seek legal advice. So in order to seek legal advice or reasonably execute a TAN/TCN can I let my employer know?

I'm an Australian software developer, living in Europe and working for a European company (Austria) which has an Australian partner developing software for use in both the Australian and European markets.

Can the Australian government compel me to sabotage the Australian software for their uses within Australia, and if so, can the Austrian government charge me with a crime for having done it while living in Austria?

The fact that I even have to ask this kind of question enrages me. I'm considering giving up my Australian citizenship over this, it is that infuriating.

I was worried about this as well which is why I read the law and commented above.

The short answer is: 1. Non-compliance with a TAN/TCN is a civil not a criminal mater 2. As I stated above the law clearly says that it is a defence for non-compliance if a TAN/TCN would compel you to commit a crime in a foreign country. The issue is whether you can be compelled to commit an act in Australia, which would be a crime in a foreign country. 3. Consideration must be given to your legitimate interests.

In short, if you get a TAN/TCN then seek legal advice.

It seems like the fine for noncompliance for an individual is 238 "penalty units", which currently corresponds to nearly $50,000 (Australian), unless I misunderstand things. A $50,000 fine is quite serious even for a well-paid software engineer.

I agree that a lot of people seem to be catastrophizing this, but it still seems like a pretty big mess.

If I end up writing a little library and it gets popular, who's to say the spooks won't decide that's where they want the backdoor, and just send me a TAN to the email on my GitHub profile? Very likely not, but it is possible and would cost me at least several thousand dollars in legal bills to figure out how to respond.

Wonder if it will be possible to be insured against receiving such a request for foreigners (and maybe even Australians) who work on software that the Australian government would like to backdoor. To cover any possible fines for noncompliance but also, if you do want to use the "it's a crime in my country" defense, to deal with the complication and expense of hiring an Australian lawyer to represent you.

> It seems like the fine for noncompliance for an individual is 238 "penalty units", which currently corresponds to nearly $50,000 (Australian), unless I misunderstand things. A $50,000 fine is quite serious even for a well-paid software engineer.

Note that they can always revoke the request they gave you and request a new one. So they can fine you an infinite amount of money and drive you to bankruptcy if they want to. Now, it's possible this would be seen as an abuse of power but you'd need to go to court over it and you can't afford lawyers nearly expensive as the government's.

> If I end up writing a little library and it gets popular, who's to say the spooks won't decide that's where they want the backdoor, and just send me a TAN to the email on my GitHub profile? Very likely not, but it is possible and would cost me at least several thousand dollars in legal bills to figure out how to respond.

TCN, not TAN.

Dumb idea here: Can you make a "not for use in Australia" license on free software and then claim that any Australian users are not your responsibility?

Well, I'm working on software systems that are precisely the sort of thing that the Australian government will target with this law (transportation systems), and it is highly likely that these systems will be targeted with a TAN/TCN. In fact, I'm pretty sure that the software segment that I currently work on is going to be hit by this law, and hard, within the next year or so. If I don't get a TAN/TCN request, I'm almost 100% sure that someone within the group of companies I am working, will. And I want none of that.

So I feel strongly enough about the tyranny and evil of the Australian government that it looks like I'm going to be giving up my Australian citizenship.

Oh, wait:

"We will not approve your application to renounce your citizenship if you do not have another foreign citizenship or it is not in Australia’s interests." [emphasis added]

What an extraordinarily evil thing for the Australian government to have done to its citizens.

Well then, some other options:

0. Do the typical Australian thing: "she'll be right mate!", and stick my head in the sand, hoping that ignoring the bad man will make him go away. This seems to work for a lot of Australians, so might work for me. Could be, I'll never be the subject of a TAN/TCN, but then again, why risk it.

1. I could change my profession. However, this would mean that over time, only the types of people who are willing to act as repressive agents of the Australian government would be found in the software industry. This is really a non-savoury outcome, as I have over 30 years in the software industry and am very proud of the good I have done in this field - I would hate to turn it over to such cunts who think its fine to spy for the Australian Fascist Overlords. I know they're out there - people like me are keeping them from taking over, completely.

(A brief moment of brevity for the poor Australians reading this: Fuck. The Australian Government is literally Auntie Jack. If I don't do what she tells me to, she's gonna jump out of my computer and rip my bloody arms off. [1])

2. Do the paperwork: get my second citizenship, abandon the Australian citizenship, do everything I can to protest Australia and never, ever, contribute to its well-being ever again - this means never going back, removing my assets and resources from the Australian economy, and so on. Hmmm.

3. Submit to a TAN/TCN when/if it happens, but somehow sabotage the work such that it doesn't quite work out. The True Aussie Way™.

4. Insist on working only on software that never tracks the user in any way, whatsoever. This would mean quitting my current job, which already involves tracking people (with their full approval) for productive (non-espionage/law-enforcement) purposes, and finding something with a strict no-data policy.

I guess I'm gonna go with #4. Well, #2 seems a bit more appealing, actually.

Please, I beg of you .. let me walk tall in Australia! [2]


[1] - https://www.youtube.com/watch?v=KnEOr1MgwTM

[2] - https://youtu.be/8PfDro1UGUo?t=158

Now would be a good time to protest this by systematically denying Peter Dutton and the rest of these wankers access to any online service.

Sorry, due to your part in voting for that bill, you're now in breach of our terms. Please return your devices as well.

But what would you deny? All .gov.au? All .au? Maybe a BGP suitable leak? Whatever, it wouldn't last.

Just the MPs and targetting their social media accounts would be enough and it wouldn't have to be effective or long term, it just needs to create enough of a media storm to bring it to the attention of the general population.

Mentioning that they may need to shut down services in Australia due to the law might be enough to cause a backlash.

An easier option than 2 for most Australians: come help build the software industry in New Zealand. It's a 3 hour flight and requires zero paperwork for Aussies to work here (as long as you have no criminal record; so you probably can't move so easily after you disobey one of these requests...).

Now that this is through I'm sure the rest of the five eyes nations will at least try and follow suit.

Our left-leaning party voted for this fucking bullshit too, remember. Jacinda Ardern probably isn't going to save you.

I'd recommend reading the actual law, as passed by parliament. Knowing your rights and legal options under the law and based on that approaching your MP (if you are still registered to vote in Australia) with your concerns to encourage them to address them.

To do that you really need to know what the law actually says and requires. Here is a start: TCN/TAN are not limited to Australian citizens. Revoking your citizenship will not shield you from being issued a TCN/TAN, but will lessen the value of your voice in engineering change.

Pretty simple: there are countries where these activities are highly illegal. I'll become a citizen of one of them instead.

As I said before: it is a defence for non-compliance if a TAN/TCN would compel you to commit a crime in a foreign country

That has nothing to do with whether you are an Australian citizen or not. If you are a resident in Austria, these laws do not allow the government to compel you to commit a crime in Austria.

But they can compel my colleagues in Australia to do it, and that is still too close to the tyranny to me.

Keep this in mind: The Australian government is still ripping children from their parents.

If software that I am involved in is in any way responsible for assisting that, in any way, I would be more than furious to say the least.

Nope, its Option #2 for me. Australia can go to hell.

How long until other countries explicitly outlaw complying with TAN/TCNs?

Or you could just ensure that you don't have access to production systems in your job. Which you shouldn't have as a developer anyway. And that any code you write is reviewed before it is put into production. Which it should be anyway.

And if they do try it, any of your non-Australian colleagues who review your code can immediately raise the alarm.

The law is ridiculous not only because of all the points they're making, but also because it just doesn't work in a modern, distributed, company. They need to compel the entire dev team to do as they wish to avoid it being stopped at some point, and if just one of those devs are not Australian (or even not living in Australia) then the secrecy part is blown and the company can take preventative action to stop this happening.

Australia has just ensured that every single Australian tech company needs a non-Australian to review its code. An absolute decrease in Australian security. The Law of Unintended Consequences strikes agan.

>Or you could just ensure that you don't have access to production systems in your job.

Okay, so this just pushes the problem onto someone elses plate - the operator/sysadmin. I've known a few Australian operators. The law doesn't specifically target 'only people who can write code' - it applies to anyone who has access to the systems the Australian kooks and spooks want to infiltrate.

kinda, but the important bit is that it pushes the problem onto both of them. The dev has to write the code, and then the sysadmin has to deploy it. And they have to communicate to do that. The secret is not so secret any more. By the time everyone else is involved in deploying it, testing it, paying for the extra traffic, etc... it's not a secret any more.

Lol for the Auntie Jack reference.

If you're already overseas (including NZ), it should be a pretty easy ride:

"You may be eligible to apply if you ... will acquire citizenship of another country as soon as your application to renounce Australian citizenship is approved" [0]

From what I remember, there's basically an agreement between all countries stating that a stateless person in your borders must be offered safe harbour... or something to that affect, and that might be triggering the "We will not approve your application to renounce your citizenship if you do not have another foreign citizenship" spiel.

Talk to a lawyer to get it straight though.

[0] https://immi.homeaffairs.gov.au/citizenship/give-up-citizens...

I thought a TAN/TCN also comes with a gag order.

There are exceptions to this, including for seeking legal advice.

If you think the law effects you then I highly recommend reading the entire text, as passed by parliament: https://parlinfo.aph.gov.au/parlInfo/search/display/display....

>Can the Australian government compel me to sabotage the Australian software for their uses within Australia, and if so, can the Austrian government charge me with a crime for having done it while living in Austria?

I know less about the law than other posters, but I don't think there's much of an inference in the legislation of these notices being contingent on nationality or citizenship when you're overseas. If the bill transcends borders like that then there's surely no end. Seeing as it's as broad a net as "software serving end users in Australia", it could literally affect millions of people/nationals/workers outside Aus borders, and have catastrophic economic consequences at which point the whole insane thing unravels and the absurdity of it becomes clear.

But yeah, you and me both man, as soon as I'm able I'll try and fall on my dual citizenship, if it's not too late by then. This is infuriating both in terms of ethics and logistics


That crosses into incivility and you can't post like that here.

More importantly, it looks like you've been using HN primarily for political and ideological arguments. That's an abuse of this site, because it destroys the intellectual curiosity that it exists for. So we ban accounts that do this.

If you'd please review https://news.ycombinator.com/newsguidelines.html and use HN as intended from now on, we'd appreciate it.

Thank you for this.

I've been subject to these site rules myself, and felt my ire rise when it happens that I've been on the wrong side of them (with political discussions), but this particular response absolutely infuriated me and I am grateful for the rules being applied in my favour, for once.

As a random HN reader, I just want to thank you for being our adult supervision.

Laws eventually get abused.

I think it’s very likely that this law will eventually lead to everything everybody is worrying about.

Even if it doesn't the unintended consequences and the Chilling Effect to public discourse is going to prove damaging.

I saw they were working in clauses to invoke Parliamentary Privilege so they can't be spied on.

Fuck that, there should be openness regarding discussions on any topic when they are there solely as their constituents' representatives. Had enough of them enacting laws that don't address the people's needs and serve no real purpose for the voters they clearly do not represent. Their inaction on climate change and continued embrace of the coal industry says it all.

And anything to do with security is clearly above these clowns pay grade.

My civil rights _should_ trump your parliamentary privilege (in an ideal world, I guess)...

If you think that this is a new thing, I recommend reading James Bamford's books about the NSA and its predecessors. It was not uncommon for technical staff to discreetly provide data to government intelligence agencies. Back in the telegraph days, that meant shlepping rolls of paper tape. Later, magnetic wire and tape. And this was often done without management knowledge. Because, you know, these were patriotic guys.

That is what is so scary about this. Australia is still committing crimes against humanity - this law pulls the tech community into that, and involves us in something that I would hope a lot of us would never choose to willingly participate in. But, if we leave in protest, the gap will be filled with people who have no problems with these human rights violations.

Just to be clear, this is insidious.

Before, engineers etc might be guilt-tripped into helping catch "bad people". But this makes it official, with penalties for refusal.

Maybe it demonstrates that engineers etc don't cooperate as freely as they once did. That would be good news, no?

It demonstrates that the internet has broken a lot of propaganda.

>very unlikely that this legislation would result in the Armageddon

The trouble is, the secrecy. So we'll never know if there was an Australian-digital-armageddon, because none of us (Australians) are allowed to discuss it.

From what appears in the media it looks like not so much back-door dealings as realpolitik. There is considerable domestic politics in play where the opposition (Australian Labor) party didn't want to get labelled 'soft on terrorism' by a struggling government which is looking for any message to attack the opposition over the xmas holiday period, particularly if there are any 'incidents' during this time. The opposition have requested that the legislation be reviewed and, one would hope, amended when parliament is resumed.

> only 2 MPs voted against it

Have you got a source for this? I read (can’t remebemer where, sorry) that most Greens senators voted against it. From memory, Di Natali and SHY were in the list.

The legislation was waved-through by Labor because there is an election coming up and they were afraid to be labelled as pro terrorists and child molesters.

This site has sources: https://alp.fail

MP's are different from senators. MP's are in the house while senators are in the senate.

> I imagine it's much more likely this power will be used against a few big players (Apple, Facebook, Google)

Aussie market is not that big. Its gdp is less than a tenth of USA, smaller than Canada and a half of India. It is a good size but if a bunch of google employees stage a protest over this, google may just pull out of it because losing talent can be a bigger pain.

Note that Google, Apple, etc all have Australian employees and have subsidiaries incorporated in Australia. Google Maps came out of Google Australia, for instance. So you could argue they'd lose talent by pulling out.

Don't get me wrong, I want big tech companies to retaliate since that's the only way to get the attention of the Australian government (they stopped listening to the proletariat a long time ago). But it should be done as a retaliation, because that's the only justification that I believe would be consistent and might make a difference.

>This is a very wide net and immediately includes effectively every free software developer, and the employees of every tech company.

This doesn't seem very meaningful? I live in the US. If the Australian government goes to me and tells me to sabotage my employer, I can tell them to pound sand.

It's an Australian law, so it can only affect people under Australian jurisdiction -- I didn't think that needed to be said. There are significant numbers of free software developers in Australia (I'm one of them).

The point is that all software engineers (in Australia) being able to be co-opted as saboteurs is a fairly "meaningful" problem and should be a concern to everyone...

Well, if it comes to it, we could always choose to just blacklist all Australian devs from writing software.

Which is why this bill is a complete disaster for the Australian tech industry. Every single software company in Australia just became blackmarked and could be "potentially compromised" by the government and whoever has figured out the governments likely hamfisted and boutique backdoor solutions.

Even someone's little SaaS can be asked to turn up dirt on someone. I literally couldn't comply. I don't write encryption algorithms for a living I just build websites. I can't not encrypt people's data and according to european laws I can't store most of it anyway. Here, gov, have a username, email address, and this blob of encrypted text. Enjoy the insight.

It's getting so hostile to do business in software. At least construction and engineering liabilities are clear cut. I don't even know what my risks factors are anymore and they change every month.

It took longer than expected, but the governments have finally decided it's time to ruin the internet. I am going to go be a carpenter or something.

What a shitshow.

Do we know of any organised groups who are opposing this? Both of our main political parties are in bed with this disaster so we can’t leave it to the opposition.

You’re clearly smart and lucid. Me perhaps less so but I have some spare time. Who else? Where are they gathering? What can I do?

I’m talking basic communications and publicity stuff, not anything anarchistic. Helping non-tech journalists. Writing articles to help the public understand this stuff. Lobbying MPs.

Maybe I just found a way to keep myself busy...

Greens, acs.org.au, possibly some of the business/legal councils

> I literally couldn't comply. I don't write encryption algorithms for a living I just build websites.

I don't think you'd have to "break encryption" or do anything advanced, the main thing they're looking to ask is to circumvent encryption. For example sending the plaintext password for a specific user from the login form, or OS backdoor, etc., delivered through a special software update just for that user. Additionally the wording of the law does not allow for an inability for you to do it, I believe you would be compelled to hire someone that can.

I believe you are right. What an insane proposition though.

How do you advertise for the position? Lie about the job and then once they are on board the government hits them with the no-tell paperwork? What a shitty person I would have to become to make that happen, and I would have no choice at that point.

Perhaps they would have a saboteur on staff they would be willing to lend. Very hard position to hire for, no doubt.

Yeah, and I guess most contractors would refuse to have anything to do with the project once they found out what was involved.

Actually I'm not sure you could hire a contractor, since you'd probably be under a secrecy constraint and wouldn't be able to tell them what needed to be done.

> It took longer than expected, but the governments have finally decided it's time to ruin the internet. I am going to go be a carpenter or something.

Honestly, not bad advice.

I recently had some electrician, plumbing and gas work done and the bill was around my contractor rate here in NZ.

Given the politics and bs around the big corps and govt ministries my skillsets fit into (business analyst/pm) a trade has been something I've been considering seriously for a while now. The peace of mind and lack of toxic office cultures is really appealing. They're apprenticeships too, so you're paid as you learn.

My father started his own house painting business when I was born. It's tough work and not great pay, but he loves the peace of mind of being his own boss. I worked with him growing up and can attest that owning your life in this way is actually very liberating.

Being in NZ, I wonder: do you know Mike Rowe, from the American TV show 'Dirty Jobs'? If not I encourage you to research him and the TV show. It's not very often I recommend television.

This law is so entirely bad, it's literally making highly-paid software engineers, who are essential to our way of life, seriously consider revoking their citizenship, leaving the country, working in another field, and encouraging other countries to boycott dealing with Australia entirely.

Just thought I'd note that. This is crazy.

There's another alternative you maybe haven't considered: give up your Australian citizenship.

This is something I'm seriously considering. I live in Europe anyway, and at this rate I have zero interest in ever living in Australia again. I won't return, and I won't do anything to support Australia in any way, if I have to go down this path.

The Australian government has truly committed a hostile act against its own citizens.

Suppose there is an Australian who works on important and widely used open source infrastructural software, has commit rights, and is compelled to insert a back door by this new law. Well, obviously that would be really bad. But it seems unlikely to succeed; too many eyeballs. Something closed like a mobile communications app in an app store seems like a more plausible target, but we should already have no faith in apps in app stores in the first place, with or without such laws in existence, wherever they come from. Even with "open source" apps, there is no way to know that you're running the same code. More generally, I have no faith at all that a person or company that develops such apps in (insert other country here) is not similarly compromised, even if they don't have an explicit law like that. For example, some countries have secret courts and secret court orders, so who knows? So as an end user I wouldn't personally feel any more secure if Australian developers were banned from participating in projects I care about, and of course that'd be terrible for those developers.

On the other hand, if I were a global company developing proprietary software with development offices in Australia I'd be pretty concerned... and complain loudly and publicly and lay down what the consequences will be. Maybe there could already have been court orders and ways to compel companies to assist at the management level (in probably any country), and maybe there could potentially be moles (from any country) hiding anywhere, but if the more tinfoil hat interpretations are correct this turns every employee on that continent into a mole, and even worse, risks accidental compromises through incompetence (beyond the specific target of a warrant/order/whatever). Right?

In the late 90s I recall hearing of crypto work being done in Australia to avoid the crypto export laws of certain other countries. If I'm remembering that correctly, its software development economy may have benefited in the past from other countries making choices like these, and I suppose it will now suffer. Why would a bank or whatever want to expose itself to that? Australian offices could totally finish up blacklisted for certain software projects.

Maybe you're joking, but this will arguably affect employment prospects for Australian engineers etc. And their acceptance by open-source software projects.

That sounds like a reasonable outcome...

No, not reasonable, but it's the will of the Australian people and we should respect their sovereignty.

This was not the will of the Australian people.

There was a "consultation period" and 99.7% of the submissions were against it.

https://www.reddit.com/r/australia/comments/a3j466/assistanc... https://docs.google.com/spreadsheets/d/1dowpZ_Xtr1N_DgkHJN8i...

Put it this way: it was passed into law with bipartisan support by both democratically elected legislative chambers of the Commonwealth of Australia.

All it took to convince the representatives and senators was for a submission from the Australian Federal Police that it was necessary to investigate threats over Christmas.

I really wish at least one of our representatives cared about being soft on privacy.

I honestly can’t tell if this is an honest comment, or a dark ironic reference to Trump, Brexit or current Italian politics.

The demand would come directly from the US government, after it passes the same law in five years. You do realize this is ultimately FVEY doing a trial in Australia, yes?

You could say that about any bad bill passed in any of the five eyes at any point in the past. The reality is, that's not how things work.

For example, in Britain you can be arrested for modestly offending someone on Twitter, due to their speech crime laws.[1] That's never going to commonly be the case in the US due to very strong speech protections.

Australia did away with its guns. The US is never going to follow that example. Australia's actions were not a trial for what would happen in the US.

The large counter examples to your premise are numerous.

[1] https://www.independent.co.uk/news/uk/arrests-for-offensive-...

Neither of the examples you gave have anything to do with signals intelligence.

But yes, FVEY isn't an overarching conspiracy that implements all digital authoritarianism, nor does it have a monopoly on promulgating such corruption - I doubt FVEY itself coordinated the attack on Kim Dotcom. Nor is it the only such conspiracy - Sweden isn't part of FVEY yet eagerly went after TPB and Assange.

But pointing to such agreements is a good analogy for the similar ratcheting totalitarian trends we observe across countries - how intertwined the governments are, and how willingly they give up their citizen-subjects to each other. This is the larger issue - regardless of the actual mechanics of pollination, we can be sure that after the bugs have been worked out in Australia, we'll be staring down the same exact bullshit in the US.

(And I do apologize for blowing up a thread about Australia with US centrism. The point is that we, the people, are ultimately all in this together. Looking to US-exceptionalism as a reason to write off what's happening in Australia as their own problem is a broken outlook)

> Looking to US-exceptionalism

That's funny, the only exceptionalism I feel we've exhibited for a while is our exceptional ability to bury our heads in the sand and deny the existence of all the inconvenient problems we have to address in the future. :/

My response had nothing to do with US exceptionalism (eg my reference to US policies on gun control was an intentional negative example). It's pointing out that the five eyes don't simply copy each other's choices when it comes to major laws / law changes.

Each nation in question has different protections, or lack thereof, when it comes to privacy, speech, property rights, et al. One size will not fit all, each country would see a different response to the same attempted legislation. The US Government has tried for two decades - with very little success - to reach for something equivalent to what Australia just rushed through in no time at all. What would completely rewrite so much US law and interpretation so rapidly as to make such a drastic change possible in the US anytime soon? Nuclear terrorism, as a society shaking event, is about the only thing that comes to mind as plausible and that's far-fetched.

US exceptionalism is referring to the original comment I responded to, not yours. Now maybe that comment was just interpreting "every free software developer" out of context, but it certainly fits the common pattern of myopically ignoring a trend from an imagined immunity.

USG basically tried once to mandate backdooring encryption itself - in the 90s, when the entire topic was only relevant to a small community, there was basically no low level "street crime" involving encryption, and doing so required restricting individuals' distribution of software.

The renewed push is based on telling commercial companies that they have to setup their systems to assist the police, completely in line with precedents like CALEA. The much more diffuse tech-using community is already primed for heavy handed authoritarianism based on how these companies already operate, and also in general due to being pumped full of the terrorism by the 24/7 "news" cycle. I'd hope you're right that the US has constitutional protections to backstop this, but from my perspective those "protections" serve more as coping mechanisms rather than as effective restraints on government power.

I can perhaps see a legal exception for US Free software devs who aren't working commercially, but I can just as well see a malinterpretation declaring them as engaging in commercial activity ala Wickard v. Filburn.

> Australia did away with its guns.

No it didn't. Saying it did helps prevent the US implement similar measures.

Yeah, just remember not to go to Australia on holiday. It's more of an issue for companies that have a business presence in Australia, the usual suspects that sell proprietary software or advertising there. It also makes it hard to trust software developed in Australia.

Perhaps people outside Australia should also be wary of software from companies that do business in Australia, if there's any reason to think that the Australian government may want your data.

That's a good point. There's no guarantee that compromised devices will stay within Australian jurisdiction. How are diplomats affected by this law?

I'm just looking through the bill and noticed that as well as targetting anyone who provides an electronic service that has one or more users in Australia, or anyone who develops software used in such a service, it also targets anyone who "manufactures or supplies components for use, or likely to be used, in the manufacture of a facility for use, or likely to be used, in Australia". So they can also demand that equipment manufacturers insert back doors. Manufacturers may just ship their compromised hardware worldwide, for convenience when other governments demand the same service.

The law seems to permit them to target people outside Australia suspected of violating foreign laws, possibly at the request of a foreign government. So the US, for example, could ask Australia to use its new powers to force a Chinese manufacturer to help bug a US resident, if I'm interpreting it right.

This is exactly what these laws are really about.

They are so the US and other 5 eyes members can spy on their own citizens in ways that are illegal under their own laws.

These laws are terrifying for everyone, not only Australians.

I am really not trying to be an alarmist but couldn't one be extradited to Australia for not complying?

Non-compliance with a TAN/TCN is a civil mater and the law explicitly states that being required to do an act or thing in a foreign jurisdiction that would contravene the laws of that jurisdiction is a defence for non-compliance.

> being required to do an act or thing in a foreign jurisdiction that would contravene the laws of that jurisdiction is a defense for non-compliance

There is no law in the US prohibiting me from creating an alternate login screen for one particular customer just in order to capture their login password. So as a US citizen I have no defense within Australian law against an Australian demand that I capture the password of one of my users... perhaps a parliament member of the Australian opposition.

I can choose to simply ignore the demand. The US will not extradite me for violating a foreign law that does not have an equivalent in US law. But I suppose I can never go on vacation to Australia.

Are you sure there is no law against this in the US? Isn't this potentially: 1. Circumventing an electronic protection 2. Unauthorised access (if your employer does not authorise the changes) .etc.

Yes, I am fairly sure.

> Circumventing an electronic protection

> Unauthorised access

The company providing the protection cannot by definition circumvent it or be unauthorized. If a third party decides to deliver a payload to your browser to discover your Facebook password, then they are violating the DMCS in the US. But if Facebook decides to deliver a payload to your browser to discover your Facebook password that is simply them doing business in a different fashion. This isn't a violation of US law, so refusing it do it would be a violation of Australia's very poorly-considered new law.

I'm obviously not an expert on US law but I find it very hard to believe that it is legal for an employee of a US company, without the permission of that company to put up a fake login page for particular users and then provide that information to a foreign government.

Now if the TAN/TCN was issued to a US based company that would be a different issue but then you as an individual would not be in violation of it.

Not that that makes it a better law, but I think for people not physically in Australia the risk of being issued an enforceable (under Australian law) TAN/TCN is quite low.

It is not legal. It would break so many laws that a prosecutor would have a difficult time sorting through them all.

Assuming you're in the US, you won't get extradited for anything unless your conduct was actually illegal in the US.

Definitely not in the case of the US. For other developed, liberal democracies, it'd be similarly very unlikely. It'd be equivalent to allowing China (or Turkey, etc) to extradite a citizen over speech that offends said foreign government.

The US is particularly aggressive about not ceding legal / constitutional sovereignty to other nations or entities.


"Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith."


That wasn’t their point. These are global services and many of them are written and controlled by people who aren’t under the authority of Australian law.

I don't really follow these things much but isn't Julian Assange wanted for breaking American law while not under its authority? Wouldn't America need reciprocal deals?

(And the fact that only 2 MPs voted against it tells me there's almost certainly some back-door dealings that resulted in this bill being passed.)

Not really, that's just a consequence of the Australian Parliament's history of very strong party discipline. It is highly unusual for all the members of a parliamentary party not to vote the same way on a bill.

Agree. Imagine also if, as a potential 'saboteur' the gov then try and sweeten the 'deal' with cash 'on the side'. Suddenly, we're also targets for moral corruption too -- just like the pollies who voted for this disaster.

I'm less worried that these clauses will be used/abused, and more worried that the mere existence of these clauses will be catastrophic to the trust of Australian suppliers to overseas customers.

I'm more worried they will be abused.

Also that the backdoors will be exploited by the other bad guys.

I'm grappling with what to do about this law. I develop software in Australia, for a company, separately as a private software vendor and separately again as an open source contributor. From what I can understand, this law can compel me to silently insert malware into any of these. Morally I feel like I need to modify the licenses, READMEs and terms of conditions for products I sell and the contracts under which I do commercial work to clearly state that I may at any time include malware into the software I supply, if directed to by my government.

However unlikely, the idea that I could be commandeered at any moment to betray the users of my software and ship malware to them sickens me. But I also know that the reality of this happening is almost vanishingly small. I genuinely don't know what to do.

> But I also know that the reality of this happening is almost vanishingly small.

Why do you think it’s vanishingly small?

You could somewhat trust the the current govt but you can’t trust the future. I’ve lived in Australia for a long time and the trend is clear. More surveillance is to come. Australia is very much a police state as it is.

I think it's vanishingly small because my software is pretty niche and the chance that anyone who is a target actually uses it is tiny just by pure laws of numbers. And then even if that happens they are much more likely to identify a bigger company that they can leverage before hitting me as the best vector into that person's devices. There simply isn't much value in getting my software backdoored compared to Google, Apple, Facebook, Microsoft, etc.

But that doesn't help my on the other side of the equation where I need to sign contracts that directly prohibit things that I would be mandated to do under these laws (and do secretly). I will need to come up with some interesting boiler plate escape clauses that allow for it without sounding completely dodgy.

I think the govt will attack smaller companies first, the ones who don't have the means to refuse.

They'd be stupid to start with giants like Apple or Google.

Maybe something like a warrant canary makes more sense? An encryption canary? Would that even pass with the new laws though?

Also you stating that you might have been forced to insert malware by the government surely breaks the rule that says you can't tell anyone too, if I'm understanding it correctly.

Australia has a law that specifically bans warrant canaries.


I think me merely stating that I am subject to the laws of my country under which an individual can be compelled to ... etc. probably isn't illegal. It may be illegal if I modify that statement after being issued with an order and directed not to reveal the existence order.

Warrant canaries aren't necessary (nor are they legal in Australia). The law allows you to provide aggregated statistics on how many requests you've received in a 6-month period.

Yes but a single request can include an unlimited number of targets.

They can literally ask for all communications of every one of your users.

It would be very hard for that to pass the proportionality test in the law. I know it's tempting to go for the worst case dystopian scenarios but it's actually important not to go overboard. Politicians and other people with a say immediately stop listening once they hear that. This law is extremely problematic even with a conservative interpretation, so I think we should stick with that.

What proportionality test?

Lets go with how the law is actually written.

Say they decide hn is a den for hackers. I mean, it's right there in the name!

Hacking attracts a >3yr sentence - hence, we need the data of all hn users, they're all potential hackers!

The bill states:

The Director General of Security or the chief officer of an interception agency must not give a technical assistance notice to a designated communications provider unless the Director General of Security or the chief officer, as the case requires, is satisfied that:

    (a) the requirements imposed by the notice are reasonable and 
        proportionate; and
    (b) compliance with the notice is:
      (i) practicable; and
      (ii) technically feasible

So I don't believe intercepting en masse the communications of all the visitors to a web site purely based on its name would be seen as "reasonable and proportionate".

When thinking about such unprecedented powers, I prefer to consider the worst-case scenario of the laws as written, rather than what seems currently acceptable.

Because even if the current government is harmless, the next regime might not be, and these powers are basically the equivalent of a nuclear bomb with respect to privacy. They move the pendulum far away from what many would consider reasonable for a free society.

These laws just seem so rife with loopholes and ambiguities that even as an honest law-abiding citizen with nothing of interest to hide, I find them honestly terrifying.

If they're doing these things for legitimate reasons then there would be little reason to be against having reasonable limits to scope, reasonable oversight, accountability, as well as real reporting on the actual number of citizens whose data has been accessed.

The fact these concerns and all the consultation submissions from experts in both legal and technology issues have been ignored makes me strongly fear the whole law has not taken citizens right to privacy into account at all, and that is a terrifying proposition.

I agree with all of your sentiments, I just don't think that tactically this approach results in a useful outcome.

In what way does downplaying the possible consequences help tactically?

I'm hoping that if more people realize the implications of this horrible law, there's more chance of the lobotomized public actually exerting some pressure on our supposed representatives to actually represent us.

It's unlikely given the media has been painfully silent on the horrible implications of this terrible law.

Asking for a backdoor is never reasonable. This law is rife for abuse the way it's worded.

Just to add to this, it is also a requirement to give consideration to the privacy expectations of the Australian community and the legitimate interests of the communications provider.

However, there is no guidelines on how these judgements should be made and what is / isn't acceptable. Effectively it will be left to the courts to decide through legal disputes.

I thought that decision was made by a "retired judge" and a "technology expert". Is that correct?

The person requesting the spying is the one who decides if it's proportionate.

Yes, really.

The simplest solution is probably a harder one practically - leave Australia. Sadly one doesn't simply leave their country and immigrate to someplace else in addition to any personal concerns - it might not be an option, let alone a desirable one but it has its merits.

Come to Canada :) We'll hire you.

I am particularly concerned how this will affect Fastmail, an Australian company.

I've hosted my mail there since 2002 and they've always been quite pro-privacy. But I fear that such a stance is now literally impossible for any Australian company.

TCNs (which is the primary thing this article is about) won't practically affect email providers, because email providers already have your plaintext emails -- they don't need to implement new capabilities to intercept them. (As an aside, I use Mailbox.org which has a feature to auto-encrypt incoming emails to a PGP public key -- which means that only new emails would be usable with interception.)

However there is now a no-warrant-required method of getting information (in the form of TANs and TARs) which has no judicial overview -- previously they would've needed a warrant. This is definitely a massive concern, but given that you wouldn't have seen a warrant previously (Fastmail would get it) this is not a practical difference to you (obviously it's a massive ethical difference and so on).

But to be honest, I actually hope people stop using Australian services and big companies start backing out of the Australian market. It's the only way our dropkick government will realise how much of an own-goal this legislation was.

I think that section 317ZH specifies that a TAN/TRN/TCN is invalid if a warrant would be required to access the information.


A technical assistance request that relates to an agency, or a technical assistance notice that relates to an agency, or a technical capability notice that relates to an agency, has no effect to the extent (if any) to which it would request or require a designated communications provider to do an act or thing for which the agency, or an officer of the agency, would be required to have or obtain a warrant or authorisation under any of the following laws:

                     (a)  the Telecommunications (Interception and Access) Act 1979 ;

                     (b)  the Surveillance Devices Act 2004 ;

                     (c)  the Crimes Act 1914 ;

                     (d)  the Australian Security Intelligence Organisation Act 1979 ;

                      (f)  a law of the Commonwealth (other than this Part) that is not covered by paragraph (a), (b), (c) or (d);

                     (g)  a law of a State or Territory.*

It’s not the same thing.

Don’t know Australian law, but for a warrant you need to demonstrate probable cause in front of a judge. And that’s a pretty high bar.

The problem is that if a back door exists for government, it necessarily exists for anyone.

Here’s Tim Cook making that point: https://m.youtube.com/watch?v=rQebmygKq7A

I'm aware of that, but in the case of email service providers there is no need for a backdoor. They have access to your emails on-disk since emails are plaintext (in general).

We aren't talking of back doors here.

With an email provider you don't need a back door to get somebody's emails.

I didn't say it was the same thing, and I agree that the lack of judicial oversight makes it incredibly rife for abuse as well as much easier to get.

I said that to you (a user who wouldn't be the target of a warrant) there isn't a practical difference if you're targeted. You wouldn't be able to mount a defence in court anyway.

But of course, it being easier is a very serious problem from a societal perspective.

It depends. Australia is part of the 5 eyes countries. So now via cooperation between security agencies and due to no judicial oversight, I think more people are affected, whereas before this you would have to convince an Australian judge to give you a warrant.


maybe some people cannot get iPhones. Or use netflix or other items that depend on good encryption!

Sure, but the point is that warrants already allowed for access to services that are insecure.

Atlassian is another company that comes to mind here.

Aww man. I've been a super happy user as well for quite some time. What should a privacy concerned customer do?

Given that they store all of your data in plain text, probably run your own email server or use a different service. That's not really changed by this new law and was always the case.

I use fastmail as well, I like their ui a lot. I certainly treat it as the stockpile of plain text messages tied to my real life identity through my credit card that it is though.

I'm an Australian privacy-obsessed Fastmail user, and use them for my family domains and all our primary email. I'll keep using them, because email isn't private in the first place. Any more than snail mail is. Both can be intercepted and read by authorities without you knowing.

For secure communications, you shouldn't be using email in the first place, so these new laws don't change much in that regard (in my understanding, I'm still catching up on the new laws because I have limited internet access right now, I'm happy to be corrected).

This is increasingly not true. SMTP-over-TLS is now the standard, and unless you are trying to imply that TLS is broken, email is far more secure than it used to be.

If it's not end-to-end encrypted, it's not secure in the sense OP clearly means.

Correct: if either mail server is compromised by the government then it may as well be plaintext.

Australia has an unstable federal political system, with elections every three years or less (this is baked into the constitution, so it will be hard to amend). Imagine the US House of Representatives with the equivalent of Speaker of the US House of Representatives as the Prime Minister of Australia as you won't be far off. Unlike the UK, there isn't a strong civil service, and unlike the US, the Senate, states and courts are weaker, and there isn't a separate executive branch.

This leads to a revolving door of occasionally unsavoury characters getting into positions of great, and virtually unchecked power. Giving these figures enormous power without judicial oversight is deeply problematic. Checks and balances are not a big thing in Australia.

Do you live here? I do, and while tiny nuggets of truth are in individual sentence clauses, this is a very paranoid and over stated argument.

We have a high court. They reverse bad federal and state laws. Lots of bad immigration decisions by ministers are being overturned. Mabo happened.

The jurisdiction of the court is largely granted by statute is it not? In fact, in the case of the bad immigration decisions you mention, the minister has tried to pass legislation to restrict judicial oversight.

EDIT: And he is also alleged to have used his already considerable discretionary powers to allow au pairs for politically connected individuals into Australia in violation of their visa conditions, with no consequences. Not exactly a ringing endorsement of the rule of law.

The au pairs issue had such a short time in the media, it's frustrating. The fact that a minister can overrule existing policy for individual cases means that any ministerial position is ripe for corruption. Both au pair cases were referred to the minister because of personal relationships with the minister as opposed to the cases themselves being worthy of reporting to the most senior level.

If there's a problem with policy, change the policy. Don't do favours for your mates if it contravenes policy. It's not fucking hard.

The fact the minister hasn't been fired is quite damning about the status of Australian politics, and highlights the need for a federal anti-corruption body.

What's worse is that this particular minister is the one forever pushing for lower immigration, greater protection for Australia's borders and showing no remorse for sick children in offshore detention - but fuck, my mate needs a French woman, who's previously worked in Australia despite only having a tourist visa, to look after his kids because he and his wife are rich enough not to have to parent their own little cunts.

shakes fist at cloud


The High Court's powers are defined in Section III of the Australian Constitution. In fact, s73 explicitly disallows parliament from stopping the High Court from hearing an appeal from a Supreme State Court.

Does that have much to do with the matter at hand?

"The jurisdiction of the court is largely granted by statute" is not an entirely accurate statement (though there are restrictions on what you can sue the Commonwealth for) . That was my point.

There are actually significant areas that are excluded from judicial review. https://www.alrc.gov.au/publications/laws-restrict-access-co...

You were referring to state laws. Review of decisions resulting from laws passed by parliament is granted by the ADJR act, and hence by statute.

I do and while I am happy with 3 year terms, I don't disagree with much else.

We Aussies are pretty proud of the various improvements we have over the UK and US systems. Our independent electoral commissions minimise gerrymandering. Our preferential voting system ensures more accurate representation. Mandatory voter turnout has a moderating influence on political campaigning and avoids voter disenfranchisement issues.

But you can't look at the last decade of federal politics in the country and say it has been much other than a joke. We've just per chance had Brexit and Trump happening lately which has made it seem less ridiculous in comparison.

Leadership issues aside, we need a federal anti-corruption body and a well-worded bill of rights. As it stands, the government has far more room to move than they should, and on many issues the opposition has been either useless or complicit.

I do live in Australia (forgot to mention that in reply to GP). The primary problem with the terms is not their length, but the fact that they give the Prime Minister inordinate power to control the timing of elections.

Apple should suspend selling any products into Australia and announce layoffs of all Australian employees for the day before the law goes into effect. The Australian market is small enough to make a stand without impacting the bottom line.

If only they did that. That would definitely have an impact. More non tech people will wake up and start asking questions locally in Oz. At the same time, Apple will show that they are really after people's privacy.

Layoff all Australian employees. That just looks weak.

Apple is only pro privacy when it makes them more money. They already do business in China. They have a fiduciary duty to their investors to not jump the gun like that.

If taking a stand results in higher confidence in their products in other parts of the world, and higher sales, then it may be fiscally prudent to abandon the Australian market.

Would it be considered a boycott? I believe US companies are no longer allowed to boycott another country without authorization from the US government.

Apple has a subsidiary incorporated in Australia, which is necessary to do business here. They can just shut up shop, and fire all their Australian employees (though Australian labour laws might make this difficult to do without being sued for unfair dismissal).

AFAIK unfair dismissal only applies if the business is remaining a going concern.

If you're shutting down the company, you might have to pay severance but that'd be it.

I'm dying to hear Apple's response to these laws being introduced.

I pray they do this.

For free software, I wonder if reproducible builds plus a "certificate transparency"-style check in the updater (only allow an update once several build servers, preferentially located in separate jurisdictions, have validated the build and published the corresponding source code) could help. That is, make it impossible to push a backdoor to a single user without making it public to everyone. Making updates anonymous (that is, never sending any ID which could be used to target an update to a specific user) might also help.

I don't think that's sufficient. We need devices that only allow software to run that has been signed by TPM-resident keys on the device. Updates are only attempted to be installed if the binary has been signed by multiple keys (by people in different jurisdictions) and then the device prompts the user to sign the update (which requires entering the TPM passphrase). Even if you managed to compromise all of the developers you couldn't run signed code on the device -- you'd need the user to install it.

And for bonus brownie points we could have reproducible build checking (a-la certificate transparency) against the source repo, to see whether the binary is different to the official one. However, I think the threat model might have to be reconsidered (if all the developers are compromised, couldn't they upload a bad hash to the certificate transparency trail with a dummy version that only one user is given?).

I might write a blog post about this actually, though I'd need better experts than myself in IMA (which is what you'd use on Linux for this) and other secure-boot work.

One of the worst things about this bill is that the opposition knows it is full of problems and could have blocked it and forced a range of amendedments.

The Labor party here though is afraid of creating any point of difference on anything that could in any way be considered “national security” legislation. So instead of risk a lengthy period over the summer break where they would be attacked if any kind of terrorist attack happened they caved and passed the original version.

Ties in nicely to Adam Curtis' observations regarding politics being a risk obsessed managerial domain now (see the economist article that was HN front page yesterday).

There is a bipartisan consensus on security and other matters in Australia. Most policy development in Australia is driven by the unelected agencies and departments that survive their political masters.

There is nothing in the values and philosophies of the ALP such that they would not have legislated this agenda were they in government rather than opposition.

There are so many other examples of this over history, such as the GST, Australia Card, refugee policy, copyright laws.

>There is a bipartisan consensus on security and other matters in Australia.

Unfortunately, in this case, all the experts (and commenters here) seem to be in agreement that security has been significantly weakened by bringing in these laws.

I am an Australian software developer. There is no way I am putting any backdoor into any software I write and I am willing to go to jail if needed. If all us Aussie developers tell the government to go jump this stupid law will fail.

The punishment for non-compliance is civil fines, not gaol time. However I believe it's technically possible for them to push you into bankruptcy by making many requests and revoking them after you refuse them (fining for each copy of the request they resend to you).

Well then bankruptcy it will have to be if it comes to this. A mass outbreak of civil disobedience is the only way to fight this.

Yep. This is what I'm leaning towards as well. They can't lock us all up!!

What problem does Australia have that could possibly justify this? Gangs in Sidney? Drug traffickers from New Zealand? Terrorists from Vietnam?

Being the the country with the weakest civil rights protections in the 5 eyes allows us to be used as a test bed.

If this thing goes smoothly, expect the same to be attempted in UK, US, NZ and CA.

It doesn't need to be implemented anywhere else, the wording of the legislation specifically says they can ask on behalf of other nations.

I think, you are right. It looks like governments globally are doing it. It may be a good indicator that encryption actually is hard for them at least on big scale. Russia also introduced a law year ago that forces companies to help "police" decrypt traffic, it works very selectively now though. It has of course nothing with criminals or terrorists, there is something more. :)

Crime is pretty low in Australia, but that doesn't stop political parties trying to whip up paranoia about it to help their election chances.

One of the major parties' state election campaigns just a couple of weeks ago was running off the promise to curb violence in Melbourne (almost entirely baseless hysteria of African gangs). We had a mostly foiled terrorist attack the week of the election, and it was quite disgusting to see the leader of that party "pay tribute" to the victims even while having some sort of glee for the timing.

If you live in a number of places in the US you would likely find the levels of violent crime hilariously low here in comparison, yet there was attempt to play on the fears and "make Melbourne safe again". Luckily it was one of the least successful major party election campaigns in recent years.

The worst problem of all, a conservative government who are about to lose an election

It's not much but I'm writing my local member, paper-copy, about this right now and encourage any Australian to do the same.

It's the least you can do, costs a dollar, and politicians react to getting stacks of paper more then they do emails.

It is not about PR with malicious code, I expect. I think the PR which will have backdoor code wold bump version of some dependency package only. Like the targeted attack on Bitcoin vallet few weeks ago. If you or your company isn't scanning dependencies you would never discover it.

How does this affect the AWS Sydney region? Will KMS and CloudHSM be under threat of a backdoor and this propagate to all systems that base themselves off these products?

The thing that makes me most despondent is, you just watch them all get voted back in next election.

It's exceptionally sad since Australia has order of preference, instant runoff and mandatory voting. Even with all those safeguards to prevent major parties and ensure equal representation, Australia still ends up with major parties and too many people who don't bother with the bottom of the ballot.

I think this is partly the fault of how electorates work. Imagine an election where every electorate votes 30% party A, and the remaining 70% of the vote split somehow between parties B and C. Then you get only members of parties B and C in office, and so you could argue that 30% of the population is not even represented.

This is not so far off what happens with the Greens - in the last federal election they had about a 15% first-preference vote across Australia, but ended up with only 1/150 seats in parliament.

> This is not so far off what happens with the Greens - in the last federal election they had about a 15% first-preference vote across Australia, but ended up with only 1/150 seats in parliament.

As someone who has lived in the US and Australia... the difference would be that in the US, the Greens would get nothing, zero. And due to gerrymandering, it's equally likely that even without party C in play, you can and do easily get situations where 30% votes for party A but win a majority.

Even in our recent mid terms here, whilst the House went back to Democratic control, in the Senate the Republican vote went down 20% but they didn't just keep the same number of seats, they _increased_ their majority.

ya and it will happen every year... those in power have been trying to take control of people's lives forever but so far they have been unable since it requires physically being present. but as technology becomes seamless and is woven into the fabric of society, eventually our thoughts too wont remain private. the only thing protecting us is we are just one data point in billions...

Do you think that will just magically happen on its own?

The party that may win the next election already supports the bill. They claim they would update it with a few inconsequential changes, to make it look like they're "fixing it". But that's about it.

It looks like Labor will win next election, but that really doesn't matter. Labor voted for the bill unanimously.

Shorten’s strategy to lose the battle/win the war has soured my view of him forever. He’s revealed himself to be a man of no principles.

> soured my view of him forever. He’s revealed himself to be a man of no principles.

I don't have a strong opinion of Shorten one way or the other, but I've read a lot of people express a similar POV and it strikes me as extremely naive.

If you went into politics with a view to die on your sword rather than compromise any of your values you'd have a very short career. Losing the battle to win the war is the only way to achieve anything.

I mean, be realistic. If the ALP had blocked the bill it would be political suicide for them. For now some nerds (us) are debating the issue on an obscure forum. The alternative would be for every man and his dog having our corrupt media ram the "Labor has made it easier for terrorists to kill you" story down their throat for the next few months.

> If the ALP had blocked the bill it would be political suicide for them.

They opposed the bill over the weekend and then backflipped because if there's an attack over Christmas they'll look like fools. I don't think that risk was worth selling out 25 million people, but maybe that's just me. They get attacked constantly in the media anyway, it's not going to make much difference.

> The alternative would be for every man and his dog having our corrupt media ram the "Labor has made it easier for terrorists to kill you" story down their throat for the next few months.

In some ways that would be a good thing, because it would force a public debate about warrantless surveillance at a time when relatively few people trust the LNP government or its law-and-order rhetoric.

If you sell out your principles to get that power, what's the purpose of having it? By the time you get there, you're no better than the person you ousted.

Realistically, I don't think the majority of the Australian community is particularly aware of, let alone opposed to this legislation. The idea that law enforcement should be able to gain access to encrypted communications if they have a warrant doesn't seem particularly controversial in the wider community either.

Given this, I'd assume the law is here to stay. The question we need to ask is how can we constructively engage politicians to minimise the flaws in the law. On that front Labor has been much more open and were instrumental in addressing some of the deeper flaws in the original legislation.

So to be clear:

1. The law specifically forbids the government requiring weakening of encryption / authentication / authorisation mechanisms.

2. The law specifically forbids the government requiring systemic vulnerabilities be introduced.

3. The law defines a consultation, review and appeal process.

4. The law prevents the government requiring someone commit a crime in a foreign jurisdiction

5. The law allows publishing the number of aggregate TAN/TCN/TAR received in aggregate in a 6 month period.

The question is where should the law be fixed and how do we engage Labor / Liberals to fix those aspects.

Personally I would like to see:

1. Better protection for software exported for use outside Australia

2. Better definition of what defines a 'systemic' vulnerability

3. Greater protection for individuals. For if a TCN/TAN could be otherwise issued to a company, then the law should not allow a notice to be issued to an individual.

I now call him Backdoor Bill.

Actually they voted on the promise from the Libs that the amendments they proposed would be revisited in 2019, just to make Australia safe over Christmas. Which is somehow even more boneheaded than unanimously agreeing.


Except the law doesn't kick in until the New Year.

No, it got royal ascent yesterday. It’s now law.

The actual implementation of any capabilities though would take months even if they started requesting them tomorrow.

>would take months even if they started requesting them tomorrow.

All they have to do is start spamming notices.

It's up to the nerds to figure out how to implement them.

Or Jail.

That means, nobody outside Australia can afford to let an Aussie anywhere near a computer, since Canberra will send them to prison if they don't spy or say anything about it.

Don't let us near your phones either. Every Aussie is a government-mandated blackhat hacker and spy now.

Imagine you run a secure webmail provider where all data is truly encrypted and served up to the user that decrypts it using a 3rd party javascript library that isn't even hosted on your site.

Based on the wording of this they could compel you to target that user and serve up a javascript decryption library of the governments choice.

In a similar vein they could compel Android/MS/IOS system updates to include trojans in search of decryption keys.

Edit: This is a good argument to only use Linux or BSD. Unless you had some sort of management contract it would be near impossible to be directly targeted with system updates. They'd have to get the signing key for your distro and intercept/rewrite package downloads. I bet you this is standard affair for high value targets. If you were paranoid you could update or mirror through a proxy.

That's why in-browser email should never be considered secure against an actor of this scale.

Hasn't the FBI already done this years ago?

It will be interesting when we have our first outbreak of phishing, claiming to be ASIO and demanding backdoors to all IT infrastructure.

Literally any employee would be subject to these laws. They could just quote the laws and demand that any employee installs malware or creates a backdoor admin account.

Regardless of what becomes of this horrific law in practice, a whole class of workers now need to spend time on legal research, money on legal advice, and prepare for contingencies that could truly upend their lives.

Consider Signal, which is open source and not based in Australia. If AU wants to intercept a signal message, then presumably they would need to either force Google and/or Apple to push a custom app to a specific user, or take over the entire phone (again, via Google or Apple). In the first case, is the app that comes from the app store somehow verifiable, or do you need to build from source to be sure? Is there anything that can be done about the second case (which I suspect is the general intent of this law)

I think that, for long-term security, we need to have devices that are resilient to orchestrated sabotage by the vendor. The current approach by Apple is great, until Apple is compromised in one way or another.

I have some idea for how this could be done (TPM-resident signing keys on each device, which have to sign all binaries before they can execute). I might end up writing a blog post about the idea.

Sounds like applocker in windows

My experience with AppLocker is that it doesn't really work. As high-school students we would trade ways to break it to play games on our laptops (we were given school laptops which had AppLocker). If high-school students were able to figure out how to break it, I have no doubt there are more serious issues. In addition, I believe you can only whitelist based on:

  1. Paths (like AppArmor).
  2. Publisher (which I think is a signature, but is a signature of the publisher not the machine itself -- so a compromised publisher could give you a bad update silently).
  3. Hash (which is _okay_ but arguably requires more maintenance of the "good hash" list than requiring a specific signature -- though the nice thing with hashes is that you can disallow old ones).
On Linux we have IMA, and there is quite a lot of work on being able to use it as a way of requiring signed-binary execution (it's still not there, from what I've heard in recent talks). But even with that we'd need quite a bit of work to create an installer that bootstraps TPM-resident keys and signs all of the system binaries -- as well as requiring all new updates to sign said binaries.

I often wonder if the cat and mouse game of high school IT restrictions is an under handed way of training the next generation of security professionals.

Considering this, ban of Huawei looks ridiculous.

It makes sense in a way. The government wants to make sure they're the ones with the upper hand when it comes to surveillance, rather than China.

Well, I'd much rather spies from the 5 Eyes read my emails than spies from the Communist Party of China..

Creating and maintaining a large software project that "features" differing crypto strength depending on the country it's being shipped to is a HUGE PAIN IN THE ASS! I know because this was something I did for the Solaris implementation of Kerberos. What an excellent way to introduce bugs that never get tested. Crypto/security is hard enough to get right without added complications like this.

Do we trust Intel chips are free from gov backdoors? Or that Microsoft/FB arent in bed with the NSA? I would say the precedent has long since been set.

You're right, but this is the first time (I know of) that a government has explicitly required backdoors and forcing tech companies to download malware/spyware to their customers' devices. This new law brazenly makes encryption useless and sets a dangerous precedent.

There was an attempt to do this in the 90s in the US, but it failed. There's a paper titled "Keys Under Doormats" that outlines the debate of that era:


> Do we trust Intel chips are free from gov backdoors?

No. But there are people working hard on things like Power8-- which already exists-- and RISCV-- which don't include anything similar to Intel's ME.

Probably more to the point, Apple already designed and implemented a secure enclave that makes it much harder for them to turn over things to law enforcement like messaging content of its users. Signal similarly has a design that limits the amount of data it has to turn over.

Without a legal precedent that says you can't do such hardware/software designs, lots of companies do such designs. We've even seen a company fold rather than change their design on the request of the government to make it easier to spy on users.

Plus, if there is an Intel ME backdoor it is almost certainly only available directly to NSA-- not to FBI, not to the Treasury, definitely not to local law enforcement, and definitely not to other tech companies or politicians who have the sway to convince any of the above to give them access to some data they'd like to have.

A law that makes it possible for more government agencies to force a company to turn over data or serve up malware is a law for the worse. A law that makes it harder for companies to design secure protocols and systems in the first place is a law for the worse.

Or that Microsoft/FB arent in bed with the NSA? I would say the precedent has long since been set.

Well, Facebook isn't a very good example here. There were so many inputs/outputs into its user data that it's hard to imagine a type of inference that could not have been retrieved by an interested third party on any subset of its userbase.

If Facebook is supposed to be a metaphor for all modern general purpose computing software, your only serious conclusion is to stop using all modern general purpose computing software.

Actually we have yet to see any evidence that the government have forced Intel, Facebook, Amazon etc to insert backdoors. In fact the Snowden leaks kind of have evidence to the contrary - the NSA hacked Google's private network. They wouldn't need to bother if they had legally compelled them to add some kind of national security backdoor.

Not that this is any good, but at least in the US the state pays for the surveillance. Here the businesses have to foot the bill for who knows hoe many unending requests. If you thought it was hard to make a viable tech business in Australia before, well you can forget all about that now.

It's more like if Microsoft and FB were in bed with the NSA. And then they sent you the bill for your own surveillance. And if you didn't pay, then sent you to jail.

That's not necessarily true. For TCNs there is an explicit section that deals with compensating businesses, through an "Applicable costs negotiator". See s.317ZK(16).

And there is no criminal liability for non-compliance. "Just" very hefty civil fines.

If intel does have a backdoor, would you think they were compelled to include it against their will by government, or that they willfully included it for their own use?

Two relevant humor bits.

* Honest Government Ad | Anti Encryption Law - YouTube || https://www.youtube.com/watch?v=eW-OMR-iWOE

* Encryption: Last Week Tonight with John Oliver (HBO) - YouTube || https://www.youtube.com/watch?v=zsjZ2r9Ygzw

This is as outrage as forced implementation of external device into a person's body. All civic person should rise up and protest against it.

This is what happens when policy and law makers are essentially uneducated in the modern world. A law degree does not prepare on to understand technology, medicine, or even social issues.

Government needs lawyers in the body, but if as a whole it lacks a broad education, it essentially lacks an education.

If only we elected like we hired.

Have any tech giants like Apple or Google commented yet?

They should be the ones leading the charge against this draconian insanity.

No more ssh at work ...

The last government I remember that wanted every citizen as a potential spy was the German “Democratic” “Republic”. They should have patented their business model and sold it to Australia.

How about we take a bigger-picture view than the implementation flaws of this super-rushed law and ask what is to be done about encrypted messages that allow many serious criminals to circumvent traditional police powers of search & surveillance? I think society as a whole will not accept criminals having such an advantage. So I think alternative laws have to be suggested & promoted, otherwise potentially really bad ones are likely to get passed everywhere..

Coded communication is nothing new between criminals, and weakening the security/privacy of Australian software is not going to solve this problem. Weakening encryption of Australian software is not going to work against organized crime; These organizations are quick to adapt to changing law enforcement techniques. It is, however, going to make it much easier to surveil the general populace.

There will always be some criminals who are sophisticated enough to evade surveillance (until they make a mistake) - but that doesn't mean it's useless as many violent and/or organised criminals do get caught. Many get caught even with old-fashioned phone taps.

Also, aren't there ways of implementing targeted surveillance without weakening privacy/security very much, if at all? For example, targeting a specific user/device and making sure all exfiltrated data is encrypted with a public key belonging to the police.

If the government has open source software poisoned would they eventually be victimized by their own policy?

In my opinion it's inevitable they will be victimized by this policy.

If you think about logistics, the govt will probably need to come up with standard ways of implementing backdoors and API for sending data back. It won't be a whole new system for every targeted company.

Every unwilling company/individual served with a notice will be aware of those methods. How long until those methods and/or keys are leaked?

After that, the hackers have unlimited time and motivation to break what will be the world's largest honeypot.

Also, it's only a matter of time until politicians will use these new powers against each other/their political enemies. Even State Police are getting these powers with no judicial oversight.

Many of the largest data breaches have been from government departments, and in my opinion this will be no different. I know they didn't leak everything, but even the NSA with their budget couldn't keep all their data secret.

warrant canaries, but for individuals

The law allows you to provide statistical information about how many of the relevant notices you've received within a 6-month-window. So there's no need for warrant canaries (which is a good thing, since they're not generally legal in Australia).

A single notice can request the data of every single one of your users.

This is not necessarily true (as discussed elsewhere in this thread), but even if it was true you could still tell people that you've received 1 request. This fulfils the same properties as a warrant canary.

I'm currently talking to some lawyers about how flexible the 6-month window might be. (Can you give overlapping 6-month windows? What if you give a new 6-month window every day?)

It's called a law that has unrealistic expectations on reality. Society simply would refuse to obey such "laws".

Doesn't this directly contradict GDPR?

Data for the purpose of law enforcement is generally exempt from GDPR.

Plus Australia is not part of the EU.

And? Any service that serves European customers needs to adhere to the GDPR.

It's possibly a good commercial decision given the size of the EU market, but a lot of people seem a bit delusional as to how much of an authority the EU is. They can't compel people outside their jurisdiction with the GDPR, anymore than Australia can with this law.

Actually they can - the second you place your foot on EU (or collaborating - extradition treaties) soil, and of course if you want to do business in EU then you need to have legal presence in the EU.

But if you set foot inside the EU... you are in the EUs jurisdiction.

Extradition treaties are usually subject to 'dual criminality' - so you would have to be breaking the country you are in as well to be extradited for violation of that same law to the EU.

And be realistic. The US hasn't even successfully managed to extradite Kim Dotcom from mighty New Zealand.

I'm not sure if it works like that. Could a country completely go around it just that easily? Seems like it's written extremely badly if this is really the case.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact