Imagine you work in a modern software house and you get one of these ... and here I mean you, not your boss, not your coworkers, the govt knocks on your door and demands you put a back door in the thing you are working on at work ...
So you write the code ... how do you write the unit test? how do you get it past the code review? the mandatory QA tests? ... all these things are built into our modern software development processes, essentially designed to stop bad stuff like this happening ... what happens when you get caught? you lose your job, get blacklisted in the industry, after all you can't tell them the govt made you do it (on your CV/resume trying to explain why you were fired)
Equally say you run a big open source software project and you have valued contributors from Australia, people you trust and depend on ... what do you do? refuse them commit rights? explicitly audit their every checkin? ask them to move on?
Suppose you buy closed source code from Australia .... you can't trust it in any way, even if you trust the company any one of their employees may have been asked to suborn the code you've paid good money for ... any smart purchaser is simply going to put Aussie software on the "do not purchase" list .....
So how do I find out which software on Android Play is written in Oz?
Which is absolutely brilliant.
I often wonder about this in regards to those "signed" orders in the USA, and it seems now Australia is similar.
And I wonder if we need more people going public in a very big way. i.e. Jim Smith has to put out a press release that says "I work for company X and the Government of Y country asked me to do xyz, and I refused."
Go very, very public with it, putting out press releases, etc. etc.
Obviously there are laws against that, and Jim Smith is risking a lot, but I can't imagine how things will get better until people on the front lines do stuff like this.
After the emergence of these type of laws there's going to be potential backdoors explained away with "sorry, can't tell, wink wink" and nobody will ever know for sure. What's an employer to do? Or even end users?
There is a valid question as to whether you are listed as a "designated service provider" if the only time you ever developed the relevant software under s317C(6) was as part of a job. But software developers that have done free software work outside of their job definitely would be counted.
As always, I would suggest you get legal counsel before doing anything in response to a notice -- even throwing it back in the face of the AG.
That said, this requires you to be clever and I don't think anybody can be forced to be clever with a court order, or at least what you describe offers plausible deniability
They have zero recourse.
You just have to judge people by their fruits and hope they do the right thing or stop associating with Australians at all.
As an Australian, I hope people do this.
Internationally speaking, the tech community is not very good at drawing lines in the sand, we tend to want to please everyone.
I was really hoping that when it was shown how much the US was spying on traffic crossing its borders, other countries would modify their routes to ensure their nation's data didn't transit the US unless it was terminating there, but nope, didn't happen. Brazil talked about it but didn't do it.
Anyway, this is another rubicon moment. If we don't make this explode in the Australian government's face, then the US and UK will follow suit after the testing period is over. It's really important for the international software community to reject this utterly.
Start pulling out of Australia now and make it painful, or this will happen in countries it's impossible for you to pull out of.
This is one case where the corporate capture of the US government works in our favor. Tech is an absolutely massive portion of the US economy (compared to Australia), and the tech companies will fight this tooth and nail. If the government couldn't do it in the 1990s (they tried) when tech companies were far less influential, they certainly won't be able to do it now.
This is not good for international relations at all.
If the above bothers you, then you should avoid any software written in the US too. The exact scenario you described can happen in the US, especially if you have a security clearance, but work in a regular tech job.
It potentially allows the government to turn employees into saboteurs. According to s.317C(6), a "designated service provider" can be someone who has developed software that is likely to be used in an electronic service that has one end-user in Australia. This is a very wide net and immediately includes effectively every free software developer, and the employees of every tech company. Now, there is an argument to be made that employees don't qualify (because they're acting on behalf of their employer), but that's not clear at the moment. It also includes sysadmins (or even ex-sysadmins) as people who can be "activated" as saboteurs.
It should be noted that it's very unlikely that this legislation would result in the Armageddon most people (including myself) are quite worried about. I imagine it's much more likely this power will be used against a few big players (Apple, Facebook, Google) in order to add features like being able to add additional devices to group chats (or something like that). But obviously the law gives them much more power than that, and that's a very big concern.
(And the fact that only 2 MPs voted against it tells me there's almost certainly some back-door dealings that resulted in this bill being passed.)
There appears to be two limitations on this power:
1. You cannot be compelled to do something in a foreign country that would be a crime in that country
2. In issuing the notice the relevant oversight authority must give weight to your 'legitimate' interests.
I think 1 is a huge point as it effectively constrains the jurisdiction of the law to Australia.
However, there is still significant ambiguity. For example, can I be compelled to commit a crime against a foreign country while in Australia, if I have a legitimate interest in not committing a crime against that country?
Would a company's legitimate interest in not compromising customer trust (more than the existence of this legislation doesn't already), act as a significant constraint on the issuing of TANs/TCNs?
There's also ambiguity as to whether I can reveal the existence of a TAN/TCN to my employer. The law makes certain exceptions, including the ability to publish the aggregate total of TAN/TCN received in a 6 month period and seek legal advice. So in order to seek legal advice or reasonably execute a TAN/TCN can I let my employer know?
Can the Australian government compel me to sabotage the Australian software for their uses within Australia, and if so, can the Austrian government charge me with a crime for having done it while living in Austria?
The fact that I even have to ask this kind of question enrages me. I'm considering giving up my Australian citizenship over this, it is that infuriating.
The short answer is:
1. Non-compliance with a TAN/TCN is a civil, not a criminal, matter
2. As I stated above the law clearly says that it is a defence for non-compliance if a TAN/TCN would compel you to commit a crime in a foreign country. The issue is whether you can be compelled to commit an act in Australia, which would be a crime in a foreign country.
3. Consideration must be given to your legitimate interests.
In short, if you get a TAN/TCN then seek legal advice.
I agree that a lot of people seem to be catastrophizing this, but it still seems like a pretty big mess.
If I end up writing a little library and it gets popular, who's to say the spooks won't decide that's where they want the backdoor, and just send me a TAN to the email on my GitHub profile? Very likely not, but it is possible and would cost me at least several thousand dollars in legal bills to figure out how to respond.
Wonder if it will be possible to be insured against receiving such a request for foreigners (and maybe even Australians) who work on software that the Australian government would like to backdoor. To cover any possible fines for noncompliance but also, if you do want to use the "it's a crime in my country" defense, to deal with the complication and expense of hiring an Australian lawyer to represent you.
Note that they can always revoke the request they gave you and issue a new one. So they can fine you an infinite amount of money and drive you to bankruptcy if they want to. Now, it's possible this would be seen as an abuse of power but you'd need to go to court over it and you can't afford lawyers nearly as expensive as the government's.
> If I end up writing a little library and it gets popular, who's to say the spooks won't decide that's where they want the backdoor, and just send me a TAN to the email on my GitHub profile? Very likely not, but it is possible and would cost me at least several thousand dollars in legal bills to figure out how to respond.
TCN, not TAN.
So I feel strongly enough about the tyranny and evil of the Australian government that it looks like I'm going to be giving up my Australian citizenship.
"We will not approve your application to renounce your citizenship if you do not have another foreign citizenship or it is not in Australia’s interests." [emphasis added]
What an extraordinarily evil thing for the Australian government to have done to its citizens.
Well then, some other options:
0. Do the typical Australian thing: "she'll be right mate!", and stick my head in the sand, hoping that ignoring the bad man will make him go away. This seems to work for a lot of Australians, so might work for me. Could be, I'll never be the subject of a TAN/TCN, but then again, why risk it.
1. I could change my profession. However, this would mean that over time, only the types of people who are willing to act as repressive agents of the Australian government would be found in the software industry. This is a really unsavoury outcome, as I have over 30 years in the software industry and am very proud of the good I have done in this field - I would hate to turn it over to such cunts who think it's fine to spy for the Australian Fascist Overlords. I know they're out there - people like me are keeping them from taking over, completely.
(A brief moment of brevity for the poor Australians reading this: Fuck. The Australian Government is literally Auntie Jack. If I don't do what she tells me to, she's gonna jump out of my computer and rip my bloody arms off. )
2. Do the paperwork: get my second citizenship, abandon the Australian citizenship, do everything I can to protest Australia and never, ever, contribute to its well-being ever again - this means never going back, removing my assets and resources from the Australian economy, and so on. Hmmm.
3. Submit to a TAN/TCN when/if it happens, but somehow sabotage the work such that it doesn't quite work out. The True Aussie Way™.
4. Insist on working only on software that never tracks the user in any way, whatsoever. This would mean quitting my current job, which already involves tracking people (with their full approval) for productive (non-espionage/law-enforcement) purposes, and finding something with a strict no-data policy.
I guess I'm gonna go with #4. Well, #2 seems a bit more appealing, actually.
Please, I beg of you .. let me walk tall in Australia! 
 - https://www.youtube.com/watch?v=KnEOr1MgwTM
 - https://youtu.be/8PfDro1UGUo?t=158
Sorry, due to your part in voting for that bill, you're now in breach of our terms. Please return your devices as well.
Mentioning that they may need to shut down services in Australia due to the law might be enough to cause a backlash.
Our left-leaning party voted for this fucking bullshit too, remember. Jacinda Ardern probably isn't going to save you.
To do that you really need to know what the law actually says and requires. Here is a start: TCN/TAN are not limited to Australian citizens. Revoking your citizenship will not shield you from being issued a TCN/TAN, but will lessen the value of your voice in engineering change.
That has nothing to do with whether you are an Australian citizen or not. If you are a resident in Austria, these laws do not allow the government to compel you to commit a crime in Austria.
Keep this in mind: The Australian government is still ripping children from their parents.
If software that I am involved in is in any way responsible for assisting that, in any way, I would be more than furious to say the least.
Nope, its Option #2 for me. Australia can go to hell.
And if they do try it, any of your non-Australian colleagues who review your code can immediately raise the alarm.
The law is ridiculous not only because of all the points they're making, but also because it just doesn't work in a modern, distributed company. They need to compel the entire dev team to do as they wish to avoid it being stopped at some point, and if just one of those devs is not Australian (or even not living in Australia) then the secrecy part is blown and the company can take preventative action to stop this happening.
Australia has just ensured that every single Australian tech company needs a non-Australian to review its code. An absolute decrease in Australian security. The Law of Unintended Consequences strikes again.
Okay, so this just pushes the problem onto someone else's plate - the operator/sysadmin. I've known a few Australian operators. The law doesn't specifically target 'only people who can write code' - it applies to anyone who has access to the systems the Australian kooks and spooks want to infiltrate.
If you're already overseas (including NZ), it should be a pretty easy ride:
"You may be eligible to apply if you ... will acquire citizenship of another country as soon as your application to renounce Australian citizenship is approved" 
From what I remember, there's basically an agreement between all countries stating that a stateless person within your borders must be offered safe harbour... or something to that effect, and that might be triggering the "We will not approve your application to renounce your citizenship if you do not have another foreign citizenship" spiel.
Talk to a lawyer to get it straight though.
If you think the law affects you then I highly recommend reading the entire text, as passed by parliament: https://parlinfo.aph.gov.au/parlInfo/search/display/display....
I know less about the law than other posters, but I don't think there's much of an inference in the legislation of these notices being contingent on nationality or citizenship when you're overseas. If the bill transcends borders like that then there's surely no end. Seeing as it's as broad a net as "software serving end users in Australia", it could literally affect millions of people/nationals/workers outside Aus borders, and have catastrophic economic consequences at which point the whole insane thing unravels and the absurdity of it becomes clear.
But yeah, you and me both man, as soon as I'm able I'll try and fall on my dual citizenship, if it's not too late by then. This is infuriating both in terms of ethics and logistics
More importantly, it looks like you've been using HN primarily for political and ideological arguments. That's an abuse of this site, because it destroys the intellectual curiosity that it exists for. So we ban accounts that do this.
If you'd please review https://news.ycombinator.com/newsguidelines.html and use HN as intended from now on, we'd appreciate it.
I've been subject to these site rules myself, and felt my ire rise when it happens that I've been on the wrong side of them (with political discussions), but this particular response absolutely infuriated me and I am grateful for the rules being applied in my favour, for once.
I think it’s very likely that this law will eventually lead to everything everybody is worrying about.
I saw they were working in clauses to invoke Parliamentary Privilege so they can't be spied on.
Fuck that, there should be openness regarding discussions on any topic when they are there solely as their constituents' representatives.
Had enough of them enacting laws that don't address the people's needs and serve no real purpose for the voters they clearly do not represent. Their inaction on climate change and continued embrace of the coal industry says it all.
And anything to do with security is clearly above these clowns pay grade.
Before, engineers etc might be guilt-tripped into helping catch "bad people". But this makes it official, with penalties for refusal.
Maybe it demonstrates that engineers etc don't cooperate as freely as they once did. That would be good news, no?
The trouble is, the secrecy. So we'll never know if there was an Australian-digital-armageddon, because none of us (Australians) are allowed to discuss it.
Have you got a source for this? I read (can't remember where, sorry) that most Greens senators voted against it. From memory, Di Natali and SHY were in the list.
The legislation was waved-through by Labor because there is an election coming up and they were afraid to be labelled as pro terrorists and child molesters.
This site has sources: https://alp.fail
Aussie market is not that big. Its GDP is less than a tenth of the USA's, smaller than Canada's and half of India's. It is a good size but if a bunch of Google employees stage a protest over this, Google may just pull out of it because losing talent can be a bigger pain.
Don't get me wrong, I want big tech companies to retaliate since that's the only way to get the attention of the Australian government (they stopped listening to the proletariat a long time ago). But it should be done as a retaliation, because that's the only justification that I believe would be consistent and might make a difference.
This doesn't seem very meaningful? I live in the US. If the Australian government goes to me and tells me to sabotage my employer, I can tell them to pound sand.
The point is that all software engineers (in Australia) being able to be co-opted as saboteurs is a fairly "meaningful" problem and should be a concern to everyone...
Even someone's little SaaS can be asked to turn up dirt on someone. I literally couldn't comply. I don't write encryption algorithms for a living I just build websites. I can't not encrypt people's data and according to european laws I can't store most of it anyway. Here, gov, have a username, email address, and this blob of encrypted text. Enjoy the insight.
It's getting so hostile to do business in software. At least construction and engineering liabilities are clear cut. I don't even know what my risk factors are anymore and they change every month.
It took longer than expected, but the governments have finally decided it's time to ruin the internet. I am going to go be a carpenter or something.
What a shitshow.
You’re clearly smart and lucid. Me perhaps less so but I have some spare time. Who else? Where are they gathering? What can I do?
I’m talking basic communications and publicity stuff, not anything anarchistic. Helping non-tech journalists. Writing articles to help the public understand this stuff. Lobbying MPs.
Maybe I just found a way to keep myself busy...
I don't think you'd have to "break encryption" or do anything advanced, the main thing they're looking to ask is to circumvent encryption. For example sending the plaintext password for a specific user from the login form, or OS backdoor, etc., delivered through a special software update just for that user. Additionally the wording of the law does not allow for an inability for you to do it, I believe you would be compelled to hire someone that can.
How do you advertise for the position? Lie about the job and then once they are on board the government hits them with the no-tell paperwork? What a shitty person I would have to become to make that happen, and I would have no choice at that point.
Perhaps they would have a saboteur on staff they would be willing to lend. Very hard position to hire for, no doubt.
Actually I'm not sure you could hire a contractor, since you'd probably be under a secrecy constraint and wouldn't be able to tell them what needed to be done.
Honestly, not bad advice.
Given the politics and bs around the big corps and govt ministries my skillsets fit into (business analyst/pm) a trade has been something I've been considering seriously for a while now. The peace of mind and lack of toxic office cultures is really appealing. They're apprenticeships too, so you're paid as you learn.
Being in NZ, I wonder: do you know Mike Rowe, from the American TV show 'Dirty Jobs'? If not I encourage you to research him and the TV show. It's not very often I recommend television.
Just thought I'd note that. This is crazy.
This is something I'm seriously considering. I live in Europe anyway, and at this rate I have zero interest in ever living in Australia again. I won't return, and I won't do anything to support Australia in any way, if I have to go down this path.
The Australian government has truly committed a hostile act against its own citizens.
On the other hand, if I were a global company developing proprietary software with development offices in Australia I'd be pretty concerned... and complain loudly and publicly and lay down what the consequences will be. Maybe there could already have been court orders and ways to compel companies to assist at the management level (in probably any country), and maybe there could potentially be moles (from any country) hiding anywhere, but if the more tinfoil hat interpretations are correct this turns every employee on that continent into a mole, and even worse, risks accidental compromises through incompetence (beyond the specific target of a warrant/order/whatever). Right?
In the late 90s I recall hearing of crypto work being done in Australia to avoid the crypto export laws of certain other countries. If I'm remembering that correctly, its software development economy may have benefited in the past from other countries making choices like these, and I suppose it will now suffer. Why would a bank or whatever want to expose itself to that? Australian offices could totally finish up blacklisted for certain software projects.
There was a "consultation period" and 99.7% of the submissions were against it.
All it took to convince the representatives and senators was for a submission from the Australian Federal Police that it was necessary to investigate threats over Christmas.
For example, in Britain you can be arrested for modestly offending someone on Twitter, due to their speech crime laws. That's never going to commonly be the case in the US due to very strong speech protections.
Australia did away with its guns. The US is never going to follow that example. Australia's actions were not a trial for what would happen in the US.
The large counter examples to your premise are numerous.
But yes, FVEY isn't an overarching conspiracy that implements all digital authoritarianism, nor does it have a monopoly on promulgating such corruption - I doubt FVEY itself coordinated the attack on Kim Dotcom. Nor is it the only such conspiracy - Sweden isn't part of FVEY yet eagerly went after TPB and Assange.
But pointing to such agreements is a good analogy for the similar ratcheting totalitarian trends we observe across countries - how intertwined the governments are, and how willingly they give up their citizen-subjects to each other. This is the larger issue - regardless of the actual mechanics of pollination, we can be sure that after the bugs have been worked out in Australia, we'll be staring down the same exact bullshit in the US.
(And I do apologize for blowing up a thread about Australia with US centrism. The point is that we, the people, are ultimately all in this together. Looking to US-exceptionalism as a reason to write off what's happening in Australia as their own problem is a broken outlook)
That's funny, the only exceptionalism I feel we've exhibited for a while is our exceptional ability to bury our heads in the sand and deny the existence of all the inconvenient problems we have to address in the future. :/
Each nation in question has different protections, or lack thereof, when it comes to privacy, speech, property rights, et al. One size will not fit all, each country would see a different response to the same attempted legislation. The US Government has tried for two decades - with very little success - to reach for something equivalent to what Australia just rushed through in no time at all. What would completely rewrite so much US law and interpretation so rapidly as to make such a drastic change possible in the US anytime soon? Nuclear terrorism, as a society shaking event, is about the only thing that comes to mind as plausible and that's far-fetched.
USG basically tried once to mandate backdooring encryption itself - in the 90s, when the entire topic was only relevant to a small community, there was basically no low level "street crime" involving encryption, and doing so required restricting individuals' distribution of software.
The renewed push is based on telling commercial companies that they have to setup their systems to assist the police, completely in line with precedents like CALEA. The much more diffuse tech-using community is already primed for heavy handed authoritarianism based on how these companies already operate, and also in general due to being pumped full of the terrorism by the 24/7 "news" cycle. I'd hope you're right that the US has constitutional protections to backstop this, but from my perspective those "protections" serve more as coping mechanisms rather than as effective restraints on government power.
I can perhaps see a legal exception for US Free software devs who aren't working commercially, but I can just as well see a malinterpretation declaring them as engaging in commercial activity ala Wickard v. Filburn.
No it didn't. Saying it did helps prevent the US implement similar measures.
Perhaps people outside Australia should also be wary of software from companies that do business in Australia, if there's any reason to think that the Australian government may want your data.
They are so the US and other 5 eyes members can spy on their own citizens in ways that are illegal under their own laws.
These laws are terrifying for everyone, not only Australians.
There is no law in the US prohibiting me from creating an alternate login screen for one particular customer just in order to capture their login password. So as a US citizen I have no defense within Australian law against an Australian demand that I capture the password of one of my users... perhaps a parliament member of the Australian opposition.
I can choose to simply ignore the demand. The US will not extradite me for violating a foreign law that does not have an equivalent in US law. But I suppose I can never go on vacation to Australia.
> Circumventing an electronic protection
> Unauthorised access
The company providing the protection cannot by definition circumvent it or be unauthorized. If a third party decides to deliver a payload to your browser to discover your Facebook password, then they are violating the DMCS in the US. But if Facebook decides to deliver a payload to your browser to discover your Facebook password that is simply them doing business in a different fashion. This isn't a violation of US law, so refusing it do it would be a violation of Australia's very poorly-considered new law.
Now if the TAN/TCN was issued to a US based company that would be a different issue but then you as an individual would not be in violation of it.
Not that that makes it a better law, but I think for people not physically in Australia the risk of being issued an enforceable (under Australian law) TAN/TCN is quite low.
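An added illustration (not code from the thread or from any product mentioned in it) of the "alternate login screen for one particular customer" scenario discussed above: a login handler with a per-user capture branch, beside a differential check that exercises the handler across a set of accounts and flags any account whose outbound side effects differ from the rest. The account names, the password, and the `Egress` sink are constructed sample data; the point it shows is that a QA run using only a generic test account passes cleanly, and the branch only surfaces when the targeted identity is part of the test set.

```python
"""Per-user login capture beside a differential check that exposes it.

Added example for the discussion above; not part of the original thread.
Account names, password and the Egress sink are constructed sample data.
"""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass, field

ITER = 10_000  # low iteration count to keep the demo fast; use far more in production


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)


# Constructed sample accounts (hypothetical names, not from the thread).
_SALTS = {u: os.urandom(16) for u in ("alice", "bob", "senator.example")}
USERS = {u: _hash_pw("correct horse", s) for u, s in _SALTS.items()}


@dataclass
class Egress:
    """Collects every outbound side effect a handler makes (stand-in for log/network sinks)."""
    events: list = field(default_factory=list)


def login_clean(username: str, password: str, egress: Egress) -> bool:
    """Normal handler: verify the salted hash and emit only an audit event."""
    ok = False
    if username in USERS:
        ok = hmac.compare_digest(USERS[username], _hash_pw(password, _SALTS[username]))
    egress.events.append(("audit", username, ok))
    return ok


def login_targeted(username: str, password: str, egress: Egress,
                   target: str = "senator.example") -> bool:
    """Same handler with the per-user capture branch the comment describes:
    for one account only, the plaintext password is also shipped out."""
    if username == target:
        egress.events.append(("capture", username, password))
    return login_clean(username, password, egress)


def differential_check(handler, usernames, password: str = "correct horse") -> list:
    """Run the handler once per username and return the usernames whose
    side-effect pattern differs from the majority pattern.

    Only the kind of each event is compared, so the check is blind to payload
    contents and to the username itself; it sees that an extra egress happened.
    """
    shapes = {}
    for u in usernames:
        eg = Egress()
        handler(u, password, eg)
        shapes[u] = tuple(kind for kind, *_ in eg.events)
    baseline = Counter(shapes.values()).most_common(1)[0][0]
    return sorted(u for u, s in shapes.items() if s != baseline)


if __name__ == "__main__":
    # A generic QA account set never touches the targeted identity, so it passes.
    print(differential_check(login_targeted, ["alice", "bob"]))               # []
    # Including the targeted account in the test set exposes the extra egress.
    print(differential_check(login_targeted, ["alice", "bob", "senator.example"]))  # ['senator.example']
```

The check is only as good as the set of identities it is run against, which is the practical lesson: a review process that tests with a fixed service account, or that lets one person both write the handler and choose the test accounts, will not see a capture branch keyed on a single real user.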
The US is particularly aggressive about not ceding legal / constitutional sovereignty to other nations or entities.
Not really, that's just a consequence of the Australian Parliament's history of very strong party discipline. It is highly unusual for all the members of a parliamentary party not to vote the same way on a bill.
Also that the backdoors will be exploited by the other bad guys.
However unlikely, the idea that I could be commandeered at any moment to betray the users of my software and ship malware to them sickens me. But I also know that the reality of this happening is almost vanishingly small. I genuinely don't know what to do.
Why do you think it’s vanishingly small?
You could somewhat trust the current govt but you can't trust the future. I've lived in Australia for a long time and the trend is clear. More surveillance is to come. Australia is very much a police state as it is.
But that doesn't help me on the other side of the equation where I need to sign contracts that directly prohibit things that I would be mandated to do under these laws (and do secretly). I will need to come up with some interesting boilerplate escape clauses that allow for it without sounding completely dodgy.
They'd be stupid to start with giants like Apple or Google.
Also you stating that you might have been forced to insert malware by the government surely breaks the rule that says you can't tell anyone too, if I'm understanding it correctly.
They can literally ask for all communications of every one of your users.
Lets go with how the law is actually written.
Say they decide hn is a den for hackers. I mean, it's right there in the name!
Hacking attracts a >3yr sentence - hence, we need the data of all hn users, they're all potential hackers!
The Director General of Security or the chief officer of an interception agency must not give a technical assistance notice to a designated communications provider unless the Director General of Security or the chief officer, as the case requires, is satisfied
(a) the requirements imposed by the notice are reasonable and
(b) compliance with the notice is:
(i) practicable; and
(ii) technically feasible
Because even if the current government is harmless, the next regime might not be, and these powers are basically the equivalent of a nuclear bomb with respect to privacy. They move the pendulum far away from what many would consider reasonable for a free society.
These laws just seem so rife with loopholes and ambiguities that even as an honest law-abiding citizen with nothing of interest to hide, I find them honestly terrifying.
If they're doing these things for legitimate reasons then there would be little reason to be against having reasonable limits to scope, reasonable oversight, accountability, as well as real reporting on the actual number of citizens whose data has been accessed.
The fact these concerns and all the consultation submissions from experts in both legal and technology issues have been ignored makes me strongly fear the whole law has not taken citizens right to privacy into account at all, and that is a terrifying proposition.
I'm hoping that if more people realize the implications of this horrible law, there's more chance of the lobotomized public actually exerting some pressure on our supposed representatives to actually represent us.
It's unlikely given the media has been painfully silent on the horrible implications of this terrible law.
However, there are no guidelines on how these judgements should be made and what is / isn't acceptable. Effectively it will be left to the courts to decide through legal disputes.
I've hosted my mail there since 2002 and they've always been quite pro-privacy. But I fear that such a stance is now literally impossible for any Australian company.
However there is now a no-warrant-required method of getting information (in the form of TANs and TARs) which has no judicial overview -- previously they would've needed a warrant. This is definitely a massive concern, but given that you wouldn't have seen a warrant previously (Fastmail would get it) this is not a practical difference to you (obviously it's a massive ethical difference and so on).
But to be honest, I actually hope people stop using Australian services and big companies start backing out of the Australian market. It's the only way our dropkick government will realise how much of an own-goal this legislation was.
A technical assistance request that relates to an agency, or a technical assistance notice that relates to an agency, or a technical capability notice that relates to an agency, has no effect to the extent (if any) to which it would request or require a designated communications provider to do an act or thing for which the agency, or an officer of the agency, would be required to have or obtain a warrant or authorisation under any of the following laws:
(a) the Telecommunications (Interception and Access) Act 1979 ;
(b) the Surveillance Devices Act 2004 ;
(c) the Crimes Act 1914 ;
(d) the Australian Security Intelligence Organisation Act 1979 ;
(f) a law of the Commonwealth (other than this Part) that is not covered by paragraph (a), (b), (c) or (d);
(g) a law of a State or Territory.*
Don’t know Australian law, but for a warrant you need to demonstrate probable cause in front of a judge. And that’s a pretty high bar.
Here’s Tim Cook making that point:
With an email provider you don't need a back door to get somebody's emails.
I said that to you (a user who wouldn't be the target of a warrant) there isn't a practical difference if you're targeted. You wouldn't be able to mount a defence in court anyway.
But of course, it being easier is a very serious problem from a societal perspective.
I use fastmail as well, I like their ui a lot. I certainly treat it as the stockpile of plain text messages tied to my real life identity through my credit card that it is though.
For secure communications, you shouldn't be using email in the first place, so these new laws don't change much in that regard (in my understanding, I'm still catching up on the new laws because I have limited internet access right now, I'm happy to be corrected).
This leads to a revolving door of occasionally unsavoury characters getting into positions of great, and virtually unchecked power. Giving these figures enormous power without judicial oversight is deeply problematic. Checks and balances are not a big thing in Australia.
We have a high court. They reverse bad federal and state laws. Lots of bad immigration decisions by ministers are being overturned. Mabo happened.
EDIT: And he is also alleged to have used his already considerable discretionary powers to allow au pairs for politically connected individuals into Australia in violation of their visa conditions, with no consequences. Not exactly a ringing endorsement of the rule of law.
If there's a problem with policy, change the policy. Don't do favours for your mates if it contravenes policy. It's not fucking hard.
The fact the minister hasn't been fired is quite damning about the status of Australian politics, and highlights the need for a federal anti-corruption body.
What's worse is that this particular minister is the one forever pushing for lower immigration, greater protection for Australia's borders and showing no remorse for sick children in offshore detention - but fuck, my mate needs a French woman, who's previously worked in Australia despite only having a tourist visa, to look after his kids because he and his wife are rich enough not to have to parent their own little cunts.
shakes fist at cloud
We Aussies are pretty proud of the various improvements we have over the UK and US systems. Our independent electoral commissions minimise gerrymandering. Our preferential voting system ensures more accurate representation. Mandatory voter turnout has a moderating influence on political campaigning and avoids voter disenfranchisement issues.
But you can't look at the last decade of federal politics in the country and say it has been much other than a joke. We've just perchance had Brexit and Trump happening lately which has made it seem less ridiculous in comparison.
Leadership issues aside, we need a federal anti-corruption body and a well-worded bill of rights. As it stands, the government has far more room to move than they should, and on many issues the opposition has been either useless or complicit.
Apple is only pro privacy when it makes them more money. They already do business in China. They have a fiduciary duty to their investors to not jump the gun like that.
If you're shutting down the company, you might have to pay severance but that'd be it.
I pray they do this.
And for bonus brownie points we could have reproducible build checking (à la certificate transparency) against the source repo, to see whether the binary is different to the official one. However, I think the threat model might have to be reconsidered (if all the developers are compromised, couldn't they upload a bad hash to the certificate transparency trail with a dummy version that only one user is given?).
I might write a blog post about this actually, though I'd need better experts than myself in IMA (which is what you'd use on Linux for this) and other secure-boot work.
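Taking the "reproducible build checking à la certificate transparency" idea a step further, here is an added Go sketch of the client-side check. It is not code from the thread or from any real project: a log records (version, artifact digest) entries as leaves of an RFC 6962-style Merkle tree, the client that rebuilt a release asks the log for an inclusion proof for its leaf, and checks that proof against the tree head it trusts. The Entry type, the release names and the digests are constructed for the example; a real log would sign its tree head and clients would compare heads with each other.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math/bits"
)

// Entry is one log record: a release's version and the SHA-256 of its reproducibly built artifact.
type Entry struct {
	Version string
	Digest  [32]byte
}

// hash applies RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes.
func hash(prefix byte, parts ...[]byte) [32]byte {
	buf := []byte{prefix}
	for _, p := range parts {
		buf = append(buf, p...)
	}
	return sha256.Sum256(buf)
}

func leafHash(e Entry) [32]byte       { return hash(0x00, []byte(e.Version), []byte{0}, e.Digest[:]) }
func nodeHash(l, r [32]byte) [32]byte { return hash(0x01, l[:], r[:]) }

// split is the largest power of two strictly below n (n >= 2), where RFC 6962 splits the tree.
func split(n int) int { return 1 << (bits.Len(uint(n-1)) - 1) }

// rootHash is the Merkle tree head (RFC 6962 section 2.1).
func rootHash(leaves [][32]byte) [32]byte {
	switch len(leaves) {
	case 0:
		return sha256.Sum256(nil)
	case 1:
		return leaves[0]
	}
	k := split(len(leaves))
	return nodeHash(rootHash(leaves[:k]), rootHash(leaves[k:]))
}

// inclusionProof lists, bottom-up, the sibling hashes needed to rebuild the root from leaf m.
func inclusionProof(m int, leaves [][32]byte) [][32]byte {
	if len(leaves) <= 1 {
		return nil
	}
	k := split(len(leaves))
	if m < k {
		return append(inclusionProof(m, leaves[:k]), rootHash(leaves[k:]))
	}
	return append(inclusionProof(m-k, leaves[k:]), rootHash(leaves[:k]))
}

// verifyInclusion is the RFC 9162 section 2.1.3.2 check: the client needs only
// its own leaf hash, the proof, and a tree head it trusts.
func verifyInclusion(leafIndex, treeSize int, leaf [32]byte, proof [][32]byte, root [32]byte) bool {
	if leafIndex >= treeSize {
		return false
	}
	fn, sn, r := leafIndex, treeSize-1, leaf
	for _, p := range proof {
		if sn == 0 {
			return false
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r)
			for fn != 0 && fn&1 == 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = nodeHash(r, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && r == root
}

// sampleLeaves builds the log for five constructed releases; the "artifacts" are just strings.
func sampleLeaves() [][32]byte {
	var leaves [][32]byte
	for i, a := range []string{"release-1.0", "release-1.1", "release-1.2", "release-1.3", "release-1.4"} {
		e := Entry{Version: fmt.Sprintf("1.%d", i), Digest: sha256.Sum256([]byte(a + " (constructed)"))}
		leaves = append(leaves, leafHash(e))
	}
	return leaves
}

func main() {
	leaves := sampleLeaves()
	root := rootHash(leaves)
	for i := range leaves {
		fmt.Printf("leaf %d included: %v\n", i, verifyInclusion(i, len(leaves), leaves[i], inclusionProof(i, leaves), root))
	}
	// A build handed to one user but never logged has no proof that verifies against this head.
	unlogged := leafHash(Entry{Version: "1.1", Digest: sha256.Sum256([]byte("release-1.1 with backdoor (constructed)"))})
	fmt.Println("unlogged build verifies:", verifyInclusion(1, len(leaves), unlogged, inclusionProof(1, leaves), root))
}
```

On the worry in the comment: if the dummy build is logged under the same version, anyone monitoring the log sees two leaves for one version; if it is not logged, there is simply no proof that verifies, which is what the last lines of main show. What a single client cannot detect on its own is a log that presents different trees to different people; that is the split-view problem, and CT handles it with consistency proofs between tree heads plus gossip, which this sketch does not implement.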
The Labor party here though is afraid of creating any point of difference on anything that could in any way be considered “national security” legislation. So instead of risk a lengthy period over the summer break where they would be attacked if any kind of terrorist attack happened they caved and passed the original version.
There is nothing in the values and philosophies of the ALP such that they would not have legislated this agenda were they in government rather than opposition.
There are so many other examples of this over history, such as the GST, Australia Card, refugee policy, copyright laws.
Unfortunately, in this case, all the experts (and commenters here) seem to be in agreement that security has been significantly weakened by bringing in these laws.
If this thing goes smoothly, expect the same to be attempted in UK, US, NZ and CA.
If you live in a number of places in the US you would likely find the levels of violent crime hilariously low here in comparison, yet there was attempt to play on the fears and "make Melbourne safe again". Luckily it was one of the least successful major party election campaigns in recent years.
It's the least you can do, costs a dollar, and politicians react to getting stacks of paper more than they do emails.
This is not so far off what happens with the Greens - in the last federal election they had about a 15% first-preference vote across Australia, but ended up with only 1/150 seats in parliament.
As someone who has lived in the US and Australia... the difference would be that in the US, the Greens would get nothing, zero. And due to gerrymandering, it's equally likely that even without party C in play, you can and do easily get situations where 30% vote for party A but it wins a majority.
Even in our recent midterms here, whilst the House went back to Democratic control, in the Senate the Republican vote went down 20% but they didn't just keep the same number of seats, they _increased_ their majority.
The party that may win the next election already supports the bill. They claim they would update it with a few inconsequential changes, to make it look like they're "fixing it". But that's about it.
I don't have a strong opinion of Shorten one way or the other, but I've read a lot of people express a similar POV and it strikes me as extremely naive.
If you went into politics with a view to die on your sword rather than compromise any of your values you'd have a very short career. Losing the battle to win the war is the only way to achieve anything.
I mean, be realistic. If the ALP had blocked the bill it would be political suicide for them. For now some nerds (us) are debating the issue on an obscure forum. The alternative would be for every man and his dog having our corrupt media ram the "Labor has made it easier for terrorists to kill you" story down their throat for the next few months.
They opposed the bill over the weekend and then backflipped because if there's an attack over Christmas they'll look like fools. I don't think that risk was worth selling out 25 million people, but maybe that's just me. They get attacked constantly in the media anyway, it's not going to make much difference.
In some ways that would be a good thing, because it would force a public debate about warrantless surveillance at a time when relatively few people trust the LNP government or its law-and-order rhetoric.
Given this, I'd assume the law is here to stay. The question we need to ask is how can we constructively engage politicians to minimise the flaws in the law. On that front Labor has been much more open and were instrumental in addressing some of the deeper flaws in the original legislation.
So to be clear:
1. The law specifically forbids the government requiring weakening of encryption / authentication / authorisation mechanisms.
2. The law specifically forbids the government requiring systemic vulnerabilities be introduced.
3. The law defines a consultation, review and appeal process.
4. The law prevents the government requiring someone commit a crime in a foreign jurisdiction
5. The law allows publishing the aggregate number of TANs/TCNs/TARs received in a 6-month period.
The question is where should the law be fixed and how do we engage Labor / Liberals to fix those aspects.
Personally I would like to see:
1. Better protection for software exported for use outside Australia
2. Better definition of what defines a 'systemic' vulnerability
3. Greater protection for individuals: if a TCN/TAN could otherwise be issued to a company, then the law should not allow a notice to be issued to an individual.
The actual implementation of any capabilities though would take months even if they started requesting them tomorrow.
All they have to do is start spamming notices.
It's up to the nerds to figure out how to implement them.
In a similar vein they could compel Android/MS/iOS system updates to include trojans in search of decryption keys.
Edit: This is a good argument to only use Linux or BSD. Unless you had some sort of management contract it would be near impossible to be directly targeted with system updates. They'd have to get the signing key for your distro and intercept/rewrite package downloads. I bet you this is standard fare for high value targets. If you were paranoid you could update or mirror through a proxy.
Literally any employee would be subject to these laws. They could just quote the laws and demand that any employee installs malware or creates a backdoor admin account.
I have some idea for how this could be done (TPM-resident signing keys on each device, which have to sign all binaries before they can execute). I might end up writing a blog post about the idea.
1. Paths (like AppArmor).
2. Publisher (which I think is a signature, but is a signature of the publisher not the machine itself -- so a compromised publisher could give you a bad update silently).
3. Hash (which is _okay_ but arguably requires more maintenance of the "good hash" list than requiring a specific signature -- though the nice thing with hashes is that you can disallow old ones).
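The three rule types listed above are, in effect, the path, publisher and hash conditions of an application allowlist. As an added example, not the commenter's code and not any product's, here is a small Go allowlist engine with those three rule types run over constructed binaries: a vetted build, a later build signed with the same publisher key but carrying a backdoor, and an unsigned file dropped into the trusted directory. An Ed25519 key generated on the fly stands in for the publisher's code-signing key; the names, paths and file contents are invented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"path"
)

// Binary is what the allowlist sees at exec time: location, bytes and whatever
// signature shipped with the file.
type Binary struct {
	Name      string
	Path      string
	Contents  []byte
	Signature []byte // publisher's Ed25519 signature over Contents (nil if unsigned)
}

// Rule is one allow condition; Policy is default-deny over a list of them.
type Rule interface{ Allows(b Binary) bool }
type Policy []Rule

func (p Policy) Allows(b Binary) bool {
	for _, r := range p {
		if r.Allows(b) {
			return true
		}
	}
	return false
}

// PathRule trusts a location, not content: anything written there runs.
type PathRule struct{ Pattern string }

func (r PathRule) Allows(b Binary) bool {
	ok, err := path.Match(r.Pattern, b.Path)
	return err == nil && ok
}

// PublisherRule trusts a key: anything that key signs runs, good or bad.
type PublisherRule struct{ Key ed25519.PublicKey }

func (r PublisherRule) Allows(b Binary) bool {
	return len(r.Key) == ed25519.PublicKeySize && ed25519.Verify(r.Key, b.Contents, b.Signature)
}

// HashRule trusts exactly one build.
type HashRule struct{ Digest [32]byte }

func (r HashRule) Allows(b Binary) bool { return sha256.Sum256(b.Contents) == r.Digest }

// Scenario holds constructed sample binaries. The publisher key is generated
// fresh here and stands in for a vendor whose signing key was coerced or stolen.
type Scenario struct {
	Publisher ed25519.PublicKey
	Good      Binary // the build the administrator vetted
	Update    Binary // later build, same publisher key, with a backdoor
	Dropper   Binary // unsigned file placed in the trusted directory
}

func buildScenario() (Scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	signed := func(name, p, body string) Binary {
		b := Binary{Name: name, Path: p, Contents: []byte(body)}
		b.Signature = ed25519.Sign(priv, b.Contents)
		return b
	}
	return Scenario{
		Publisher: pub,
		Good:      signed("app-1.0", "/usr/bin/app", "app 1.0 (constructed)"),
		Update:    signed("app-1.0.1", "/usr/bin/app", "app 1.0.1 with hidden admin account (constructed)"),
		Dropper:   Binary{Name: "dropper", Path: "/usr/bin/dropper", Contents: []byte("unsigned (constructed)")},
	}, nil
}

// policies builds one policy per rule style, each anchored to the vetted build.
func policies(s Scenario) map[string]Policy {
	return map[string]Policy{
		"path":      {PathRule{Pattern: "/usr/bin/*"}},
		"publisher": {PublisherRule{Key: s.Publisher}},
		"hash":      {HashRule{Digest: sha256.Sum256(s.Good.Contents)}},
	}
}

func main() {
	s, err := buildScenario()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"path", "publisher", "hash"} {
		for _, b := range []Binary{s.Good, s.Update, s.Dropper} {
			fmt.Printf("%-9s rule  %-10s allowed=%v\n", name, b.Name, policies(s)[name].Allows(b))
		}
	}
}
```

Running it: the path rule allows all three files, the publisher rule allows both signed builds including the backdoored update, and the hash rule allows only the vetted build. A hash rule is the one condition a coerced publisher cannot satisfy on its own; the price is re-pinning the hash on every legitimate update, which is the maintenance burden the comment mentions.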
No. But there are people working hard on things like Power8 (which already exists) and RISC-V, which don't include anything similar to Intel's ME.
Probably more to the point, Apple already designed and implemented a secure enclave that makes it much harder for them to turn over things to law enforcement like messaging content of its users. Signal similarly has a design that limits the amount of data it has to turn over.
Without a legal precedent that says you can't do such hardware/software designs, lots of companies do such designs. We've even seen a company fold rather than change their design on the request of the government to make it easier to spy on users.
Plus, if there is an Intel ME backdoor it is almost certainly only available directly to NSA-- not to FBI, not to the Treasury, definitely not to local law enforcement, and definitely not to other tech companies or politicians who have the sway to convince any of the above to give them access to some data they'd like to have.
A law that makes it possible for more government agencies to force a company to turn over data or serve up malware is a law for the worse. A law that makes it harder for companies to design secure protocols and systems in the first place is a law for the worse.
Or that Microsoft/FB aren't in bed with the NSA? I would say the precedent has long since been set.
Well, Facebook isn't a very good example here. There were so many inputs/outputs into its user data that it's hard to imagine a type of inference that could not have been retrieved by an interested third party on any subset of its userbase.
If Facebook is supposed to be a metaphor for all modern general purpose computing software, your only serious conclusion is to stop using all modern general purpose computing software.
It's more like if Microsoft and FB were in bed with the NSA. And then they sent you the bill for your own surveillance. And if you didn't pay, then sent you to jail.
And there is no criminal liability for non-compliance. "Just" very hefty civil fines.
* Honest Government Ad | Anti Encryption Law - YouTube || https://www.youtube.com/watch?v=eW-OMR-iWOE
* Encryption: Last Week Tonight with John Oliver (HBO) - YouTube || https://www.youtube.com/watch?v=zsjZ2r9Ygzw
Government needs lawyers in the body, but if as a whole it lacks a broad education, it essentially lacks an education.
If only we elected like we hired.
They should be the ones leading the charge against this draconian insanity.
Also, aren't there ways of implementing targeted surveillance without weakening privacy/security very much, if at all? For example, targeting a specific user/device and making sure all exfiltrated data is encrypted with a public key belonging to the police.
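One way to build the "exfiltrated data encrypted with a public key belonging to the police" design described above, as an added Go example that is not from the thread and not any agency's real scheme: the intercept point generates a fresh AES-256-GCM key per message, binds the ciphertext to the named target through the GCM associated data, wraps that key with RSA-OAEP to the agency's public key, and then discards it. The key sizes, the OAEP label and the target identifier format are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the intercept point hands over: ciphertext bound to one
// target that can be opened only with the agency's private key.
type Envelope struct {
	TargetID   string // the specific user or device the order names
	WrappedKey []byte // per-message AES key, RSA-OAEP encrypted to the agency
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM with TargetID as associated data
}

var oaepLabel = []byte("intercept-data-key") // constructed label, not a standard one

// sealForAgency runs on the provider's or device's side. The data key exists
// only long enough to be used and wrapped; nothing retained here decrypts later.
func sealForAgency(agency *rsa.PublicKey, targetID string, plaintext []byte) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return Envelope{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(targetID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agency, key, oaepLabel)
	if err != nil {
		return Envelope{}, err
	}
	for i := range key {
		key[i] = 0 // drop the only copy of the data key
	}
	return Envelope{TargetID: targetID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// openEnvelope runs on the agency's side. Any other private key, or any change
// to the ciphertext or the target binding, fails closed.
func openEnvelope(agency *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, agency, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("wrapped key is not addressed to this private key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.TargetID))
	if err != nil {
		return nil, errors.New("ciphertext or target binding was altered")
	}
	return pt, nil
}

func main() {
	agency, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := sealForAgency(&agency.PublicKey, "device:1234 (constructed)", []byte("intercepted message (constructed)"))
	if err != nil {
		panic(err)
	}
	pt, err := openEnvelope(agency, env)
	fmt.Printf("agency reads: %q (err=%v)\n", pt, err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = openEnvelope(other, env)
	fmt.Println("anyone else:", err)
}
```

The property this buys is that the provider, the device and whoever later breaches the stored collection hold nothing that decrypts it, and a message sealed for one target cannot be re-labelled as another's. What it does not solve is custody of the agency's private key, which this design turns into the single most valuable thing to steal.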
If you think about logistics, the govt will probably need to come up with standard ways of implementing backdoors and API for sending data back. It won't be a whole new system for every targeted company.
Every unwilling company/individual served with a notice will be aware of those methods. How long until those methods and/or keys are leaked?
After that, the hackers have unlimited time and motivation to break what will be the world's largest honeypot.
Also, it's only a matter of time until politicians will use these new powers against each other/their political enemies. Even State Police are getting these powers with no judicial oversight.
Many of the largest data breaches have been from government departments, and in my opinion this will be no different. I know they didn't leak everything, but even the NSA with their budget couldn't keep all their data secret.
I'm currently talking to some lawyers about how flexible the 6-month window might be. (Can you give overlapping 6-month windows? What if you give a new 6-month window every day?)
Extradition treaties are usually subject to 'dual criminality' - so you would have to be breaking the law of the country you are in as well to be extradited for violation of that same law to the EU.
And be realistic. The US hasn't even successfully managed to extradite Kim Dotcom from mighty New Zealand.