Today I watched my country's democracy die via livestream, with the words "Labor withdraws all amendments".
The US government and their agenda to spread similar laws in their country and across the world.
Labor was always on board with the core of the legislation; likely as they were aware of some unreported Five Eyes agreement that Australia will be the 'thin edge of the wedge' to introduce such laws worldwide.
Any amendments proposed wouldn't have changed the goal and were simply the basis for some political theatre to look like such a law has been considered and debated by the politicians. The outcome had already been decided a lot earlier than that point.
Voters? I don’t mean to be snarky, but while Tweets, submissions and letters may inform the content of bills in democracies, the counts of these are not numerically representative of much, apart from the feelings of people who feel strongly about an issue.
That said, these laws sound exceedingly stupid.
For me, this was the 50-tonne block of concrete on the lead coffin on the rotting cadaver of a political system that serves humanity in a balanced manner.
The same interests they are always representing. Themselves. The organisations and lobbyists that got them voted in. The organisations they're looking forward to receiving offers of high-priced consultancies and directorships from after the next election.
Did you expect anything else?
For context, here was the letter we sent: http://i.imgur.com/yRrZHAq.jpg
In talking with some other companies, some of them are looking at potentially moving any role that would have the ability to compromise encryption outside of the country. That way there'd be no way any employee could be legally forced to implement any backdoors or weakening of encryption. That's an extreme measure and is probably overkill right now as the loophole that states you don't have to do anything to weaken your security will likely be used as a challenge against building in any backdoors. We'll have to wait and see how things pan out.
I saw that, but another part of the bill that I've seen (on a cursory review, and as a non-professional) is the sweeping, extreme secrecy measures surrounding the execution of any part of the bill.
Basically, my understanding is that you can't tell me as a customer if you've been required to compromise my privacy.
So say you even take the extreme measure and ship some sensitive roles overseas. If for any reason that's not enough, and your government requires you to surrender some of my data, then you will be legally unable to tell me.
That will destroy all trust.
I like Atlassian and am extremely sorry to see this happening to you.
I've read an interpretation that indicates that all Australian citizen employees are now essentially compromised, as they could be compelled under penalty of jail time to insert backdoors into an application without informing their employers.
> The Synod has some hesitancy about ‘safeguarding national security’ being one of the objectives of the notices, as it is not clear what additional activities this captures that are not criminal activities. For example, notices to address terrorist activities are already about enforcing criminal laws as would be notices targeting foreign espionage. We have a concern that ‘safeguarding national security’ might mean the desire of a government of the day to target civil society groups and individuals that oppose its policies or to target whistleblowers that expose wrong-doing by the government of the day. It would be good if the explanatory memorandum of the Bill includes an explanation of what non-criminal activities are intended to be caught under ‘safeguarding national security’ under the Bill.
So, yeah, a great day for humanity that didn't want this.
As with most deeply technical issues, it is hard to communicate to the general population exactly what the proposed problem and solution is, so the politicians are allowed to freely pass legislation (without understanding it themselves mostly) without much opposition besides the vocal minority.
> Division 7—Limitations
> 317ZG Designated communications provider must not be required to implement or build a systemic weakness or systemic vulnerability etc.
> (1) A technical assistance notice or technical capability notice must not have the effect of:
> (a) requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or (b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection.
> (2) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection includes a reference to implement or build a new decryption capability in relation to a form of electronic protection.
> (3) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection includes a reference to one or more actions that would render systemic methods of authentication or encryption less effective.
These limitations would seem to imply that the bill can't require a "systemic weakness", either by introducing a new one or prohibiting the patching of an existing one, which would seem to suggest that end-to-end crypto wouldn't be affected.
Is this a correct reading? Or are there concerns that the government might, say, require end-to-end crypto to be vulnerable to a government-held golden key?
Edit: Part of the text,
> to implement or build a new decryption capability in relation to a form of electronic protection
, sounds like it's prohibiting golden-key-based schemes.
The basic gems that I got from reading the draft legislation were:
- If you have server side encryption, & we want you to decrypt a particular person's data, then we expect you to do so - ad infinitum.
- If you do client side encryption then we expect you to put into place a system that allows us to decrypt a particular person's data. (One assumes that a modification should be made for the particular client such that their data can be gathered in an unencrypted manner).
So, irrespective of the caveats that you've mentioned, the bill still stands. The caveats you've mentioned are the standard bait-and-switch style legalese, to make it sound more palatable. I'd assume that in reality, it's up to the company (at their own legal cost) to prove that what needs to be created is in fact, a back door.
Note that an interception agency also includes "the Police Force" (p9).
It later states that if a provider willingly complies:
"an officer, employee or agent of the provider is not subject to any civil liability for, or in relation to, an act or thing done by the officer, employee or agent in connection with the act or thing mentioned in paragraph (b)" (p17)
Meaning, you're up for civil charges if you fail to respond to a non-warrant request.
And if that's the case, software really is dead in Australia. You can't trust an Australian company, even if their leadership says they've never received a request, because one of their employees may have.
* TARs and TANs both generally require that an agency be investigating a serious crime (one that takes). There are some toy protections against abuse but they're basically meaningless (the AG or chief officer needs to be "satisfied" that it's reasonable and a few other token requirements -- need I remind you that we imprison refugees in sub-human conditions without the right to a trial, so "reasonable" is a stretch).
* TCNs are even more general. They can be done purely "in the interests of national security".
They mentioned oversight of a "retired judge" and a "technology expert" in the autoplay video at the bottom of https://www.news.com.au/technology/online/security/inprincip...
I'm patiently waiting for their proposed method of reading end-to-end encrypted messages without introducing a systemic weakness.
But the meanings of words don't seem to matter anymore in the reality distortion field that is the Australian government. This is all supposedly to somehow make us more secure for Christmas.
History will not remember these people well.
I imagine that they ask for some tailored malware to be delivered to the specifically targeted device/user.
Which, of course, leads on to a somewhat less specifically targeted "Bulk equipment interference", because once we have the capability, it'll _surely_ not get misused, right? I'm eagerly awaiting the hilarious verbal gymnastics they'll come up with to make a Technical Assistance Notice compelled "Bulk equipment interference" capability somehow not a "systemic weakness"... I'm sure that'll end up in linguistics textbooks and industry jokes for decades...
The govt will just secretly compel them, and their activity stays secret - except the bad guys can now hack our compromised infrastructure and there will be inevitable leaks of data and exploits, just like WannaCry which was originally an NSA exploit.
From memory, the Aust internet filter was originally introduced using similar excuses, e.g. stop terrorist recruitment, pedos, etc.
The copyright cartel was having "pirate" sites blocked not long after, and has been expanding its approach since.
Seems like a similar play book in action with this.
Chilling effects is a desired outcome of this legislation.
What's the maximum sentence for copyright infringement?
There's no definition of what "render systemic methods of authentication or encryption less effective" means.
The Australian Government has historically been somewhat arrogant in any area of technology.
Their attitude, in this case and others, is similar to that of management at a company with a poor technology culture. "we're in charge and we're making this law, now you nerds can go sort out the details".
You'd think something like that would not be carelessly omitted by accident, no? What this means in practice is that virtually nothing they do will ever amount to that being a "systemic weakness", just like Obama kept saying post-Snowden revelations that there have been "no abuses" of intelligence powers and that nobody in the NSA did anything wrong (even after revelations of LOVEINT, etc came out).
An Australian government order for decryption could turn into another EternalBlue-type exploit affecting millions of PCs, and the government will likely still claim that wasn't a systemic issue because they "didn't intend it to be one" (as if spy agencies ever intend their backdoors to be used by rival nations - and yet that happens every time).
> access, when used in relation to material, includes:
> (a) access that is subject to a pre-condition (for example, the use of a password); and
> (b) access by way of push technology; and
> (c) access by way of a standing request
So whilst you may not build a systemic weakness, you may be required to provide a variant of your software to a specific user. Or provide the government with a "pre-condition" such as a golden key.
The words aren't defined at all in the bill (which should be a massive red flag), but even the amendments that include definitions completely miss the point and basically imply that only something like Dual_EC_DRBG is considered a "systemic weakness".
There is a lot of doomsaying because it is very seriously, no-kidding bad. Not to mention that denying such a request should almost certainly be done with some very serious (and expensive) legal advice.
Australia may be leading the path toward a Kafka-esque state but we're not there yet.
That's a pretty big call to refuse a secret request that you're not allowed to disclose to anyone, risking a lengthy jail term without the possibility of even seeking legal advice.
War Is Peace, Freedom Is Slavery, Ignorance Is Strength.
Have a safe Christmas Australia! Papers please!!
At the end of the day, if they tell you to do it, chances are you'll have to do it. And you can't complain to anybody.
If I were to write some software of this nature these days, I'd make sure that the client would be aware of any changes in the API - sort of like a personal warrant canary. (Note that a warrant canary is legal in this legislation.)
(For those wondering how they can be illegal, in Australia it's illegal to state the existence or non-existence of certain kinds of secret warrants. So a statement of a canary is, itself, illegal.)
> - A person who is: ...
> ...may, in the person’s capacity as such a provider or employee, disclose:
> (e) the total number of technical assistance notices given to the provider during a period of at least 6 months; or
> (f) the total number of technical capability notices given to the provider during a period of at least 6 months; or
> (g) the total number of technical assistance requests given to the provider during a period of at least 6 months.
> This subsection authorises the disclosure of aggregate statistical information. That information cannot be broken down:
> (a) by agency; or
> (b) in any other way.

(pp50-51, http://parlinfo.aph.gov.au/parlInfo/download/legislation/bil...)
I mean, a literal reading would allow you to provide minute-by-minute 6-month windows (or a new 6-month window each time you get a request) which could be used to get very detailed alerts each time a new request was given but obviously you'd get into hot water by doing that.
I have not had any communications requesting investigative cooperation from any Australian law enforcement or intelligence agency.
But I believe the bill which passed actually includes the ability to publish aggregated statistics about how many notices you've received. Removing the need for warrant canaries.
(And you wouldn't have to be a citizen, just a subject of Australian law which means that you are either a citizen, are a constitutional corporation, or physically present within Australia. Same as any other nation's laws.)
Australia, you fail at the very notion of free western civilization.
This bill does nothing to prevent the kinds of things it is intended to prevent. The apps this law targets were engineered specifically to prevent this kind of interference. The idea that passing legislation will suddenly change that, magically allowing decryption of messages is beyond idiotic.
The legal and technical barriers to getting anything useful from this legislation are huge. Not to mention the ease with which this can be bypassed (run OpenVPN and IRC on an overseas server, done).
The justification for rushing this was so that Australia could be kept 'safe' over Christmas. It's beyond difficult to describe how ridiculous that is.
Edit: Sorry, I also have to add that in the same sitting of Parliament the government also filibustered legislation that would have enabled medical evacuation of refugee children from child detention on Nauru. It's been a bad day for human rights in Australia.
Especially since ASIO (who really wanted this bill to pass) has stated that even if the bill passed today, they wouldn't have the necessary powers before Christmas.
In terms of Australia I'm not sure what we could actually do about this. Given that it's ASIO and other government departments that want these powers and that they have tried to introduce this sort of law over the course of the last decade. Both major parties have introduced legislation such as this and both voted for it. Maybe it is time for civil disobedience, and have everyone create and distribute encryption applications for all devices, because they couldn't possibly jail everyone right? I just wonder who will be the first person jailed or the first company fined for refusing these orders.
In terms of the world at large, which country should we trust now? A lot of the Western Democracies are becoming rapidly "security" focused authoritarian, and the other countries powerful enough to stand up to them are not much better. Should we trust applications with code written in Russia? What about hardware products manufactured in China? Should we trust services running in the USA? Now we also have to be wary of any company that runs a service in the Five Eyes countries.
Sometimes I wonder if we really have it better than people in the middle ages or other earlier periods, in some ways it clearly is, but in others it's just the same smell coming from different shit.
Chilling effect? More like dipped-in-liquid-nitrogen effect.
I hope Australia will have its own Edward Snowden, but the immediate repercussions would be far more severe in Australia.
You would be knowingly putting your name to a vulnerability, and if someone asks then you have to keep it a secret and feign incompetence. Then if they revert your change you'll have to re-implement it.
If you do tell your superiors (which would be most likely what would happen, even before writing the code) then you would be in violation and could be put in jail.
If you refuse you would be put in jail, or they would go to the next person in their list.
I think you could immediately resign. It's not a slavery bill... is it?
It just seems like a hotter, drier America at this point.
New Zealand still looks lovely though. Maybe they could invade you?
And it isn't like other western countries aren't thinking of doing something similar. While this is a bad law, being smug about it is the wrong reaction.
I wish I knew more western countries who were defending privacy, and the environment for that matter. For a period it kind of looked like Germany _might_ but that hasn't stood up (Who knows, maybe the Pirate Party will get a chancellor someday). The Nordics don't seem amazing either.
What does that leave us with? Some rocky archipelago in the middle of the Pacific? Developing nations that simply don't care or lack the ability to have meaningful enforcement? I'm really struggling to think of something.
The answer from the intelligence agencies is that there must be a known specific threat in order for the threat level to be increased (from "Probable" to "Expected").
So, they're saying that it's important for this legislation to be passed for the sake of the safety of Australian citizens despite the fact there's no specific threat that's worth raising Australia's threat level for.
Add this to the huge list of WTF's surrounding this situation.
From small portion to none.
And basically Australian software developers are unemployable now.
Make no mistake, with the rise of ML governments will be able to crush social movements in the nascent stage before they become too big to stop. People will be arrested for thought crimes because they posted the wrong thing on the wrong website. And currently a large number of people would cheer because the people getting arrested are on the "other" side of the political spectrum. Be careful what you wish for.
I don't support this legislation, but I have to ask, which country is doing a better job on human rights issues than Australia in your opinion? Surely not China or nearly any country in Asia, Africa, or South America? Surely not the US? Probably not much of Europe?
Australia's government blocked legislation that would help kids not die. Because they came on a boat. Which has never been the primary way illegal immigrants get into this country.
Nauru was declared a human rights travesty by the UN.
The medical board that decides whether or not it is a medical emergency that needs to be treated in Australia is staffed by lawyers and only occasionally features a doctor.
We're killing people from neglect, because they dared to take any avenue available to them to escape their homes.
If we put half the effort into assessing their case as we do into making sure they stay in a place reminiscent of WWII slave encampments, there would be no issues.
The most disturbing aspect is the strong bipartisan and public support for the ongoing abuse. Every Australian should wake up in the morning, take a long hard look in the mirror and ask themselves if they're proud of what they've become.
Is there really public support? Everyone I've talked to thinks it's a disgrace.
That being said, being a "coastal elite" in a progressive area isn't necessarily a good litmus test.
Other points I noticed:
- Coming across as emotional about the harm and suffering on Nauru or escaping war, they will dismiss all arguments as immature and feel like they're being an adult to you.
- Some are persuaded by increased economic activity and net welfare investment benefits but want more screening but wouldn't know how to do this effectively.
Source: Asking random people about policies. Some people you can try asking: mechanics, tradies, checkout people, business people, people who hand out stuff for Liberal/Labor. To get a deep understanding, read their sources, any of the Murdoch rags or right wing morning shows (i.e. Alan Jones).
See for instance https://en.wikipedia.org/wiki/World_Index_of_Moral_Freedom#W...
But yeah, “cryptonomicon” utopias are hard to get by, these days.
Too bad, it's almost 2020 and we still can't get "treat people well" right. What hope do animals or the environment have?
My advice is that the Australian tech industry just got nuked from orbit, so come work in the USA. The pay is better, the work is more interesting and the tech companies actually have sway over policy here.
The bill seems to be a nightmare - it even says that the technical assistance request can be given orally. What the bloody ....?
To me, it reads like this - if you're a Nigerian developer working in Germany and refuse to do this for some software (after all, every software is "likely to be used" in Australia), you are still breaking the Australian law. But you need not be prosecutable if Germany does not have an extradition agreement with Australia. If you are an Australian anywhere in the world however, then refusing this makes you a criminal, probably later a fugitive. This is my understanding. Can someone confirm?
The courts of most nations would laugh out the notion of extraditing their own citizens to Australia for hosting a website and not giving the AU government a backdoor to it.
Maybe I'll just work on a farm instead of this technology madness.
I don't like the US shonkiness any more than anyone else. But these situations are not precisely equivalent, especially since this bill passed.
Six of one, half dozen of the other.
> Apple stared down the FBI in a mass murder case, because it was [legally] possible for them to do so.
So far we haven't seen the Australian government ignore its own laws so completely.
If a sickness/injury is bad enough to need to fly back to Australia, there's a pretty good chance you won't be allowed on a plane.
That's fine. You're ok with taking that chance, I'm not.
As far as the ATO is concerned, unless you discontinue both, you're considered an Australian resident for tax purposes.
Even though the US considers you a resident alien, the ATO requires you to at least look like you won't be coming back for >1 year.
After ~3 years the IRS considers me a resident for tax purposes. The ATO only cares about my income because they want to collect HECS payments.
The scary part is not knowing how the law is going to be implemented - I am hopeful that smart people work on the implementation of it in terms of practicality.
If it is an on request thing "give us the details of email@example.com" then that is doable, but if they really want backdoor access to all accounts, then that is ridiculous amount of work and a lot of security risks to worry about.
Wait and see I guess.
Sadly our government has failed us. We are the laughing stock of the whole world (except maybe China).
We got the full dictatorship version with no reporting at all.
Realistically could we just set up all code to be hosted overseas and then pay a set of reviewers in Europe to check PRs for possible backdoors?
Don't think the law lets them compel you to build the backdoor in a super secret and hidden way...
Or don't launch in Europe.
GDPR and this legislation are in direct conflict. Pick a market...
Easy choice to make.
All my hosting is done in the US, but that doesn't mean any of my businesses are necessarily American.
If you specifically reject all customers attempting to sign up from an Aussie IP address, or with an Aussie physical address (if you have that), then you're on pretty firm ground to tell them to piss off if they come knocking.
But, y'know, I'm not a lawyer, and you might be subject to whatever whims any country cares to hit you with. Get some legal advice before trusting some random internet comment ;)
USA didn't like it though, and asked NZ to extradite him to face charges in the USA.
Legal battle still going, I think... but the business is dead.
I doubt Australia has that much clout, but you never know when an extradition will be the price of some favour to someone...
Time to find a new career, sorry.
I've seen zero discussion of the possible ramifications of losing all security companies in Australia. Any software company that depends on security (and which one doesn't?) would be insane in the membrane to think they could credibly work in Australia now.
All they are saying is "the bill was passed to access encrypted communications of terrorists and criminals".
No discussion of no judicial oversight either.
News orgs are shooting themselves in the foot because there's no possibility of a journalist protecting their sources anymore with this nightmare.
1 billion dollars wiped from Atlassian already. I’m hoping the markets react more and destroy the industry here.
Might want to assume that all Australian developers are now potentially compromised.
Then they will coerce a telecommunications provider to install this application on the target's machine (says nothing about having it installed on everybody's machine accidentally or otherwise).
Then they shall profit.
I wish I was being facetious.
have little hope what will save what?
Just like Yandex in Russia - legally they buy all of the software from a company in the Netherlands, at least that's what I heard.
Apple Inc will sell the phones at high rates to Apple Australia, so Apple Australia can claim they are making zero profit in Australia, so hence have to pay no tax.
Please, Apple, do what you know is right and disable all iPhones in Australia. Google, please do the same with Android.
If you have a website, geoblock Australia from it.
Quarantine us from the world. We are sick and will infect you all.
Just did.. won't even respond to icmp. My Tokyo and UK sites.
Actually, if it's possible, you could redirect to a page saying the reason you are blocking, that would be even better.
Seriously the world should quarantine us.
But who knows, this bill seems to be the Christmas gift that keeps on giving! Merry Totalitarian Christmas, everyone!!
And since it’s not going to happen, other countries beyond China unfortunately start to get some funny ideas, too...
This is a civil rights nightmare.
If they want to continue doing business in Australia (and they very much do) then they'll be forced to comply, which means everybody in the world is negatively affected by this insanity.
Won't surprise me at all to find some businesses (like perhaps Whisper Systems) whose "doing business in Australia" doesn't actually earn them a single cent, yet will open them up to enormous reputational damage if they continue operating in Australia after this, might just choose to take their app/service out of the .au app stores...
(BRB, backing up my iDevices and switching auto-update off...)
Meh. 25 million people, and not a top ten economy. Australia has a powerful reality distortion field that makes it seem more important than it is. Must be the tourist marketing and the fact that it punches above its weight in producing successful entertainers.
It’s more likely that WhatsApp and other encrypted messaging apps will just get pulled from the Australian App Store (if the Australian App Store remains in place, since it’s likely to be chosen as a distribution vector for compromised software).
But more importantly, because of the high GDP per capita and low income inequality, Australians are wealthy with lots of disposable income. And so most international marketplaces see disproportionately high amounts of Australian spending when considering population size.
For instance, where I work, the top 5 spending countries are the US, Canada, Australia, UK, China in that order.
With a somewhat heavy heart, but I shall be cancelling my service there.
> 4 the person provides an electronic service that has one or more end-users in Australia
> 5 the person provides a service that facilitates, or is ancillary or incidental to, the provision of an electronic service that has one or more end-users in Australia
> 6 the person develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end-users in Australia
I believe ProtonMail falls into these categories. As an Australian and a user of your services myself, will this mean getting service "officially" cut off in Australia?
They'd need the system admins, CI infrastructure and code review team to be in a jurisdiction free of this kind of thing, and then treat all changes subject to laws like these as hostile.
The alternative is to sell software that everyone knows has backdoors. Pretty hard business case to make.
There is also an Australian entity `Atlassian Pty Ltd` but it’s not clear to me what role that has.
To be honest, Trello is the least of your worries, with Atlassian. Authorities having unfettered access to all your code, regardless of privacy settings, is more worrying imho. Then again, GitHub is US-based and the PATRIOT Act already gives that power to US authorities, so if you care about that, self-hosting is the only way.
All it takes is one malicious npm package
Pretty much any "good" country is affiliated with "Five Eyes" in one way or another.
As a result you can get gigabit fibre in places on their UFB network for a similar price we pay for 50-100Mbps.
If the poster is coming from Australia, NZ is not so bad.
Also, broadband connectivity is very poor (compared even to India, where I live).
Switzerland probably remains the best country in the world and has strong privacy laws and a culture of neutrality. As a plus you get to be in Europe. Tech salaries are high. The anglosphere nations lack the intellectual capital amongst the population to remain critical of encroachments of privacy in the name of protection from terrorists.
Well put, lol.
You make a good case for Switzerland.
What about the Nordic countries?
However, it almost certainly does affect them.
If so, Australians can't even be employed in foreign software companies.
If your review system fails because your Aussie developer "may be compromised", it fails because your $good_country developer may also be compromised.
I doubt even _that_ would cause an uproar so long as it's timed to coincide with yet another threat to the aspirationally wealthy Australian way of life...
"Well, we need to lock up E2E encrypted messaging app developers in Nauru and Guantanamo Bay, because otherwise mortgage rates will go up and your house and investment property values will fall!"
The law requires us to deliver exploits secretly and lie to everybody about it.
Wonder how many banks and other security sensitive orgs use Jira and store all their tech specs in there.
All of them?
Good idea though. Maybe some kind of Certification?
Otherwise yes, security certification process to review existing code and then maintain as above.
And yet, that is precisely what has happened here.
Most of the discussion is about the Technical Capability Notice section (which allows the government to compel a telecommunication provider, under threat of 5 years imprisonment, to create the ability to access communications otherwise inaccessible) but very few people are talking about the Computer Access Warrant sections...
And it's possible for employees to be forced to do this, and you cannot reveal information about these technical notices to your employer -- in fact you are given immunity from civil prosecution precisely for this reason. So you now have to sabotage your employer because of an order by the Australian government. Good luck keeping your job.
The most insidious part to me as a programmer is the definition of a "Designated Communications Provider" which (amongst others) includes (S317C, item 6):
"the person develops, supplies or updates software used, for use, or likely to be used, in connection with:
(a) a listed carriage service; or
(b) an electronic service that has one or more end-users in Australia"
and the "eligible activities" are:
"(a) the development by the person of any such software; or
(b) the supply by the person of any such software; or
(c) the updating by the person of any such software"
In other words, they can just hand you a flash drive containing malware and force you to install it. You're not allowed to say no, and you're not allowed to tell anybody.
The (autoplay! grr) video summary at the bottom is pretty good.
State police forces are getting these powers. So state police, federal police and ASIO can compel devs to break their security for the investigation of any crime that attracts a penalty of 3 years jail or more.
This is not an interim arrangement either.
God this whole thing is so idiotic and scary.
What I believe is that this bill is heavily influenced by the emerging UK law, by experiences of failing to decrypt devices, a pervasive sense of panic and an election year.
Australian police and security have form here asking big when they know the outgoing government is their last chance that gets big wins. Australia Card (digital ID) died in Labor (party) days. Censorship died in Conroy's day (Labor).
Anti-corruption body changes which would actually help material cases in official corruption are being opposed and we're fed "think of the children" KP arguments which are "when did you stop beating your wife" dog whistle politics.
Is there a real problem with decrypts on bad people electronic comms? Sure. Will this law stop that? Nope.
The government has effectively made it possible that anyone and everyone who develops software or hardware used by anyone in the country, or where they feel national security comes into play, must compromise their software, and tell no one.
They can ask any intern to break the software, and not tell their employer.
It's bad enough to have a gaping hole in your security, but now they can ask people who have no idea what they're doing to create a backdoor.
All Australian software has now been rendered completely untrustworthy, and when those compromises in security are found, by the nation states who now know that Australian software will have holes in it, it will result in the very thing that this bill claims to prevent.
Our infrastructure has been opened up for attack, by any of our neighbours who have a reason to do so, whilst simultaneously gutting the economy of IT in Australia. Who wants to buy shitty backdoored Chinese software? It's the same now for Australia.
Australia's government has now opened the door for widescale cyberterrorism to have a chance at wreaking destruction.
So a NSL could request the records for who you are sending encrypted messages to but not the content of the messages and if your messaging provider can't or doesn't already gather that information they can't be compelled to start gathering such information.
If a NSL requests information which the recipient believes violates that guidelines of information which can be requested they can disclose the NSL to legal counsel and challenge the NSL in court.
"The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."
It was planned this way by the intelligence agencies and its supporters. It always is.
And as for rushed through. Lots of stupid shit took a ton of time. Like the marriage survey that could have been done in 15 minutes.
The amendments to this stupid act do gut a lot of the stupidities (not completely), so the pressure now is to make this (and the Nauru re-settlement) the only thing that the ALP allows on the first days of parliament next year.
Write to your MPs, the shadow ministers and the cross bench.
Writing to the LNP politicians is a pointless exercise.
Actually, we're in the middle according to the data; there are a few countries with better rates:
In regard to being fined for 5 km/h over the limit, there's no evidence that small increases in speed over the limit contribute to accidents. It's excessive speed that kills, like going 100 in a 60 zone. The other big killer is distraction and driver fatigue.
As for red lights, I'm fine with the strict rules there. I've almost been hit walking across the road by red light runners.
This is much worse than the authoritarian way they handle traffic fines.
There is no legal representation, no judicial oversight and no actual definitions of essential terms in the bill.
Make no mistake, this is a dictatorship.
It takes about 4 hours or more out of your day to attend court which is obviously not possible for everyone.
Is that a metaphorical or an actual number? If the latter, I am interested in the source.
Since I'm using Fastmail ... can anybody recommend a good alternative? I don't mind paying for a good and secure e-mail provider.
Protonmail looks nice, but it does not seem to offer IMAP (because mails are end2end encrypted).
Their promise has been to not use it for advertising purposes or share it with third parties. I don't see much changing here, but I would like to know if it is.
Like basically all of Australian tech right now, we're super disappointed in our politicians and their games. I spoke to a couple of senators' offices today, and they were sure it would die in amendment hell. Genius.
I'm not defending the Oz gov or companies here, but knee-jerk reactions just open you up to more mistakes. For me, the situation is still preferable to Google having my data/metadata.
So what do you value your privacy at?
Made the switch earlier this year. Webmail UI might seem clunky to some, but I use IMAP so non-issue for me. Easy to set up encryption and apparently they're powered sustainably too.
One deal breaker I know of is you can't map to your own custom domains. There's something in their FAQ which explains their rationale behind this.
Note that the most-upvoted post in the past month, critical of Google, was at the time mysteriously kicked off the front page as well.
Since it's back on the front page now, I'd guess that the HN mods decided that this was important and un-tripped the detector.
2018 -- citizens lose communication privacy protection
2017 -- whistleblowers and dissidents are committed to mental institutions
2016 -- citizens lose financial transaction privacy (the cashless society with finalized transition by 2020)
1996 -- government confiscated all firearms from the hands of private, law abiding citizens
Sweden, and Canada are next.
Basically -- step-by-step methodology to run country-sized Mafia operation is being implemented.
It's relatively easy to get access to firearms in Australia, including semi-automatic pistols.
The gun control laws mainly affected semi-automatic rifles and shotguns.
I should have said the confiscation (mandatory buyback) started with all semi-automatics and pump-action in 1996.
WRT pistols, the pistols that are allowed have less lethal power than a bow and arrow (if the below excerpt is correct).
they can then attend at a licenced firearm dealer and select a handgun which is suitable for the competition in which they intend to take part. This firearm may be a single-shot air pistol, a single-shot .22-calibre pistol or a .22-calibre revolver or self-loading pistol.
Not sure if this was also the case before '96 and self-defense was already banned then.
The bolt actions that are allowed cannot have a pistol grip and must not look 'military'.
I would argue that the passing of the antiterrorism acts in 2005 was a far more severe issue than the 2016 bill -- they basically removed habeas corpus. Shit's been going on for much longer than you think.
"Hey Joey, will you work on the fizzibizzi feature that does xyz?"
I can't, I have other stuff to do?
"What kind of stuff? This feature is the top priority for the whole team?"
I JUST CAN'T TELL YOU OKAY!!!
These backdoors are going to be the worst code possible. What kind of crap quality code do you think a single dev under threat of jail time and the pressure of not being able to communicate with his co-workers or legal representation is going to pump out?
So Division 6, section 317ZF (3) (13) is the ONLY way someone can tell the world what is happening.
Open source apps like Signal would be extremely hard to compromise since no one is going to allow a backdoor commit.