Australian parliament passes encryption laws unamended (www.abc.net.au)
365 points by dhx 5 months ago | 393 comments

Somebody over on Reddit [1] went through all the submissions (there was a consultation period) and summarised and tallied them [2]. Fully 99%+ of submissions were against the bill. A sad day for democracy indeed. A church in Tasmania was in favour, because child pornography.

1. https://www.reddit.com/r/australia/comments/a3j466/assistanc...

2. https://docs.google.com/spreadsheets/d/1dowpZ_Xtr1N_DgkHJN8i...

Lots of people reporting that the offices of MPs and senators were inundated with calls today and over the last few days. Twitter was on fire too. Ignored, just like the expert testimony before the PJCIS. Who do these fools think they were representing?

Today I watched my country's democracy die via livestream, with the words "Labor withdraws all amendments".

> Who do these fools think they were representing?

The US government and their agenda to spread similar laws in their country and across the world.

Labor was always on board with the core of the legislation; likely as they were aware of some unreported Five Eyes agreement that Australia will be the 'thin edge of the wedge' to introduce such laws worldwide.

Any amendments proposed wouldn't have changed the goal and were simply the basis for some political theatre to look like such a law has been considered and debated by the politicians. The outcome had already been decided a lot earlier than that point.

> Who do these fools think they were representing?

Voters? I don’t mean to be snarky, but while Tweets, submissions and letters may inform the content of bills in democracies, the counts of these are not numerically representative of much, apart from the feelings of people who feel strongly about an issue.

That said, these laws sound exceedingly stupid.

As Churchill said, the strongest argument against democracy is a five-minute conversation with the average voter. The voters are getting what they voted for.

There's some seriously shady things going on for this bill to have seen the light of day.

For me, this was the 50-tonne block of concrete on the lead coffin on the rotting cadaver of a political system that serves humanity in a balanced manner.

> Who do these fools think they were representing?

The same interests they are always representing. Themselves. The organisations and lobbyists that got them voted in. The organisations from which they're looking forward to offers of high-priced consultancies and directorships after the next election.

Did you expect anything else?

Don't forget the voters who elected them. Do you see the voters running to the polls and voting for someone else when crap like this gets passed? Of course not. Therefore, the voters implicitly consent to it.

Oh hey, pwnies from reddit here! It wasn't just me, it was myself and a bunch of my coworkers over at Atlassian. As one of the larger Australian tech companies, many of us are somber today to see this passed.

For context, here was the letter we sent: http://i.imgur.com/yRrZHAq.jpg

What's the impact on you going to be like?

Hard to say. The final text of the bill with the amendments that got added this week hasn't been published officially yet (https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat... only the first reading is available). Once it is we'll have to do a full review from legal - it's something a bunch of us are wondering internally right now. There are a lot of loopholes in the bill, so it's hard to say what things we'll be required to do, if any. The bigger impact will be on the world view of the tech scene in Australia. Needless to say this is very damaging, and there are concerns that we won't be able to handle any European data in Australia as it could be a potential violation of GDPR. Again though, that will have to wait until we finish the legal review of the bill and how it impacts us.

In talking with some other companies, some of them are looking at potentially moving any role that would have the ability to compromise encryption outside of the country. That way there'd be no way any employee could be legally forced to implement any backdoors or weakening of encryption. That's an extreme measure and is probably overkill right now as the loophole that states you don't have to do anything to weaken your security will likely be used as a challenge against building in any backdoors. We'll have to wait and see how things pan out.

> That's an extreme measure and is probably overkill right now as the loophole that states you don't have to do anything to weaken your security will likely be used as a challenge against building in any backdoors.

I saw that, but another part of the bill that I've seen (on a cursory review, and as a non-professional) is the sweeping, extreme secrecy measures surrounding the execution of any part of the bill.

Basically, my understanding is that you can't tell me as a customer if you've been required to compromise my privacy.

So say you even take the extreme measure and ship some sensitive roles overseas. If for any reason that's not enough, and your government requires you to surrender some of my data, then you will be legally unable to tell me.

That will destroy all trust.

I like Atlassian and am extremely sorry to see this happening to you.

Any internal discussions about moving out of Australia?

I've read an interpretation that indicates that all Australian citizen employees are now essentially compromised, as they could be compelled under penalty of jail time to insert backdoors into an application without informing their employers.

Even that church was not all-in:

>The Synod has some hesitancy about ‘safeguarding national security’ being one of the objectives of the notices, as it is not clear what additional activities this captures that are not criminal activities. For example, notices to address terrorist activities are already about enforcing criminal laws as would be notices targeting foreign espionage. We have a concern that ‘safeguarding national security’ might mean the desire of a government of the day to target civil society groups and individuals that oppose its policies or to target whistleblowers that expose wrong-doing by the government of the day. It would be good if the explanatory memorandum of the Bill includes an explanation of what non-criminal activities are intended to be caught under ‘safeguarding national security’ under the Bill.

I submitted comments during the review period, but I just got an automated response asking me if they could publish it -- long after all the "town hall" discussions. They clearly didn't give a fuck what the Australian public wanted.

A sad day for democracy, but this fact restores some faith in humanity.

A sad day for democracy, but this fact restores some faith in dictatorship.


Everyone is misreading this comment. OP meant: democracy failed, but the good submissions restore faith in humanity. All the people who wrote in were on the side of common sense.

The people who wrote in do not represent the voting public, they're just a vocal minority. The voting public elected these lawmakers, and will happily re-elect them.


That so many people were against it?

Yea, that's what I meant. At least the people seemed to be overwhelmingly opposed to it, and trying to vote against it. RIP to internet points on that comment, lol.

Yeah, I too, read your comment in the -ve. Thanks for the clarification.

So, yeah, a great day for humanity that didn't want this.

There were 300ish responses. The tech community and savvy individuals are strongly against it, but the vast majority of people don't care or absolutely don't understand what's at stake here.

As with most deeply technical issues, it is hard to communicate to the general population exactly what the proposed problem and solution is, so the politicians are allowed to freely pass legislation (without understanding it themselves mostly) without much opposition besides the vocal minority.

Some of the comments so far seem to suggest that this bill would require software to include backdoors. However, it looks like [the bill's PDF](https://parlinfo.aph.gov.au/parlInfo/download/legislation/bi...) includes:

> Division 7—Limitations

> 317ZG Designated communications provider must not be required to implement or build a systemic weakness or systemic vulnerability etc.

> (1) A technical assistance notice or technical capability notice must not have the effect of:

> (a) requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or

> (b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection.

> (2) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection includes a reference to implement or build a new decryption capability in relation to a form of electronic protection.

> (3) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection includes a reference to one or more actions that would render systemic methods of authentication or encryption less effective.

These limitations would seem to imply that the bill can't require a "systemic weakness", either by introducing a new one or prohibiting the patching of an existing one, which would seem to suggest that end-to-end crypto wouldn't be affected.

Is this a correct reading? Or are there concerns that the government might, say, require end-to-end crypto to be vulnerable to a government-held golden key?


Edit: Part of the text,

> to implement or build a new decryption capability in relation to a form of electronic protection

sounds like it's prohibiting golden-key-based schemes.

There are so many loopholes in this thing. One predominant thing to keep in mind is the legal onus that is put on a company that does not comply.

The basic gems that I got from reading the draft legislation were:

- If you have server side encryption, & we want you to decrypt a particular person's data, then we expect you to do so - ad infinitum.

- If you do client side encryption then we expect you to put into place a system that allows us to decrypt a particular person's data. (One assumes that a modification should be made for the particular client such that their data can be gathered in an unencrypted manner).

So, irrespective of the caveats that you've mentioned, the bill still stands. The caveats you've mentioned are the standard bait-and-switch style legalese, to make it sound more palatable. I'd assume that in reality, it's up to the company (at their own legal cost) to prove that what needs to be created is in fact, a back door.

Does the legislation say they can do this without justification though? Can they just ask for anyone's information or does there need to be some sort of warrant?

"The Director-General of Security, the Director-General of the Australian Secret Intelligence Service, the Director-General of the Australian Signals Directorate or the chief officer of an interception agency may give a technical assistance request to a designated communications provider. • A technical assistance request may ask the provider to do acts or things on a voluntary basis..."

Note that an interception agency also includes "the Police Force" (p9)

It later states that if a provider willingly complies:

"an officer, employee or agent of the provider is not subject to any civil liability for, or in relation to, an act or thing done by the officer, employee or agent in connection with the act or thing mentioned in paragraph (b)" p17

Meaning, you're up for civil charges if you fail to respond to a non-warrant request.

I don't see how you're up for civil charges if you fail to respond. It's voluntary. The line about not being subject to civil liability sounds to me like your employer can't fire or sue you for undermining the security of their product if you're doing so in response to a request.

That's how I interpret it too. Though does that mean they can contact an employee directly, rather than going through the company to have the backdoor installed? That's how it sounds to me, since otherwise why would you bother with this provision.

And if that's the case, software really is dead in Australia. You can't trust an Australian company, even if their leadership says they've never received a request, because one of their employees may have.

There are three kinds of notices. Only one is voluntary (Technical Assistance Request). The other two (Technical Assistance Notice, Technical Capability Notice) are both mandatory and carry several hundred penalty unit punishments for non-compliance.

It doesn't need a warrant, and the requirements are varied. None of them require judicial review.

* TARs and TANs both generally require that an agency be investigating a serious crime (one that takes). There are some toy protections against abuse but they're basically meaningless (the AG or chief officer needs to be "satisfied" that it's reasonable and a few other token requirements -- need I remind you that we imprison refugees in sub-human conditions without the right to a trial, so "reasonable" is a stretch).

* TCNs are even more general. They can be done purely "in the interests of national security".

Does it matter? The correct answer to "decrypt this person's data now" is "sorry, we can't". Not "won't", "can't".

It has to be under suspicion of a crime that attracts over 3 years jail (which is almost anything).

They mentioned oversight of a "retired judge" and a "technology expert" in the autoplay video at the bottom of https://www.news.com.au/technology/online/security/inprincip...

Why a retired judge and not an active judge? Presumably because an active judge is required to obey certain standards and is legally independent. A retired judge is effectively just some guy.

Because they didn't want judicial oversight. It's just going to be rubber-stamp faux-arbitration.

They were going to supply a definition of "systemic weakness", but I can't find one in the bill itself.

I'm patiently waiting for their proposed method of reading end-to-end encrypted messages without introducing a systemic weakness.

But the meaning of words doesn't seem to matter anymore in the reality distortion field that is the Australian government. This is all supposedly to somehow make us more secure for Christmas.

Indeed, the laws of mathematics make this impossible. Count yourself lucky to be living in a country where the laws of mathematics don't apply.

The laws of mathematics are "commendable", but they're nothing compared to Australian laws hurriedly passed 5 minutes before the Christmas holidays.

History will not remember these people well.

History will most likely remember these people as the completely incompetent board of directors of the fossil fuel industry that presided over the final execution of the planet's habitable ecosystem. The fact that they were politicians or even the Prime Minister for 5 minutes briefly in late 2018 won't even be a footnote...

This line of argument is not helpful. What are you going to do if/when somebody shows up with a scheme that shows you're wrong, and the laws of mathematics do in fact permit such schemes?

Fix cryptography.

I'm patiently waiting for their proposed method of reading end-to-end encrypted messages without introducing a systemic weakness.

I imagine that they ask for some tailored malware to be delivered to the specifically targeted device/user.

So the UK spooks have a wonderful euphemism for this. "Equipment interference":


Which, of course, leads on to a somewhat less specifically targeted "Bulk equipment interference", because once we have the capability, it'll _surely_ not get misused, right? I'm eagerly awaiting the hilarious verbal gymnastics they'll come up with to make a Technical Assistance Notice compelled "Bulk equipment interference" capability somehow not a "systemic weakness"... I'm sure that'll end up in linguistics textbooks and industry jokes for decades...

We won't see any of that hilarious verbal gymnastics because any individual would be crazy to try to fight one of these orders and face 10 years in jail.

The govt will just secretly compel them, and their activity stays secret - except the bad guys can now hack our compromised infrastructure and there will be inevitable leaks of data and exploits, just like Wannacry which was originally an NSA exploit.

According to the proposed amendments (which weren't included) that had definitions, their definition of a systemic weakness is different from everyone else's (yet another example of the doublespeak that this Bill contains). A systemic weakness is a weakness that is targeted, even if in order to target it you need to weaken your entire architecture in order to fulfil it. And to paraphrase the Greens MP, "the target could be as vague as all Victorians or everyone over the age of 30 and still not be considered a systemic weakness".

As long as we don't know P!=NP we're not sure if we actually need to introduce a systemic weakness to break crypto, no?

Wonder how long it'll take for the Aust branches of the US copyright cartel to start demanding access to "pirates" comms through this.

From memory, the Aust internet filter was originally introduced using similar excuses, e.g. stop terrorist recruitment, pedos, etc.

The copyright cartel was having "pirate" sites blocked not long after, and has been expanding its approach since.

Seems like a similar play book in action with this.

That’s the whole point of this legislation, and one of the reasons the legislation specifically supports the death penalty is to allow this legislation to be used by Australia to support the USA, where the death penalty still exists.

There's a secondary point to this legislation: discouraging whistleblowers by making it more difficult to both hide yourself and be hidden by whichever journalist you're working with.

Chilling effects is a desired outcome of this legislation.

Whistleblowing attracts up to a 25-year sentence, so yes this is terrible for journalists.

What's the maximum sentence for copyright infringement?

25 years assuming you are sentenced in Australia rather than extradited to the USA to be killed.

I don't understand your logic. Is the death penalty specifically mentioned in this bill somewhere?

Yes, it is specifically mentioned in this legislation, and is specifically called out as indication that the foreign government’s request warrants action under this legislation. That is to say that given the foreign government seeking information that will lead to a death penalty on conviction, the Attorney General is compelled to issue an instruction under this legislation.

The problem is that "systemic weakness" and "systemic vulnerability" are very badly defined.

There's no definition of what "render systemic methods of authentication or encryption less effective" means.

That is by design.

The Australian Government has historically been somewhat arrogant in any area of technology.

Their attitude, in this case and others, is similar to that of management at a company with a poor technology culture. "we're in charge and we're making this law, now you nerds can go sort out the details".

There's one itsy bitsy issue with that whole "systemic weakness" thing. It's not defined in the law.

You'd think something like that would not be carelessly omitted by accident, no? What this means in practice is that virtually nothing they do will ever amount to that being a "systemic weakness", just like Obama kept saying post-Snowden revelations that there have been "no abuses" of intelligence powers and that nobody in the NSA did anything wrong (even after revelations of LOVEINT, etc came out).

An Australian government order for decryption could turn into another EternalBlue-type exploit affecting millions of PCs, and the government will likely still claim that wasn't a systemic issue because they "didn't intend it to be one" (as if spy agencies ever intend their backdoors to be used by rival nations - and yet that happens every time).



However, the bill also requires access be provided, where access is:

> access, when used in relation to material, includes:

> (a) access that is subject to a pre-condition (for example, the use of a password); and

> (b) access by way of push technology; and

> (c) access by way of a standing request

So whilst you may not build a systemic weakness, you may be required to provide a variant of your software to a specific user. Or provide the government with a "pre-condition" such as a golden key.

Thank you for this, there is a lot of doomsaying in this thread but this reads to me that it would be possible to refuse requests based on these limitations.

The problem is that you are reading it as though the words mean what a technical person means by "systemic weakness" (such as weakening the crypto in an app in order to target a user). This is not what the words mean (and this entire bill and discussion around it is full of Orwellian doublespeak -- they redefine the word "backdoor" to mean 0-day for instance).

The words aren't defined at all in the bill (which should be a massive red flag), but even the amendments that include definitions completely miss the point and basically imply that only something like Dual_EC_DRBG is considered a "systemic weakness".

There is a lot of doomsaying because it is very seriously, no-kidding bad. Not to mention that denying such a request should almost certainly be done with some very serious (and expensive) legal advice.

Noting that you can’t seek legal advice because you’re not allowed to talk to anyone about the request.

Obviously the section on disclosure doesn't involve talking to your own legal representation (there is common law on this already). But even if there wasn't common law covering this it's explicitly allowed in Sect 317ZF.3e. You can even reveal it in a legal proceeding under Sect 317ZF.3b.

Australia may be leading the path toward a Kafka-esque state but we're not there yet.

Please note that disclosure for legal advice was not in the first reading, but added later.

There's doomsaying because this is doom.

That's a pretty big call to refuse a secret request that you're not allowed to disclose to anyone, risking a lengthy jail term without the possibility of even seeking legal advice.

War Is Peace, Freedom Is Slavery, Ignorance Is Strength.

Have a safe Christmas Australia! Papers please!!

It's interesting how the English-speaking countries seem to be doing their very best to emulate the novel "1984".

They legislated the power to hand a developer a $50K fine and put them in jail for 10 years for refusing. And you can't tell anybody else about it, for them to back you up with their technical input etc.

At the end of the day, if they tell you to do it, chances are you'll have to do it. And you can't complain to anybody.

As far as I can tell there isn't a criminal penalty for refusing, what version of the bill are you looking at? In the first reading and all the amendments I could see there is "just" a 230-odd penalty units fine (which is about $25k in NSW).

What does this mean for Zero-knowledge systems?

You must build a custom made back door, e.g. something like ProtonMail would need to inject some extra javascript so that the government could obtain a copy before encryption, I expect.

If I were to write some software of this nature these days, I'd make sure that the client would be aware of any changes in the API - sort of like a personal warrant canary. (Note that a warrant canary is legal in this legislation).

Warrant canaries are illegal in Australia, at least in the case of other kinds of secret warrants. I would be very surprised that a judge would (given the existing laws that have similar properties) consider a warrant canary legal.

(For those wondering how they can be illegal, in Australia it's illegal to state the existence or non-existence of certain kinds of secret warrants. So a statement of a canary is, itself, illegal.)

There are allowances (from what I understand) in this bill. From "Section 6 - Unauthorised disclosure of information":

> A person who is: ...
>
> ...may, in the person’s capacity as such a provider or employee, disclose:
>
> (e) the total number of technical assistance notices given to the provider during a period of at least 6 months; or
>
> (f) the total number of technical capability notices given to the provider during a period of at least 6 months; or
>
> (g) the total number of technical assistance requests given to the provider during a period of at least 6 months.
>
> This subsection authorises the disclosure of aggregate statistical information. That information cannot be broken down:
>
> (a) by agency; or
>
> (b) in any other way. [0]

[0] pp50-51, http://parlinfo.aph.gov.au/parlInfo/download/legislation/bil...

Right, I forgot to mention the statistics. Yes, you can publish statistics in 6-month windows -- which is kind of what warrant canaries are supposed to provide information about -- but I'd be surprised if the "cannot be broken down" might be used to restrict the usefulness of statistics...

I mean, a literal reading would allow you to provide minute-by-minute 6-month windows (or a new 6-month window each time you get a request) which could be used to get very detailed alerts each time a new request was given but obviously you'd get into hot water by doing that.

So if I was an Australian citizen, I'd be committing a crime by saying:

I have not had any communications requesting investigative cooperation from any Australian law enforcement or intelligence agency.

No, it would be an offense to make a statement about the existence or nonexistence of a journalistic information warrant.

But I believe the bill which passed actually includes the ability to publish aggregated statistics about how many notices you've received. Removing the need for warrant canaries.

(And you wouldn't have to be a citizen, just a subject of Australian law which means that you are either a citizen, are a constitutional corporation, or physically present within Australia. Same as any other nation's laws.)

This is government-compelled labor, whose product is only of value to government, and which labors in direct opposition to the personal safety and well-being of the entire general population.

Australia, you fail at the very notion of free western civilization.

It’s also government compelled lying.

This is another thing that adds to my deep sense of shame to live in this country (sadly, that list is long and growing).

This bill does nothing to prevent the kinds of things it is intended to prevent. The apps this law targets were engineered specifically to prevent this kind of interference. The idea that passing legislation will suddenly change that, magically allowing decryption of messages is beyond idiotic.

The legal and technical barriers to getting anything useful from this legislation are huge. Not to mention the ease with which this can be bypassed (run OpenVPN and IRC on an overseas server, done).

The justification for rushing this was so that Australia could be kept 'safe' over Christmas. It's beyond difficult to describe how ridiculous that is.

Edit: Sorry, I also have to add that in the same sitting of Parliament the government also filibustered legislation that would have enabled medical evacuation of refugee children from child detention on Nauru. It's been a bad day for human rights in Australia.

> It's beyond difficult to describe how ridiculous that is.

Especially since ASIO (who really wanted this bill to pass) has stated that even if the bill passed today, they wouldn't have the necessary powers before Christmas.

So now any of the Five Eyes intelligence agencies can have a chat with ASIO and get them to coerce companies and individuals within companies to put these back doors in. Then they can all use the same back doors, so everyone living in the USA, UK, Canada, and New Zealand can have their encryption compromised and communications intercepted. There's no way that companies will create back doors specifically just for Australia, so everyone will have access.

In terms of Australia, I'm not sure what we could actually do about this, given that it's ASIO and other government departments that want these powers and that they have tried to introduce this sort of law over the course of the last decade. Both major parties have introduced legislation such as this and both voted for it. Maybe it is time for civil disobedience, and have everyone create and distribute encryption applications for all devices, because they couldn't possibly jail everyone right? I just wonder who will be the first person jailed or the first company fined for refusing these orders.

In terms of the world at large, which country should we trust now? A lot of the Western Democracies are becoming rapidly "security" focused authoritarian, and the other countries powerful enough to stand up to them are not much better. Should we trust applications with code written in Russia? What about hardware products manufactured in China? Should we trust services running in the USA? Now we also have to be wary of any company that runs a service in the Five Eyes countries.

Sometimes I wonder if we really have it better than people in the middle ages or other earlier periods, in some ways it clearly is, but in others it's just the same smell coming from different shit.

And then somebody from inside will get a guilty conscience, but remember what happened to Snowden, and just sell the backdoor straight to Huawei or NSO or Mohamad bin Salem (salving themselves by pretending they're going to donate hundreds of millions to "improving the world", but instead will buy private islands and matching citizenships to Peter Thiel's...)


While America might have the Espionage Act, we have a law (passed a year or two ago) that gives mandatory minimum sentences of >15 years for revealing information about ASIO. And sharing the information (even if it's public) carries the same penalty -- so re-tweeting such revelations is a criminal offense. As is viewing it.

Chilling effect? More like dipped-in-liquid-nitrogen effect.

I hope Australia will have its own Edward Snowden, but the immediate repercussions would be far more severe in Australia.

Realistically, if you were a developer not in the chain of command and asked to do this: Would you? Could you?

You would be knowingly putting your name to a vulnerability, and if someone asks then you have to keep it a secret and feign incompetence. Then if they revert your change you'll have to re-implement it.

If you do tell your superiors (which would be most likely what would happen, even before writing the code) then you would be in violation and could be put in jail.

If you refuse you would be put in jail, or they would go to the next person in their list.

If you think about logistics they'd have to make contact with people in the company to even find out who the devs are who are capable of making a backdoor. That would probably tip off others in the company as to what was happening anyway. You'd think they'd essentially have to serve the whole dev team with the secret order.

I think you could immediately resign. It's not a slavery bill... is it?

I wonder what the legal implications of just quitting on the spot when asked might be?

It's 100% posturing and optics. There was nothing achieved by passing this law at the last day of sitting.

When I was a kid I really wanted to see Australia. Kangaroos! Coral! Toilets that go backwards! Crocodile Dundee! (I was a kid, alright?)

It just seems like a hotter, drier America at this point.

New Zealand still looks lovely though. Maybe they could invade you?

Bit harsh, compared to America it's still saner day-to-day with healthcare, gun control, and very liveable cities with public transport.

And it isn't like other western countries aren't thinking of doing something similar. While this is a bad law, being smug about it is the wrong reaction.

I don't mean to be smug. It's just kind of sad to see what's happened to a country with enormous soft power. Same goes for the US.

I wish I knew more western countries who were defending privacy, and the environment for that matter. For a period it kind of looked like Germany _might_ but that hasn't stood up (Who knows, maybe the Pirate Party will get a chancellor someday). The Nordics don't seem amazing either.

What does that leave us with? Some rocky archipelago in the middle of the Pacific? Developing nations that simply don't care or lack the ability to have meaningful enforcement? I'm really struggling to think of something.

Which other western and non-English-speaking countries are doing similar things? This democratic-authoritarianism seems to be unique to the Five Eyes nations.

One of the best criticisms for the rushing through of this POS legislation was "if it's such a rush to get this done, why hasn't Australia's threat level been increased?"

The answer from the intelligence agencies is that there must be a known specific threat in order for the threat level to be increased (from "Probable" to "Expected")[0]

So, they're saying that it's important for this legislation to be passed for the sake of the safety of Australian citizens despite the fact there's no specific threat that's worth raising Australia's threat level for.

Add this to the huge list of WTF's surrounding this situation.

[0] https://www.nationalsecurity.gov.au/securityandyourcommunity...

> OpenVPN

They'll probably want a backdoor in that too.

Careful criminals will surely be able to find a set of software that isn't affected. Australia isn't the US, only a small portion of software companies would have a large local presence here.

I’m sure that will change now.

From small portion to none. And basically Australian software developers are unemployable now.

The problem is that a backdoor might not be so obvious. It can be simply a wrongly chosen algorithm key size, and you need to be a cryptographic expert to know that.

That would have to be a systematic weakness... except systematic weakness is probably doublespeak for "whatever the fuck we want to do" anyway.

No reason for them to be getting it.

The government's primary goal is to protect itself and continue growing like cancer. In many ways the citizens are its greatest threat because they can vote to cut budget and the power of the political elites. These laws are a way to increase monitoring of citizens so problems can be squashed before they grow too big and threaten the government.

Make no mistake, with the rise of ML governments will be able to crush social movements in the nascent stage before they become too big to stop. People will be arrested for thought crimes because they posted the wrong thing on the wrong website. And currently a large number of people would cheer because the people getting arrested are on the "other" side of the political spectrum. Be careful what you wish for

Except that there's other countries where their governments don't seem to have these problems.

where? From what I've seen Europe, UK, USA, Canada, and especially China are all moving in this direction of more privacy intrusions. Considering the West has traditionally offered the most freedom for its citizens I'd say things are trending towards authoritarian governments

EU seems to be pretty concerned with data privacy, and they even have laws protecting it.

They have laws protecting individuals from companies, not the government. The GDPR has special exceptions for government investigations, and many EU countries have strong domestic spy agencies that spy on their citizens.

coughs in American

> This is another thing that adds to my deep sense of shame to live in this country (sadly, that list is long and growing).

I don't support this legislation, but I have to ask, which country is doing a better job on human rights issues than Australia in your opinion? Surely not China or nearly any country in Asia, Africa, or South America? Surely not the US? Probably not much of Europe?

To paraphrase our PM, speaking on medical evacuation of children, "I will do whatever is possible to prevent it."

Australia's government blocked legislation that would help kids not die. Because they came on a boat. Which has never been the primary way illegal immigrants get into this country.

Nauru was declared a human rights travesty by the UN.

The medical board that decides whether or not it is a medical emergency that needs to be treated in Australia is staffed by lawyers and only occasionally features a doctor.

We're killing people from neglect, because they dared to take any avenue available to them to escape their homes.

If we put half the effort into assessing their case as we do into making sure they stay in a place reminiscent of WWII slave encampments, there would be no issues.

It is an absolute national shame. MSF recently likened the mental health of the people on Nauru to victims of torture.[1]

The most disturbing aspect is the strong bipartisan and public support for the ongoing abuse. Every Australian should wake up in the morning, take a long hard look in the mirror and ask themselves if they're proud of what they've become.

[1] https://www.msf.org.au/article/statements-opinion/indefinite...

>The most disturbing aspect is the strong bipartisan and public support for the ongoing abuse.

Is there really public support? Everyone I've talked to thinks it's a disgrace.

My personal social circle and Sydney Inner West socially aware bubble all think it's a disgrace, but I'm not kidding myself into thinking I'd need to go very far before I bumped into people who'd justify it to themselves as "necessary for the country", and not a lot further to find people actively and vocally celebrating the cruelness...

The pollies seem to think so. I don't know anyone who admitted voting for Abbott in 2013 either but a lot of people obviously did.

There have been slightly more encouraging signs recently that the tides are shifting, at least in my view. The rinsing the state Liberals got in Victoria after desperately pushing the openly racist and patently false "African youths are all gang members and everyone is afraid of being robbed" rhetoric, as well as the uptick in general awareness and number of protests, makes me hope the public's apathy is morphing into a deep national shame.

That being said being a "coastal elite" in a progressive area isn't necessarily a good litmus test

Some people say the efforts by Liberal/Labor are to discourage a lot more refugees from overwhelming Australia. Resulting in increased crime, less jobs, etc. They acknowledge that some will suffer in the process.

Other points I noticed:

- Coming across as emotional about the harm and suffering on Nauru or escaping war, they will dismiss all arguments as immature and feel like they're being an adult to you.

- Some are persuaded by increased economic activity and net welfare investment benefits but want more screening but wouldn't know how to do this effectively.

Source: Asking random people about policies. Some people you can try asking: mechanics, tradies, checkout people, business people, asking people who handout stuff for Liberal/Labor. To get a deep understanding, read their sources, any of the Murdoch rags or right wing morning shows (ie Alan Jones).

Actually I think several Latin American and European countries do a better job on human rights issues. Some African countries as well.

See for instance https://en.wikipedia.org/wiki/World_Index_of_Moral_Freedom#W...

Why does it matter? It's not a zero sum game, what others are doing is completely irrelevant to the question of whether or not what we're doing is disgustingly immoral (and it is, as far as I'm concerned.)


But yeah, “cryptonomicon” utopias are hard to get by, these days.

This is a classical 'whataboutism', trying to deflect from the real subject by bringing up another. But keeping in line with that theme: what about detaining immigrants in Nauru, Christmas Island, Manus Island etc. under doubtful circumstances with no open access for press and NGOs?

I didn't read the comment as tu quoque, I read it as "it's a bit shit everywhere". Even Canada treats native populations badly, I don't know what things are like in the Scandinavian countries.

Too bad, it's almost 2020 and we still can't get "treat people well" right. What hope do animals or the environment have?

Wasn't the situation in Nauru that the immigrants aren't considered detained as they are free to return home as soon as they agree to do so?

If you are an Australian software engineer, you have one advantage that other nationalities do not: the E3 visa. It is a US working visa that is specifically reserved for Australians and consequently it is much easier to get than an H1B.

My advice is that the Australian tech industry just got nuked from orbit, so come work in the USA. The pay is better, the work is more interesting and the tech companies actually have sway over policy here.

I am not sure that migrating will help. If I read the bill right, it implies that every person providing any service used (or "likely to be used") in Australia is under legal obligation to insert these backdoors. I don't think it specifically mentions software developed in Australia.

The bill seems to be a nightmare - it even says that the technical assistance request can be given orally. What the bloody ....?

To me, it reads like this - if you're a Nigerian developer working in Germany and refuse to do this for some software (after all, every software is "likely to be used" in Australia), you are still breaking the Australian law. But you need not be prosecutable if Germany does not have an extradition agreement with Australia. If you are an Australian anywhere in the world however, then refusing this makes you a criminal, probably later a fugitive. This is my understanding. Can someone confirm?

Australia does not have the economy to force such a perverse violation of privacy on foreign business. If they try it, Google et al will be much better served pulling a Spain and blocking access in Oz than by complying.

The courts of most nations would laugh out the notion of extraditing their own citizens to Australia for hosting a website and not giving the AU government a backdoor to it.

Just geoblock Australia.

I've heard this from a number of reliable sources (friends in the industry based in TX and other places). Absolutely considering the leap as soon as is feasible

You've got Trump. Also the NSA.

Maybe I'll just work on a farm instead of this technology madness.

Trump won't last forever and Apple and others have been staring down three-letter agencies for a while now.

The US has already been doing this stuff for a long time, without it being legal. They can always pressure you and threaten to ruin any engineer's life if they don't do what they want. And who do you think came up with this legislation? It's US Intelligence. Australia is their testing lab, just like Macca's does.

Apple stared down the FBI in a mass murder case, because it was possible for them to do so. They won't be able to do that in Australia.

I don't like the US shonkiness any more than anyone else. But these situations are not precisely equivalent, especially since this bill passed.

I don't see how it's any different to the situations with NSLs in the US. There's a veil of secrecy and no real limits on the scope of request with very harsh penalties for non-compliance.

The US government ignores their laws, while Australia passes terrible ones.

Six of one, half dozen of the other.

> The US government ignores their laws

and yet

> Apple stared down the FBI in a mass murder case, because it was [legally] possible for them to do so.

The US government couldn't make Apple help them in public, but they just spy on everything they can themselves behind closed doors.

So far we haven't seen the Australian government ignore its own laws so completely.

but health care

Typically included in your benefits package as part of the job. You don't have to give up Australian citizenship to get an E3, so if necessary you can fly back to Australia for treatment.

>if necessary you can fly back to Australia for treatment

If a sickness/injury is bad enough to need to fly back to Australia, there's a pretty good chance you won't be allowed on a plane.

That is naive and simplistic. Sure, if you were hit by a car you probably won't be making a flight. But cancer? Elective surgery? Physical therapy? There are plenty of slow roll medical issues that can survive a 16 hour plane trip.

Sure, but it's financial ruin if it isn't one of those things, even if you survive. Who's being naive?

That's fine. You're ok with taking that chance, I'm not.

If you want to get double taxed, sure you can keep your Australian Medicare and private health insurance.

As far as the ATO is concerned, unless you discontinue both, you're considered an Australian resident for tax purposes.

Even though the US considers you a resident alien, the ATO requires you to at least look like you won't be coming back for >1 year.

My experience was that the ATO did not consider me a tax resident. Basically if you've tidied up your Australian affairs, earn 0% in Australia and 100% in the US, they aren't totally bloody-minded. I did make sure to use a specialist tax agent though.

After ~3 years the IRS considers me a resident for tax purposes. The ATO only cares about my income because they want to collect HECS payments.

I am an Australian software developer and am currently getting https://www.lifepim.com ready for release which, funnily enough has the main selling point as "Your data is private, secure and free from adverts" - what a joke.

The scary part is not knowing how the law is going to be implemented - I am hopeful that smart people work on the implementation of it in terms of practicality.

If it is an on request thing "give us the details of terrorist@blah.com" then that is doable, but if they really want backdoor access to all accounts, then that is ridiculous amount of work and a lot of security risks to worry about.

Wait and see I guess.

I would not use your software because I don't believe my data on it could possibly be private and secure. Especially after you've just said you could do an "on request thing" for certain users data.

Sadly our government has failed us. We are the laughing stock of the whole world (except maybe China).

I’m sure your customers will believe you if you say that your government did not tell you to lie about backdoors and weaknesses in your products security.

That's the scary part about this - a company is not allowed to tell people when the data was accessed

They are allowed to provide statistical information (in 6-month windows). Still completely useless in a practical sense.

No. That was an amendment that was not passed.

We got the full dictatorship version with no reporting at all.

Technically, it's not like a dictatorship at all. A dictatorship is a government where there's one person at the top with ultimate power. What you have really is more like a "cabal", much like China's government.

The section on statistics was in the first reading of the bill.

Looks like a cool product.

Realistically could we just set up all code to be hosted overseas and then pay a set of reviewers in Europe to check PRs for possible backdoors? Don't think the law lets them compel you to build the backdoor in a super secret and hidden way...

The way it’s written that could be 5 years in gaol because you let people know about it.

Not relevant, but I love the old-school spelling of "gaol". Is it still used anywhere or are you being whimsical?

Yes, Australia uses it still. e.g. Ballarat Gaol, Old Melbourne Gaol.

Ah, that's delightful.

That's the official spelling in Australia, and I think the UK.

Thanks! I don't think hosting overseas would work, but then again - who knows how it would be implemented.

Don't launch in Australia.

Or don't launch in Europe.

GDPR and this legislation are in direct conflict. Pick a market...

In this case, it's a market of ~25 million vs a market of nearly ~500 million people..

easy choice to make.

Can launches be targeted (legally) to a country? The site is hosted in London and is already GDPR compliant - wonder if this means it is not under Australian laws?

If the business is registered in Australia then you're under Australian laws, regardless of where it's hosted.

All my hosting is done in the US, but that doesn't mean any of my businesses are necessarily American.

If you're not an Aussie company, and don't have any staff in Australia, then it's a long reach for them to do something to you.

If you specifically reject all customers attempting to sign up from an Aussie IP address, or with an Aussie physical address (if you have that), then you're on pretty firm ground to tell them to piss off if they come knocking.

But, y'know, I'm not a lawyer, and you might be subject to whatever whims any country cares to hit you with. Get some legal advice before trusting some random internet comment ;)

I guess the poster child for this is Kim Dotcom. Launched a file sharing service from New Zealand that didn't break any NZ laws.

USA didn't like it though, and asked NZ to extradite him to face charges in the USA.

Legal battle still going, I think... but the business is dead.

I doubt Australia has that much clout, but you never know when an extradition will be the price of some favour to someone...

Nothing bad about GDPR, since it's actually made to protect citizens.

totally agree. Which means their contradiction of the Aussie rules means...

Yup, your software just became compromised. No way in hell I'd ever use that now.

Time to find a new career, sorry.

It is now legally impossible for data to be private or secure. Your product is now dead by law.

I have to say, the coverage of this bill on the news has been atrocious.

I've seen zero discussion of the possible ramifications of losing all security companies in Australia. Any software company that depends on security (and which one doesn't?) would be insane in the membrane to think they could credibly work in Australia now.

All they are saying is "the bill was passed to access encrypted communications of terrorists and criminals".

No discussion of no judicial oversight either.

News orgs are shooting themselves in the foot because there's no possibility of a journalist protecting their sources anymore with this nightmare.

Australia doesn’t have much in the way of judicial oversight. The joys of parliamentary supremacy and a weak constitution.

To anyone with a business from anywhere else in the world: yes, please do, publicly and loudly, cease to deal with us (Australia) due to the very real possibility that all of your private and commercially sensitive communications will be monitored and recorded (also, given the Five Eyes agreement, shared with other countries). Australia already has a history of using its spy services for commercial gain. https://en.m.wikipedia.org/wiki/Australia%E2%80%93East_Timor...

+1 block us. Apple if you are reading this stop selling us iPhones. Australians need to feel the pain of this otherwise nothing will change.

1 billion dollars wiped from Atlassian already. I’m hoping the markets react more and destroy the industry here.

Might want to assume that all Australian developers are now potentially compromised.

Ugh, Trello is owned by Atlassian. Will this law mean we should assume Trello is compromised? Trello is based in the US, so I'm not sure how that plays out with the law.

If Australians work on it, then yes.

Possible it will go nowhere. How can Apple for example provide a backdoor for imessage which isn't a systemic weakness?

The intelligence service will request a special version of the software which will store the contents unencrypted, or decrypt the existing contents, or send information to a different server.

Then they will coerce a telecommunications provider to install this application on the targets machine (says nothing about having it installed on everybody's machine accidentally or otherwise).

Then they shall profit.

They could be compelled to send firmware updates only to specific phones with a new version of imessage that doesn't perform end-to-end encryption.

Have the app store send a special version of the app or system update to robryan that, as well as rendering the message on the screen, also sends it to the gov.

The Government simply defines systemic weakness to be something that doesn’t happen when Apple is coerced to introduce an easily exploitable hole in their security for all products.

I wish I was being facetious.

Considering that isn’t even defined in the bill that just passed I have little hope it will save it.

> have little hope it will save it.

have little hope what will save what?

I bet that the entity that sells iPhones here in Oz is different to Apple inc. and has absolutely no leverage to do anything in software.

Just like Yandex in Russia - legally they buy all of the software from a company in the Netherlands, at least that's what I heard.

That's how they get around tax.

Apple Inc will sell the phones at high rates to Apple Australia, so Apple Australia can claim they are making zero profit in Australia, so hence have to pay no tax.

God this is so true. I am so ashamed of our so-called representatives.

Please, Apple, do what you know is right and disable all iPhones in Australia. Google, please do the same with Android.

If you have a website, geoblock Australia from it.

Quarantine us from the world. We are sick and will infect you all.

I really hope Apple does this. Half the politicians seem to use iPads for all their computing needs.

I can’t see Apple allowing the Australian government to dictate how they handle security... it’d destroy all confidence in their brand.

They didn't let the pain-in-the-ass FBI go through their shit so hopefully they tell Australia to pound sand too.

> If you have a website, geoblock Australia from it.

Just did.. won't even respond to icmp. My Tokyo and UK sites.


Actually, if it's possible, you could redirect to a page saying the reason you are blocking, that would be even better.
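For readers who want to act on the "geoblock Australia" suggestion in the comments above, here is an added example of how it is usually done; it is not code from the thread or from any site mentioned in it. Country-level blocking starts from the registry's delegation data: the APNIC "delegated-apnic-latest" file lists every prefix APNIC has handed out, one pipe-delimited record per line (registry|cc|type|start|value|date|status). The records embedded below are constructed samples in that format, not real Australian allocations, and the redirect URL is a placeholder; the function names are this example's own.

```python
"""Country-level geoblocking built from RIR delegation records.

Added example, not code from the thread or from any site it mentions.
The APNIC "delegated-apnic-latest" file lists every prefix APNIC has
handed out, one pipe-delimited record per line:
    registry|cc|type|start|value|date|status
For ipv4 records `value` is a count of addresses (not always a power of
two); for ipv6 records it is a prefix length. The records below are
CONSTRUCTED samples in that format, not real allocations.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample records (same layout as the real file, made-up values).
SAMPLE_DELEGATED = """\
# version header and summary lines are present in the real file too
2|apnic|20181207|1|19830101|20181206|+1000
apnic|*|ipv4|*|3|summary
apnic|AU|ipv4|203.0.113.0|256|20100101|assigned
apnic|AU|ipv4|198.51.100.0|768|20100101|allocated
apnic|NZ|ipv4|192.0.2.0|256|20100101|assigned
apnic|AU|ipv6|2001:db8::|32|20100101|allocated
apnic|AU|asn|64496|1|20100101|assigned
"""


def parse_delegated(lines: Iterable[str], country: str) -> List[Network]:
    """Collapse all address records for `country` (e.g. "AU") into CIDR prefixes."""
    v4: List[ipaddress.IPv4Network] = []
    v6: List[ipaddress.IPv6Network] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # the version header has a number in column 0 and summary lines have
        # cc "*"; both fail the country match and are skipped
        if len(fields) < 7 or fields[1] != country:
            continue
        kind, start, value = fields[2], fields[3], fields[4]
        if kind == "ipv4":
            count = int(value)
            if count < 1:
                continue
            # a count such as 768 is not one CIDR block; summarize_address_range
            # splits it into the minimal set (here a /23 plus a /24)
            first = ipaddress.IPv4Address(start)
            last = first + (count - 1)
            v4.extend(ipaddress.summarize_address_range(first, last))
        elif kind == "ipv6":
            v6.append(ipaddress.IPv6Network(f"{start}/{value}"))
        # "asn" records are not addresses and are ignored
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_in(ip: str, prefixes: List[Network]) -> bool:
    """True if `ip` falls inside any prefix of its own address family."""
    addr = ipaddress.ip_address(ip)
    return any(net.version == addr.version and addr in net for net in prefixes)


def decide(client_ip: str, prefixes: List[Network],
           reason_url: str = "https://example.invalid/why-blocked") -> Tuple[str, Optional[str]]:
    """Return ("allow", None) or ("redirect", reason_url) for one request.

    `client_ip` must be the socket peer address, or a value set by a proxy you
    run; a client-supplied X-Forwarded-For header can be forged and would let
    anyone pick their own country. An unparsable address fails closed.
    """
    try:
        blocked = is_in(client_ip, prefixes)
    except ValueError:
        blocked = True
    return ("redirect", reason_url) if blocked else ("allow", None)


def ipset_restore_lines(prefixes: List[Network],
                        name4: str = "geo_au4", name6: str = "geo_au6") -> List[str]:
    """Emit `ipset restore` input so the same prefixes can be dropped at the firewall."""
    out = [f"create {name4} hash:net family inet",
           f"create {name6} hash:net family inet6"]
    for net in prefixes:
        out.append(f"add {name4 if net.version == 4 else name6} {net}")
    return out


PREFIXES = parse_delegated(SAMPLE_DELEGATED.splitlines(), "AU")

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.102.200", "198.51.103.1", "2001:db8::1", "192.0.2.5"):
        print(ip, decide(ip, PREFIXES))
    print("\n".join(ipset_restore_lines(PREFIXES)))
```

To use it for real, feed the downloaded delegation file to parse_delegated and call decide from your request handler with the peer address. For the firewall-level drop (no ICMP reply) that the comment above describes, pipe ipset_restore_lines output into `ipset restore` and add `iptables -I INPUT -m set --match-set geo_au4 src -j DROP` (and the ip6tables equivalent for geo_au6). Two caveats a practitioner should keep in mind: the country code records where a block was registered, not where its users are, so VPN exits, CDN edges and mobile carriers with addresses registered elsewhere will pass or fail on the wrong side; and the file is republished daily, so rebuild the set on a schedule rather than once.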

Seriously the world should quarantine us.

This isn't going to help. It'd be better to refuse to do business with Australia, but be sure to show them just what they're missing out on.

No, don't geoblock us. Just refuse to do actual business in Australia. Only allow us to download apps from the U.S. where such broken legislation is not in effect.

Don't think it will help since the agencies can force telcos to mitm the store fronts.

Even this draconian bill I don't think has the power to make telcos mitm sites hosted overseas, does it?

But who knows, this bill seems to be the Christmas gift that keeps on giving! Merry Totalitarian Christmas, everyone!!

Setting up a MITM would just be a small request from a low level technical employee. Just make packets from this IP go to this other IP for this one account.

How do the App Store and play store react to bad HTTPS? Do they allow the user to trust?

While you are probably correct, the world needs to urgently stop doing any business with China first.

And since it’s not going to happen, other countries beyond China unfortunately start to get some funny ideas, too...

China is 1.3 billion people; Australia is 25 million. Big difference when it comes to cost and incentive.

Although, we’re a rich 23 million. Of course China’s middle class more than makes up for it, but there’s a reason tech companies like (liked?) Australia.

yep, I'm working on an encrypted product, and will be recommending we don't launch it in Australia. Tiny market, enormous regulatory burden. Not worth it.

I second this. Please be vocal about how Australians are now boycotted. We need the government to freak out

As an Australian dev, I concur. I would rather our tech industry die (and I end up digging holes in a coal mine for a living) than have this country become a global spy hub used by governments to subdue their citizens.

Does this mean that if I take my iphone into an Apple Store in Australia for repair that a Genius could load unknown software (under legal compulsion) without Apple itself knowing?

They have to attempt to keep Apple from learning about it, as I understand it. I wonder what steps Apple will take to bar this kind of eventuality. If an employee makes a good faith attempt to comply with this request, which is then blocked by the overseas manufacturer, can they throw their hands up and say, "Well, I tried!"? Would this allow them to avoid the $50k fine and 10 years in jail the Government can hand out for not complying?

Technically, yes, as I understand the legislation.


This is a civil rights nightmare.

Literally zero percent chance I touch any software made in Australia now.

This immensely stupid law applies to any business that operates in Australia, which includes Google, Apple, Microsoft, Samsung, Facebook, Github, and every other major tech company on the planet.

If they want to continue doing business in Australia (and they very much do) then they'll be forced to comply, which means everybody in the world is negatively affected by this insanity.

Cutting loose ~25 million potential customers might actually be financially rational for some companies. It's not like we here in Australia are really a very big market on the global stage...

Won't surprise me at all to find some businesses (like perhaps Whisper Systems) whose "doing business in Australia" doesn't actually earn them a single cent, yet will open them up to enormous reputational damage if they continue operating in Australia after this, might just choose to take their app/service out of the .au app stores...

(BRB, backing up my iDevices and switching auto-update off...)

Please don't turn off updates. You're going to miss out on exploit fixes, which puts you in a worse position.

If they want to continue doing business in Australia (and they very much do)

Meh. 25 million people, and not a top ten economy. Australia has a powerful reality distortion field that makes it seem more important than it is. Must be the tourist marketing and the fact that it punches above its weight in producing successful entertainers.

It’s more likely that WhatsApp and other encrypted messaging apps will just get pulled from the Australian App Store (if the Australian App Store remains in place, since it’s likely to be chosen as a distribution vector for compromised software).

The population isn't a relevant part of the argument, Mexico has 130 million people and has a smaller economy than Australia. After the top 6 or 7 economies, the next 6 or 7 are all comparable in size.

But more importantly, because of the high GDP per capita and low income inequality, Australians are wealthy with lots of disposable income. And so most international marketplaces see disproportionately high amounts of Australian spending when considering population size.

For instance, where I work, the top 5 spending countries are the US, Canada, Australia, UK, China in that order.

If they don't get pulled, well, that tells you something too.

Fastmail, don't forget.

With a somewhat heavy heart, but I shall be cancelling my service there.

Does anyone know of a similar service hosted in Canada?

I wonder if this would affect other, non-Australian mail providers (ProtonMail for instance).

No it does not, as we fall solely under Swiss jurisdiction since we don't have a presence in Australia.

From the Bill itself "A person is a designated communications provider if...

4 the person provides an electronic service that has one or more end-users in Australia

5 the person provides a service that facilitates, or is ancillary or incidental to,the provision of an electronic service that has one or more end-users in Australia

6 the person develops, supplies or updates software used, for use, or likely to be used, in connection with:(a) a listed carriage service; or(b) an electronic service that has one or more end-users in Australia"

I believe ProtonMail falls into these categories. As an Australian and a user of your services myself, will this mean getting service "officially" cut off in Australia?

Huzzah, another talking point to convince the team to migrate off Bitbucket. Silver lining I guess!

Isn't Atlassian Australian? Or did they move?

They’re Australian but have offices in other countries. I believe they would move for the right reasons. This seems like a pretty big reason, considering they’re targeted at enterprise. But move where? UK will have this next, America does this without any laws at much greater effect and scale.

Iceland? Switzerland?

They'd need the system admins, CI infrastructure and code review team to be in a jurisdiction free of this kind of thing, and then treat all changes subject to laws like these as hostile

The alternative is sell software that everyone knows has backdoors. Pretty hard business case to make

California. I had to agree to some changes to their ToS the other day (for Bitbucket) in which I agreed to dispute resolution under California law. I suppose that's a pretty good indication of their thinking. It's not like this legislation is unexpected or sudden.

Are the U.S. "gag orders" equivalent to this new Australian law?

No, the new law has no judicial review and has a few other things that wouldn't fly in the US. It's markedly worse (though don't get me wrong, the US definitely has it pretty bad in this area too).

I believe Fastmail is too, sadly.

It looks like the cloud services are supplied by a company incorporated in the US [1] ‘Atlassian, Inc’. They probably needed to do this when they listed on the NASDAQ.

There is also an Australian entity `Atlassian Pty Ltd` but it’s not clear to me what role that has.

[1]: https://www.atlassian.com/legal/cloud-terms-of-service

Atlassian is still very much based in Sydney. The CEOs (there's two joint CEOs), vast majority of the engineering teams and more are all just down the road from me. As with most large international tech companies, they have a number of different legal entities for regulatory, tax and other reasons.

So that means things like BitBucket / Trello are now all fair game to the Australian government?

Trello is based in NYC. I don’t know the actual corporate structure, but they could potentially be spun into a controlled company, maybe, to avoid this law somehow.

To be honest, Trello is the least of your worries, with Atlassian. Authorities having unfettered access to all your code, regardless of privacy settings, is more worrying imho. Then again, GitHub is US-based and the PATRIOT Act already gives that power to US authorities, so if you care about that, self-hosting is the only way.

There is still a substantial engineering team in Sydney

For now. I bet there's a lot of passports being dug out and resumes being polished up tonight...

Doesn't this also affect git repositories maintained by Australians? (I say this as an Australian who wants secure software)

All it takes is one malicious npm package

As an Australian software developer who has written encryption software in the past, I'm also very concerned. I'm also doubly concerned that projects will now reject my patches because of my nationality. What an amazing shitshow of a government.

I’m seriously considering moving from Australia to a country that isn’t part of the Five Eyes.

Unfortunately it's going to be way harder than you think because "Five Eyes" expand beyond just "Five Eyes" like "Nine Eyes", "Thirteen Eyes" etc.

Pretty much any "good" country is affiliated with "Five Eyes" in one way or another.

I'm quite happy in Thailand. Good quality of life, internet that's 3-10x faster than Australia, great lifestyle and very competitive tax rates.

Isn't Thailand essentially a military dictatorship?

I'm thinking about moving to NZ. How are they?

They are in Five Eyes, were instrumental in Echelon, illegally raided Dotcom... NZ is a beautiful country, but one of the weakest-willed in international terms. (Also, by all reports, internet connectivity sucks big time).

NZ actually took inspiration from our (Australia's) fibre-based national broadband network back in 2010 or so (before the current Australian Government got in and turned it into an absolute farce - instead of a new fibre network it became an upgrade to the existing old copper network, which is basically a few years off end-of-life, with the change supposed to save billions but that somehow managed to cost just as much money in the end).

As a result you can get gigabit fibre in places on their UFB network for a similar price we pay for 50-100Mbps.

> Also, by all reports, internet connectivity sucks big time

If the poster is coming from Australia, NZ is not so bad.

I think many surveillance measures in NZ are too strict. In 2015, I remember being shocked at the fact that public buses in Wellington have audio recordings on, in addition to video surveillance. I get the feeling that NZ is one of the first testbeds for new surveillance measures.

Also, broadband connectivity is very poor (compared even to India, where I live).

If you're going to move you really should get out of the anglosphere, because the US is dragging down everyone with it and there's just not enough sentiment amongst the populations to move away from the US, even now.

Switzerland probably remains the best country in the world and has strong privacy laws and a culture of neutrality. As a plus you get to be in Europe. Tech salaries are high. The anglosphere nations lack the intellectual capital amongst the population to remain critical of encroachments of privacy in the name of protection from terrorists.

>lack the intellectual capital amongst the population

Well put, lol.

You make a good case for Switzerland.

What about the Nordic countries?

While true, Switzerland now shares banking data with the EU and US when required for their respective nationals. So foreign governments can and do exert pressure on them successfully.

One of 5 eyes (Australia, Canada, New Zealand, the United Kingdom and the United States)!

They are one of the five

No, it doesn't effect git repositories maintained by Australians. They have already been created.

However, it almost certainly does affect them.

Could an expat Australian dev be compelled to put backdoors in software even while overseas, under threat of being prosecuted when he returns?

If so, Australians can't even be employed in foreign software companies.

The law as written applies to any company or person that does business or has customers in Australia. This includes websites. So they don’t need anyone Australian on your team as written. However yes.

Could any developer put backdoors in under promise of a suitcase of cash?

If your review system fails because your Aussie developer "may be compromised", it fails because your $good_country developer may also be compromised.

The difference is the type of person that would do it for cash likely has other personality traits that make them at least somewhat easier to spot. If this could compel upstanding, trustworthy individuals to do the same, that's a bit harder to handle.

No. People work in jurisdictions other than their own with potentially conflicting laws all the time. If it worked the way you seem to be suggesting it does, nobody, never mind Australians, would be able to work outside their home municipality at all.

Extraordinary rendition of SV software devs.

I doubt even _that_ would cause an uproar so long as it's timed to coincide with yet another threat to the aspirationally wealthy Australian way of life...

"Well, we need to lock up E2E encrypted messaging app developers in Nauru and Guantanamo Bay, because otherwise mortgage rates will go up and your house and investment property values will fall!"

This is why Australia was formally handed over to the Illuminati in the Treaty of Westphalia.

Business opportunity for EU devs: provide Australian businesses with PR and code review to ensure their software isn't backdoor'd.

If an Australian developer was served with a Technical Capability Notice to build a backdoor, and then submitted code to be analysed by a third party who found it, the developer would literally be liable to be jailed for 15 years and a $50K fine for individuals or $10 million for companies.

The law requires us to deliver exploits secretly and lie to everybody about it.

Maybe set up your release process so that independent code review _can't_ be bypassed? (Review company handles building and signing the application.)

This is what I meant, yes: the Aussie arm of developers has no build and issue access at all.

More like, biz opportunity to make products competing with Jira, Confluence et al.

Wonder how many banks and other security sensitive orgs use Jira and store all their tech specs in there.

All of them?

And if it is, then what?

Good idea though. Maybe some kind of Certification?

Well, ideally you get in early and catch it in a mandatory PR process: all PRs pass through EU devs, who are the only ones who can merge.

Otherwise yes, security certification process to review existing code and then maintain as above.

As if certifications would prove anything. Just look at what the German TÜV certifies as secure. They are missing even the most basic XSS stuff. I have no hope here.

> "Do I go home and say well I hope nothing happens and I hope that the Government's politics don't backfire on the safety of Australians? I'm not prepared to do it," Mr Shorten said.

And yet, that is precisely what has happened here.

Is there a (non-alarmist/non-defensive/non-partisan) summary available of what the bill actually contains and what its practical effects might be?

I'd recommend actually reading the bill to form your own conclusions. The main problem is that it mostly is a series of amendments, and many of them are quite unrelated.

Most of the discussion is about the Technical Capability Notice section (which allows the government to compel a telecommunication provider, under threat of 5 years imprisonment, to create the ability to access communications otherwise inaccessible) but very few people are talking about the Computer Access Warrant sections...

And it's possible for employees to be forced to do this, and you cannot reveal information about these technical notices to your employer -- in fact you are given immunity from civil prosecution precisely for this reason. So you now have to sabotage your employer because of an order by the Australian government. Good luck keeping your job.

The best discussion I've found in terms of the legislation is at [1].

The most insidious part to me as a programmer, is the definition of a "Designated Communications Provider" which (amongst others) includes (S317C, item 6):

"the person develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end-users in Australia"

and the "eligible activities" are:

"(a) the development by the person of any such software; or (b) the supply by the person of any such software; or (c) the updating by the person of any such software"

[1] https://parlinfo.aph.gov.au/parlInfo/download/legislation/bi...

So Australian software developers have become pretty much toxic now?

I haven't read the whole thing, but my favorite part so far is 317E (1)(c), which says that the "listed acts" (the things the government can require you to do) include "installing, maintaining, testing or using software or equipment".

In other words, they can just hand you a flash drive containing malware and force you to install it. You're not allowed to say no, and you're not allowed to tell anybody.

I very well may end up reading the whole thing, but that's partly why I'd actually like an expert summary, because my understanding is that these are amendments to existing legislation, and as a non-expert, the ability for me to be able to understand all the other legislation and implications that it works with is probably pretty close to zero...


The (autoplay! grr) video summary at the bottom is pretty good.

State police forces are getting these powers. So state police, federal police and ASIO can compel devs to break their security for the investigation of any crime that attracts a penalty of 3 years jail or more.

This is not an interim arrangement either.

God this whole thing is so idiotic and scary.

I do not have one. I'd also love one apart from the aph one below. (It's good btw)

What I believe is that this bill is heavily influenced by the emerging UK law, by experiences of failing to decrypt devices, a pervasive sense of panic and an election year.

Australian police and security have form here, asking big when they know the outgoing government is their last chance that gets big wins. Australia card (digital ID) died in Labor (party) days. Censorship died in Conroy's day (Labor).

Anti corruption body changes which would actually help material cases in official corruption are being opposed and we're fed "think of the children" KP arguments which are "when did you stop beating your wife" dog whistle politics.

Is there a real problem with decrypts on bad people electronic comms? Sure. Will this law stop that? Nope.

Censorship didn't die with Conroy. Australian ISPs/DNS servers are required to block The Pirate Bay, for example. Just because it's trivial to work around doesn't mean it isn't censorship.

True. Alston had a lot of this story too. Brian Harradine and redneck wowserism. But what we got was less than the moral crusade and the police wanted going in.

It's over. I may as well not be a programmer anymore.

The government has effectively made it possible that anyone and everyone who develops software or hardware used by anyone in the country, or where they feel national security comes into play, must compromise their software, and tell no one.

They can ask any intern to break the software, and not tell their employer.

It's bad enough to have a gaping hole in your security, but now they can ask people who have no idea what they're doing to create a backdoor.

All Australian software has now been rendered completely untrustworthy, and when those compromises in security are found, by the nation states who now know that Australian software will have holes in it, it will result in the very thing that this bill claims to prevent.

Our infrastructure has been opened up for attack, by any of our neighbours who have a reason to do so, whilst simultaneously gutting the economy of IT in Australia. Who wants to buy shitty backdoored Chinese software? It's the same now for Australia.

Australia's government has now opened the door for widescale cyberterrorism to have a chance at wreaking destruction.

Remember that the Australian Government (whatever party happens to be in power at the time, it doesn't matter which) doesn't want technology or innovation in this country. They only want the value of dirt to remain high. So that buildings remain valuable and that we can export more natural resources.

Isn't this pretty much the same as the US and their National Security Letters? They can compel engineers/companies to do pretty much anything, and the veil of secrecy is the same.

National Security Letters can't compel engineers/companies to do pretty much anything. National Security Letters can only request non-content information. A NSL also can't compel the gathering of additional non-content information beyond that already being gathered.

So a NSL could request the records for who you are sending encrypted messages to but not the content of the messages and if your messaging provider can't or doesn't already gather that information they can't be compelled to start gathering such information.

If a NSL requests information which the recipient believes violates the guidelines on information which can be requested, they can disclose the NSL to legal counsel and challenge the NSL in court.

As far as I'm aware, an NSL can't compel you to create a new architecture. This can.

I live in Australia and this is the dumbest bill I have ever seen in parliament. Australian politicians have no clue what the fuck they have just done. Rushed through in less than four days so they can go on holidays. Bigots.

To quote our last PM (well, this week anyway):

"The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

Oh well. Please petition your local representative to outlaw irrational numbers. We don't want these hysterical numbers breaking rational Australian laws.

War is Peace; Freedom is Slavery; Ignorance is Strength.

Oh god. I left Oz in 2008 when Turnbull was a small-l-liberal, pro-business, pro-tech guy. From what I hear from home he became another deliberately ignorant Aussie conservative.

Ha, you forget how often we change our PMs :p

When I left it was just Kevin 07, before all that started.

As far as stupid laws go, Australia defines "child pornography" to include drawings and stories of fictional characters, to the point where a man was convicted of possessing "child pornography" in the form of nude characters from The Simpsons, and a man in prison was convicted of producing "child pornography" for writing a story involving the rape of a young girl. England and Wales, Canada, NZ and France have similar laws on such imaginative artwork.

> Rushed through in less than four days so they can go on holidays.

It was planned this way by the intelligence agencies and its supporters. It always is.

I'm pretty sure it's still illegal to show a naked mannequin in Tasmania. There are plenty of stupid laws on the books. This is one. For sure! But read the Guardian blog from today. The opposition is avoiding having to fight against "Mr. Stop the boats".

And as for rushed through. Lots of stupid shit took a ton of time. Like the marriage survey that could have been done in 15 minutes.

It's a stupid law passed by stupid politicians. The only thing to do now is to demand that ALP politicians reverse it in the next sitting of Parliament.

ALP voted for it unanimously. I don't hold out much hope that they'll reverse course -- we should push for third parties in the next election.

They voted for it to cover Bill's ass on the last day of parliament and 2 weeks of Dutton and ScoMo getting dumb people scared about Xmas.

The amendments to this stupid act do gut a lot of the stupidities (not completely), so the pressure now is to make this (and the Nauru re-settlement) the only thing that the ALP allows on the first days of parliament next year.

Write to your MPs, the shadow ministers and the cross bench.

Writing to the LNP politicians is a pointless exercise.

Cop a beating over Christmas, who cares? No one is going to remember by election time anyway. The opposition had an easy win today, and they threw it back to the gov.

Can somebody write up a tutorial/guide on how to block all network communications (incoming or outgoing) with Australian IPs, on all or select ports, under common OSes (Windows, Linux, Mac, BSD)?

Can't write the guide for you, but the raw material can be found here (and other places): http://www.ipdeny.com/ipblocks/data/aggregated/au-aggregated... That's a list of the (current) IPv4 Australian blocks. Each value (e.g. can be used directly as a parameter for iptables on Linux, e.g. /sbin/iptables -A INPUT -s -j DROP (to really block any communication - or use REJECT instead) A script to walk through the file works fine.
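The "script to walk through the file" mentioned above, written out as an added example (not code from the thread or from ipdeny.com). It assumes a text file with one IPv4 CIDR block per line, as the aggregated per-country lists are, and a chain name (AUBLOCK) that I chose; the input below is a constructed sample, not the real list. Instead of calling iptables once per line it emits an iptables-restore fragment, validates each line first, and sends anything malformed to stderr rather than silently turning it into a broken rule.

```bash
#!/bin/sh
# Added example: turn a one-CIDR-per-line list into iptables-restore rules
# that drop traffic to and from every listed block. Assumes IPv4 only.

# Syntactic check for an IPv4 CIDR such as 1.0.4.0/22:
# four octets 0-255, a single slash, prefix length 0-32.
is_cidr() {
  case "$1" in
    *[!0-9./]*|""|*/*/*) return 1 ;;   # stray characters, empty, or two slashes
  esac
  ip="${1%/*}"; len="${1#*/}"
  [ "$ip" != "$1" ] || return 1        # no slash at all
  [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
  set -- $(printf '%s' "$ip" | tr '.' ' ')   # split octets (word splitting intended)
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Emit a filter-table fragment: a dedicated chain holding one DROP rule for the
# block as source and one as destination, jumped to from INPUT and OUTPUT.
# $1 = path to CIDR list, $2 = chain name (default GEOBLOCK).
gen_rules() {
  chain="${2:-GEOBLOCK}"
  echo "*filter"
  echo ":$chain - [0:0]"
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                              # strip comments
    line=$(printf '%s' "$line" | tr -d ' \t\r')      # strip whitespace / CRLF
    [ -n "$line" ] || continue
    if is_cidr "$line"; then
      echo "-A $chain -s $line -j DROP"
      echo "-A $chain -d $line -j DROP"
    else
      echo "skipped malformed line: $line" >&2
    fi
  done < "$1"
  echo "-A INPUT -j $chain"
  echo "-A OUTPUT -j $chain"
  echo "COMMIT"
}

# Number of DROP rules a list would produce (two per valid block).
count_rules() {
  gen_rules "$1" 2>/dev/null | grep -c -- '-j DROP'
}

# Constructed sample list (NOT the real au-aggregated data): three valid
# blocks, one junk line and one line with an out-of-range octet.
write_sample() {
  cat > "$1" <<'EOF'
# constructed sample
1.0.0.0/24
1.0.4.0/22
not-a-cidr
1.0.8.0/21
300.1.1.0/24
EOF
}

SAMPLE=$(mktemp)
write_sample "$SAMPLE"
gen_rules "$SAMPLE" AUBLOCK
```

To apply against a downloaded list run, as root, `gen_rules au-aggregated.zone AUBLOCK | iptables-restore --noflush` (the `--noflush` keeps your existing rules). For a list of several thousand entries an ipset hash:net set consulted by a single rule is the more efficient form; the per-rule chain above is the direct equivalent of the one-liner in the comment and is easier to read when auditing what was loaded.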

Great starting point!

As an Australian citizen who has spent many years in the US, I can say that this law is in line with the main ideology of the Australian government: extreme parentalism. You run a red light: fine for $450 in the mail. No court date, no arguments. You exceed the speed limit by 5km/h: $200 fine in the mail. No arguments. It is brutal but it's hard to deny that it works. Australia has some of the lowest per capita road deaths in the OECD. The problem is that the government wants to regulate the internet the same way they regulate road traffic. You can read up all the idiotic attempts here: https://en.wikipedia.org/wiki/Internet_censorship_in_Austral... I wonder if this means Australia will have the ability to ban apps like Telegram from the app store?

> but it's hard to deny that it works. Australia has some of the lowest per capita road deaths in the OECD

Actually, we're in the middle according to the data, there's a few countries with better rates: https://bitre.gov.au/publications/ongoing/international_road...

In regards to being fined for 5 km/h over the limit, there's no evidence that small increases in speed over the limit contribute to accidents. It's excessive speed that kills, like going 100 in a 60 zone. The other big killer is distraction and driver fatigue.

As for red lights, I'm fine with the strict rules there. I've almost been hit walking across the road by red light runners.

They are trying to secretly force tech companies into unpaid labour to destroy the security of their own products in their ham-fisted stupid attempts however.

This is much worse than the authoritarian way they handle traffic fines.

There is no legal representation, no judicial oversight and no actual definitions of essential terms in the bill.

Make no mistake, this is a dictatorship.

Oops. Actually, it's a totalitarian regime.

To be fair, I got a fine in the mail years ago for stopping in a no stopping zone. (Couldn't find a carpark and had a screaming baby in the back) The notice says you can contest in court, which I did and got off. That was back as a student, it wouldn't be worth my time to take a whole day off anymore. :(

Yeh you can elect to contest any fine in court. I've done it twice here in Aust, and had the fine thrown out both times, including a big $750 driving unregistered fine.

It takes about 4 hours or more out of your day to attend court which is obviously not possible for everyone.

Okay - a quick question: how does bitbucket deal with this, since Atlassian is an Australian company? Am I making an error here?

1 billion lost from the company already. I am hoping for them to depart Australia for good on this.

> 1 billion

Is that metaphorical or actual number? If latter, I am interested in the source.

Their stock is down 4.3% today and their market cap is around $20B

That may be unrelated - most stock markets went down about that much today (and I'm glaring at my own stocks at the moment - none in Atlassian, they're down an average of 4.23% as of now).

Bill Shorten is an idiot for letting this get through.

He was a push over on metadata retention, why would it have been different this time? What a joke!

I agree 100%, but we can assign just as much blame to Morrison for presenting the bill as well.

This is a big deal for people of all countries as the major tech firms will quickly build-in the required backdoors to stay in compliance -- and they won't just be there for Australian citizens; they'll be there for all of us.

Will they? Is Australia a big enough market to give up global credibility as a company?

We can only hope not.


Since I'm using Fastmail ... can anybody recommend a good alternative? I don't mind paying for a good and secure e-mail provider.

Protonmail looks nice, but it does not seem to offer IMAP (because mails are end2end encrypted).

From what I remember fastmail has always cooperated with law enforcement. It is not zero-knowledge so they always had access to the user data already.

Their promise has been to not use it for advertising purposes or share it with third parties. I don't see much changing here, but I would like to know if it is.

Yep, we already blogged about this. It's shit legislation, but it is unlikely to affect our customers at all. Public perception on the other hand, it's going to hurt that plenty.

Like basically all of Australian tech right now, we're super disappointed in our politicians and their games. I spoke to a couple of senators' offices today, and they were sure it would die in amendment hell. Genius.

Email is already insecure. Even if you use GPG, that's client side, and should be as safe/unsafe as it was before this law (unsafe b/c metadata or unknown vuln). So in terms of threat model, it hasn't changed much.

I'm not defending the Oz gov or companies here, but knee-jerk reactions just open you up to more mistakes. For me, the situation is still preferable to Google having my data/metadata.

The Australian state now behaves exactly like an enemy of the people would. In the same way I would not use an e-mail provider in Iran, North Korea, the US or other fascist regimes, I will now also not use an Australian e-mail provider.

ProtonMail is indeed great and offers a bridge for use with IMAP-compatible programs. Check out https://protonmail.com/bridge/. I believe they are working on a more integrated solution, but no news of when it'll be out have been announced.

ProtonMail costs 8€ per month, almost twice as much as Fastmail. I'm not sure yet if I'm willing to pay that much. I guess I'll check out the other mail services listed on privacytools.io

> I'm not sure yet if I'm willing to pay that much.

So what do you value your privacy at?

Considering most of my private E-mails are amazon order confirmations and other automated crap ... I really have to think about it.

It sends all letters to spam. It can only receive mail, but not send.

Paid Protonmail has a bridge to IMAP/SMTP. [0]

[0] https://protonmail.com/bridge/

Yeah but not for mobile, which I assume means you have to use their own client? Ridiculous how much computing has regressed.

GNU/Linux support when?

There is a "beta" version available for Linux. This version seems to work perfectly fine on my Fedora machine so far.

Posteo (https://posteo.de).

Made the switch earlier this year. Webmail UI might seem clunky to some, but I use IMAP so non-issue for me. Easy to set up encryption and apparently they're powered sustainably too.

One deal breaker I know of is you can't map to your own custom domains. There's something in their FAQ which explains their rationale behind this.

I'm very happy with Runbox.com. No idea if they're on the level or not, but I figure, everything's already compromised.

What kicked this off the front page?

Note that the most-upvoted post in the past month, critical of Google, was at the time mysteriously kicked off the front page as well.

I believe HN has a flame war detector that trips when the number of comments is greater than the number of votes, and pulls the submission off the front page. (I haven't looked, but this is probably what happened to the Google post as well.)

Since it's back on the front page now, I'd guess that the HN mods decided that this was important and un-tripped the detector.

Yeah, that was strange. But suddenly it went back from page 2 to the front page again, around pos. 15

Yep, very mysterious. I don't know if it is deliberate, but what's the front page policy?

Can anyone comment on how this affects those of us in other five eyes countries? Are we now subject to any provisions of this law by proxy?

Obviously this law and ones like it have no place in a modern, free society, but in regards to the risk with using business apps, it's just the same as before. You cannot trust apps from companies incorporated in the Five Eyes [1]. If you are using a product made in any of the Five Eyes you are already compromised. By compromised, I mean you can be almost 100% sure that if the owners of those countries want your data they will get it, and they will get it easily too. They do not need warrants, courts or judges to sign off on anything and haven't done for a long time. To clarify my position on this: whether a law like this is actually passed or not, you should assume that every company incorporated in these countries has been forced to place backdoors in their systems. I'm not saying that every company has done this. I'm saying you should assume they have.

1. https://en.wikipedia.org/wiki/Five_Eyes

Australia -- the 1st world leader of the modern Progressive policies.

2018 -- citizens lose communication privacy protection [0]

2017 -- whistleblowers and dissidents are committed to mental institutions [1]

2016 -- citizens lose financial transaction privacy (the cashless society with finalized transition by 2020) [2]

1996 -- government confiscated all firearms from the hands of private, law abiding citizens

Sweden, and Canada are next.

Basically -- step-by-step methodology to run country-sized Mafia operation is being implemented.

[0] this article

[1] http://www.blotreport.com/australian-politics/are-the-though...

[2] https://bitsonline.com/australia-cashless-2020-payments-netw...

> government confiscated all firearms

It's relatively easy to get access to firearms in Australia, including semi-automatic pistols. [0]

The gun control laws mainly affected semi-automatic rifles and shotguns.

[0] https://www.huffingtonpost.com.au/2017/10/04/australias-gun-...

Thanks for the correction. You are right.

I should have said the confiscation (mandatory buyback) started with all semi-automatics and pump-action in 1996.

WRT pistols, the pistols that are allowed have less lethal power than bow and arrow (if the below excerpt is correct).

"they can then attend at a licenced firearm dealer and select a handgun which is suitable for the competition in which they intend to take part. This firearm may be a single-shot air pistol, a single-shot .22-calibre pistol or a .22-calibre revolver or self-loading pistol. …"

Not sure if this was also the case before '96 and self-defense was already banned then.

The bolt actions that are allowed, cannot have pistol grip and must not look 'military'.

Australian gun control is completely unrelated to this debate. You can still get a gun license fairly easily, and it solved an actual problem (there hasn't been a mass shooting since).

I would argue that the passing of the antiterrorism acts in 2005 was a far more severe issue than the 2016 bill -- they basically removed habeas corpus. Shit's been going on for much longer than you think.

How can someone know whether their software is compromised by this?

Officially, they can’t, but you can be absolutely certain that iMessage, WhatsApp, Signal and Telegram are going to be immediately targeted with TCNs (technical capability notice), requiring them to bundle Australian government spyware and requiring that those apps send all conversations to the spyware.

This isn't quite true. The bill allows companies to provide statistics on how many TARs, TANs, and TCNs they've been served within a 6-month window. The obvious problem is that nothing stops them from lying or just omitting that information -- because why would you admit that your software is insecure?

Employees of a company may also be served, and required not to tell their employer. So a company may not know if they are compromised.

I seriously wonder how that would work in practice?

"Hey Joey, will you work on the fizzibizzi feature that does xyz?"

I can't, I have other stuff to do?

"What kind of stuff? This feature is the top priority for the whole team?"


Also, you can't ask anyone else on the team for help implementing it.

These backdoors are going to be the worst code possible. What kind of crap quality code do you think a single dev under threat of jail time and the pressure of not being able to communicate with his co-workers or legal representation is going to pump out?

Can they quit? Or are they effectively being forced to perform labor for the government? This seems like an insanely impossible to enforce proposition.

That's something we'll have to wait and see on, see how the legal world interprets it. However, if it is interpreted that you quitting is not complying, it's fines and perhaps jail time.

I doubt you could introduce backdoors in big software (Messenger, iMessage, WhatsApp) using only one/a few employees - unless everyone who does code reviews happens to live in Australia.

Right, but then the employee can publish statistics about how many TCNs they've received.

They can't provide specifics only ranges. In Division 6, section 317ZF, Unauthorized Disclosure of Information, section 3) subsection 13) a person forced to do one of these TAN/TCN/TCR things can release a count of how many of these TAN/TCN/TCR things. BUT Note: This subsection authorises the disclosure of aggregate statistical information. That information cannot be broken down (a) by agency; or (b) in any other way.

So Division 6, section 317ZF (3) (13) is the ONLY way someone can tell the world what is happening.

Those weren't passed, it went in unamended

I don't think they were amendments -- they are included in the first reading of the bill (Sect 317ZF.13).

I downvoted you because the bill explicitly says it excludes systemic changes that compromise security. Apps will not have systemic spyware, only specific users can be targeted.

Open source apps like Signal would be extremely hard to compromise since no one is going to allow a backdoor commit.

Does this mean that they can only mandate the backdooring of a user's communication if they know who the user is? Doesn't that seem irrelevant to the concerns they've raised in the past of having apprehended a suspect but been unable to decrypt their previous communications?

Warrant canaries.

Not legal in Australia unfortunately (it's a bit more nuanced, but many types of secret warrants are already immune to warrant canaries -- so I'm sure a judge would see that these types of secret warrants probably have the same protections). However they do allow statistical information on how many requests they received in a 6-month window.

Reminds me of that book
