
>tech firms and businesses may be penalized up to $7.2 million USD if they don’t respond to the government's requests [1]

>The legislation ... creates a new framework for law enforcement agencies to request or compel technical assistance from tech companies, even to create new capabilities such as backdoors to get around the encryption in some of their products. [2]

They request a backdoor in the encryption, and if the cooperator does not cooperate, they fine the company / Australian citizen, and if they enter the country again, they can go to jail.

[1] https://fee.org/articles/australia-s-unprecedented-encryptio...

[2] https://www.theguardian.com/australia-news/2020/jul/09/austr...

Since googling a bit more, this is the best overview of the legislation: https://carnegieendowment.org/2021/03/31/encryption-debate-i...




"For example, Australia’s law enforcement could compel Apple to provide access to a customer’s iPhone and all communications made on it without the user’s awareness or consent. An engineer involved would, in theory, be unable to tell their boss about this, or risk a jail sentence."

Source: Sydney Morning Herald https://www.smh.com.au/business/consumer-affairs/dangerous-o...

That would be a 5-year jail sentence apparently:

"The Australian government could demand web developers to deliver spyware and software developers to push malicious updates, all under the cloak of “national security.” The penalty for speaking about these government orders—which are called technical assistance requests (TAR), technical assistance notices (TAN), and technical capability notices (TCN)—is five years in prison."

Source: EFF https://www.eff.org/deeplinks/2018/09/australian-government-...


> Everywhere, the email service will have to give your emails to the police when they come knocking

The Australian law is broader and contains fewer checks than anything comparable in the developed world. It lets law enforcement compel, with no oversight and in secret, any Australian "to re-engineer software and hardware under their control, so that it can be used to spy on their users" [1]. (Australia has no bill of rights [2].)

The American analog is an intelligence agency getting a national security letter [3] stamped by a FISA court [4]. The order can compel disclosure of information on hand, but cannot compel a product to be re-engineered [5].

[1] https://www.eff.org/deeplinks/2018/12/new-fight-online-priva...

[2] https://www.nytimes.com/2018/09/04/opinion/australia-encrypt...

[3] https://en.wikipedia.org/wiki/National_security_letter

[4] https://en.wikipedia.org/wiki/United_States_Foreign_Intellig...

[5] https://en.wikipedia.org/wiki/FBI–Apple_encryption_dispute


I am not Australian and have not seen any updates since it was passed, but "forcing companies to build backdoors" is a massive understatement. The government could effectively compel any employee to act as a spy, without their consent. Don't want to play along? Go directly to jail.

> The new law also allows officials to approach specific individuals—such as key employees within a company—with these demands, rather than the institution itself. In practice, they can force the engineer or IT administrator in charge of vetting and pushing out a product's updates to undermine its security. In some situations, the government could even compel the individual or a small group of people to carry this out in secret. Under the Australian law, companies that fail or refuse to comply with these orders will face fines up to about $7.3 million. Individuals who resist could face prison time.

https://www.wired.com/story/australia-encryption-law-global-...


https://fee.org/articles/australia-s-unprecedented-encryptio...

> The Australian government has passed a new piece of legislation that, at its core, permits government enforcement agencies to force businesses to hand over user info and data even though it’s protected by cryptography.


> The problem seems to be the provision that a tech worker can be coerced by the Australian Government into creating a backdoor, and they are not authorised to disclose it to their employer.

> Is this true? There is no way I am hiring an Australian citizen then.

No. The request or notice is served to the company, not the individual, so the company is not left in the dark.

There has been a lot of poor reporting about this law; roughly speaking, there are 3 types of requests for data allowed:

1. Technical Assistance Request - "give me this data please". Optional, no penalty to anyone for not complying.

2. Technical Assistance Notice - "give me this data if you can, or else...". Mandatory, penalty to the company if they can comply but do not comply, but if the company would have to build a new thing to comply (e.g. they do not have the decryption key and there's no backdoor), then there's no penalty and they do not have to comply.

3. Technical Capability Notice - "give me this data or build a way to give me this data, or else..". Mandatory, and a penalty to the company if they do not comply. If they can't do the thing yet, they need to build a backdoor, unless doing so would introduce a "systemic weakness".

In all cases, it's the company being targeted. Individuals in the company only become liable for penalties if they leak information to people not involved in the investigation.

Yes, it's still a bad law that was rushed through with too little discussion. Yes, there is too much room for interpretation and too little oversight. (And yes, Australian tech companies like Atlassian are lobbying heavily to improve the situation[0][1][2].)

But we're not at the point where it's reasonable to blacklist Australian tech workers yet, thankfully.

Source: I am an engineering manager at Atlassian, a major Australian tech company; there has been a lot of internal discussion and guidance from our founders and legal team about this.

Disclaimer: I am not a lawyer, this is not legal advice, etc. Also, I am an Australian citizen.

[0]: https://www.theaustralian.com.au/business/technology/scott-f...

[1]: https://www.afr.com/technology/web/security/atlassian-leads-...

[2]: https://ia.acs.org.au/article/2019/tech-industry--fix-the-as...


This seems quite similar to the Australian Assistance and Access Bill [0], which also compels companies to implement new solutions that enable decryption services. This bill also makes it illegal for a compelled person to communicate this order, even to their own company.

Seems like the old trope of Australia being the squishy testbed for shitty US laws is true after all.

[0] - https://www.homeaffairs.gov.au/help-and-support/how-to-engag...


> I don't think you can be required to backdoor code in secret or held to account by the security agencies not to inform your employer.

This law gave the government the power to do just that. Implementing a backdoor in secret is close to impossible, as any developer would know. There was a post[1] made by "Alfie John" (alfiedotwtf) that outlines a scenario in which a developer is presented with a Technical Capability Notice (TCN).

> I do not expect you can have an extra-territorial obligation placed on your work conducted outside Australia. If you are working inside Australia remotely I think it's complex.

Australian citizens, regardless of their location are obliged to comply with these requests.

If you are presented with a TAR, TAN or TCN, you have the option to seek legal counsel in private or risk fines of up to AUD$7.3 million.

You risk imprisonment if you reveal details about the notice to anyone other than those who are included in the notice or to seek legal counsel (this is an exception within the law).

[1] https://twitter.com/alfiedotwtf/status/1070047303275175936


> They need to backdoor every session to comply with Australian rules, and every Australian is forced legally to comply, even if in an international company.

No, they need a warrant.

https://news.ycombinator.com/item?id=28410178


This is exactly why the new encryption laws are so detrimental to the Aussie tech industry.

> allows the government to force companies or even individuals to add backdoors to their products

I think the tech media and community overstates the impact of this law. The law [0] makes it clear that the backdoor cannot introduce any systemic weakness or vulnerability, which explicitly includes "a new decryption capability in relation to a form of electronic protection".

What it allows is stuff that targets a specific person _and_ is incapable of affecting anybody else. The second part overrides the first part, so if it's not possible to target a specific person without weakening protection for everybody else, you're not required to do anything.

For example asking you to put code into your app that creates a copy of private keys and sends them to ASIO if the user's ID matches a hard-coded value would be legally okay per my reading of the law.

However adding ASIO's key to every single message would not be okay.

I'm not saying I'm in favour of the law (I'm not) but its actual effect isn't at all what people assume (I hear a lot of comments about "Australia banned encryption" and other such nonsense).

[0]: http://www5.austlii.edu.au/au/legis/cth/consol_act/ta1997214...


> I am not familiar with Australia privacy law, could you give me a rough idea what is look like?

I assume it's the Australian Assistance and Access Bill that's being referred to here. It has nothing to do with privacy. Its prime job (which isn't hidden - it's spelt out in the explanatory notes) is to circumvent encryption by accessing the data at the end points, where it isn't encrypted. It must be unencrypted at the end points because humans can't read or listen to encrypted data. https://searchsecurity.techtarget.com/definition/Australian-...

The bill gives several government agencies the legal right to coerce any software company to "assist" them by writing a bug that is invisible to the OS. The "access" part gives them the right to coerce a software company to distribute software to any device they target (there is legal oversight on who they can target).

To fill this out with a concrete example, they could compel Google to provide a version of the Android Google Keyboard that records all key strokes and the name of the application it is sending them to. They can then force Google to install that keyboard via their auto update mechanism. Notice that using an open source program like Signal that securely and correctly encrypts everything, and comes from a trusted source, is not a useful defence against this.

Both of these powers are accompanied by an automatic gag mechanism, meaning if Google revealed they were asked to do either of these things someone would go to jail. The provisions in the act for reporting when and where these powers are used, so the voters could have some say, are, to put it mildly, weak.

Although Australia is very clearly a country that operates around "the rule of law", in the end the only difference that has made is we know they are doing it, whereas China could deny they are doing it. In reality, I don't think China tries to deny the Great Firewall of China, or the invasive probes they force citizens to install to support their social credits system.

So yeah in my view OP is quite correct. If there are differences they revolve around how widely these things are deployed, not over whether they exist. I presume my home country, Australia, deploys them a lot less, but they go to a great deal of trouble to ensure there is no way to be sure.


> Under the laws, authorities could hack, secretly takeover, and add, copy, and delete material on computers and digital accounts anywhere in the world without the account-holder’s knowledge or consent.

Notice the "and add". Because law enforcement agencies would never frame someone innocent, right?

---

> Two years ago, the government, with the support of Labor, rushed through the ‘anti-encryption’ Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, which forces telco and tech companies to hand over data to law enforcement authorities upon request.

> The laws were justified as necessary to prevent terrorism, but were subsequently used to raid the ABC and the home of News Corp journalist Annika Smethurst following reporting on alleged Australian war crimes in Afghanistan.


> Australian government passed a bill that requires a backdoor to all software products

That's not quite accurate. There is now a legal mechanism that allows certain government agencies to force you to add a backdoor to your product. But until you are given a notice you don't need to do anything, and you can provide aggregated statistics to your users of how many requests you've been given. There are also some weasel-word caveats (the backdoor cannot be a "systemic vulnerability" but there has been much disagreement about whether this limitation actually means anything -- in my view it's basically meaningless within the context of a single company's product).

There is currently a review process open for the TOLA Act that closes in April[1], so any fellow Australians on HN should submit their comments -- there are only 65 submissions so far (and only 27 are by individuals).

[1]: https://www.aph.gov.au/Parliamentary_Business/Committees/Joi...


There's this recent news: https://fee.org/articles/australia-s-unprecedented-encryptio...

The existing law is already quite extensive: https://www.eff.org/deeplinks/2018/09/australian-government-...

Theoretically, any Australian could be compelled by the government to sneak backdoors into their boss's software, though I haven't seen any indication that such extreme measures were taken.

Australia is quite extreme in their anti-encryption laws. Their government's stance has made me distrust Australian software dealing in security, and even Australian developers working on encryption technology. Not because I don't trust Australians per se, but because their government can force good people to do bad things.

Were this law to strike in the Netherlands, I'd expect other countries to shun Dutch security software immediately as well.


Which is why this bill is a complete disaster for the Australian tech industry. Every single software company in Australia just became black-marked and could be "potentially compromised" by the government and whoever has figured out the government's likely ham-fisted and boutique backdoor solutions.

Even someone's little SaaS can be asked to turn up dirt on someone. I literally couldn't comply. I don't write encryption algorithms for a living I just build websites. I can't not encrypt people's data and according to european laws I can't store most of it anyway. Here, gov, have a username, email address, and this blob of encrypted text. Enjoy the insight.

It's getting so hostile to do business in software. At least construction and engineering liabilities are clear cut. I don't even know what my risk factors are anymore, and they change every month.

It took longer than expected, but the governments have finally decided it's time to ruin the internet. I am going to go be a carpenter or something.

What a shitshow.


Assistance and Access Bill:

https://www.zdnet.com/article/whats-actually-in-australias-e...

Telecommunications (Interception and Access) Amendment (Data Retention) Bill:

https://www.bbc.com/news/world-australia-32061421

Peter Dutton's proposed "give me your password" law:

https://www.sydneycriminallawyers.com.au/blog/peter-dutton-p...

> Under the proposals, people who are not even suspected of a crime would face a fine of up to $50,000 and up to five years’ imprisonment for declining to provide a password to their smartphone, computer or other electronic devices.

> Furthermore, anyone (an IT professional, for example) who refuses to help the authorities crack a computer system when ordered will face up to five years in prison. If the crime being investigated is terrorism-related then the penalty for non-compliance increases to 10 years in prison and/or a $126,000 fine.

> Tech companies who refuse to assist authorities to crack encryption when asked to do so, will face up to $10 million in fines. What’s more, if any employee of the company tells anyone else they have been told to do this, they will face up to five years in gaol.



If the article is accurate, this may be stupider than the Australian anti-encryption legislation.

https://proton.me/blog/australia-anti-encryption-law


> Australia passed laws in 2018 which enable law enforcement to compel tech companies into inserting backdoors into their software

No, it didn't. The bill had language specifically intended to address these concerns. Read the bill [0]. The relevant part is under Part 15 > Division 7 > 317ZG, which you can also see at [1].

This section explicitly forbids the government from requesting that a provider "build a systemic weakness, or a systemic vulnerability, into a form of electronic protection". It also forbids the government from asking a provider to preserve such a weakness.

It also explicitly indicates that this definition includes:

- "a reference to implement or build a new decryption capability in relation to a form of electronic protection"

- "a reference to one or more actions that would render systemic methods of authentication or encryption less effective"

So no, the government did not pass a bill that allows them to request encryption backdoors.

These weren't even amendments made later, this language was present from the very first version of the bill [2].

The reporting around this was simply atrocious and made me lose a lot of respect for news sources I'd otherwise have thought were respectable. Just read Wired's article:

> "Systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person," the Australian law says. In other words, intentionally weakening every messaging platform out there with the same backdoor wouldn't fly, but developing tailored access to individual messaging programs, like WhatsApp or iMessage, is allowed.

They cherry-pick a quote from part of the legislation but just so happen to ignore the rest of section 317ZG, which invalidates their claims.

Other publications were even worse, they couldn't even point to which parts of the law were objectionable.

If you would like to disagree with my assertions, please provide evidence-based claims, as I have.

[0]: https://www.legislation.gov.au/Details/C2018C00495

[1]: http://www5.austlii.edu.au/au/legis/cth/consol_act/ta1997214...

[2]: https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat...
