Australia’s vague anti-encryption law sets a dangerous new precedent

467 points | djsumdog | 7 years ago | protonmail.com | reply

256 comments

[+] Taniwha|7 years ago|reply
(essentially repeating a recent twitter thread here)

Imagine you work in a modern software house and you get one of these ... and here I mean you, not your boss, not your coworkers, the govt knocks on your door and demands you put a back door in the thing you are working on at work ...

So you write the code ... how do you write the unit test? how do you get it past the code review? the mandatory QA tests? ... all these things are designed into our modern software design processes essentially designed to stop bad stuff like this happening ... what happens when you get caught? you lose your job, get blacklisted in the industry, after all you can't tell them the govt made you do it (on your CV/resume trying to explain why you were fired)

Equally say you run a big open source software project and you have valued contributors from Australia, people you trust and depend on ... what do you do? refuse them commit right? explicitly audit their every checkin? ask them to move on?

Suppose you buy closed source code from Australia .... you can't trust it in any way, even if you trust the company any one of their employees may have been asked to suborn the code you've paid good money for ... any smart purchaser is simply going to put Aussie software on the "do not purchase" list .....

So how do I find out which software on Android Play is written in Oz?

[+] grecy|7 years ago|reply
> modern software design processes essentially designed to stop bad stuff like this happening ... what happens when you get caught? you lose your job, get blacklisted in the industry, after all you can't tell them the govt made you do it (on your CV/resume trying to explain why you were fired)

I often wonder about this in regards to those "signed" orders in the USA, and it seems now Australia is similar.

And I wonder if we need more people going public in a very big way. i.e. Jim Smith has to put out a press release that says "I work for company X and the Government of Y country asked me to do xyz, and I refused."

Go very, very public with it, putting out press releases, etc. etc.

Obviously there are laws against that, and Jim Smith is risking a lot, but I can't imagine how things will get better until people on the front lines do stuff like this.

[+] xorcist|7 years ago|reply
There's another, perhaps more insidious perspective, on this.

After the emergence of these types of laws there's going to be potential backdoors explained away with "sorry, can't tell, wink wink" and nobody will ever know for sure. What's an employer to do? Or even end users?

[+] saurik|7 years ago|reply
Every time you come across a double free bug or some complex concurrency issue that gives an attacker arbitrary write access to a process, remember that you might have been looking at a back door. Someone has an off-by-one error on an array access: is that a back door? Why do you think a backdoor is somehow noticeable in the code?
[+] caf|7 years ago|reply
Here's what I would do: send it back to them and tell them to send it to my employer's legal department.
[+] paulie_a|7 years ago|reply
For large OSS projects, accept PRs from those contributors, and outright tell the Australian government to go fuck themselves.

They have zero recourse.

[+] jsjohnst|7 years ago|reply
> So how do I find out which software on Android Play is written in Oz?

If the above bothers you, then you should avoid any software written in the US too. The exact scenario you described can happen in the US, especially if you have a security clearance, but work in a regular tech job.

[+] metta2uall|7 years ago|reply
I expect they won't ask for anything crazy like that or violate the prohibition on asking for a "systemic weakness" - one of the reasons being that they want this law to be deployed as smoothly as possible to make a good case study for their 5-Eyes mates.
[+] lostmsu|7 years ago|reply
Why would the government ping you? Your boss can set a secondary build pipeline, that merges his branch before producing a release build. Unless your company requires repeatable builds, you'll never notice this.
[+] cyphar|7 years ago|reply
While I understand why they didn't mention this (because it's not clear if this interpretation of the bill is correct -- given there is currently no common law around it), I would like to point out what is the most concerning thing (to me) about this legislation.

It potentially allows the government to turn employees into saboteurs. According to s.317C(6), a "designated service provider" can be someone who has developed software that is likely to be used in an electronic service that has one end-user in Australia. This is a very wide net and immediately includes effectively every free software developer, and the employees of every tech company. Now, there is an argument to be made that employees don't qualify (because they're acting on behalf of their employer), but that's not clear at the moment. It also includes sysadmins (or even ex-sysadmins) as people who can be "activated" as saboteurs.

It should be noted that it's very unlikely that this legislation would result in the Armageddon most people (including myself) are quite worried about. I imagine it's much more likely this power will be used against a few big players (Apple, Facebook, Google) in order to add features like being able to add additional devices to group chats (or something like that). But obviously the law gives them much more power than that, and that's a very big concern.

(And the fact that only 2 MPs voted against it tells me there's almost certainly some back-door dealings that resulted in this bill being passed.)

[+] jeeeeb|7 years ago|reply
Personally I've been reading the text and trying to grasp the implications of this.

There appear to be two limitations on this power: 1. You cannot be compelled to do something in a foreign country that would be a crime in that country 2. In issuing the notice the relevant oversight authority must give weight to your 'legitimate' interests.

I think 1 is a huge point as it effectively constrains the jurisdiction of the law to Australia.

However, there is still significant ambiguity. For example, can I be compelled to commit a crime against a foreign country while in Australia, if I have a legitimate interest in not committing a crime against that country?

Would a company's legitimate interest in not compromising customer trust (more than the existence of this legislation doesn't already), act as a significant constraint on the issuing of TANs/TCNs?

There's also ambiguity as to whether I can reveal the existence of a TAN/TCN to my employer. The law makes certain exceptions, including the ability to publish the aggregate total of TAN/TCN received in a 6 month period and seek legal advice. So in order to seek legal advice or reasonably execute a TAN/TCN can I let my employer know?

[+] bad_user|7 years ago|reply
Laws eventually get abused.

I think it’s very likely that this law will eventually lead to everything everybody is worrying about.

[+] mirimir|7 years ago|reply
If you think that this is a new thing, I recommend reading James Bamford's books about the NSA and its predecessors. It was not uncommon for technical staff to discreetly provide data to government intelligence agencies. Back in the telegraph days, that meant shlepping rolls of paper tape. Later, magnetic wire and tape. And this was often done without management knowledge. Because, you know, these were patriotic guys.
[+] fit2rule|7 years ago|reply
>very unlikely that this legislation would result in the Armageddon

The trouble is, the secrecy. So we'll never know if there was an Australian-digital-armageddon, because none of us (Australians) are allowed to discuss it.

[+] chris1993|7 years ago|reply
From what appears in the media it looks like not so much back-door dealings as realpolitik. There is considerable domestic politics in play where the opposition (Australian Labor) party didn't want to get labelled 'soft on terrorism' by a struggling government which is looking for any message to attack the opposition over the xmas holiday period, particularly if there are any 'incidents' during this time. The opposition have requested that the legislation be reviewed and, one would hope, amended when parliament is resumed.
[+] thiagocsf|7 years ago|reply
> only 2 MPs voted against it

Have you got a source for this? I read (can’t remember where, sorry) that most Greens senators voted against it. From memory, Di Natale and SHY were in the list.

The legislation was waved through by Labor because there is an election coming up and they were afraid to be labelled as pro terrorists and child molesters.

This site has sources: https://alp.fail

[+] lawland|7 years ago|reply
> I imagine it's much more likely this power will be used against a few big players (Apple, Facebook, Google)

Aussie market is not that big. Its gdp is less than a tenth of USA, smaller than Canada and a half of India. It is a good size but if a bunch of google employees stage a protest over this, google may just pull out of it because losing talent can be a bigger pain.

[+] drngdds|7 years ago|reply
>This is a very wide net and immediately includes effectively every free software developer, and the employees of every tech company.

This doesn't seem very meaningful? I live in the US. If the Australian government goes to me and tells me to sabotage my employer, I can tell them to pound sand.

[+] caf|7 years ago|reply
> (And the fact that only 2 MPs voted against it tells me there's almost certainly some back-door dealings that resulted in this bill being passed.)

Not really, that's just a consequence of the Australian Parliament's history of very strong party discipline. It is highly unusual for all the members of a parliamentary party not to vote the same way on a bill.

[+] cmroanirgo|7 years ago|reply
Agree. Imagine also if, as a potential 'saboteur' the gov then try and sweeten the 'deal' with cash 'on the side'. Suddenly, we're also targets for moral corruption too -- just like the pollies who voted for this disaster.
[+] mwill|7 years ago|reply
I'm less worried that these clauses will be used/abused, and more worried that the mere existence of these clauses will be catastrophic to the trust of Australian suppliers to overseas customers.
[+] zmmmmm|7 years ago|reply
I'm grappling with what to do about this law. I develop software in Australia, for a company, separately as a private software vendor and separately again as an open source contributor. From what I can understand, this law can compel me to silently insert malware into any of these. Morally I feel like I need to modify the licenses, READMEs and terms of conditions for products I sell and the contracts under which I do commercial work to clearly state that I may at any time include malware into the software I supply, if directed to by my government.

However unlikely, the idea that I could be commandeered at any moment to betray the users of my software and ship malware to them sickens me. But I also know that the reality of this happening is almost vanishingly small. I genuinely don't know what to do.

[+] LeoPanthera|7 years ago|reply
I am particularly concerned how this will affect Fastmail, an Australian company.

I've hosted my mail there since 2002 and they've always been quite pro-privacy. But I fear that such a stance is now literally impossible for any Australian company.

[+] cyphar|7 years ago|reply
TCNs (which is the primary thing this article is about) won't practically affect email providers, because email providers already have your plaintext emails -- they don't need to implement new capabilities to intercept them. (As an aside, I use Mailbox.org which has a feature to auto-encrypt incoming emails to a PGP public key -- which means that only new emails would be usable with interception.)

However there is now a no-warrant-required method of getting information (in the form of TANs and TARs) which has no judicial overview -- previously they would've needed a warrant. This is definitely a massive concern, but given that you wouldn't have seen a warrant previously (Fastmail would get it) this is not a practical difference to you (obviously it's a massive ethical difference and so on).

But to be honest, I actually hope people stop using Australian services and big companies start backing out of the Australian market. It's the only way our dropkick government will realise how much of an own-goal this legislation was.

[+] AsyncAwait|7 years ago|reply
Atlassian is another company that comes to mind here.
[+] lawn|7 years ago|reply
Aww man. I've been a super happy user as well for quite some time. What should a privacy concerned customer do?
[+] gtbc|7 years ago|reply
Australia has an unstable federal political system, with elections every three years or less (this is baked into the constitution, so it will be hard to amend). Imagine the US House of Representatives with the equivalent of Speaker of the US House of Representatives as the Prime Minister of Australia as you won't be far off. Unlike the UK, there isn't a strong civil service, and unlike the US, the Senate, states and courts are weaker, and there isn't a separate executive branch.

This leads to a revolving door of occasionally unsavoury characters getting into positions of great, and virtually unchecked power. Giving these figures enormous power without judicial oversight is deeply problematic. Checks and balances are not a big thing in Australia.

[+] ggm|7 years ago|reply
Do you live here? I do, and while tiny nuggets of truth are in individual sentence clauses, this is a very paranoid and overstated argument.

We have a high court. They reverse bad federal and state laws. Lots of bad immigration decisions by ministers are being overturned. Mabo happened.

[+] jmpman|7 years ago|reply
Apple should suspend selling any products into Australia and announce layoffs of all Australian employees for the day before the law goes into effect. The Australian market is small enough to make a stand without impacting the bottom line.
[+] cesarb|7 years ago|reply
For free software, I wonder if reproducible builds plus a "certificate transparency"-style check in the updater (only allow an update once several build servers, preferentially located in separate jurisdictions, have validated the build and published the corresponding source code) could help. That is, make it impossible to push a backdoor to a single user without making it public to everyone. Making updates anonymous (that is, never sending any ID which could be used to target an update to a specific user) might also help.
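
The updater check cesarb describes above, as an added example that is not part of the original thread or any project's code: an update is accepted only when enough independent rebuilders, spread over enough jurisdictions, have attested to the exact bytes being installed. The builder names, keys, URL, thresholds and function names are all constructed assumptions, and HMAC tags stand in for the public-key signatures a real updater would verify.

```python
import hashlib
import hmac

# Constructed trust roots: builder id -> (jurisdiction, key). HMAC keys stand in
# for real public-key signatures so the sketch runs on the standard library alone.
TRUSTED_BUILDERS = {
    "builder-a": ("AU", b"constructed-key-a"),
    "builder-b": ("DE", b"constructed-key-b"),
    "builder-c": ("US", b"constructed-key-c"),
    "builder-d": ("AU", b"constructed-key-d"),
}


def _tag(key, version, digest, source_url):
    msg = "|".join((version, digest, source_url)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def attest(builder, artifact, version, source_url):
    """Statement a build server publishes after rebuilding `version` from source."""
    _, key = TRUSTED_BUILDERS[builder]
    digest = hashlib.sha256(artifact).hexdigest()
    return {"builder": builder, "version": version, "digest": digest,
            "source_url": source_url, "tag": _tag(key, version, digest, source_url)}


def update_allowed(artifact, version, attestations, min_builders=3, min_jurisdictions=2):
    """Accept the downloaded artifact only if enough independent builders,
    spread over enough jurisdictions, attest to these exact bytes."""
    digest = hashlib.sha256(artifact).hexdigest()
    builders, jurisdictions = set(), set()
    for a in attestations:
        entry = TRUSTED_BUILDERS.get(a.get("builder"))
        if entry is None:
            continue  # statement from a builder the updater does not trust
        jurisdiction, key = entry
        expected = _tag(key, str(a.get("version")), str(a.get("digest")),
                        str(a.get("source_url")))
        if not hmac.compare_digest(expected, str(a.get("tag"))):
            continue  # forged or altered statement
        if a["version"] != version or a["digest"] != digest or not a["source_url"]:
            continue  # other bytes, other release, or no published source
        builders.add(a["builder"])       # sets: repeats by one builder count once
        jurisdictions.add(jurisdiction)
    return len(builders) >= min_builders and len(jurisdictions) >= min_jurisdictions


# Constructed sample: a public release and a one-off build served to one user.
PUBLIC = b"release 2.4.1 built from the published source"
TARGETED = b"release 2.4.1 plus a change served to one user"
SRC = "https://example.org/src/2.4.1.tar.gz"
PUBLIC_LOG = [attest(b, PUBLIC, "2.4.1", SRC)
              for b in ("builder-a", "builder-b", "builder-c")]
```

With these thresholds a binary vouched for by one builder, or only by builders in one jurisdiction, is refused, so a modified build has to pass through the same public log everyone else reads.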
[+] robryan|7 years ago|reply
One of the worst things about this bill is that the opposition knows it is full of problems and could have blocked it and forced a range of amendments.

The Labor party here though is afraid of creating any point of difference on anything that could in any way be considered “national security” legislation. So instead of risk a lengthy period over the summer break where they would be attacked if any kind of terrorist attack happened they caved and passed the original version.

[+] danieltillett|7 years ago|reply
I am an Australian software developer. There is no way I am putting any backdoor into any software I write and I am willing to go to jail if needed. If all us Aussie developers tell the government to go jump this stupid law will fail.
[+] Animats|7 years ago|reply
What problem does Australia have that could possibly justify this? Gangs in Sydney? Drug traffickers from New Zealand? Terrorists from Vietnam?
[+] XorNot|7 years ago|reply
It's not much but I'm writing my local member, paper-copy, about this right now and encourage any Australian to do the same.

It's the least you can do, costs a dollar, and politicians react to getting stacks of paper more than they do emails.

[+] aichi|7 years ago|reply
It is not about a PR with malicious code, I expect. I think the PR which will have backdoor code would bump the version of some dependency package only. Like the targeted attack on a Bitcoin wallet a few weeks ago. If you or your company isn't scanning dependencies you would never discover it.
[+] rcaught|7 years ago|reply
How does this affect the AWS Sydney region? Will KMS and CloudHSM be under threat of a backdoor and this propagate to all systems that base themselves off these products?
[+] retrogradeorbit|7 years ago|reply
The thing that makes me most despondent is, you just watch them all get voted back in next election.
[+] djsumdog|7 years ago|reply
It's exceptionally sad since Australia has order of preference, instant runoff and mandatory voting. Even with all those safeguards to prevent major parties and ensure equal representation, Australia still ends up with major parties and too many people who don't bother with the bottom of the ballot.
[+] ilrwbwrkhv|7 years ago|reply
ya and it will happen every year... those in power have been trying to take control of people's lives forever but so far they have been unable since it requires physically being present. but as technology becomes seamless and is woven into the fabric of society, eventually our thoughts too won't remain private. the only thing protecting us is we are just one data point in billions...
[+] mtgx|7 years ago|reply
Do you think that will just magically happen on its own?

The party that may win the next election already supports the bill. They claim they would update it with a few inconsequential changes, to make it look like they're "fixing it". But that's about it.

[+] tempodox|7 years ago|reply
That means, nobody outside Australia can afford to let an Aussie anywhere near a computer, since Canberra will send them to prison if they don't spy or say anything about it.
[+] edoo|7 years ago|reply
Imagine you run a secure webmail provider where all data is truly encrypted and served up to the user that decrypts it using a 3rd party JavaScript library that isn't even hosted on your site.

Based on the wording of this they could compel you to target that user and serve up a JavaScript decryption library of the government's choice.

In a similar vein they could compel Android/MS/iOS system updates to include trojans in search of decryption keys.

Edit: This is a good argument to only use Linux or BSD. Unless you had some sort of management contract it would be near impossible to be directly targeted with system updates. They'd have to get the signing key for your distro and intercept/rewrite package downloads. I bet you this is standard affair for high value targets. If you were paranoid you could update or mirror through a proxy.

[+] brokenmachine|7 years ago|reply
It will be interesting when we have our first outbreak of phishing, claiming to be ASIO and demanding backdoors to all IT infrastructure.

Literally any employee would be subject to these laws. They could just quote the laws and demand that any employee installs malware or creates a backdoor admin account.

[+] banku_brougham|7 years ago|reply
Regardless of what becomes of this horrific law in practice, a whole class of workers now need to spend time on legal research, money on legal advice, and prepare for contingencies that could truly upend their lives.
[+] askvictor|7 years ago|reply
Consider Signal, which is open source and not based in Australia. If AU wants to intercept a Signal message, then presumably they would need to either force Google and/or Apple to push a custom app to a specific user, or take over the entire phone (again, via Google or Apple). In the first case, is the app that comes from the app store somehow verifiable, or do you need to build from source to be sure? Is there anything that can be done about the second case (which I suspect is the general intent of this law)?
[+] lamerman|7 years ago|reply
Considering this, ban of Huawei looks ridiculous.
[+] peterkelly|7 years ago|reply
It makes sense in a way. The government wants to make sure they're the ones with the upper hand when it comes to surveillance, rather than China.
[+] metta2uall|7 years ago|reply
Well, I'd much rather spies from the 5 Eyes read my emails than spies from the Communist Party of China..