I migrated to Australia many years ago and I have recently become eligible to become a citizen. However I’ve heard stories of tech companies refusing to hire Australians because of the AA Bill, so I’m holding off on it for now. The problem seems to be the provision that a tech worker can be coerced by the Australian Government into creating a backdoor, and they are not authorised to disclose it to their employer. I don’t want to hurt my future employability. On the one hand, if I had my citizenship then I could vote at the next elections, but on the other hand the AA Bill has been supported by all major Australian parties so I feel powerless.
"For example, Australia’s law enforcement could compel Apple to provide access to a customer’s iPhone and all communications made on it without the user’s awareness or consent. An engineer involved would, in theory, be unable to tell their boss about this, or risk a jail sentence."
"The Australian government could demand web developers to deliver spyware and software developers to push malicious updates, all under the cloak of “national security.” The penalty for speaking about these government orders—which are called technical assistance requests (TAR), technical assistance notices (TAN), and technical capability notices (TCN)—is five years in prison."
I haven't seen a compelling argument that it has extra-territorial effect; on my reading of the amendments it doesn't.
Extending your intelligence laws to cover individuals residing in other countries, who might also be citizens or permanent residents of those countries, can make for awkward dinner table discussion in diplomatic settings.
So hiring Australians working outside of Australia should be OK.
Of course, I'm not a lawyer. Or a spook. Or a diplomat.
1. You likely can't force someone to disclose all their citizenships.
2. In most countries you can't legally discriminate based on nationality. In practice, publishing this comment here will likely cause you more trouble if you reject someone now than the Australian government will.
3. If you apply this to all... what countries are you left with exactly where the government or LE can't force people to do something?
> The problem seems to be the provision that a tech worker can be coerced by the Australian Government into creating a backdoor, and they are not authorised to disclose it to their employer.
> Is this true? There is no way I am hiring an Australian citizen then.
No. The request or notice is served to the company, not the individual, so the company is not left in the dark.
There has been a lot of poor reporting about this law; roughly speaking, there are 3 types of requests for data allowed:
1. Technical Assistance Request - "give me this data please". Optional, no penalty to anyone for not complying.
2. Technical Assistance Notice - "give me this data if you can, or else...". Mandatory, penalty to the company if they can comply but do not comply, but if the company would have to build a new thing to comply (e.g. they do not have the decryption key and there's no backdoor), then there's no penalty and they do not have to comply.
3. Technical Capability Notice - "give me this data or build a way to give me this data, or else...". Mandatory, and a penalty to the company if they do not comply. If they can't do the thing yet, they need to build a backdoor, unless doing so would introduce a "systemic weakness".
In all cases, it's the company being targeted. Individuals in the company only become liable for penalties if they leak information to people not involved in the investigation.
Yes, it's still a bad law that was rushed through with too little discussion. Yes, there is too much room for interpretation and too little oversight. (And yes, Australian tech companies like Atlassian are lobbying heavily to improve the situation[0][1][2].)
But we're not at the point where it's reasonable to blacklist Australian tech workers yet, thankfully.
Source: I am an engineering manager at Atlassian, a major Australian tech company; there has been a lot of internal discussion and guidance from our founders and legal team about this.
Disclaimer: I am not a lawyer, this is not legal advice, etc. Also, I am an Australian citizen.
So garishly stupid that it can blind a boulder. So vapidly moronic that bits of ooze collected by clams are more intelligent. It's so bad that astronauts on the ISS passing over Canberra need to shield their heads with lead so the radioactive idiocy doesn't fry them.
But don't kid yourself: Australian citizenship is profoundly valuable.
I would not pass it up lightly. I was born to it and I am enormously grateful to have it.
Getting where I am now (Australian permanent resident) has been the hardest thing I have ever done in my life.
It included working casual night-shift jobs while studying to get a uni degree during the day (having an Australian degree improves your score towards a skilled visa).
For a long period I was separated from my wife and daughter due to visa complications; it was heartbreaking.
In addition I had to give up my role as a start-up co-founder (because in order to maximise your skilled visa score, it's better if you are an employee at an Australian-based company - the start-up I was involved with was legally based overseas).
I haven't even visited my home country (Italy) since 2013, I am still in touch with family and some friends but the reality is that the connection to Italy is slowly fading away and I am long past that phase where you start to call your adoptive country "home".
Becoming an Australian citizen has been the main goal of my life in the past 8 years so I'm not going to pass on it lightly. At the moment, however, I'm taking my time to think about it.
Bad news:
This is still the words of a politician, so it's likely they're relatively empty and the changes may be trivial and won't address the fundamental distrust it has sown in Australian-developed and/or operated technologies.
Do you mean tech companies in Australia refusing to hire Australian citizens? Or foreign companies? Because the first is very illegal.
If your home country allows dual citizenship, it doesn't seem like a problem for getting a job outside Australia. If it's not a government job where they'll do security checks, just don't disclose your dual citizenship. I hold dual citizenship, and not that my company has asked or would ask me if I am, I could easily say that I'm not and there isn't a lot they can do. Even governments struggle to determine if someone is a citizen of a foreign country, as we discovered with the dual citizenship debacle in parliament.
If your home country doesn't allow dual citizenship, depending on the risk you're willing to take, you can still become a dual citizen and not notify your home country.
Either way, the benefits of being legally entitled to live in Australia for eternity, as well as the right to participate in the democratic process, outweigh any potential downsides to becoming an Australian citizen, although I still have a few more years to wait for that.
The Australian tech sector is not that large; an ill-conceived law like this one could potentially worsen the job prospects here, to the point that one may consider working overseas. I'm not saying that it's likely, but at the same time it's not impossible.
So, yes, I was thinking primarily about foreign companies; (by the way, your argument in relation to Australian companies, "Because the first is very illegal", is not bullet-proof, because there are many things in this world that are illegal, and yet they happen).
My home country allows dual citizenship but I don't think that it would be so easy as you say to withhold this crucial piece of information from an employer: given that about half of my CV is made of positions I've held in Australia, I believe it's not that unlikely that a prospective employer may ask about my citizenship status.
Anyway, I haven't made any decision yet, I'm just basically taking my time. I agree with you about participating in the democratic process: when I evaluate the pros and cons of becoming a citizen, that's the biggest pro in my mind. Being entitled to live in Australia, on the other hand, is not a big factor in this decision, because I already have a permanent visa that lets me do that.
You mean the same democratic process that passed this bill when literally 99% of the responses within the consultation period were against it?
Or maybe you're talking about the democratic process where our opposition agreed to pass this bill even though they thought it was badly thought-out and needed amendments which were promised to happen in February but still haven't, in return for our government not allowing doctors to see sick people in our secret offshore prisons that almost nobody supports.
I'm being facetious of course, but as an Australian citizen I haven't felt represented here for a long time.
There's so much ambiguity in this, though. Can't the complying Australian employee simply nudge his/her coworker and say "hey, patch this later" and then it's just a game of back and forth with the Australian government not having their way in the end?
I can't stress enough the potential for harm in any attempt to bypass various laws.
The Australian Government even refused to allow independent Medical Doctors into their off-shore immigration detention centres for fear of the detention conditions being made public.
Australia did nothing to even consider trying to maybe help Julian Assange, an Australian citizen seeking protection from nation-backed harassment, way back when, and two Australian citizens were murdered by the Indonesian Government for drug trafficking (Australia negotiated prior to the event, but no negative action was taken afterwards). These are admittedly both divisive examples - with the intention to point out that it depends on the direction of political winds as to how the Australian Government will react.
Australia is a good place to live and the anecdotes above are specifically chosen as the far end of the bad scale, but if you choose a fight with any of the few specific issues the Government is paranoid about or sensitive to, you may face significant resources aimed at your incarceration.
Just make sure your ass is thrice covered if you're going to go up against it...
I've had long discussions with techie friends about this, and none of us can see a way that the government could actually force a dev to do anything in a way that doesn't immediately tip off the rest of the team.
I mean, your code is stored in a shared repo, right? So pushing a commit with the government-mandated changes to the shared repo is "informing others". But not pushing it means it'll never get to Prod.
Most places review code commits routinely, so how is a dev supposed to get their government-mandated changes into Prod without anyone seeing them?
If your Australian co-worker stops pushing their commits to the repo and starts trying to make changes to Prod without going through review, it's also a strong signal that something might be going on here...
In fact, if this legislation posed any kind of threat to your business, then your software development processes are broken and you're vulnerable to a ton of other, more likely, threats.
The legislation was written by a shower of technically-incompetent career politicians, with absolutely zero understanding of (or interest in) how software development works. This is the same mob of idiots who pronounced "the laws of mathematics are all very well, but we're in Australia so we obey Australian laws" when discussing their plans to break cryptography.
It's unenforceable, ridiculous, and will get changed before it ever gets used.
But as a startup tech co-founder dealing with encrypted documents, and an Australian citizen, I'm not planning to launch in Australia until it's fixed, and leaving Australia until it's fixed.
Unauthorised disclosure of information about a notice (or gained from a notice) is punishable with 5 years imprisonment -- which means that if you're suspected of being a whistleblower they can use this new legislation against you too (anything punishable with over 3 years imprisonment can be investigated in this fashion).
I wouldn't risk it. There are ways to legally provide aggregated information about the number of notices received in a 6-month period.
Also, talk to your representative and explain your concerns and push for it to be scrapped (though when I talked to the Labor senators' staffers they brushed me off and said that I wasn't interested in being informed when I disagreed with their party line). Federal elections are coming up, they're more likely to at least pretend to listen to you.
There are many scenarios where the Australian Government ends up not having it their way. For example a very likely scenario is: your commit which contains a backdoor goes to code review and then someone asks you "what is this". In theory you would say that you are not allowed to explain for legal reasons. Yet that commit is not going to be deployed.
I imagine that the government would begin at the executive level and ask "who else needs to know" and then work down the list to compel individuals or teams as required.
Similar processes already exist for other legal/police requests. If this legislation is used, companies like Telstra will have dedicated teams to comply with requests.
If your new Australian Citizen hire can build back doors into your software you've got bigger issues than hiring. Though I could see real risk associated with an Australian-based team for a global company or an Australian-based supplier.
I wouldn't advise this. Defying or subverting a lawful order can itself be a crime and you can bet the Crown Prosecutor and the Judge have seen far more attempts than you have.
The problem seems to be the provision that a tech worker can be coerced by the Australian Government into creating a backdoor, and they are not authorised to disclose it to their employer.
As I read it, the law requires warrants and court enforcement. I don't think you can be required to backdoor code in secret or held to account by the security agencies not to inform your employer. I would be very surprised if that was legal and uncontestable.
I do expect you can be informed by your employer you have to backdoor code.
I do not expect you can have an extra-territorial obligation placed on your work conducted outside Australia. If you are working inside Australia remotely I think it's complex.
I think the EFF should fund your case. Take citizenship and help fight this.
> I don't think you can be required to backdoor code in secret or held to account by the security agencies not to inform your employer.
This law gave the government the power to do just that. Implementing a backdoor in secret is close to impossible, as any developer would know. There was a post[1] made by "Alfie John" (alfiedotwtf) that outlines a scenario in which a developer is presented with a Technical Capability Notice (TCN).
> I do not expect you can have an extra-territorial obligation placed on your work conducted outside Australia. If you are working inside Australia remotely I think it's complex.
Australian citizens, regardless of their location are obliged to comply with these requests.
If you are presented with a TAR, TAN or TCN, you have the option to seek legal counsel in private or risk fines of up to AUD$7.3 million.
You risk imprisonment if you reveal details about the notice to anyone other than those who are included in the notice or to seek legal counsel (this is an exception within the law).
How confident are my fellow American citizens that the American government doesn't effectively have the same power? I mean, if someone showed up at your house in a black Suburban with an official-looking letter that seemed like a court order that you provide them with a backdoor, and threatened you with all manner of charges if you went public, how confident are you that you could walk away cleanly from that any other way?
Well I assume the first thing you do if you cop a notice is talk to a lawyer, and if the government's request is illegal, the American lawyer will tell you so. Since this legislation, the Australian lawyer is going to have to tell you to just do it.
The difference is the court order. In Australia, the individuals in the black car could show up with none of that and you'd still have to comply.
The Aussie politicians that voted for this are hurting everybody: a mining-based economy with less business coming its way because of laws like this one.
The American government does theoretically have this power, but it's not like any major player is refusing to do business with Americans yet because the downside to that is massive. It's possible it could come to that eventually.
Australia is a target for retribution here because the policy is newer and they're a smaller player.
The main point for me is not whether or not they can actually coerce me, but whether or not this is going to affect my employability. I have seen in various news articles reporting that, apparently, companies based in the USA and EU are currently wary of hiring Australian developers because of this law.
Regarding your point, my understanding (I'm not a lawyer so I may be wrong) is that, in general, the law of a country applies to residents only while they are residing in the country, and it ceases to be applicable after they leave the country. For citizens this is certainly not the case, e.g. even though I haven't been to Italy since 2013, as a citizen I still have some rights and obligations.
So, how exactly would anyone get a back door past code review? There are practices and processes that make this infeasible regardless of the Australian Government's belief they can coerce anyone.
Every company I've felt has been worth working for in the past 10 years has had rigorous code review practices that would obstruct my ability to integrate any code without oversight.
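The control this post and the earlier one about shared repos and code review rely on is a four-eyes rule: nothing reaches production unless it went through the shared repository and was approved by someone other than its author. As an added example (not code from anyone in the thread), the audit below runs that rule over constructed deploy and review records and flags exactly the two signals those posts describe: a production deploy whose commit has no review record, and one approved only by its own author. The record schema (commit, author, approvers, env, deployed_by) is my own assumption, not any real CI system's.

```python
"""Four-eyes audit for production deployments (constructed demo data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Review:
    commit: str          # commit hash that was reviewed on the shared repo
    author: str          # who wrote the change
    approvers: frozenset # who approved it (may wrongly include the author)


@dataclass(frozen=True)
class Deploy:
    env: str             # "prod" or another environment
    commit: str          # commit hash that was shipped
    deployed_by: str     # who triggered the deploy


@dataclass(frozen=True)
class Finding:
    commit: str
    deployed_by: str
    reason: str


def audit_prod_deploys(deploys, reviews, min_independent_approvers=1):
    """Return a Finding for every prod deploy that did not pass independent review.

    A deploy passes only when its commit has a review record carrying at least
    `min_independent_approvers` approvals from people other than the author,
    so self-approval never counts. Non-prod deploys are ignored.
    """
    by_commit = {r.commit: r for r in reviews}
    findings = []
    for d in deploys:
        if d.env != "prod":
            continue
        review = by_commit.get(d.commit)
        if review is None:
            # The change never went through the shared repo at all.
            findings.append(Finding(d.commit, d.deployed_by,
                                    "no review record: commit bypassed the shared repo"))
            continue
        independent = review.approvers - {review.author}
        if len(independent) < min_independent_approvers:
            findings.append(Finding(d.commit, d.deployed_by,
                                    "no independent approval: approvers="
                                    + ",".join(sorted(review.approvers))))
    return findings


# Constructed sample records (hashes and names are made up for the demo).
REVIEWS = [
    Review("a1b2c3", "alice", frozenset({"bob"})),    # reviewed by someone else
    Review("d4e5f6", "carol", frozenset({"carol"})),  # carol approved her own change
]
DEPLOYS = [
    Deploy("prod", "a1b2c3", "alice"),     # fine
    Deploy("prod", "d4e5f6", "carol"),     # self-approved -> finding
    Deploy("prod", "0f0f0f", "dave"),      # never reviewed -> finding
    Deploy("staging", "0f0f0f", "dave"),   # not prod, ignored
]


def run_demo():
    """Audit the constructed records and return the findings in deploy order."""
    return audit_prod_deploys(DEPLOYS, REVIEWS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.commit} deployed by {f.deployed_by}: {f.reason}")
```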
Actually you can be compelled whether you are a citizen or not, you just have to be in the country. So unless you have to give up your prior citizenship there is no reason not to proceed.
So please apply, and then maybe one day you can vote against those who support it.
That's one of the biggest things that lawmakers here couldn't seem to understand - tech companies have high mobility across borders. Even if a law has no teeth, why would Microsoft store data in Australia when the next country over can still serve data for the region? It just creates too much risk, from a privacy and PR standpoint.
Startups will be more averse to founding in Australia as well. It just creates a black mark on their record from the start. These data laws were very poorly planned by the Australian Government.
I think that "high mobility across borders" is an assumption based on existing trade regulations. From recent developments it's clear countries can and do force companies to do things they don't want, and companies will do it because they can't or won't lose access to consumers in those markets.
Of course, if nobody else does this, this means you may have older software on your systems or less priority in development roadmaps or whatever as your country is an edge case, and you can probably say goodbye to market leadership and have to coast on your existing advantages. However, if everybody begins to cartelize the Internet, you may not lose as much in comparison to everybody else, since you will no longer be the edge case but the common case, and it will be a bad time to start a company or store data anywhere you go at any time. Companies will simply have to live with the geopolitical reality. In this sense, the Internet devolves into a suboptimal Nash equilibrium, where everybody has data localization laws and nobody will want to loosen up because storing your citizens' information on servers in another country will leave your citizens vulnerable. If this happens, the large homogeneous markets with a single language, government, and economy (U.S./China) may have an advantage.
This is sad, and I hope they reverse this law. An open Internet is good for economic and societal dynamism (and as a civilization is tautological to organized chaos, slowing that down weakens said civilization), and I wouldn't know how to work backwards to where the Internet should be. In the meantime, maybe this will lift some open source, decentralized communications means past some threshold of viability.
> Apple has begun storing Russian user data in Russia in compliance with Russian data storage laws
I don't see how this is inherently bad.
First of all Russia's intelligence agencies get access to any data belonging to Russian citizens anyway, simply because those citizens are under Russian legislation.
I don't know the details, however note that the GDPR also imposes restrictions on exporting the data of EU citizens outside the EU.
For example exports are only allowed in countries or territories that have enough safeguards for the protection of that data.
This is important for privacy, for example if our local security agencies mishandle my data, I can sue them, I can vote for the opposition, I can convince other people to do the same, etc, however if a foreign agency mishandles my data, like those of Australia, I can do absolutely nothing about it.
And from the state's point of view, having access to the data of your citizens is also a matter of national security. I can definitely see why a rival of the USA wouldn't want the data of its citizens stored on servers located in the USA.
---
Companies that want access to the Australian market will succumb to Australian demands of course.
The problem for Australia however is that their local companies will get hurt in the international marketplace.
For example Fastmail, which competes with Google by promising better privacy, is now in a very awkward situation of having to explain how this bill is affecting them and what they are doing about it. In a market dominated by Google, hurting your local companies that compete with Google is downright stupid and will have an effect on their economy.
The Trump Administration also passed a law that affects companies that store data overseas so that they can get that data, after big companies fought such subpoenas.
Australia's lawmakers just need to amend the law so that it doesn't matter where the data is stored, as long as the company operates within their nation's borders.
I'd like to see how the Australian government handles things when MS cancels all their Windows and Office licenses.
Some customers demand to know which jurisdiction their data is stored in, so it isn't as simple as "move it somewhere friendlier".
You have control if you are running your own services on top of the main cloud providers, but if it is in O365 or GMail/GApps it used to be a different story, and this precluded their use by a bunch of .au organisations (universities, Govt departments) early on.
So now some of these orgs that need to have data stored in .au for privacy reasons (among other reasons) are subject to these new badly formed laws in some kind of twisted catch-22.
They clearly don't give a fuck about the tech industry. They sell coal and talk about stopping boats, throwing the word "pedophile" in there every now and then.
Technologists need to understand that governments do not form policies, legislate and operate in isolation. There is cooperation. Tax and trade treaties are another example.
See [1] for commentary about the international agenda in this case.
Heard of FAANG minus Amazon (they don't work here) datacenters in Russia? There is none, as well as data storages here. Everyone gives 0f about this law, only huge targets have fines of ~$1M yearly.
My understanding of the law is that the Australian government can demand assistance from Microsoft as long as Microsoft provides services to Australians. The location of the data is actually irrelevant.
Encryption isn't illegal due to the bill. In fact encryption law itself hasn't changed. The bill gives the government the ability to compel someone to circumvent encryption (backdoors, spyware etc.) if technically feasible while acting to service a warrant.
It is much worse than banning encryption as it is silent subterfuge and forcing the hand of citizens who would otherwise just be going about their day.
Laws should be able to stop people from doing certain things but forcing people to do something they had no business doing in the first place is insane.
> A technical assistance request (TAR): Police ask a company to "voluntarily" help, such as give technical details about the development of a new online service.
> A technical assistance notice (TAN): A company is required to give assistance. For example, if they can decrypt a specific communication, they must or face fines.
> A technical capability notice (TCN): The company must build a new function to help police get at a suspect's data, or face fines.
This approach is ripe for abuse. Even if a company is served with a TAN and "can't technically decrypt" then a TCN can force them to downgrade/backdoor the platform security to comply. The TAR seems token at best.
Thought experiment: Company gets served with a TCN. They task Jolene (Snr Programmer) to implement the backdoor. She does so in a way that spews information far and wide in a highly visible manner. What are the consequences for Jolene and/or the company, especially when the spooks cry foul and Jolene's lawyer/Company replies with something along the lines of "I guess she's just incompetent and did a bad job. Sorry. But we did comply with your TCN."
Jolene and some people from the company go to jail for exposing the Gestapo overreach.
The govt talks about being tough on baddies, coal keeps being sold, there's no pedophiles in my house and wow, it's Sunday so lets all watch the footy!!
It's incredible to watch the degree to which intelligence wants and needs are dictating the coming regulatory environment of internet & tech generally.
Losing access to an information stream due to routing or encryption. Matching allies' and rivals' levels of information access (à la PRISM). Denying them access... From the perspective of the spooks (ASIO, in this case) these are equivalents to exposing a microphone in Bin Laden's proverbial cave.
Meanwhile, FB & Google's revenue streams are, at this point, so big and so tightly coupled with creepy ad-tech/spyware that the economy depends on privacy initiatives failing. Narrowing down a list of FB users who are >n% likely to sign up to a new candy subscription is a lot like producing a list of >n% likely to march in Charlottesville or support some specific jihad. Collaboration is inevitable.
Let's not underestimate where these roads are leading.
Aussie entrepreneurs aren't too happy about this law or some of the other ones, e.g. the immigration laws.
One friend (health related ml/ai) is moving from Australia to Thailand next week. He is PISSED the Aussie government wouldn't let him hire one guy who was already in the country but not a citizen. That cost 6 other domestics their job. They were sent packing last week.
He's not the first and he certainly won't be the last to move his company overseas because of the govt's anti-biz policies.
Australians have very few constitutionally guaranteed rights (compared to countries such as the US). The Constitution only gives us the right to vote, the right to a trial by jury, and freedom of religion (and a few others). But many more rights, including extensive privacy rights, exist in statute law and elsewhere.
The main argument against adding more rights to the Constitution, is: "we don't want to end up with obsolete rights that do more harm than good, and that are virtually impossible to get rid of, like the US with its right to bear arms".
The U.S. actually goes a step further... the only rights the constitution actually spells out are the rights of government. Most encroachments have been under the guise of "interstate commerce" or "taxation" in general...
> The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.
As to the bill of rights, so long as the police are armed and can act with impunity... imho, the populace should be able to be armed. I don't personally own a firearm... I also don't spew racist rhetoric. I am a strong believer in all civil rights.
Of course “they” would say that. Easier to sell than enshrining rights in the constitution makes it impossible for us to encroach on those rights ;) tin foil stay strong
We don't actually have a constitutional freedom of religion in Australia. In the first election I ever voted in, this was a proposed change to the constitution and it was voted down. If the Australian government wanted, it could establish a state religion and ban the rest - not that this would ever happen in practice.
You can't protect rights and freedoms from intrusion by the government by statute, which is kinda the whole point of having a constitution. If it's just a law saying the government can't do something, then it'll do that by first repealing that law - if all you need is a simple majority, the votes are always there.
The reason why the US constitution is so hard to amend is because of how high the bars are for the process - 2/3 in the House and in the Senate to submit amendments, and 3/4 of all state legislatures to ratify them. Or if going via state convention, then 2/3 of all state legislatures to request it, but still 3/4 to ratify anything that comes out of it.
I don't think it was a bad system originally, back before the 14th Amendment - since originally all those restrictions were on what the federal government can do, not on what the states can do. Between the states and their citizens, it was supposed to be taken care of by their respective state constitutions, which are generally much easier to amend - and even if they didn't, they wouldn't block other states from experimenting. With 14A, and the gradual incorporation of various constitutional protections on state level via it, the process to amend it needs to be more democratic IMO, and acknowledge the people, not just the states.
I find this funny because the SCOTUS basically can change the Constitution whenever they want.
The second amendment only states that the United States itself has a right to bear arms in order to defend itself (have a Militia)[0]. It didn't provide citizens the right to personal protection by guns until a 2008 Supreme Court case [1].
For what it’s worth, email is not a private protocol/platform - some degree of encryption-at-rest and privacy-respecting SOPs can give services like Fastmail a fairly good screen against private malicious actors, but you should never count on email as a means of communication to have any decent way of protecting you from state surveillance, especially when you live under the jurisdiction of the state surveilling you.
Though that’s not to say that we should accept these laws as they apply to email services lying down. Any reason to refuse to use the services of Australian companies when foreign services of similar quality exist gives those Australian companies all the more reason to press the government to reform these laws on the grounds that they’re losing valuable business for negligible gain to national interest. If the government doesn’t listen to individual constituents, it might listen to companies which are hurting in their back pockets.
I'm aware. It's the principle of the thing that bothers me. I'd love to do business with Fastmail but I don't want my communications flowing through a surveillance state that has no due process.
I recently moved to Fastmail and couldn't be happier.
Like others have said, you really should never count on email being a private medium. I switched mainly to remove my email from Google's sources of data collection on me: this is the level of privacy that is important to me. If I wanted to hide from state sponsored actors I wouldn't be using email at all.
A nice side effect of moving to Fastmail is being able to use their amazing Web UI, which is so much faster and more responsive than Gmail's super bloated interface.
There was a thread I made about ProtonMail v FastMail and this one point came up at the top. However, ProtonMail’s inability to support standard clients without an awkward bridge app seems to take the edge off it.
> ProtonMail’s inability to support standard clients without an awkward bridge app
Isn't that one of the pros of Protonmail? All the data is encrypted and decrypted on the client. There is no way to have mail apps access the data without a piece of software that handles the encryption.
ProtonMail's bridge program is a bit of a kludge, and their proprietary protocol (rather than seeking IETF standardization) prevents implementing the protocol in the MUA.
I'd love to have a privacy-respecting mail hoster, but the ProtonMail bridge program is too unattractive to make the switch.
(Which is not to say that IMAP itself isn't a mess, but MUAs have gotten it to work, and we'd like for whatever other protocol we move to instead to also be an open standard.)
Unless this is just a boycott of Australian tech services altogether based purely on principle, then it looks like the encryption laws might have actually helped you out on this one. They don't impact Fastmail because Fastmail already has access to your emails. So if you want an email provider that doesn't (ProtonMail?) then you almost made quite the mistake!
Source: Sydney Morning Herald https://www.smh.com.au/business/consumer-affairs/dangerous-o...
That would be a 5-year jail sentence apparently:
Source: EFF https://www.eff.org/deeplinks/2018/09/australian-government-...
3. If you apply this to all... what countries are you left with exactly where the government or LE can't force people to do something?
> Is this true ? There is no way I am hiring an Australian citizen then.
No. The request or notice is served to the company, not the individual, so the company is not left in the dark.
There has been a lot of poor reporting about this law; roughly speaking, there are 3 types of requests for data allowed:
1. Technical Assistance Request - "give me this data please". Optional, no penalty to anyone for not complying.
2. Technical Assistance Notice - "give me this data if you can, or else...". Mandatory, penalty to the company if they can comply but do not comply, but if the company would have to build a new thing to comply (e.g. they do not have the decryption key and there's no backdoor), then there's no penalty and they do not have to comply.
3. Technical Capability Notice - "give me this data or build a way to give me this data, or else...". Mandatory, and a penalty to the company if they do not comply. If they can't do the thing yet, they need to build a backdoor, unless doing so would introduce a "systemic weakness".
In all cases, it's the company being targeted. Individuals in the company only become liable for penalties if they leak information to people not involved in the investigation.
Yes, it's still a bad law that was rushed through with too little discussion. Yes, there is too much room for interpretation and too little oversight. (And yes, Australian tech companies like Atlassian are lobbying heavily to improve the situation[0][1][2].)
But we're not at the point where it's reasonable to blacklist Australian tech workers yet, thankfully.
Source: I am an engineering manager at Atlassian, a major Australian tech company; there has been a lot of internal discussion and guidance from our founders and legal team about this.
Disclaimer: I am not a lawyer, this is not legal advice, etc. Also, I am an Australian citizen.
[0]: https://www.theaustralian.com.au/business/technology/scott-f...
[1]: https://www.afr.com/technology/web/security/atlassian-leads-...
[2]: https://ia.acs.org.au/article/2019/tech-industry--fix-the-as...
It's a stupid bill.
So garishly stupid that it can blind a boulder. So vapidly moronic that bits of ooze collected by clams are more intelligent. It's so bad that astronauts on the ISS passing over Canberra need to shield their heads with lead so the radioactive idiocy doesn't fry them.
But don't kid yourself: Australian citizenship is profoundly valuable.
I would not pass it up lightly. I was born to it and I am enormously grateful to have it.
Getting where I am now (Australian permanent resident) has been the hardest thing I have ever done in my life.
It included working casual night-shift jobs while studying to get a uni degree during the day (having an Australian degree improves your score towards a skilled visa).
For a long period I have been separated from my wife and daughter due to visa complications; it was heartbreaking.
In addition I had to give up my role as a start-up co-founder (because in order to maximise your skilled visa score, it's better if you are an employee at an Australian-based company - the start-up I was involved with was legally based overseas).
I haven't even visited my home country (Italy) since 2013, I am still in touch with family and some friends but the reality is that the connection to Italy is slowly fading away and I am long past that phase where you start to call your adoptive country "home".
Becoming an Australian citizen has been the main goal of my life in the past 8 years so I'm not going to pass on it lightly. At the moment, however, I'm taking my time to think about it.
Relative to what other citizenship?
Bad news: This is still the words of a politician, so it's likely they're relatively empty and the changes may be trivial and won't address the fundamental distrust it has sown in Australian-developed and / or operated technologies.
So definitely take it with a grain of salt.
If your home country allows dual citizenship, it doesn't seem like a problem for getting a job outside Australia. If it's not a government job where they'll do security checks, just don't disclose your dual citizenship. I hold dual citizenship, and not that my company has asked or would ask me if I am, I could easily say that I'm not and there isn't a lot they can do. Even governments struggle to determine if someone is a citizen of a foreign country, as we discovered with the dual citizenship debacle in parliament.
If your home country doesn't allow dual citizenship, depending on the risk you're willing to take, you can still become a dual citizen and not notify your home country.
Either way, the benefits of being legally entitled to live in Australia for eternity, as well as the right to participate in the democratic process, outweigh any potential downsides to becoming an Australian citizen, although I still have a few more years to wait for that.
So, yes, I was thinking primarily about foreign companies; (by the way, your argument in relation to Australian companies, "Because the first is very illegal", is not bullet-proof, because there are many things in this world that are illegal, and yet they happen).
My home country allows dual citizenship but I don't think that it would be so easy as you say to withhold this crucial piece of information from an employer: given that about half of my CV is made of positions I've held in Australia, I believe it's not that unlikely that a prospective employer may ask about my citizenship status.
Anyway, I haven't taken any decision yet, I'm just basically taking my time. I agree with you about participating in the democratic process, when I evaluate pros and cons of becoming a citizen, that's the biggest pro in my mind. Being entitled to live in Australia, on the other hand, is not a big factor in this decision, because I already have a permanent visa that lets me do that.
You mean the same democratic process that passed this bill when literally 99% of the responses within the consultation period were against it?
Or maybe you're talking about the democratic process where our opposition agreed to pass this bill even though they thought it was badly thought-out and needed amendments which were promised to happen in February but still haven't, in return for our government not allowing doctors to see sick people in our secret offshore prisons that almost nobody supports.
I'm being facetious of course, but as an Australian citizen I haven't felt represented here for a long time.
Unless you are bribing foreign government officials, committing war crimes or engaging in sex tourism, you just have to worry about local laws.
Do as I say not as I do.
I can't stress enough the potential for harm in any attempt to bypass various laws.
The Australian Government even refused to allow independent Medical Doctors into their off-shore immigration detention centres for fear of the detention conditions being made public.
Australia did nothing to even consider trying to maybe help Julian Assange, an Australian citizen seeking protection from nation-backed harassment, way back when, and two Australian citizens were murdered by the Indonesian Government for drug trafficking (Australia negotiated prior to the event, but no negative action was taken afterwards). These are admittedly both divisive examples - with the intention to point out that it depends on the direction of political winds as to how the Australian Government will react.
Australia is a good place to live and the anecdotes above are specifically chosen as the far end of the bad scale, but if you choose a fight with any of the few specific issues the Government is paranoid about or sensitive to, you may face significant resources aimed at your incarceration.
Just make sure your ass is thrice covered if you're going to go up against it...
I mean, your code is stored in a shared repo, right? So pushing a commit with the government-mandated changes to the shared repo is "informing others". But not pushing it means it'll never get to Prod.
Most places review code commits routinely, so how is a dev supposed to get their government-mandated changes into Prod without anyone seeing them?
If your Australian co-worker stops pushing their commits to the repo and starts trying to make changes to Prod without going through review, it's also a strong signal that something might be going on here...
In fact, if this legislation posed any kind of threat to your business, then your software development processes are broken and you're vulnerable to a ton of other, more likely, threats.
The legislation was written by a shower of technically-incompetent career politicians, with absolutely zero understanding of (or interest in) how software development works. This is the same mob of idiots who pronounced "the laws of mathematics are all very well, but we're in Australia so we obey Australian laws" when discussing their plans to break cryptography.
It's unenforceable, ridiculous, and will get changed before it ever gets used.
But as a startup tech co-founder dealing with encrypted documents, and an Australian citizen, I'm not planning to launch in Australia until it's fixed, and leaving Australia until it's fixed.
[0]: https://boingboing.net/2015/03/26/australia-outlaws-warrant-...
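As an added example (not code from this thread or from any project mentioned in it), here is the review-bypass signal described above turned into a check: it walks a branch's first-parent history and reports commits that carry no reviewer, which is what a change pushed straight to the shared branch without review looks like. The `Reviewed-by:` trailer convention, the branch name `main` and the embedded sample log are all assumptions.

```python
"""Audit a production branch for changes that bypassed code review.

Added example, not code from the thread. It reads the first-parent
history of a branch (the output of `git log --first-parent`, with a
constructed sample embedded below) and reports commits that carry no
`Reviewed-by:` trailer. Assumption, not something the thread specifies:
the repo's policy is that every change lands through a reviewed merge or
squash commit recording its reviewer as a trailer, so a first-parent
commit without one reached the branch without anyone else seeing it.
"""
import re
import subprocess
from dataclasses import dataclass

REC_SEP = "\x1e"    # %x1e: one record per commit
FIELD_SEP = "\x1f"  # %x1f: separates the fields inside a record
LOG_FORMAT = "%H%x1f%P%x1f%an%x1f%s%x1f%b%x1e"
TRAILER_RE = re.compile(r"^Reviewed-by:\s*(\S.*)$", re.MULTILINE)


@dataclass
class Commit:
    sha: str
    parents: list[str]
    author: str
    subject: str
    body: str

    @property
    def is_merge(self) -> bool:
        return len(self.parents) > 1

    @property
    def reviewers(self) -> list[str]:
        # Trusts the trailer text; a real deployment should cross-check
        # against the hosting platform's own review records.
        return [r.strip() for r in TRAILER_RE.findall(self.body)]


@dataclass
class Finding:
    sha: str
    author: str
    subject: str
    kind: str  # "direct push" or "unreviewed merge"


def parse_log(raw: str) -> list[Commit]:
    """Parse git log output produced with LOG_FORMAT."""
    commits = []
    for rec in raw.split(REC_SEP):
        rec = rec.strip("\n")
        if not rec.strip():
            continue
        sha, parents, author, subject, body = rec.split(FIELD_SEP, 4)
        commits.append(Commit(sha.strip(), parents.split(), author, subject, body))
    return commits


def audit(commits: list[Commit]) -> list[Finding]:
    """Flag first-parent commits with no recorded reviewer."""
    findings = []
    for c in commits:
        if c.reviewers:
            continue
        kind = "unreviewed merge" if c.is_merge else "direct push"
        findings.append(Finding(c.sha, c.author, c.subject, kind))
    return findings


def load_branch(branch: str = "main") -> list[Commit]:
    """Read a real repository's history (first-parent line only)."""
    out = subprocess.check_output(
        ["git", "log", "--first-parent", f"--format={LOG_FORMAT}", branch],
        text=True,
    )
    return parse_log(out)


# Constructed sample in LOG_FORMAT: two reviewed landings and one direct push.
SAMPLE_LOG = REC_SEP.join([
    FIELD_SEP.join(["a1f3c0de", "9e8d7c6b", "Priya N.",
                    "Add rate limiting to login endpoint (#412)",
                    "Squash-merged from PR #412.\n\nReviewed-by: Tom R. <tom@example.test>\n"]),
    FIELD_SEP.join(["b2e4d1ff", "a1f3c0de c3d5e2aa", "Tom R.",
                    "Merge pull request #415 from feature/audit-log",
                    "Reviewed-by: Priya N. <priya@example.test>\n"]),
    FIELD_SEP.join(["c7a9b3dd", "b2e4d1ff", "Sam K.",
                    "hotfix: adjust build config",
                    "Pushed straight to main, no pull request.\n"]),
]) + REC_SEP + "\n"

if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f"{f.sha} {f.kind:<17} {f.author}: {f.subject}")
```

Run it against a real checkout with `audit(load_branch("main"))`; a single author accumulating "direct push" findings is the signal the comment above describes.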
I wouldn't risk it. There are ways to legally provide aggregated information about the number of notices received in a 6-month period.
Also, talk to your representative and explain your concerns and push for it to be scrapped (though when I talked to the Labor senators' staffers they brushed me off and said that I wasn't interested in being informed when I disagreed with their party line). Federal elections are coming up, they're more likely to at least pretend to listen to you.
(edited for clarity)
Similar processes already exist for other legal/police requests. If this legislation is used, companies like Telstra will have dedicated teams to comply with requests.
If your new Australian citizen hire can build back doors into your software you've got bigger issues than hiring. Though I could see real risk associated with an Australian-based team for a global company or an Australian-based supplier.
As I read it, the law requires warrants and court enforcement. I don't think you can be required to backdoor code in secret or held to account by the security agencies not to inform your employer. I would be very surprised if that was legal and uncontestable.
I do expect you can be informed by your employer you have to backdoor code.
I do not expect you can have an extra-territorial obligation placed on your work conducted outside Australia. If you are working inside Australia remotely I think it's complex.
I think the EFF should fund your case. Take citizenship and help fight this.
This law gave the government the power to do just that. Implementing a backdoor in secret is close to impossible, as any developer would know. There was a post[1] made by "Alfie John" (alfiedotwtf) that outlines a scenario in which a developer is presented with a Technical Capability Notice (TCN).
> I do not expect you can have an extra-territorial obligation placed on your work conducted outside Australia. If you are working inside Australia remotely I think it's complex.
Australian citizens, regardless of their location are obliged to comply with these requests.
If you are presented with a TAR, TAN or TCN, you have the option to seek legal counsel in private or risk fines of up to AUD$7.3 million.
You risk imprisonment if you reveal details about the notice to anyone other than those who are included in the notice or to seek legal counsel (this is an exception within the law).
[1] https://twitter.com/alfiedotwtf/status/1070047303275175936
The Aussie politicians that voted for this are hurting everybody. A mining-based economy with less business coming its way because of laws like this one.
https://boingboing.net/2017/07/15/malcolm-turnbull-is-an-idi...
Australia is a target for retribution here because the policy is newer and they're a smaller player.
Regarding your point, my understanding (I'm not a lawyer so I may be wrong) is that, in general, the law of a country applies to residents only while they are residing in the country, and it ends being applicable after they leave the country. For citizens this is certainly not the case, e.g. even though I haven't been to Italy since 2013, as a citizen I still have some rights and obligations.
Every company I've felt has been worth working for in the past 10 years has had rigorous code review practices that would obstruct my ability to integrate any code without oversight.
So... how?
So please apply, and then maybe one day you can vote against those who support it.
That's buck-wild.
For example, Apple has begun storing Russian user data in Russia in compliance with Russian data storage laws (https://venturebeat.com/2019/02/01/apple-will-reportedly-sto...), and Google is still working on its censored search engine in China.
Of course, if nobody else does this, this means you may have older software on your systems or less priority in development roadmaps or whatever as your country is an edge case, and you can probably say goodbye to market leadership and have to coast on your existing advantages. However, if everybody begins to cartelize the Internet, you may not lose as much in comparison to everybody else, since you will no longer be the edge case but the common case, and it will be a bad time to start a company or store data anywhere you go at any time. Companies will simply have to live with the geopolitical reality. In this sense, the Internet devolves into a suboptimal Nash equilibrium, where everybody has data localization laws and nobody will want to loosen up because storing your citizens' information on servers in another country will leave your citizens vulnerable. If this happens, the large homogeneous markets with a single language, government, and economy (U.S/China) may have an advantage.
This is sad, and I hope they reverse this law. An open Internet is good for economic and societal dynamism (and as a civilization is tautological to organized chaos, slowing that down weakens said civilization), and I wouldn't know how to work backwards to where the Internet should be. In the meantime, maybe this will lift some open source, decentralized communications means past some threshold of viability.
I don't see how this is inherently bad.
First of all Russia's intelligence agencies get access to any data belonging to Russian citizens anyway, simply because those citizens are under Russian legislation.
I don't know the details, however note that the GDPR also imposes restrictions on exporting the data of EU citizens outside the EU. For example, exports are only allowed to countries or territories that have enough safeguards for the protection of that data.
This is important for privacy, for example if our local security agencies mishandle my data, I can sue them, I can vote for the opposition, I can convince other people to do the same, etc, however if a foreign agency mishandles my data, like those of Australia, I can do absolutely nothing about it.
And from the state's point of view, having access to the data of your citizens is also a matter of national security. I can definitely see why a rival of the USA wouldn't want the data of its citizens stored on servers located in the USA.
---
Companies that want access to the Australian market will succumb to Australian demands of course.
The problem for Australia however is that their local companies will get hurt in the international marketplace.
For example Fastmail, which competes with Google by promising better privacy, is now in a very awkward situation of having to explain how this bill is affecting them and what they are doing about it. In a market dominated by Google, hurting your local companies that compete with Google is downright stupid and will have an effect on their economy.
I'd like to see how the Australian government handles things when MS cancels all their Windows and Office licenses.
You have control if you are running your own services on top of the main cloud providers, but if it is in O365 or GMail/GApps it used to be a different story, and this precluded their use by a bunch of .au organisations (universities, Govt departments) early on.
So now some of these orgs that need to have data stored in .au for privacy reasons (among other reasons) are subject to these new badly formed laws in some kind of twisted catch-22.
That's what passes for leadership these days.
See [1] for commentary about the international agenda in this case.
[1] https://www.lowyinstitute.org/the-interpreter/disruptors-dis...
* https://en.wikipedia.org/wiki/SSLeay
Now it's the opposite?
It is much worse than banning encryption as it is silent subterfuge and forcing the hand of citizens who would otherwise just be going about their day.
Laws should be able to stop people from doing certain things but forcing people to do something they had no business doing in the first place is insane.
> A technical assistance request (TAR): Police ask a company to "voluntarily" help, such as give technical details about the development of a new online service.
> A technical assistance notice (TAN): A company is required to give assistance. For example, if they can decrypt a specific communication, they must or face fines.
> A technical capability notice (TCN): The company must build a new function to help police get at a suspect's data, or face fines.
This approach is ripe for abuse. Even if a company is served with a TAN and "can't technically decrypt" then a TCN can force them to downgrade/backdoor the platform security to comply. The TAR seems token at best.
Does this law actually address such a scenario?
The govt talks about being tough on baddies, coal keeps being sold, there's no pedophiles in my house and wow, it's Sunday so let's all watch the footy!!
Losing access to an information stream due to routing or encryption. Matching allies' and rivals' levels of information access (à la PRISM). Denying them access... From the perspective of the spooks (ASIO, in this case) these are equivalents to exposing a microphone in Bin Laden's proverbial cave.
Meanwhile, FB & Google's revenue streams are, at this point, so big and so tightly coupled with creepy ad-tech/spyware that the economy depends on privacy initiatives failing. Narrowing down a list of FB users who are >n% likely to sign up to a new candy subscription is a lot like producing a list of >n% likely to march in Charlottesville or support some specific jihad. Collaboration is inevitable.
Let's not underestimate where these roads are leading.
One friend (health-related ML/AI) is moving from Australia to Thailand next week. He is PISSED the Aussie government wouldn't let him hire one guy who was already in the country but not a citizen. That cost 6 other domestics their job. They were sent packing last week.
He's not the first and he certainly won't be the last to move his company overseas because of the govt's anti-biz policies.
The main argument against adding more rights to the Constitution is: "we don't want to end up with obsolete rights that do more harm than good, and that are virtually impossible to get rid of, like the US with its right to bear arms".
> The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.
As to the bill of rights, so long as the police are armed and can act with impunity... imho, the populace should be able to be armed. I don't personally own a firearm... I also don't spew racist rhetoric. I am a strong believer in all civil rights.
The reason why the US constitution is so hard to amend is because of how high the bars are for the process - 2/3 in the House and in the Senate to submit amendments, and 3/4 of all state legislatures to ratify them. Or if going via state convention, then 2/3 of all state legislatures to request it, but still 3/4 to ratify anything that comes out of it.
I don't think it was a bad system originally, back before the 14th Amendment - since originally all those restrictions were on what the federal government can do, not on what the states can do. Between the states and their citizens, it was supposed to be taken care of by their respective state constitutions, which are generally much easier to amend - and even if they didn't, they wouldn't block other states from experimenting. With 14A, and the gradual incorporation of various constitutional protections on state level via it, the process to amend it needs to be more democratic IMO, and acknowledge the people, not just the states.
Not true.
Yeah, but they mess even that up by making it obligatory. :)
I find this funny because the SCOTUS basically can change the Constitution whenever they want.
The second amendment only states that the United States itself has a right to bear arms in order to defend itself (have a Militia)[0]. It didn't provide citizens the right to personal protection by guns until a 2008 Supreme Court case [1].
0: https://www.constituteproject.org/constitution/United_States...
1: https://en.wikipedia.org/wiki/District_of_Columbia_v._Heller
Though genuinely unsure and curious as to whether that's a separate legal (or perhaps media reporting) issue.
On an aside, it appears Australia has done away with the self-incrimination protection laws. Is that a right in most democratic countries?
And I agree about the web UI. I usually read and compose my email inside Emacs, but their web interface is very nice when necessary.
https://news.ycombinator.com/item?id=19372882
https://mailinabox.email/