"For example, Australia’s law enforcement could compel Apple to provide access to a customer’s iPhone and all communications made on it without the user’s awareness or consent. An engineer involved would, in theory, be unable to tell their boss about this, or risk a jail sentence."
"The Australian government could demand web developers to deliver spyware and software developers to push malicious updates, all under the cloak of “national security.” The penalty for speaking about these government orders—which are called technical assistance requests (TAR), technical assistance notices (TAN), and technical capability notices (TCN)—is five years in prison."
So the developer discusses it with his boss. Developer A adds the back door. Developer B then patches the back door. Boss fires developer A. Developer A then uses this TAR crap to sue the government for forcing him to do something and lose his job.
I can’t see the government being able to defend itself. We elect the government to serve the people and the decisions of the government are negatively impacting the people no matter which way you spin it.
And there have to be limitations as to how far an individual could go as to subterfuge, so if your company enforces a 2-person code review and there aren't other authorized Australian nationals at hand, you could point at process preventing you from doing so without others' knowledge (how naive this defense is, I have no idea)
You opt into participating in that process by accepting the job, though. So from Australia's perspective, the way to comply with their law is to not take such jobs, and to leave if the process changes prevent you from complying.
I think you're inventing scenarios here that are too unlikely even for a pretty corrupt country. There probably exist laws in a number of countries which would technically jail you for taking some not-explicitly-illegal job. But this is absurd. Unless you're an actual lawyer giving an opinion here?
I think if you trust people to not be corrupt you will wind up with corruption. A bad law is one that requires the empowered to not abuse it. A good law can't be abused. Harsh and cynical but true - reductio ad absurdum: giving someone the legal power to murder anyone and relying on it to "not be abused" is a law literally bad enough to be casus belli for a civil war.
Can you explain why? It seems like a straightforward application of the law making some activity illegal, when its jurisdiction is explicitly defined as extending beyond the nation's borders. If you forget the border for a moment and just consider it all a single jurisdiction, aren't you basically saying that somebody can break the law and claim immunity from prosecution on the basis that their job requirements demanded that law to be broken?
3. You say we have code review the backdoor will be caught.
Now at this point the following might happen.
4a. make sure your code is reviewed by X.
4b. ok I guess it won't work.
4c. here is the code to put in, it has a very hard to catch bug that we can exploit.
in no way would I expect them to say
4d. well we're going to take you to court because you took a job that makes entering backdoors difficult.
on edit: improved formatting
on 2nd edit: I removed the leading No but, because I can't remember why I started off with that.
Is there a protection that prevents the government from requiring an employee take an action that may be discovered?
Or even a reason? I mean, unless the backdoor has a hard-coded URL like `www.ThisIsAGovernmentBackdoor.gov.au`, then a backdoor wouldn't seem to automatically implicate the government. Then an employer might well assume that the employee is just doing their own hacking. And presumably the employee can't say otherwise, right?
Or does the law say that employees can refuse if they fear discovery? And if so, couldn't employees always just refuse on that basis?
I'm not saying the employees can refuse, I'm saying the employees can say I will be discovered because of this reason. I naively suppose the police are like me in that they do things with a purpose in mind, and if they cannot achieve their purpose by an action they refrain from it as a waste of energy.
If their purpose is to hack company X, are informed that the way they intend to do it will be discovered and expose the tool they were going to use, then I expect they would refrain from doing that and try to find some other way. If they do not refrain then their purpose must not be to hack company X but really just to expose the tool for some reason.
However if they just say I will likely be discovered because of this reason, the police will probably just say "that's a risk we're willing to take!" and go for it.
so it's not that the job requirements demand that law be broken but rather the job requirements are such that the actions being demanded by the law will be ineffective or even worse, be caught out leading to termination of the only Australian 'asset' the government has in the team.
I suppose Australia can attempt to make a law saying any company based in Australia or selling products in Australia or with an internet presence available inside the country of Australia must stop using code review in case you ever hire an Australian citizen we want to put backdoors in your code.
Just imagining it is giving me quite the entertainment value.
Maybe the poster above was referring to the Underhanded C Contest
> The Underhanded C Contest is an annual contest to write innocent-looking C code implementing malicious behavior. In this contest you must write C code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should perform some specific underhanded task that will not be detected by examining the source code.
I highly encourage everyone to go look at the hall of fame, it was extremely eye opening when I first did!
Even knowing there is an exploit in the code, I probably would never be able to find most of them. My favorite is 2008's winner, whose goal is to write a redaction program to redact text. It doesn't use any buffer/array hacks, the code is very straightforward and simple and small, and it would work in languages other than C. It's a terrifying example of how easy it is to write malicious code that would pass multiple code reviews but still has a backdoor!
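The "reads as correct, passes review, still leaks" effect the contest rewards, as a constructed C illustration added here. It is not the 2008 entry (that code is not reproduced) and not from anyone in this thread. A bracket redactor is written the way a reviewer expects to see one, chunked through fgets(), beside a byte-at-a-time version that closes the hole. The sample line, the tiny CHUNK size and all function names are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Deliberately small so one short demo line spans two fgets() calls;
 * with a realistic 4096-byte buffer the same flaw needs a long line. */
#define CHUNK 32

/* Apparent contract: everything from '[' to the matching ']' is overwritten
 * with '#'. One pass per fgets() chunk, brackets redacted too, obviously
 * fine for every test line shorter than CHUNK-1 bytes. */
void redact_buggy(FILE *in, FILE *out)
{
    char buf[CHUNK];
    while (fgets(buf, sizeof buf, in) != NULL) {
        int hidden = 0;              /* flaw: state restarts on every fgets() call */
        for (char *p = buf; *p != '\0'; p++) {
            if (*p == '[')
                hidden = 1;
            if (hidden && *p != '\n') {
                int closing = (*p == ']');
                *p = '#';
                if (closing)
                    hidden = 0;
            }
        }
        fputs(buf, out);
    }
}

/* Same contract, one byte at a time: there is no buffer boundary for the
 * state to fall through. 'c' is an int so EOF stays distinct from a 0xFF
 * byte. An unclosed '[' keeps redacting to end of input (fail closed). */
void redact_fixed(FILE *in, FILE *out)
{
    int c, hidden = 0;
    while ((c = getc(in)) != EOF) {
        if (c == '[')
            hidden = 1;
        if (hidden && c != '\n') {
            int closing = (c == ']');
            c = '#';
            if (closing)
                hidden = 0;
        }
        putc(c, out);
    }
}

/* Constructed sample: the secret straddles the 31-byte fgets() boundary,
 * so the buggy version emits "rrect-horse-battery]" in the clear. */
static const char SAMPLE[] =
    "user=alice password=[hunter2-correct-horse-battery] ok\n";

/* Run a redactor over SAMPLE through temp files and copy the result to dst. */
static const char *run(void (*redactor)(FILE *, FILE *), char *dst, size_t cap)
{
    FILE *in = tmpfile(), *out = tmpfile();
    dst[0] = '\0';
    if (in != NULL && out != NULL) {
        fputs(SAMPLE, in);
        rewind(in);
        redactor(in, out);
        rewind(out);
        size_t n = fread(dst, 1, cap - 1, out);
        dst[n] = '\0';
    }
    if (in != NULL)  fclose(in);
    if (out != NULL) fclose(out);
    return dst;
}

const char *run_buggy(void) { static char r[128]; return run(redact_buggy, r, sizeof r); }
const char *run_fixed(void) { static char r[128]; return run(redact_fixed, r, sizeof r); }

int main(void)
{
    printf("buggy: %s", run_buggy());   /* tail of the secret survives */
    printf("fixed: %s", run_fixed());   /* password=### ... ### ok */
    return 0;
}
```

Nothing in the buggy function is wrong line by line, which is what makes it review-proof: the reviewer checks the redaction logic, and the input that triggers the leak is simply one the unit tests never contained. The practical check is the same as for any filter that carries state: fuzz it with inputs longer than every internal buffer, and prefer designs where the state and the data cannot desynchronise.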
Quit making me laugh, buddy. Unfortunately, I think we all know that once they get their office, they do very little to serve the people. Not sure about the case with Australia, but you can't sue the American government unless it lets you. Otherwise, it just claims sovereign immunity. Wrong as that is, it's a very good defense as it keeps them out of court. This might lead the employee to sue the employer ("I was complying with a lawful government order; you can't fire me for that!"), making Australians even more of a liability.
Employee gets fired for introducing a backdoor, but "may or may not have been" subject to one of these assistance notes (the Government won't comment either way, the employee insists they had a Technical Assistance Note). Employee sues the employer for wrongful dismissal because of the alleged unprovable TAN.
I wonder which way that court case would go... sounds like a recipe for deadlock.
Another possible concern is that the employee sues for wrongful termination, alleging they were "just following the law" (which they would have been). The employee shouldn't lose his job for following the law, the company shouldn't have such problems for trying to protect its users, and this whole mess was caused by government intervention.
But yes, it will be interesting to see how the courts rule. Not familiar with Australian law, so if anybody has thoughts about this, please feel free to enlighten me.
Considering the number of times I've seen a developer quickly patch something and deploy their private build to the customer (not maliciously, but because the customer is screaming and needs it right now and wouldn't wait for normal QA process), I don't think it would be terribly difficult for the compromised developer to create a malicious binary outside of the committed codebase.
I believe that is an incorrect interpretation of the law.
The govt can compel an entity to assist in making encrypted information available. But the entity in question is not the individual employee, but the company who owns the product or service.
If you're under employment (i.e., not a contractor), you can't be an entity, and the employer will definitely know if they've been compelled.
But I do agree the law is stupid and erodes all trust from software owned by an Australian company.
> For the purposes of this Part, the following table defines:
> (a) designated communications provider;
> (b) the eligible activities of a designated communications provider
> A person is a designated communications provider if...
... Actually, there's too many to list. But here are a few examples:
> - the person provides an electronic service that has one or more end-users in Australia
> - the person develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end-users in Australia
> - the person manufactures or supplies components for use, or likely to be used, in the manufacture of a facility for use, or likely to be used, in Australia
> - the person is a constitutional corporation who: (a) manufactures; or (b) supplies; or (c) installs; or (d) maintains; data processing devices
Note that in the last situation they specifically mention corporations, but the prior situations do not require this. The requirements listed are to be interpreted as an OR, not an AND... so ah, that's fun.
So yes, we Australians can be legally required by our Government to perform corporate espionage... and almost no-one in Australia (certainly not the public at large) seems to give a f--k.
Oh, and it's probably worth noting that you need not even be an Australian citizen to be covered, you simply need to have users in Australia. Of course, whether Australia can enforce these laws against non-citizens is another matter.
However, this legislation was specifically put together with co-operation of all members of the five eyes, so there's a reasonable possibility of extradition. The Department of Home Affairs even made a public statement confirming as much. It seems to have since been pulled from their website, but is available at:
Jurisdiction sets no limits to itself, but to other jurisdictions. Australia can request extradition of anyone from anywhere, then it's up to that jurisdiction to decide whether to comply, which may or may not be situational. If the country believes it's a problem, then it would deny the request.
>However, this legislation was specifically put together with co-operation of all members of the five eyes, so there's a reasonable possibility of extradition. The Department of Home Affairs even made a public statement confirming as much. It seems to have since been pulled from their website, but is available at: [PDF link]
I read the PDF and didn't notice any mention of extradition. Am I missing something?
Don't know anything about extradition but the law specifically mentions putting in backdoors to aid foreign nations at their request.
It also notes that this can be for economic espionage too and isn't limited to national security (for the people who like to pretend that's not what their intelligence agencies are doing)
Sorry for the ambiguity. The reference I provided was with regard to the fact the Australian Government has collaborated with other five eyes countries with this legislation, or at least the 'need' for this legislation.
This is why I simply wrote there's a reasonable possibility of extradition, rather than anything definite.
> the person provides an electronic service that has one or more end-users in Australia
I don’t think this particular clause covers an individual working for a corporation as an employee, as in that case the employee isn’t providing the service the employer is.
It reads to me like that clause is intended to cover people who produce software as sole operators of their business, or perhaps a group of people in a business partnership.
I haven’t read the rest of the act, so maybe there is a stronger clause targeting employees?
If the government can compel a company to do a thing that doesn’t necessarily mean they can compel any particular individual.
You could refuse / quit / abandon the project. Maybe they’ll just find somebody else to do it?
> contracted service provider, in relation to a designated
> communications provider, means a person who performs services
> for or on behalf of the provider, but does not include a person who
> performs such services in the capacity of an employee of the
> provider.
The statute here is always talking about a contracted service provider who has to comply with the compelled "assistance". So as an employee, you do not have to worry about being jailed for non-compliance, as an employee cannot be a "contracted service provider". But you may be fired for non-compliance by your employer (if they choose to fire you because of it), but that's between you and your employer.
I'm certainly not a lawyer, so absolutely may have misinterpreted.
However, what I've quoted above is referring to the definition for a designated communications provider, as opposed to a 'contracted service provider' - the latter of which makes sense not to include employees as they're not 'contractors'. However, technical assistance notices (which are compulsory, as opposed to 'technical assistance requests') can be served to designated communications providers, as covered by 317L.
So the fact employees aren't considered a 'contracted service provider' is therefore not relevant?
Again, just reiterating, not at all a lawyer, however at this moment in time, this is my interpretation of the legislation.
It is completely relevant, since the OP mentions that you as an Australian working for a company could be compelled directly as a communications provider.
I'm saying that if you are in the employ of a communications provider or a contracted service provider, you do not have to worry about being compelled directly. I take "the person" to mean an actual person, or a legal person, but the employee of the communications provider is not a person (IANAL, so don't use me as legal advice).
The law provides a specific provision to say that there are limitations to what the assistance can be:
> 317ZG Designated communications provider must not be required
> to implement or build a systemic weakness or systemic
> vulnerability etc.
But the issue here is whether it's possible to perform the required "assistance" but not introduce systemic weakness or systemic vulnerability. I think it's a logical contradiction, so the law is pretty damn stupid...
Systemic weakness or systemic vulnerability is redefined to not include anything that the notice can require however, rendering that particular exception pointless.
> systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
The words "systemic weakness" means something completely different to how the industry would use it.
"We don't need you to introduce a Systemic Weakness into the whole class of 'electronics', we just need you to selectively target the specific class 'mobile phones' that are connected to John Doe 3 aka bogey-man-du-jour."
This is now a request that your lawyer would happily bill by the hour arguing with their lawyers in front of a judge - to determine whether it's a correct and enforceable interpretation of that shittily written legislation.
Except you aren't allowed to tell your lawyer we asked you to do it.
No. The people who wrote the law (and handed it over to the elected politician) know quite a lot about it. The politicians who put their face on it are mostly ignorant, if not idiots.
Politicians don't generally come home in the evening and sit down to write their own bills. They rely on "experts" to do it for them. The more we rely on a central regulatory apparatus, the more essential this is. And this is where we run into problems like this, as well as regulatory capture. But the fact remains that they've got to rely on somebody with expertise, yet where can you find such people, and how much can you trust them when they're not publicly responsible (or even known)?
I believe an independent contractor is considered a service provider, and so they could be compelled to provide the gov't assistance.
I also believe that these service provider(s) are required to not disclose the fact they've provided assistance. Therefore, Apple would do well to not hire any Australian company for their contracting purposes (but instead, employ them as employees).
I am not a lawyer so I wouldn't be able to comment on the meaning of "entity", I hope you are right though, and I also hope that the Australian Government would at least clarify the meaning of the provision and the legal definition of "entity" in this specific case.
Do you know what exactly constitutes a backdoor and how exactly the Australian government "orders" its citizens to add this backdoor?
I'm less worried about an individual writing backdoor code and more worried about sabotage by giving private keys to the government, leaking sensitive data etc. While these are not strictly backdoors in the technical sense, I guess the government can put such things under that broad category.
Another question I have in my mind is whether it would be legal to post "Australian citizens may not apply for this job" under the job posting in USA. Clearly there is a good reason to believe an Australian citizen is not good enough for tech jobs given that he comes with this baggage.
How exactly would this work? Let's say I have been coerced into making a back door, and my company has a policy of enforcing code reviews for every project. Surely, somebody would notice? Or would they count on me to do my best to obfuscate the back door? What if I "don't know" anything about obfuscation?
Good question. I think nobody knows. Most likely what happens is:
* You make the change
* You report back that you made the change and it's now pending in code review
* Your change gets rejected in code review
* Australia tells you to make the change and circumvent code review
* You tell them you have no way to do that; every change goes through code review
* Australia wants to know who reviews your code, and if your code could be reviewed by an Australian
* Your boss asks you why you haven't delivered any changes recently and why are you constantly on the phone explaining the code review process
* Australia contacts a reviewer and tells them to accept your next change or else
* You get fired before you can submit the change again
Source: Sydney Morning Herald https://www.smh.com.au/business/consumer-affairs/dangerous-o...
That would be a 5-year jail sentence apparently:
"The Australian government could demand web developers to deliver spyware and software developers to push malicious updates, all under the cloak of “national security.” The penalty for speaking about these government orders—which are called technical assistance requests (TAR), technical assistance notices (TAN), and technical capability notices (TCN)—is five years in prison."
Source: EFF https://www.eff.org/deeplinks/2018/09/australian-government-...