I believe that is an incorrect interpretation of the law.
The govt can compel an entity to assist in making encrypted information available. But the entity in question is not the individual employee, but the company who owns the product or service.
If you're under the employment (i.e., not a contractor), you can't be an entity, and the employer will definitely know if they've been compelled.
But I do agree the law is stupid and erodes all trust from software owned by an Australian company.
> For the purposes of this Part, the following table defines:
> (a) designated communications provider;
> (b) the eligible activities of a designated communications provider
> A person is a designated communications provider if...
... Actually, there's too many to list. But here are a few examples:
> - the person provides an electronic service that has one or more end-users in Australia
> - the person develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end-users in Australia
> - the person manufactures or supplies components for use, or likely to be used, in the manufacture of a facility for use, or likely to be used, in Australia
> - the person is a constitutional corporation who: (a) manufactures; or (b) supplies; or (c) installs; or (d) maintains; data processing devices
Note that in the last situation they specifically mention corporations, but that prior situations do not require this. The requirements listed are to be interpreted as an OR, not an AND... so ah, that's fun.
So yes, we Australians can be legally required by our Government to perform corporate espionage... and almost no-one in Australia (certainly not the public at large) seems to give a f--k.
Oh, and it's probably worth noting that you need not even be an Australian citizen to be covered, you simply need to have users in Australia. Of course, whether Australia can enforce these laws against non-citizens is another matter.
However, this legislation was specifically put together with co-operation of all members of the five eyes, so there's a reasonable possibility of extradition. The Department of Home Affairs even made a public statement confirming as much. It seems to have since been pulled from their website, but is available at:
Jurisdiction sets no limits to itself, but to other jurisdictions. Australia can request extradition of anyone from anywhere, then it's up to that jurisdiction to decide whether to comply, which may or may not be situational. If the country believes it's a problem, then it would deny the request.
> However, this legislation was specifically put together with co-operation of all members of the five eyes, so there's a reasonable possibility of extradition. The Department of Home Affairs even made a public statement confirming as much. It seems to have since been pulled from their website, but is available at: [PDF link]
I read the PDF and didn't notice any mention of extradition. Am I missing something?
Don't know anything about extradition but the law specifically mentions putting in backdoors to aid foreign nations at their request.
It also notes that this can be for economic espionage too and isn't limited to national security (for the people who like to pretend that's not what their intelligence agencies are doing)
Sorry for the ambiguity. The reference I provided was with regard to the fact the Australian Government has collaborated with other five eyes countries with this legislation, or at least the 'need' for this legislation.
This is why I simply wrote there's a reasonable possibility of extradition, rather than anything definite.
> the person provides an electronic service that has one or more end-users in Australia
I don’t think this particular clause covers an individual working for a corporation as an employee, as in that case the employee isn’t providing the service the employer is.
It reads to me like that clause is intended to cover people who produce software as sole operators of their business, or perhaps a group of people in a business partnership.
I haven’t read the rest of the act, so maybe there is a stronger clause targeting employees?
If the government can compel a company to do a thing that doesn’t necessarily mean they can compel any particular individual.
You could refuse / quit / abandon the project. Maybe they’ll just find somebody else to do it?
> contracted service provider, in relation to a designated
> communications provider, means a person who performs services
> for or on behalf of the provider, but does not include a person who
> performs such services in the capacity of an employee of the
> provider.
The statute here is always talking about a contracted service provider who has to comply with the compelled "assistance". So as an employee, you do not have to worry about being jailed for non-compliance, as an employee cannot be a "contracted service provider". But you may be fired for non-compliance by your employer (if they choose to fire you because of it), but that's between you and your employer.
I'm certainly not a lawyer, so absolutely may have misinterpreted.
However, what I've quoted above is referring to the definition for a designated communications provider, as opposed to a 'contracted service provider' - the latter of which makes sense not to include employees as they're not 'contractors'. However, technical assistance notices (which are compulsory, as opposed to 'technical assistance requests') can be served to designated communications providers, as covered by 317L.
So the fact employees aren't considered a 'contracted service provider' is therefore not relevant?
Again, just reiterating, not at all a lawyer, however at this moment in time, this is my interpretation of the legislation.
It is completely relevant, since the OP mentions that you as an Australian working for a company could be compelled directly as a communications provider.
I'm saying that if you are in the employ of a communications provider or a contracted service provider, you do not have to worry about being compelled directly. I take "the person" to mean an actual person, or a legal person, but the employee of the communications provider is not a person (IANAL, so don't use me as legal advice).
The law provides a specific provision to say that there are limitations to what the assistance can be:
> 317ZG Designated communications provider must not be required
> to implement or build a systemic weakness or systemic
> vulnerability etc.
But the issue here is whether it's possible to perform the required "assistance" but not introduce systemic weakness or systemic vulnerability. I think it's a logical contradiction, so the law is pretty damn stupid...
Systemic weakness or systemic vulnerability is redefined to not include anything that the notice can require however, rendering that particular exception pointless.
> systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
The words "systemic weakness" means something completely different to how the industry would use it.
"We don't need you to introduce a Systemic Weakness into the whole class of 'electronics', we just need you to selectively target the specific class 'mobile phones' that are connected to John Doe 3 aka bogey-man-de-jour."
This is now a request that your lawyer would happily bill by the hour arguing with their lawyers in front of a judge - to determine whether it's a correct and enforceable interpretation of that shittily written legislation.
Except you aren't allowed to tell your lawyer we asked you to do it.
No. The people who wrote the law (and handed it over to the elected politician) know quite a lot about it. The politicians who put their face on it are mostly ignorant, if not idiots.
Politicians don't generally come home in the evening and sit down to write their own bills. They rely on "experts" to do it for them. The more we rely on a central regulatory apparatus, the more essential this is. And this is where we run into problems like this, as well as regulatory capture. But the fact remains that they've got to rely on somebody with expertise, yet where can you find such people, and how much can you trust them when they're not publicly responsible (or even known)?
I believe an independent contractor is considered a service provider, and so they could be compelled to provide the gov't assistance.
I also believe that these service provider(s) are required to not disclose the fact they've provided assistance. Therefore, Apple would do well to not hire any Australian company for their contracting purposes (but instead, employ them as an employee).
I am not a lawyer so I wouldn't be able to comment on the meaning of "entity", I hope you are right though, and I also hope that the Australian Government would at least clarify the meaning of the provision and the legal definition of "entity" in this specific case.