
I migrated to Australia many years ago and I have recently become eligible to become a citizen. However I’ve heard stories of tech companies refusing to hire Australians because of the AA Bill, so I’m holding it off for now. The problem seems to be the provision that a tech worker can be coerced by the Australian Government into creating a backdoor, and they are not authorised to disclose it to their employer. I don’t want to hurt my future employability. On the one hand, if I had my citizenship then I could vote at the next elections, but on the other hand the AA Bill has been supported by all major Australian parties so I feel powerless.


Is this true? There is no way I am hiring an Australian citizen then.


"For example, Australia’s law enforcement could compel Apple to provide access to a customer’s iPhone and all communications made on it without the user’s awareness or consent. An engineer involved would, in theory, be unable to tell their boss about this, or risk a jail sentence."

Source: Sydney Morning Herald https://www.smh.com.au/business/consumer-affairs/dangerous-o...

That would be a 5-year jail sentence apparently:

"The Australian government could demand web developers to deliver spyware and software developers to push malicious updates, all under the cloak of “national security.” The penalty for speaking about these government orders—which are called technical assistance requests (TAR), technical assistance notices (TAN), and technical capability notices (TCN)—is five years in prison."

Source: EFF https://www.eff.org/deeplinks/2018/09/australian-government-...


So developer discusses with his boss. Developer A adds back door. Developer B then patches back door. Boss fires developer A. Developer A then uses this TAR crap to sue government for forcing him to do something and lose his job.

I can’t see the government being able to defend itself. We elect the government to serve the people and the decisions of the government are negatively impacting the people no matter which way you spin it.

My 2 cents.


'developer discusses with his boss' => that's 5 years prison right there, not joking

It's 5 for not doing it and 5 for telling anyone, 10 for both


Assuming it could be proven, surely?

And there have to be limitations as to how far an individual could go as to subterfuge, so if your company enforces a 2-person code review and there aren't other authorized Australian nationals at hand, you could point at process preventing you from doing so without others' knowledge (how naive this defense is, I have no idea)


You opt into participating that process by accepting the job, though. So from Australia's perspective, the way to comply with their law is to not take such jobs, and to leave if the process changes prevent you from complying.


I think you're inventing scenarios here that are too unlikely even for a pretty corrupt country. There probably exist laws in a number of countries which would technically jail you for taking some not-explicitly-illegal job. But this is absurd. Unless you're an actual lawyer giving opinion here?


I think if you trust people to not be corrupt you will wind up with corruption. A bad law is one that requires the empowered to not abuse it. A good law can't be abused. Harsh and cynical but true - reductio ad absurdum giving someone the legal power to murder anyone and relying on it to "not be abused" is a law literally bad enough to be casus belli for a civil war.


Unless you're an Australian lawyer I'm going to think this interpretation is a little far out by most Western legal traditions.


Can you explain why? It seems like a straightforward application of the law making some activity illegal, when its jurisdiction is explicitly defined as extending beyond the nation's borders. If you forget the border for a moment and just consider it all a single jurisdiction, aren't you basically saying that somebody can break the law and claim immunity from prosecution on the basis that their job requirements demanded that law to be broken?


What I expect would happen is as follows:

1. you take job at place with code review.

2. Australian police say place a backdoor.

3. You say we have code review the backdoor will be caught.

Now at this point the following might happen.

4a. make sure your code is reviewed by X.

4b. ok I guess it won't work.

4c. here is the code to put in, it has a very hard to catch bug that we can exploit.

in no way would I expect them to say 4d. well we're going to take you to court because you took a job that makes entering backdoors difficult.

on edit: improved formatting on 2nd edit: I removed the leading No but, because I can't remember why I started off with that.


Is there a protection that prevents the government from requiring an employee take an action that may be discovered?

Or even a reason? I mean, unless the backdoor has a hard-coded URL like `www.ThisIsAGovernmentBackdoor.gov.au`, then a backdoor wouldn't seem to automatically implicate the government. Then an employer might well assume that the employee is just doing their own hacking. And presumably the employee can't say otherwise, right?

Or does the law say that employees can refuse if they fear discovery? And if so, couldn't employees always just refuse on that basis?


I'm not saying the employees can refuse, I'm saying the employees can say I will be discovered because of this reason. I naively suppose the police are like me in that they do things with a purpose in mind, and if they cannot achieve their purpose by an action they refrain from it as a waste of energy.

If their purpose is to hack company X, are informed that the way they intend to do it will be discovered and expose the tool they were going to use, then I expect they would refrain from doing that and try to find some other way. If they do not refrain then their purpose must not be to hack company X but really just to expose the tool for some reason.

However if they just say I will likely be discovered because of this reason, the police will probably just say "that's a risk we're willing to take!" and go for it.


so it's not that the job requirements demand that law be broken but rather the job requirements are such that the actions being demanded by the law will be ineffective or even worse, be caught out leading to termination of the only Australian 'asset' the government has in the team.

I suppose Australia can attempt to make a law saying any company based in Australia or selling products in Australia or with an internet presence available inside the country of Australia must stop using code review in case you ever hire an Australian citizen we want to put backdoors in your code.

Just imagining it is giving me quite the entertainment value.


The obfuscated C coding contest shows that you probably won't catch backdoors with code reviews


Obfuscated code shouldn't pass code review.


Maybe the poster above was referring to the Underhanded C Contest

> The Underhanded C Contest is an annual contest to write innocent-looking C code implementing malicious behavior. In this contest you must write C code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should perform some specific underhanded task that will not be detected by examining the source code.

Source: http://www.underhanded-c.org/_page_id_2.html


I highly encourage everyone to go look at the hall of fame, it was extremely eye opening when I first did!

Even knowing there is an exploit in the code, I probably would never be able to find most of them. My favorite is 2008's winner whose goal is to write a redaction program to redact text. It doesn't use any buffer/array hacks, the code is very straightforward and simple and small, and it would work in languages other than C. It's a terrifying example of how easy it is to write malicious code that would pass multiple code reviews but still has a backdoor!

http://www.underhanded-c.org/_page_id_17.html


I bet Zero day backdoors are the retirement plan of half the security relevant coders here.


> We elect the government to serve the people

Quit making me laugh, buddy. Unfortunately, I think we all know that once they get their office, they do very little to serve the people. Not sure about the case with Australia, but you can't sue the American government unless it lets you. Otherwise, it just claims sovereign immunity. Wrong as that is, it's a very good defense as it keeps them out of court. This might lead the employee to sue the employer ("I was complying with a lawful government order; you can't fire me for that!"), making Australians even more of a liability.


That could lead to some interesting court cases.

Employee gets fired for introducing a backdoor, but "may or may not have been" subject to one of these assistance notes (the Government won't comment either way, the employee insists they had a Technical Assistance Note). Employee sues the employer for wrongful dismissal because of the alleged unprovable TAN.

I wonder which way that court case would go... sounds like a recipe for deadlock.


Even better: employee gets criminally prosecuted in a (slightly) more sensible jurisdiction for having intentionally introduced the backdoor.


Another possible concern is that the employee sues for wrongful termination, alleging they were "just following the law" (which they would have been). The employee shouldn't lose his job for following the law, the company shouldn't have such problems for trying to protect its users, and this whole mess was caused by government intervention.

But yes, it will be interesting to see how the courts rule. Not familiar with Australian law, so if anybody has thoughts about this, please feel free to enlighten me.


Considering the number of times I've seen a developer quickly patch something and deploy their private build to the customer (not maliciously, but because the customer is screaming and needs it right now and wouldn't wait for normal QA process), I don't think it would be terribly difficult for the compromised developer to create a malicious binary outside of the committed codebase.


I believe that is an incorrect interpretation of the law.

The govt can compel an entity to assist in making encrypted information available. But the entity in question is not the individual employee, but the company who owns the product or service.

If you're under the employment (i.e., not a contractor), you can't be an entity, and the employer will definitely know if they've been compelled.

But I do agree the law is stupid and erodes all trust from software owned by an Australian company.


IANAL, but sadly, the law does seem to target people rather than (or in addition to) corporations.

https://parlinfo.aph.gov.au/parlInfo/download/legislation/bi...

> 317C:

> For the purposes of this Part, the following table defines:

> (a) designated communications provider;

> (b) the eligible activities of a designated communications provider

> A person is a designated communications provider if...

... Actually, there's too many to list. But here are a few examples:

> - the person provides an electronic service that has one or more end-users in Australia

> - the person develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end-users in Australia

> - the person manufactures or supplies components for use, or likely to be used, in the manufacture of a facility for use, or likely to be used, in Australia

> - the person is a constitutional corporation who: (a) manufactures; or (b) supplies; or (c) installs; or (d) maintains; data processing devices

Note that in the last situation they specifically mention corporations, but that prior situations do not require this. The requirements listed are to be interpreted as an OR, not an AND... so ah, that's fun.

So yes, we Australians can be legally required by our Government to perform corporate espionage... and almost no-one in Australia (certainly not the public at large) seems to give a f--k.


Oh, and it's probably worth noting that you need not even be an Australian citizen to be covered, you simply need to have users in Australia. Of course, whether Australia can enforce these laws against non-citizens is another matter.

However, this legislation was specifically put together with co-operation of all members of the five eyes, so there's a reasonable possibility of extradition. The Department of Home Affairs even made a public statement confirming as much. It seems to have since been pulled from their website, but is available at:

https://cryptome.org/2018/11/5-Eyes-Crypto.pdf

Five Eyes just wanted this legislation pushed through somewhere and targeted Australia because we:

- lack a bill of rights

- are constantly distracted by politicians backstabbing each other, and

- there's a strong 'think of the children' sentiment in Australia that can be (and has been) used to push through all sorts of egregious bills.


You can't force non-citizens, obviously, since non-citizens are not under Australian jurisdiction.

If they could, then this would create a problem of national security for other countries.

But yes, the Five Eyes countries can use Australia for their wiretapping.


It wouldn't be the first time someone would be extradited to a country they've never even visited.


Jurisdiction sets no limits to itself, but to other jurisdictions. Australia can request extradition of anyone from anywhere, then it's up to that jurisdiction to decide whether to comply, which may or may not be situational. If the country believes it's a problem, then it would deny the request.


> However, this legislation was specifically put together with co-operation of all members of the five eyes, so there's a reasonable possibility of extradition. The Department of Home Affairs even made a public statement confirming as much. It seems to have since been pulled from their website, but is available at: [PDF link]

I read the PDF and didn't notice any mention of extradition. Am I missing something?


Don't know anything about extradition but the law specifically mentions putting in backdoors to aid foreign nations at their request.

It also notes that this can be for economic espionage too and isn't limited to national security (for the people who like to pretend that's not what their intelligence agencies are doing)


Sorry for the ambiguity. The reference I provided was with regard to the fact the Australian Government has collaborated with other five eyes countries with this legislation, or at least the 'need' for this legislation.

This is why I simply wrote there's a reasonable possibility of extradition, rather than anything definite.


Ah, gotcha. Thanks for the clarification.


> the person provides an electronic service that has one or more end-users in Australia

I don’t think this particular clause covers an individual working for a corporation as an employee, as in that case the employee isn’t providing the service the employer is.

It reads to me like that clause is intended to cover people who produce software as sole operators of their business, or perhaps a group of people in a business partnership.

I haven’t read the rest of the act, so maybe there is a stronger clause targeting employees?

If the government can compel a company to do a thing that doesn’t necessarily mean they can compel any particular individual.

You could refuse / quit / abandon the project. Maybe they’ll just find somebody else to do it?


Then the government threaten to sue, many will compel. If the government say they will get 5 year jail for telling anybody, how can they get help?

Remember AU have no bill of rights.


in the definition part of the law:

> contracted service provider, in relation to a designated communications provider, means a person who performs services for or on behalf of the provider, but does not include a person who performs such services in the capacity of an employee of the provider.

The statute here is always talking about a contracted service provider who has to comply with the compelled "assistance". So as an employee, you do not have to worry about being jailed for non-compliance, as an employee cannot be a "contracted service provider". But you may be fired for non-compliance by your employer (if they choose to fire you because of it), but that's between you and your employer.


I'm certainly not a lawyer, so absolutely may have misinterpreted.

However, what I've quoted above is referring to the definition for a designated communications provider, as opposed to a 'contracted service provider' - the latter of which makes sense not to include employees as they're not 'contractors'. However, technical assistance notices (which are compulsory, as opposed to 'technical assistance requests') can be served to designated communications providers, as covered by 317L.

So the fact employees aren't considered a 'contracted service provider' is therefore not relevant?

Again, just reiterating, not at all a lawyer, however at this moment in time, this is my interpretation of the legislation.


It is completely relevant, since the OP mentions that you as an Australian working for a company could be compelled directly as a communications provider.

I'm saying that if you are in the employ of a communications provider or a contracted service provider, you do not have to worry about being compelled directly. I take "the person" to mean an actual person, or a legal person, but the employee of the communications provider is not a person (IANAL, so don't use me as legal advice).


You are making the incorrect assumption that the people writing these laws are not idiots.

They don't understand the technology.

They don't listen to any of the people who advise them about this technology.

They seem only to be listening to the police and other law enforcement crying about "paedophiles and terrorists GOING DARK".

The Prime Minister at the time claimed the laws of Australia overrode the laws of mathematics. Seriously.


The law provides a specific provision to say that there are limitations to what the assistance can be:

> 317ZG Designated communications provider must not be required to implement or build a systemic weakness or systemic vulnerability etc.

But the issue here is whether it's possible to perform the required "assistance" but not introduce systemic weakness or systemic vulnerability. I think it's a logical contradiction, so the law is pretty damn stupid...


Systemic weakness or systemic vulnerability is redefined to not include anything that the notice can require however, rendering that particular exception pointless.

> systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.

The words "systemic weakness" means something completely different to how the industry would use it.


"We don't need you to introduce a Systemic Weakness into the whole class of 'electronics', we just need you to selectively target the specific class 'mobile phones' that are connected to John Doe 3 aka bogey-man-de-jour."

This is now a request that your lawyer would happily bill by the hour arguing with their lawyers in front of a judge - to determine whether it's a correct and enforceable interpretation of that shittily written legislation.

Except you aren't allowed to tell your lawyer we asked you to do it.


No. The people who wrote the law (and handed it over to the elected politician) knows quite a lot about it. The politicians who put their face on it are mostly ignorant, if not idiots.

Politicians don't generally come home in the evening and sit down to write their own bills. They rely on "experts" to do it for them. The more we rely on a central regulatory apparatus, the more essential this is. And this is where we run into problem like this, as well as regulatory capture. But the fact remains that they've got to rely on somebody with expertise, yet where can you find such people, and how much can you trust them when they're not publicly responsible (or even known).


They don't understand technology. But they know law -- and how to abuse them.


What if the entity is, say, an independent contractor, staffing agency, or consultancy that provides engineering support to Apple?


I believe an independent contractor is considered a service provider, and so they could be compelled to provide the gov't assistance.

I also believe that these service provider(s) are required to not disclose the fact they've provided assistance. Therefore, Apple would do well to not hire any Australian company for their contracting purposes (but instead, employ them as an employee).


I am not a lawyer so I wouldn't be able to comment on the meaning of "entity", I hope you are right though, and I also hope that the Australian Government would at least clarify the meaning of the provision and the legal definition of "entity" in this specific case.


Do you know what exactly constitutes a backdoor and how exactly the Australian government "orders" their citizens to add this backdoor?

I am less worried about an individual writing backdoor code and more worried about sabotage by giving private keys to government, leaking sensitive data etc. While these are not strictly backdoors in the technical sense, I guess government can put such things under that broad category.

Another question I have in my mind is whether it would be legal to post "Australian citizens may not apply for this job" under the job posting in USA. Clearly there is a good reason to believe an Australian citizen is not good enough for tech jobs given that he comes with this baggage.


How exactly would this work? Let's say I have been coerced into making a back door, and my company has a policy of enforcing code reviews for every project. Surely, somebody would notice? Or would they count on me to do my best to obfuscate the back door? What if I "don't know" anything about obfuscation?


Good question. I think nobody knows. Most likely what happens is:

  * You make the change
  * You report back that you made the change and it's now pending in code review
  * Your change gets rejected in code review
  * Australia tells you to make the change and circumvent code review
  * You tell them you have no way to do that; every change goes through code review
  * Australia wants to know who reviews your code, and if your code could be reviewed by an Australian
  * Your boss asks you why you haven't delivered any changes recently and why are you constantly on the phone explaining the code review process
  * Australia contacts a reviewer and tells them to accept your next change or else
  * You get fired before you can submit the change again


More likely:

* You make the change.

* Your peer green lights the change because they have also been independently compelled by the government.

* You and your peer never talk about it again.


The answer is "it's complicated." See https://github.com/alfiedotwtf/AABillFAQ


Thank you for providing a better source - reality is more nuanced than what most news outlets want you to believe, but unfortunately hiring practices are influenced by public discourse, and unfortunately the prevalent message out there is "don't hire Australians"


It might be cheaper for a business to just not hire Australians than to hire a lawyer and dedicate bizdev time to figuring out the intricacies and nuance


It is not cheaper than getting sued for discrimination. Which would be easily proven in many cases, seeing how many people are more afraid of a potential issue with another country's intelligence agencies than of publicly posting about their plans to violate their own employment laws.


That's absurd, not hiring a foreign national on security concerns is a daily event, can you name one discrimination case won for that?


You're bringing up a valid exception validated by law. It's not the default and does not apply to almost all jobs out there. It's also usually applied as "only our nationals" rather than "not those specific other nationals" which would be the case for non-Australian.

I'm not linking specific cases. (partially because you didn't specify which country you're taking any) A quick Google will bring you the specific laws, cases and lots of lawyers specifically advertising themselves to handle those cases.


You can’t be sued for discrimination based on the employee's location, which is actually the issue at stake here. Citizenship doesn’t appear to be relevant.


Parent posts are about citizenship, not location. Literally "not hire Australians".


Later posts make it clear the law is actually about country, not citizenship. Non-citizen residents of Australia have the same risk factor as citizens.


No, business hiring is influenced by risk and value. Having any of this language is a risk that's just not worth it, especially because of how ambiguous and surreptitious this is.

It's up to the citizens and their government to rectify such poor legislation.


The fact we have to ask is unacceptable in the first place! The same way you shouldn't have to ask if there is polonium in your tea. Given the easiest and most sensible solution is the same in both cases - dump it because it isn't worth the risk.


Do they have to tell you they are an Australian citizen? E.g. if they happen to also have local citizenship of your country?


I haven't seen a compelling argument that it has extra-territorial effect; on my reading of the amendments it doesn't.

Extending your intelligence laws to cover individuals residing in other countries, who might also be citizens or permanent residents of those countries, can make for awkward dinner table discussion in diplomatic settings.

So hiring Australians working outside of Australia should be OK.

Of course, I'm not a lawyer. Or a spook. Or a diplomat.


1. You likely can't force someone to disclose all their citizenships.

2. In most countries you can't legally discriminate based on nationality. In practice publishing this comment here will likely cause you more trouble if you reject someone now, than Australian government.

3. If you apply this to all... what countries are you left with exactly where the government or LE can't force people to do something?


> 1. You likely can't force someone to disclose all their citizenships.

Yes you can, in some cases; as for instance in some cases, especially IT security, you cannot be a foreign national or have ties to some specific nationality if you do business with local governments. This requires you to know the nationality(ies) of your employees. You can still have them in your team but they cannot work on the project. The Australian law would make this a very good argument to not hire them as they cannot work on any project as they are possibly compromised. An example would be SpaceX which only hires US citizens due to DoD contracts.

> 2. In most countries you can't legally discriminate based on nationality. In practice publishing this comment here will likely cause you more trouble if you reject someone now, than Australian government.

I'm pretty sure that in the cryptography and IT security business the value of not having to comply with this law outweighs the cost of any discrimination lawsuits.


Government/DoD security is much different than any random company's IT security. Even large corps don't care about nationality for security team, just visa status / employment rules for most projects. (Again, when not related to gov projects)

I honestly don't know how SpaceX does what it does. (Update: they are regulated as working on military stuff so it's the same as DoD rules)


Do you avoid hiring people from China, Iran, Russia and anyone else from an authoritarian regime?


Yes, absolutely.


I admire the consistency, but the amount of posts I see along the lines of "we won't hire Australians anymore" and the absence of posts like "we'll be adding Australia to the list of countries we don't hire from" doesn't fill me with confidence that this is common.

Even before this change plenty of Chinese nationals would likely be employed wherever they were storing data in Australia and MS didn't care about that. I'm not aware of any MS ban on hiring Chinese either. So they were presumably fine with the threat of Chinese nationals inserting back doors, but it's a problem now because it's Australians.


The difference is that if a Chinese person does something for a Chinese intelligence agency they go to jail.

If someone sabotages a company after being instructed to do so by an Australian agency they are carrying out a lawful order.

Big difference IMO.


I don't think MS really hires many Chinese nationals. There certainly aren't nearly as many Chinese nationals at MS compared to Facebook and Uber


> The problem seems to be the provision that a tech worker can be coerced by the Australian Government into creating a backdoor, and they are not authorised to disclose it to their employer.

> Is this true? There is no way I am hiring an Australian citizen then.

No. The request or notice is served to the company, not the individual, so the company is not left in the dark.

There has been a lot of poor reporting about this law; roughly speaking, there are 3 types of requests for data allowed:

1. Technical Assistance Request - "give me this data please". Optional, no penalty to anyone for not complying.

2. Technical Assistance Notice - "give me this data if you can, or else..". Mandatory, penalty to the company if they can comply but do not comply.. but if the company would have to build a new thing to comply (e.g. they do not have the decryption key and there's no backdoor), then there's no penalty and they do not have to comply.

3. Technical Capability Notice - "give me this data or build a way to give me this data, or else..". Mandatory, and a penalty to the company if they do not comply. If they can't do the thing yet, they need to build a backdoor, unless doing so would introduce a "systemic weakness".

In all cases, it's the company being targeted. Individuals in the company only become liable for penalties if they leak information to people not involved in the investigation.

Yes, it's still a bad law that was rushed through with too little discussion. Yes, there is too much room for interpretation and too little oversight. (And yes, Australian tech companies like Atlassian are lobbying heavily to improve the situation[0][1][2].)

But we're not at the point where it's reasonable to blacklist Australian tech workers yet, thankfully.

Source: I am an engineering manager at Atlassian, a major Australian tech company; there has been a lot of internal discussion and guidance from our founders and legal team about this.

Disclaimer: I am not a lawyer, this is not legal advice, etc. Also, I am an Australian citizen.

[0]: https://www.theaustralian.com.au/business/technology/scott-f...

[1]: https://www.afr.com/technology/web/security/atlassian-leads-...

[2]: https://ia.acs.org.au/article/2019/tech-industry--fix-the-as...


I'm confused by the "systemic weakness" exception for the third case. Obviously I need to research this, but it seems that in many cases, a backdoor is, almost by definition, a systemic weakness. Of course, I wouldn't want to argue that point in front of a judge, but it would be useful to have more clarity around this.


Look.

It's a stupid bill.

So garishly stupid that it can blind a boulder. So vapidly moronic that bits of ooze collected by clams are more intelligent. It's so bad that astronauts on the ISS passing over Canberra need to shield their heads with lead so the radioactive idiocy doesn't fry them.

But don't kid yourself: Australian citizenship is profoundly valuable.

I would not pass it up lightly. I was born to it and I am enormously grateful to have it.


> Australian citizenship is profoundly valuable.

Getting where I am now (Australian permanent resident) has been the hardest thing I have ever done in my life.

It included working casual night-shift jobs while studying to get a uni degree during the day (having an Australian degree improves your score towards a skilled visa).

For a long period I have been separated from my wife and daughter due to visa complications, it was heartbreaking.

In addition I had to give up my role as a start-up co-founder (because in order to maximise your skilled visa score, it's better if you are an employee at an Australian-based company - the start-up I was involved with was legally based overseas).

I haven't even visited my home country (Italy) since 2013, I am still in touch with family and some friends but the reality is that the connection to Italy is slowly fading away and I am long past that phase where you start to call your adoptive country "home".

Becoming an Australian citizen has been the main goal of my life in the past 8 years so I'm not going to pass on it lightly. At the moment, however, I'm taking my time to think about it.


One more piece of Anecdata, I'm an Australian who has decided to go for US citizenship, for several reasons but all basically due to a continuous disregard for personal liberties by our government. Australians love being told what to do, seems like 90% of the population are very satisfied to be servants of the ruling class and aspire to nothing else.

Edit: I replied to the wrong comment, meant to reply to the one above this one.


Are you going to renounce your Australian citizenship?


Good luck getting health care.


Any Australian working in the US that is able to obtain PR or citizenship likely has a well paid job that provides health insurance. While I feel for the folks in the US without coverage, lack of access to affordable health care does not really apply to employed, skilled immigrants. In my experience US health care is the best on the planet, it's also the most expensive.

From my perspective, US health care is way above the quality of healthcare in Australia. Price, not so much...


Anecdotally calling something the best on the planet is absurd. Have you tried every health care system, or simply believe USA #1?


Australia has a very high standard health care system. Probably on a par with the UK and the U.S.

Given that insurance companies will soon be excluding "pre-existing conditions", there's a good chance you can't get insurance under a corporate plan anyway.


> But don't kid yourself: Australian citizenship is profoundly valuable.

Relative to what other citizenship?


It depends on your criteria. But it's a wealthy country with a high standard of living, relatively safe and stable, with well-established democratic and legal systems, has relatively low corruption, safety nets for health and welfare, subsidised education and if you avoid the crocodiles it can be very pleasant in parts.


Canada meets a lot of these criteria, though the climate may not agree with everyone--though at least we don't have a plant that causes you to suicide yourself (gympie-gympie)

* https://curiosity.com/topics/the-suicide-plant-has-the-most-...
* https://en.wikipedia.org/wiki/Dendrocnide_moroides


Wow, I'm Australian and I'd never heard of that plant.


Also, Australia ranks well above the USA on most indices of economic freedom.

e.g. https://en.wikipedia.org/wiki/Index_of_Economic_Freedom


This is put out by the Heritage Foundation. You may want to read up on their ideologies before deciding that a rating of "good" from them is something you actually want to achieve.

For example, their affiliations are: Republican Party, Thatcherism, Reaganomics.

* https://en.wikipedia.org/wiki/The_Heritage_Foundation

Even a broken clock is right twice a day (as the saying goes), but I'm not sure I'd really strongly rely on their policy ideas.


> well-established democratic and legal systems

Given the topic at hand, this doesn't seem like a distinct strength of Australia, unless you're coming from a despotic regime or recently New Zealand.


I think it's important to have some context here though. I can't speak for the parent commenter, but I am Australian and how I interpreted it was that our democratic system is reasonably mature, functional, and relatively free from large scale corruption.

I think the last point is the big one. Political lobbying, while still a thing, isn't as rampant as in the US for example. Bad power-grab legislation like the bill being discussed still happen, as do bad laws as a result of general incompetence, but in my experience there are far less laws that happen as a result of corporate lobbying.

A good example is the Australian tax system. There is a government provided website for filing your individual income tax return. For the vast majority of people it is prefilled, takes about 5 mins, and it's also free for everyone. Contrast this with the US where companies like Intuit lobby specifically to keep the tax code complex and to require returns prepared online be submitted through one of them so they can collect their fees.


> Bad power-grab legislation like the bill being discussed still happen, as do bad laws as a result of general incompetence, but in my experience there are far less laws that happen as a result of corporate lobbying.

I think I care a bit less about corporate welfare lobbying than infringements on my civil rights. You can fix corporate lobbying if you have real civil rights, but if you don't have the right to communicate privately, the corporations can literally just stop you from organizing, with the littlest nudges (just make the messages of dissent mysteriously not deliver). It might not even be illegal.


Good news: https://www.computerworld.com.au/article/659332/encryption-l...

Bad news: This is still the words of a politician, so it's likely they're relatively empty and the changes may be trivial and won't address the fundamental distrust it has sown in Australian-developed and / or operated technologies.


This comes after Labor allowed the bill through in the first place: https://www.abc.net.au/news/2018-12-06/labor-backdown-federa...

So definitely take it with a grain of salt.


Do you mean tech companies in Australia refusing to hire Australian citizens? Or foreign companies? Because the first is very illegal.

If your home country allows dual citizenship, it doesn't seem like a problem for getting a job outside Australia. If it's not a government job where they'll do security checks, just don't disclose your dual citizenship. I hold dual citizenship, and not that my company has asked or would ask me if I am, I could easily say that I'm not and there isn't a lot they can do. Even governments struggle to determine if someone is a citizen of a foreign country, as we discovered with the dual citizenship debacle in parliament.

If your home country doesn't allow dual citizenship, depending on the risk you're willing to take, you can still become a dual citizen and not notify your home country.

Either way, the benefits of being legally entitled to live in Australia for eternity, as well as the right to participate in the democratic process, outweigh any potential downsides to becoming an Australian citizen, although I've still got a few more years to wait for that.


The Australian tech sector is not that large, an ill-conceived law like this one could potentially worsen the job prospects here, to the point that one may consider working overseas. I'm not saying that it's likely, but at the same time it's not impossible.

So, yes, I was thinking primarily about foreign companies; (by the way, your argument in relation to Australian companies, "Because the first is very illegal", is not bullet-proof, because there are many things in this world that are illegal, and yet they happen).

My home country allows dual citizenship but I don't think that it would be so easy as you say to withhold this crucial piece of information from an employer: given that about half of my CV is made of positions I've held in Australia, I believe it's not that unlikely that a prospective employer may ask about my citizenship status.

Anyway, I haven't taken any decision yet, I'm just basically taking my time. I agree with you about participating in the democratic process, when I evaluate pros and cons of becoming a citizen, that's the biggest pro in my mind. Being entitled to live in Australia, on the other hand, is not a big factor in this decision, because I already have a permanent visa that lets me do that.


> I believe it's not that unlikely that a prospective employer may ask about my citizenship status

I guess that depends on whether you want to lie to a potential employer then, or alternatively renounce your citizenship.

The difference between a PR and a citizenship though is that you have the privilege to live and work in Australia, your PR visa can technically be cancelled on good character grounds, whereas with citizenship you have the right to live and work in Australia. Unlikely to happen I'm sure, but it's there.


Yes, good point about the difference between PR and citizenship.


>right to participate in the democratic process

You mean the same democratic process that passed this bill when literally 99% of the responses within the consultation period were against it?

Or maybe you're talking about the democratic process where our opposition agreed to pass this bill even though they thought it was badly thought-out and needed amendments which were promised to happen in February but still haven't, in return for our government not allowing doctors to see sick people in our secret offshore prisons that almost nobody supports.

I'm being facetious of course, but as an Australian citizen I haven't felt represented here for a long time.


If you are overseas based Australian you can't be compelled by the Australian Government. Only the US Govt makes significant extra-territorial claims.

Unless you are bribing foreign government officials, committing war crimes or engaging in sex tourism, you just have to worry about local laws.


JC and the mainstream media is crying about Huawei and Kaspersky but this gets through uncontested?

Do as I say not as I do.


There's so much ambiguity in this, though. Can't the complying Australian employee simply nudge his/her coworker and say "hey, patch this later" and then it's just a game of back and forth with the Australian government not having their way in the end?


The Australian Government does not like whistleblowers: https://www.abc.net.au/news/2018-06-28/witness-k-and-bernard...

I can't stress enough the potential for harm in any attempt to bypass various laws.

The Australian Government even refused to allow independent Medical Doctors into their off-shore immigration detention centres for fear of the detention conditions being made public.

Australia did nothing to even consider trying to maybe help Julian Assange, an Australian citizen seeking protection from nation-backed harassment, way back when, and two Australian citizens were murdered by the Indonesian Government for drug trafficking (Australia negotiated prior to the event, but no negative action was taken afterwards). These are admittedly both divisive examples - with the intention to point out that it depends on the direction of political winds as to how the Australian Government will react.

Australia is a good place to live and the anecdotes above are specifically chosen as the far end of the bad scale, but if you choose a fight with any of the few specific issues the Government is paranoid about or sensitive to, you may face significant resources aimed at your incarceration.

Just make sure your ass is thrice covered if you're going to go up against it...


Australia's public image of being a "larrikin" place - all beer on the beach and shrimp on the barbie, is at odds with its incredibly authoritarian attitudes. I'm always amazed at Aussie enthusiasm for the "smack of firm government" and their hatred of anyone breaking the rules.


It's really strange that of all the former British settler colonies, the one that's the most republican in attitude is also the one that's most enthusiastic about maintaining the surveillance/police state parity with UK. Canada and NZ are doing much better.


The beaches and sunshine mean that there are better things to do than worry about f*cking politics.

Australian frogs are coming to the boil.


The thing that's most odd about this is if you consider the history of the cause of settlement of Australia... the first settlers weren't exactly renowned for following the rules... that's why they were there in the first place.

Irony at its finest.


You need to look at our country from a historical point of view. We have a lot of cultural ties with the UK. Australia did not become a country until 1901 and no, it wasn't a penal colony for that whole time. There was a lot of migration primarily from the UK - to this day the UK is one of our largest sources of permanent migrants.

Most of Australia's laws, our parliamentary system etc. were based on the UK Westminster system. In the early years of our country most people were very pro British Empire. There was enormous social pressure on people to go and "fight for the empire" during World War 1; lots and lots of Australians went and fought and died in Europe. Then the same thing happened in World War 2, except suddenly the Japanese were threatening us (a lot of people don't know the Japanese bombed Australian cities during WW2) and most of our military was over in Europe and Northern Africa. After the fall of Singapore, Australia realized how vulnerable we were and that the British could not be counted on to defend us, which caused a strategic realignment behind the US and things like the ANZUS treaty etc.

To this day there is still a lot of positive British sentiment in Australia. A lot of people here really like the Queen it's a little bizarre, not so evident in the city but if you go into regional country towns it is pretty pro monarchy. When I was in high school the Queen visited my area and it was crazy big parades huge event I have never seen another politician of any sort anywhere in the country get the kind of reception she did. Most people here are completely cynical about politicians but they love the queen - weird.


Australia's (and Australians') attachment to the monarchy is one of those things that will change dramatically over the next twenty-odd years as the 60+ year-old set, who have anachronistic romantic notions of the monarchy, die off.

The "royal weddings" (good lord, kill me now) do their little bit in fluffing up pro-monarchy anachronistic romantic notions in some of the younger set, but nowhere near the amount needed to sustain the 'no to a republic' vote even in the next ten years.

My assumption is that a lot of these same monarchists are fundamentally racist as a direct result of the various wars, which is semi-understandable. Humans don't tend to change their minds beyond a certain age, no matter the changing context.

There's a quote somewhere about "beliefs don't change, their proponents die out". I'm finding it applies in almost universal contexts.


> Australia's (and Australians') attachment to the monarchy is one of those things that will change dramatically over the next twenty-odd years as the 60+ year-old set, who have anachronistic romantic notions of the monarchy, die off.

Also the general opinion appears to be that we'd rather be a Republic than have Charles as our king ;)


I've had long discussions with techie friends about this, and none of us can see a way that the government could actually force a dev to do anything in a way that doesn't immediately tip off the rest of the team.

I mean, your code is stored in a shared repo, right? So pushing a commit with the government-mandated changes to the shared repo is "informing others". But not pushing it means it'll never get to Prod.

Most places review code commits routinely, so how is a dev supposed to get their government-mandated changes into Prod without anyone seeing them?

If your Australian co-worker stops pushing their commits to the repo and starts trying to make changes to Prod without going through review, it's also a strong signal that something might be going on here...

In fact, if this legislation posed any kind of threat to your business, then your software development processes are broken and you're vulnerable to a ton of other, more likely, threats.

The legislation was written by a shower of technically-incompetent career politicians, with absolutely zero understanding of (or interest in) how software development works. This is the same mob of idiots who pronounced "the laws of mathematics are all very well, but we're in Australia so we obey Australian laws" when discussing their plans to break cryptography.

It's unenforceable, ridiculous, and will get changed before it ever gets used.

But as a startup tech co-founder dealing with encrypted documents, and an Australian citizen, I'm not planning to launch in Australia until it's fixed, and leaving Australia until it's fixed.
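
The review argument made in the comment above, as an added example (not code from the thread or from any commenter's project): an audit that flags changes which reached production without independent review. The record shapes, names and ids are assumptions and all data is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    sha: str      # constructed placeholder id, not a real hash
    author: str
    tree: str     # identifier of the content this commit introduces


@dataclass(frozen=True)
class Approval:
    sha: str
    reviewer: str
    tree: str     # content the reviewer actually looked at


def audit_release(mainline, approvals, deployed_source_sha):
    """Return (sha, finding) pairs for changes that bypassed independent review."""
    by_sha = {}
    for a in approvals:
        by_sha.setdefault(a.sha, []).append(a)

    findings = []
    for c in mainline:
        # Self-approval does not count: the control is a second person.
        independent = [a for a in by_sha.get(c.sha, []) if a.reviewer != c.author]
        if not independent:
            findings.append((c.sha, "no approval from anyone other than the author"))
        elif not any(a.tree == c.tree for a in independent):
            # Approved content differs from what was merged (amended afterwards).
            findings.append((c.sha, "content changed after it was approved"))

    # A production build must come from a commit the whole team can see.
    if deployed_source_sha not in {c.sha for c in mainline}:
        findings.append(
            (deployed_source_sha, "production build source is not in the shared repo")
        )
    return findings


# Constructed sample data (hypothetical people and ids).
MAINLINE = [
    Commit("c1", "alice", "t1"),
    Commit("c2", "bob", "t2"),
    Commit("c3", "carol", "t3b"),   # amended after review
    Commit("c4", "dave", "t4"),     # only the author approved
]
APPROVALS = [
    Approval("c1", "bob", "t1"),
    Approval("c2", "alice", "t2"),
    Approval("c3", "alice", "t3a"),
    Approval("c4", "dave", "t4"),
]

if __name__ == "__main__":
    # "c9" stands for a build made from a commit that was never pushed.
    for sha, finding in audit_release(MAINLINE, APPROVALS, "c9"):
        print(f"{sha}: {finding}")
```
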


Really? It took me about 10 seconds to come up with this: "Hey tech dude, we need a version of iOS that unlocks the encryption on this device. Be a good boy and send us an IPSW that we can install on this nasty person's phone will you?"

You don't need to release it to the public. Build it on your local device and hand it to them. Nobody needs to know.


The number of people with access to the private keys that sign iOS updates must be very limited - I wouldn't be surprised if you needed at least two people actively involved in signing every update.

On top of that, Apple is heavily siloed, and somebody working on the Calendar app won't have information on the operation of Secure Enclave, the chip that deals with authenticating fingerprints, passcodes, Apple Pay etc.

So it would be more like "Hey tech dude, can you sneak a change to the compiler your company uses to build iOS, to have it compile a backdoor into iOS, then surreptitiously login to the relevant machines and place your new compiler?"


If a developer in Apple has access to the signing keys for iOS and can decrypt anything at all on a production device, then Apple is totally screwed.

It simply cannot work like this, because a single rogue employee can (and would have by now) posted it on a forum/wikileaks/something, simply because they could.


I mean, you're pretty much advocating for the rough equivalent of a warrant canary, which have already been explicitly outlawed in Australia. [0]

[0]: https://boingboing.net/2015/03/26/australia-outlaws-warrant-...


Please note that the legislation you are referencing is completely unrelated to the Assistance and Access Act. It's talking about journalistic warrants (warrants on journalists not by journalists) which are their own shitstorm, but a very different topic.

The Assistance and Access Act does have the same "existence or nonexistence" wording as the law you referred to, so you're not wrong that a warrant canary for a notice under the new legislation would be a criminal offense. But there is no blanket law against warrant canaries per se, it's done explicitly in each new law about secret warrants.


Unauthorised disclosure of information about a notice (or gained from a notice) is punishable with 5 years imprisonment -- which means that if you're suspected of being a whistleblower they can use this new legislation against you too (anything punishable with over 3 years imprisonment can be investigated in this fashion).

I wouldn't risk it. There are ways to legally provide aggregated information about the number of notices received in a 6-month period.

Also, talk to your representative and explain your concerns and push for it to be scrapped (though when I talked to the Labor senators' staffers they brushed me off and said that I wasn't interested in being informed when I disagreed with their party line). Federal elections are coming up, they're more likely to at least pretend to listen to you.


There are many scenarios where the Australian Government ends up not having it their way. For example a very likely scenario is: your commit which contains a backdoor goes to code review and then someone asks you "what is this". In theory you would say that you are not allowed to explain for legal reasons. Yet that commit is not going to be deployed.

(edited for clarity)


I imagine that the government would begin at the executive level and ask "who else needs to know" and then work down the list to compel individuals or teams as required.

Similar processes already exist for other legal/police requests. If this legislation is used, companies like Telstra will have dedicated teams to comply with requests.

If your new Australian Citizen hire can build back doors into your software you've got bigger issues than hiring. Though I could see real risk associated with an Australian-based team for a global company or an Australian-based supplier.


I wouldn't advise this. Defying or subverting a lawful order can itself be a crime and you can bet the Crown Prosecutor and the Judge have seen far more attempts than you have.


Can you imagine what would happen if there was a public case where a person got 5 years for letting the world know that the Australian government tried to force them to backdoor software? You don't really even need proof, because if he's sent to prison then his claim is true.

Right now the risk from Australia is theoretical. After that there could actually be bans from other governments about using software made in Australia.


I imagine the person would go to prison for up to 5 years and the government would chest-thump about Being Tough On Baddies.

If anything they would like it to happen. If being exposed as a stupid law was enough to scare off the major parties, it wouldn't have been made law in the first place.


Australia could offer a reward to employees that ratted out employees that did that. Then other countries will have to outlaw accepting the reward.


> The problem seems to be the provision that a tech worker can be coerced by the Australian Government into creating a backdoor, and they are not authorised to disclose it to their employer.

As I read it, the law requires warrants and court enforcement. I don't think you can be required to backdoor code in secret or held to account by the security agencies not to inform your employer. I would be very surprised if that was legal and uncontestable.

I do expect you can be informed by your employer you have to backdoor code.

I do not expect you can have an extra-territorial obligation placed on your work conducted outside Australia. If you are working inside Australia remotely I think it's complex.

I think the EFF should fund your case. Take citizenship and help fight this.


> I don't think you can be required to backdoor code in secret or held to account by the security agencies not to inform your employer.

This law gave the government the power to do just that. Details of implementing a backdoor in secret is close to impossible, as any developer would know. There was a post[1] made by "Alfie John" (alfiedotwtf) that outlines a scenario in which a developer is presented with a Technical Capability Notice (TCN).

> I do not expect you can have an extra-territorial obligation placed on your work conducted outside Australia. If you are working inside Australia remotely I think it's complex.

Australian citizens, regardless of their location are obliged to comply with these requests.

If you are presented with a TAR, TAN or TCN, you have the option to seek legal counsel in private or risk fines of up to AUD$7.3 million.

You risk imprisonment if you reveal details about the notice to anyone other than those who are included in the notice or to seek legal counsel (this is an exception within the law).

[1] https://twitter.com/alfiedotwtf/status/1070047303275175936


> Australian citizens, regardless of their location are obliged to comply with these requests.

Extra-territorial law application is very complex. KP is one of the few places where you can routinely expect to be prosecuted in Australia for breaches overseas. Or FGM. Or, more recently the war in Syria but bear with me: do you not also recognize that there is a huge reluctance to try and enforce the law in that last regard? Because it turns out simply being somewhere is not necessarily a good basis to declare you broke the law, noting that few if any of the people seeking to come home took up arms, and specifically took up arms against Australia or her allies.

They also have to serve the request on you. Simply issuing it doesn't make it binding surely? You have to be formally notified.

Lastly, since you can reveal it to your lawyer, I would argue that it implies they believe it could be mis-applied, or you can have a case in law to contest its applicability.

And, included in the notice begs the question: do we have any indication aside from hypothetically speaking, that a TAR/TAN/TCN has or can be drafted which doesn't include the employer and IPR holder in the notice?


> Extra-territorial law application is very complex. KP is one of the few places where you can routinely expect to be prosecuted in Australia for breaches overseas. Or FGM. Or, more recently the war in Syria but bear with me: do you not also recognize that there is a huge reluctance to try and enforce the law in that last regard? Because it turns out simply being somewhere is not necessarily a good basis to declare you broke the law, noting that few if any of the people seeking to come home took up arms, and specifically took up arms against Australia or her allies.

To be honest, what you have written doesn't seem to be related and/or your point is lost. However, I will try to underline my comment with the following:

If you are issued with a TAR, TAN or TCN and you reside overseas you must comply or face extradition under an extradition treaty - unless you are fortunate enough to reside in a country that does not have an extradition treaty with Australia and that country is unlikely to make deals in secret with the Australian Government. Or, you are fortunate enough to have a secondary citizenship and subsequently renounce your Australian citizenship.

> They also have to serve the request on you. Simply issuing it doesn't make it binding surely? You have to be formally notified.

If you are issued this notice, you are able to refuse under 317ZB and incur 238 penalty units or $49,980 as an individual, or 47,619 penalty units or $9,999,990 as a corporate body. There is no limit to the number of subsequent notices that are able to be issued of the same nature. In reality this means, if it is important enough, the government will continue to issue notices until you comply.

> do we have any indication aside from hypothetically speaking, that a TAR/TAN/TCN has or can be drafted which doesn't include the employer and IPR holder in the notice?

The law stipulates that a person is considered to be a "designated communications provider" under 317C.

See also, all relevant sections detailing: "an employee of a designated communications provider" and "an employee of a contracted service provider of a designated communications provider".

317ZF dictates that disclosure outside of seeking legal counsel incurs a penalty of 5 years imprisonment.

I'm not sure where you received your information from, but most of what you have said is contradictory to the law that was passed. Have you read the Assistance and Access Bill?


I'm not sure how much you have noticed about the Huawei executive/heir extradition process in Canada? It isn't a simple process. The govt has to establish that the alleged crime is also a crime in Canada. It is a similar process in most civilized countries. No guarantees in Thailand or the Gulf states etc.

Don't get me wrong, it is terribly done legislation, but there is no chance it would work against someone overseas, even after they return. You'd only be in trouble if you were in Australia when served with a notice, went to the US and told the internet, and then came home.


Thanks for the cluestick. This is unworkably bad, and I look forward to Ed Husic making good on his promise to amend the law. I had not read the bill, I have only read commentaries.

I can't believe the law officer of the land permitted a bill to be drafted which requires this kind of behaviour because it feels like even resigning from your employer would be a breach of the act, since you cannot disclose you have been served with a notice in resigning. But, if you deliberately insert or attempt to insert subverting code, you are implicitly undermining the integrity of your employer's code.

I repeat what I said before: This feels like a legal minefield which a competent defense could drive a tank through. Just because it passed the chambers doesn't make it right, we have the kind of system which permits the high court to overturn manifestly unjust law.

Not to implicitly believe everything said in defence of this bill could you comment on:

https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...

in particular this bit:

This law can compel employees to work in secret without the knowledge of their organisation

Media reporting that has proposed this scenario is incorrect and misleading. The industry assistance framework is concerned with getting help from companies not people acting in their capacity as an employee of a company. Requests for assistance will be served on the corporate entity itself in line with the deeming service provisions in section 317ZL. A notice may be served on an individual if that individual is a sole-trader and their own corporate entity.

A company issued a notice can disclose information about it under paragraph 317ZF(3)(a) in connection with the administration or execution of that notice. This allows an employer to disclose information to their employee and vice versa in the normal course of their duty.

Additionally, a company may disclose statistical information about the fact that they have received a notice consistent with subsection 317ZF(13). Further, companies and their specified personnel may disclose notice information for the purposes of legal proceedings, in accordance with any requirements of law or for the purpose of obtaining legal advice. The notices themselves are therefore not ‘secret’ but information about their substance is controlled to protect sensitive operational and commercial information.

The same page says this:

Penalties for individuals in the legislation are for the purpose of potential enforcement proceedings against sole-traders and individuals acting as businesses.

Which means by intent (but possibly not in words in the act) the idea was not to exclude telling your employer: the point is that sole traders and individuals can be compelled the same way companies can.

Which I read, probably hopelessly optimistically, as that a requirement would almost never be placed on you, and not simultaneously on your employer: They know you are being asked to modify the code. The chance of being unable to "disclose" to your employer here feels quite limited.


I am not a lawyer. But, I think we can all agree the track record for the Attorney General in Australia fucking it up to coin a phrase, is remarkably high.

So "This law gave the government the power to do just that" is, in my non-lawyer opinion, HIGHLY contestable. I would expect somebody like Atlassian to do just that: take it up to them, pony up, and contest the legality of this.

An employee has liabilities for things done to their employer's code which causes material harm. I think the canary in the mine would be huge here: resign, do not cause your employer's product to be backdoored, you cannot be obligated to introduce bugs.


Could you reasonably argue that you can’t implement this feature without your boss finding out?

Let’s say I work at a place that requires mandatory peer code review. I won’t be able to slip something by my (non Australian) reviewer. Surely I could reasonably argue that the government’s request to insert a backdoor without telling anyone is impossible to comply with. How would the government be able to verify my claim that that’s the case?


How confident are my fellow American citizens that the American government doesn't effectively have the same power? I mean, if someone showed up at your house in a black Suburban with an official-looking letter that seemed like a court order that you provide them with a backdoor, and threatened you with all manner of charges if you go public. How confident are you that you could walk away cleanly from that any other way?


Well I assume the first thing you do if you cop a notice is talk to a lawyer, and if the government's request is illegal, the American lawyer will tell you so. Since this legislation, the Australian lawyer is going to have to tell you to just do it.


The difference is the court order. In Australia, the individuals in the black car could show up with none of that and you'd still have to comply.

The Aussie politicians that voted for this are hurting everybody. A mining-based economy with less business coming its way because of laws like this one.

https://boingboing.net/2017/07/15/malcolm-turnbull-is-an-idi...


Of course they have the same power. Australia is just more open about it because the compulsion power is formalised.


The American government does theoretically have this power, but it's not like any major player is refusing to do business with Americans yet because the downside to that is massive. It's possible it could come to that eventually.

Australia is a target for retribution here because the policy is newer and they're a smaller player.


In the USA at least you could take it to the Supreme Court; Australians don't have a bill of rights.


Saying "it is unfair I can't get away with crime too" is not a defense. And many in fact /are/ already refusing to do so. Witness many privacy laws which explicitly bar storage of citizen data in US jurisdictions - granted some have cynical "so they can access it" motivations. It was why Microsoft, of all corporations, one which has been enough of a toady to be caught with NSA in variable names, sued hard to demand warrant protection.


> The American government does theoretically have this power

So far they haven’t been able to enforce it, at least when challenged.

And there are organisations that prohibit the use of US based cloud providers.


If you are concerned about that, I would leave Australia if I were you. Being under the jurisdiction of Australia is already a huge threat.


Australian law generally affects residents of Australia, not citizens. Are you sure they couldn't coerce you already?


The main point for me is not whether or not they can actually coerce me, but whether or not this is going to affect my employability. I have seen various news articles reporting that, apparently, companies based in the USA and EU are currently wary of hiring Australian developers because of this law.

Regarding your point, my understanding (I'm not a lawyer so I may be wrong) is that, in general, the law of a country applies to residents only while they are residing in the country, and it stops being applicable after they leave the country. For citizens this is certainly not the case, e.g. even though I haven't been to Italy since 2013, as a citizen I still have some rights and obligations.


Still, it's rare for citizens to be affected if they are outside the country.

The relevant legislation seems to be https://www.legislation.gov.au/Details/C2018B00180, it doesn't contain the word "citizen".

The text is actually neutral on such questions. In theory, I think it could be applied to anyone in the world, regardless of citizenship or residence. However, in practice people with no connection to Australia would be likely to just ignore it.

A law enforcement officer (or another person on the officer’s behalf) may apply to an eligible Judge or to a nominated AAT member for an order (the assistance order) requiring a specified person to provide any information or assistance that is reasonable and necessary to allow the law enforcement officer to do one or more of the following:...

You have a point that they'd have more leverage against Australian citizens, especially if they don't have alternative citizenships (so that they need passport renewals) or intend to travel to Australia in future.


So, how exactly would anyone get a back door past code review? There are practices and processes that make this infeasible regardless of the Australian Government's belief they can coerce anyone.

Every company I've felt has been worth working for in the past 10 years has had rigorous code review practices that would obstruct my ability to integrate any code without oversight.

So... how?


Why wouldn't they just issue the order to two developers? That seems to trivially solve the difficulty, since the second code-reviews for the first.


I have Australian citizenship, but fortunately I live abroad so I would just refuse. Good luck with that extradition, numbnuts :)


Hmmm... that sounds exactly like what someone coerced to introduce a backdoor would say!


Actually you can be compelled whether you are a citizen or not, you just have to be in the country. So unless you have to give up your prior citizenship there is no reason not to proceed.

So please apply, and then maybe one day you can vote against those who support it.


Wow, so Australian law allows them to basically impress any citizen into espionage?

That's buck-wild.



