Australia warning

I finally got around to examining the arguments around Australia’s recently passed “Access and Assistance” law. You must stop doing anything with anyone in Australia.

Anyone doing any form of business with Australia must now cooperate in breaking any form of privacy if the police ask them to do so, with no initial recourse.

Yes, it is intended to target telecommunications – specifically all those forms of encryption you use every day, like the ones used to packetize your phone conversations or that keep mail servers secure. But looking at the text it seems to be deliberately vague and broad, and if a business engages in any telecommunications itself it might be described as a ‘designated communications provider’.

from ProtonMail Blog

Many others have commented regarding the scope, vagueness, and security threat since the law passed. That does not even count the many submissions which were never considered before it passed.

If you took the trouble to read some of those many links, you may have noticed almost none, except the government submissions, are from inside Australia. That is because this law might deeply harm everything which connects to the internet, far beyond Australia’s moated borders. And it affects everything in every supply chain.

The tech example

Let’s say you are a retiree, and you have a small investment with your bank which you manage online.

Most banks, stock exchanges, and other financial services anywhere in the world use some standardized security protocols. All such businesses in Australia must now make a back door available to the police if requested. That back door can work for criminals as easily as it can for the Australian police forces.

And it means your little retirement egg in podunk nowhere is now vulnerable.

The same is true of your iPhone. Australia may want to see what is in a criminal’s device, but if Apple puts the back door in, all iPhones are now vulnerable. It is true of OpenSSL, open-source software that undergirds millions of servers all over the internet.

But worse is you cannot trust anything in your supply chain; you no longer know if what you are using is safe. Maybe that wonderful site your bank has for managing your nest egg uses a beautifully designed user interface, and one of the employees of the company making/maintaining that UI telecommutes to work from Australia.

The way the law is written, Australia’s Secret Intelligence Service has the right (even the responsibility) to target that individual and require them to add some spyware. The employee is not allowed to notify anyone, even their boss or coworkers, about it, or they face an instant 5-year jail sentence. The employer will not know, your bank will not know, and you will not know that your every transaction, your every keystroke, is being recorded by ASIO.

The same is true for any chip designer whose product might eventually be in your computer mouse, your refrigerator, or the street lights in your neighborhood. It is true for any software, including any pull requests in open source as well as proprietary programming. It is as true for an artist making digital sketches as it is for the janitor who happens to sweep floors in a server farm. Everyone under direct or indirect jurisdiction of Australia can be required, by law, to become an agent of the government.

You, the innocent retiree, need to prune everything in your life’s supply chain of anything/anyone connected to the country.

The research example

Let’s say you are a social scientist. Oh, I don’t know, maybe you study the health of indigenous people in Paraguay.

You can no longer collaborate with indigenous researchers in Australia. Furthermore, you need to request that all data you might have shared with your Australian colleagues be immediately and verifiably destroyed. Why? Because health data about individuals is private, and you probably have laws and rules regarding ensuring the security of that private data.

But your Australian counterparts can no longer be legally bound by any agreement or contract regarding keeping that data private. And they cannot tell you if that privacy has been breached by the government of Australia.

Even more of a problem: you cannot trust that any method of communicating with those colleagues will not instigate exactly the privacy breach you are acting to prevent – every method other than speaking with them face-to-face might be tapped and trigger the breach.

You, the researcher, need to eliminate any academic connections with Australia. You also need to re-evaluate your security protocols so no other country can suddenly put your private data at risk.

Conclusion

This was a dumb move: the entire thing was sprung on the rest of Australia by Parliament on the last day of the last sitting of 2018, and read, debated, and approved in a single day.

Much as I regret the collateral damage, anything and everything related to Australia must be considered tainted when it comes to tech. Self-defense is not collective punishment, although it sure feels like it.

NB: Another rescue from Draft Purgatory