Wednesday, 30 January 2019 10:24

Encryption law: developer lists economic, practical and ideological concerns

An Australian software engineer, who works at a health tech start-up that uses encryption to protect patient data, has suggested several changes to the Federal Government's encryption legislation which was passed in December.

Jake Bloom, who formerly worked with Facebook in California, listed the following changes which, he said, should be made to the law in the event that it was not taken off the books altogether:

  • Remove the concept of a Technical Capability Notice (TCN) as it amounts to nothing more than servitude;
  • Amend the legislation such that Technical Assistance Requests (TARs) and Technical Assistance Notices (TANs) can only be served to a corporation, not an individual;
  • Narrow the scope of the legislation so that it can only be used in the case of terrorism and child sex offences, not the broad scope that currently exists;
  • Properly define a “whole class of technology”;
  • Allow the public to immediately view which companies have been served with TARs and TANs.

The bill was passed on 6 December but just 12 days later, the Parliamentary Joint Committee on Intelligence and Security said it would begin a fresh review.

The new review has asked for submissions and will submit a report by 3 April.

In November 2018, during hearings on what is officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, a number of intelligence and law enforcement agencies — ASIO, the Australian Signals Directorate, the Australian Federal Police and Victoria Police — said the law needed to be passed as quickly as possible, and before Christmas, though no concrete justification was offered for the urgency.

Later, Prime Minister Scott Morrison and Home Affairs Minister Peter Dutton told the media that they would be asking the Parliamentary Joint Committee on Intelligence and Security, which was holding hearings into the bill, to speed up the process and send the bill back to Parliament as soon as possible.

Elaborating on his suggestions, Bloom pointed out that serving a TCN appeared to be illegal, as it involved engaging an individual in servitude according to the definition in section 270.4 of the Australian Criminal Code.

The section reads: "(1) For the purposes of this Division, servitude is the condition of a person (the victim) who provides labour or services, if, because of the use of coercion, threat or deception:

"(a) a reasonable person in the position of the victim would not consider himself or herself to be free:

"(i) to cease providing the labour or services; or

"(ii) to leave the place or area where the victim provides the labour or services."

Said Bloom: "Under this definition, if an individual was to be served with a Technical Capability Notice, they would be a victim of servitude, as the Commonwealth is not remunerating the individual for building the capability, the individual is not free to cease building the capability, and is operating under the threat of jail time. While I do not claim to be a legal expert, in my mind, the concept of a Technical Capability Notice seems at odds with this definition."

He said he had ideological issues with the law as well, pointing out that in a democracy, "it is important for there to be methods of communication among citizens that are free of government oversight".

But Bloom also listed economic and practical concerns with the law. In the first instance, he pointed to the government ban on Chinese vendors from playing a role in the rollout of 5G networks. "This legislation ensures that there is no doubt when it comes to Australian technology – the Australian Government is listening, and the public debate around these laws means that the international community has noticed."

He provided the example of Apple and NASA using Australian firm Atlassian's BitBucket software to store source code.

"As a result of the passage of the bill, Apple and NASA know that a capability to read their source code could be installed into BitBucket without notice," Bloom said. "As a result, international firms will move away from using Australian-made software to power their business, in a huge blow to the Australian export market."

He also pointed out that the GDPR, which came into force in May last year, required immediate disclosure of improper use of user data, even if only very few users were affected.

"This means that an Australian company that has been subjected to a TAN or a TCN cannot comply with the GDPR laws and cannot legally export to Europe," Bloom said.

"As a result, this legislation cuts off the export market for Australian software companies, and puts in jeopardy the employment of Australians overseas. There are over 300 Australians employed at Facebook, and all of them are learning world class skills that many hope to bring back to Australian shores one day. This legislation would cut off this learning pathway for Australians overseas and stymie the knowledge that they bring home with them."

As many others have, Bloom also said the law did not provide clarity on what exactly constituted a systemic vulnerability. This could lead to someone creating a backdoor unintentionally, he suggested.

"Secondly, it is accepted practice when writing software that before you can deploy your code for users to interact with it, it needs to be reviewed by another person. This renders the confidentiality clauses within the legislation useless, as at least one other person will see that a weakness, vulnerability, spyware or redundant code is being inserted," Bloom said.

"Upon discovering this, it would be raised immediately to management or leadership of the company, and would likely result in an immediate termination of the engineer who executed the TCN. Having worked at a large multinational company, I can tell you that the rank and file employees as well as the leadership would be more inclined to pull a product from a market altogether rather than compromise the security of the application.

"Given that Apple has previously declined to unlock iPhones for the FBI, and Facebook and Google are unwilling to comply with Chinese Government to access a market of over one billion people, I find it difficult to believe that these companies would waste time and money making a product less secure to satisfy a market that they can be successful without."

Bloom said developers would often be caught between a rock and a hard place if they were asked to comply with any such notice.

"...for many people, being served with a request or notice under this legislation places them into an entrapment scenario, where ignoring the notice would breach laws in Australia and complying with the notice would breach laws such as Europe's GDPR or the USA's HIPAA. This creates a no-win scenario where being served with a notice means fines or jail time in multiple jurisdictions, regardless of the action taken," he added.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
