Splunk announced it would no longer sell its software and services to organisations in Russia, and, to date, no reason, apart from some bizspeak — "[we are] continually evaluating where we are investing and focusing our company resources" — has been advanced to account for the decision.
But it is fair to assume that Moscow would have asked for access to the source code of the application – and many companies are now fighting shy of granting such requests, especially given the hostile state of relations that the US enjoys (!) with many other nations.
If that same demand was made of an Australian company which had complied with a demand from the authorities to build in functionality — which can be demanded under the encryption law — there is no way it could accede to a request to provide its source code. That would mean a term behind bars.
But then it has no vulnerabilities built into its code by the US Government. Or, at least none that have been discovered so far.
For the uninitiated, or those who have been living under a rock for the last eight months, the Australian encryption law — officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 — was passed in December 2018.
(An inquiry is now underway by the Parliamentary Joint Committee on Intelligence and Security. The PJCIS is expected to submit a report to government by 3 April.)
Under the law, the authorities can get industry to aid in gaining access to encrypted material in three ways. A technical assistance request (TAR) allows for voluntary help by a company; in this case, its staff would be given civil immunity from prosecution.
Else, an interception agency can issue a technical assistance notice (TAN) to make a communications provider offer assistance.
Finally, a technical capability notice (TCN) can be issued by the attorney-general at the request of an interception agency; the communications minister of the day would also need to agree. This would force a company to help law enforcement, by building functionality.
But if the company or individual who is asked to build in functionality breathes so much as a word about it, then he/she/they would all end up eating dry bread and water in one of the many prisons in this big, brown land.
So, if an ambitious Australian company wants to sell its wares abroad — many already do and are much valued — and if the prospective buyer asks for an assurance that there are no doodahs in the code of the product, how does the Aussie firm offer that assurance if it has been approached and has satisfied a request for "help"?
Without that assurance — and often an inspection of the code itself — no buyer would be satisfied.
Australia has used similar logic to exclude Chinese telco equipment vendor Huawei Technologies from its 5G networks – even though Huawei has offered its source code to the authorities for inspection!
There have been muttered arguments about Communism and capitalism, and angry noises that the Australian and Chinese systems cannot be compared.
But such arguments — "trust us, we are fair dinkum Aussies" — will be worth nothing if it comes to a request for source code and the company which is seeking business abroad cannot meet the request.
The only option left will be to dig up some bizspeak the way Splunk did. This site should help.