Will the last AU based start-up please turn off the light?

It appears the Australian Federal Government is determined to do a Thelma & Louise and literally drive off a cliff into the abyss over truly mindless and ill-conceived legislation as concerns encryption, privacy and security. It has the potential to make us totally uncompetitive in global information technology markets and cut off at the knees a fledgling start-up sector which is just in the process of finding its feet. It could even damage the tourism industry.

(Note: The views expressed in this article are my own and not those of Aykira Pty Ltd)

You don’t have to look far to find almost universal disbelief to utter horror at what the Federal Government is trying to quickly pass through the legislative process and make law, namely the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018.

In short, the bill proposes:

  • Anybody who refuses to help the authorities crack a computer system when ordered will face up to five years jail.
  • If the crime being investigated is terrorism, the penalty for non-compliance is increased to 10 years’ jail or $126,000.
  • Tech companies will have to help authorities crack the encryption on users’ devices when told to help – or face up to $10 million in fines.
  • If anybody at the company tells anybody that they have been told to do it, they will face up to five years in jail.
  • Foreign countries can also ask Australia’s Attorney General for police to access data in your computer to help them investigate law-breaking overseas.

So far there have been over 14,000 submissions of concern on this one Act alone. Most of these may be ‘robot-submissions’, but the sheer weight of submissions on this issue is something which cannot be ignored (and you can still submit until the 19th October). Remember, 14,000 people are ultimately behind those submissions, and those are people who have actually bothered to make a submission, so the actual number of concerned people is going to be somewhat higher. (What would be really useful is if a major media organisation were to run a poll on this very issue to get a direct gauge of how concerned the general voting public is.)

Another area of concern is detailed in this article, namely how such legislation would interfere with the rights and privileges of foreign nationals who come under their own privacy regulations, and this is where it gets particularly concerning. The article highlights the case of a 46-year-old British software developer who had his password-protected laptop and phone seized by the Australian Border Force (ABF) as he travelled through Sydney Airport. The man believes the ABF was able to crack his laptop password and inspect his files, which in essence compromised his business under the new European GDPR data privacy laws. This in turn means he has to give privacy breach notifications to his clients that their data could have been compromised by being exposed to a foreign power…

This has truly massive business implications – anybody travelling to Australia who is subject to the GDPR and has on their person PII for other EU parties (either directly, or accessible via the devices in question) could be put into a data breach notification situation at any time if they are asked to provide access to such devices. They will not be able to refuse under the proposed legislation, and there would be no grounds for refusal.

But the trouble is, it’s not just the GDPR that has mandatory breach notification laws: a whole set of countries (including Canada, India, Mexico, and several US states) have breach notification legislation, and new legislation is being created (in particular US privacy laws). So anybody travelling from such countries could put their very business brand, and hence trading worth, at risk by personally visiting Australia. This could even apply to tourists: for instance, you go on holiday to Australia with your mobile phone, which also has access to your corporate email on Google – the authorities getting access to such a device could not only read all your corporate emails but go through all the shared folders, documents etc. as well.

So not only does this bill throw the mother of all spanners in the works of free movement for purposes of lawful trade, it could have a massive impact on our tourism industry to boot!

Then there is the impact such legislation would have on our fledgling start-up community. I have been involved in and watching this slowly grow over the last 8 years; it has been a struggle, for every two steps forward there has been one step back. But if passed, this bill is the death knell for our start-up community. Simply put, nobody will trust or take seriously anything developed in Australia, for the very simple reason that they will not know whether the software they are using has security compromises in it to comply with Australian regulations. Even if there are no compromises, how do you prove that, and how do you reconcile the changes needed to keep two sets of code to comply with the local and international market needs? In short, you cannot. Best practice in software is to have everything in one code base, so you could (in true engineering style) implement an ‘Australia Snooping Switch (ASS)’, but what’s to stop a bad actor somewhere else throwing the ‘ASS’ switch for their own purposes? Nothing – and your software is compromised, and everybody else knows it.

So no real-world software will get developed or sold from Australia if this bill passes, as nothing that gets developed here can be truly trusted. This is particularly nasty given all the focus in schools on STEM and computer programming, etc. – the only place our Australian-educated students will be able to get a proper career will be overseas, as the jobs just won’t exist here to employ those coming through the education system. What a massive own goal!

Now you may say that this is a massive over-reaction and that other countries, like the UK, have similar laws in place. Well, the UK laws (known as the UK’s Snooper’s Charter) haven’t exactly worked out as expected, as they have been successfully challenged as infringing on EU privacy rights, and so need to be rewritten to comply with EU laws.

Then, of course, there is the question of what the criminals are going to do in response to this. This one is quite simple to answer: they will evolve how they use technology to make sure such legislation is as next to useless as possible. There are ways of encrypting things and throwing them to the four winds so that it becomes unprovable that it was encrypted in the first place (let alone that it even existed). In short, they will adapt, and as concerns stopping serious crime, we are back where we started. In fact, we are actually worse off for several reasons:

  1. The serious criminals will continue doing what they are doing, just with even less likelihood of being caught;
  2. In order to justify the new legislation, it will have to be seen to be working, so more people will be checked, monitored and otherwise ‘probed’ to show it’s working;
  3. Meanwhile, our privacy will keep getting eroded and those who trade in identity theft will keep cracking computers and finding more information to steal.

In short, I can see nothing this bill does which will actually deal with the core problems, which are:

  • Criminals adapt to the environment they operate in; the rewards are still there and only getting bigger;
  • Identity theft is not treated as a serious enough problem by the government – if you want to cut down serious crime, stop identity theft!

The reason I mention identity theft is that it is one of the key ways criminals are able to move money around, launder it and commit crimes without being caught. In effect, an innocent third party (whose identity has been stolen) ‘commits’ the crime for the criminal, usually totally unaware of this occurring. In a cruel twist of fate, it could be the innocent third party (i.e. you) who then comes under criminal investigation and, under the new legislation, is asked to reveal all or be fined and go to jail. Meanwhile, the criminal goes on to their next victim.

All I can see this bill doing is making us an international IT and security laughing stock; we will literally be the country in the corner wearing a dunce’s hat. We could have had it all and threw it all away chasing cyber ghosts when we should have been chasing real criminals.

If you agree with me on my analysis, please do the following:

  • Write or message your local member of parliament saying you do not want to see the bill pass.
  • Vote with your feet at the next election and do not vote for any party that has supported the bill.
  • Please share this with your friends.

There is just enough time left to change the outcome; make it happen for our future.