Wednesday, 30 January 2019 10:24

Encryption law: developer lists economic, practical and ideological concerns

An Australian software engineer, who works at a health tech start-up that uses encryption to protect patient data, has suggested several changes to the Federal Government's encryption legislation which was passed in December.

Jake Bloom, who formerly worked with Facebook in California, listed the following changes which, he said, should be made to the law in the event that it was not taken off the books altogether:

  • Remove the concept of a Technical Capability Notice (TCN) as it amounts to nothing more than servitude;
  • Amend the legislation such that Technical Assistance Requests (TARs) and Technical Assistance Notices (TANs) can only be served to a corporation, not an individual;
  • Narrow the scope of the legislation so that it can only be used in the case of terrorism and child sex offences, not the broad scope that currently exists;
  • Properly define a “whole class of technology”;
  • Allow the public to immediately view which companies have been served with TARs and TANs.

The bill was passed on 6 December but just 12 days later, the Parliamentary Joint Committee on Intelligence and Security said it would begin a fresh review.

The new review has asked for submissions and will submit a report by 3 April.

In November 2018, during hearings on what is officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, a number of law enforcement agencies — ASIO, the Australian Signals Directorate, the Australian Federal Police and Victoria Police — said the law needed to be passed as quickly as possible, and before Christmas, though no concrete justification was offered for this.

Later, Prime Minister Scott Morrison and Home Affairs Minister Peter Dutton told the media that they would be asking the Parliamentary Joint Committee on Intelligence and Security, which was holding hearings into the bill, to speed up the process and send the bill back to Parliament as soon as possible.

Elaborating on his suggestions, Bloom pointed out that serving a TCN appeared to be illegal, as it involved engaging an individual in servitude according to the definition in section 270.4 of the Australian Criminal Code.

The section reads: "(1) For the purposes of this Division, servitude is the condition of a person (the victim) who provides labour or services, if, because of the use of coercion, threat or deception:

"(a) a reasonable person in the position of the victim would not consider himself or herself to be free:

"(i) to cease providing the labour or services; or

"(ii) to leave the place or area where the victim provides the labour or services."

Said Bloom: "Under this definition, if an individual was to be served with a Technical Capability Notice, they would be a victim of servitude, as the Commonwealth is not remunerating the individual for building the capability, the individual is not free to cease building the capability, and is operating under the threat of jail time. While I do not claim to be a legal expert, in my mind, the concept of a Technical Capability Notice seems at odds with this definition."

He said he had ideological issues with the law as well, pointing out that in a democracy, "it is important for there to be methods of communication among citizens that is free of government oversight".

But Bloom also listed economic and practical concerns with the law. In the first instance, he pointed to the government ban on a Chinese vendor playing a role in the rollout of 5G networks. "This legislation ensures that there is no doubt when it comes to Australian technology – the Australian Government is listening, and the public debate around these laws means that the international community has noticed."

He provided the example of Apple and NASA using Australian firm Atlassian's BitBucket software to store source code.

"As a result of the passage of the bill, Apple and NASA know that a capability to read their source code could be installed into BitBucket without notice," Bloom said. "As a result, international firms will move away from using Australian-made software to power their business, in a huge blow to the Australian export market."

He also pointed out that the GDPR, which came into force in May last year, required immediate disclosure of improper use of user data, even if only a very few users were affected.

"This means that an Australian company that has been subjected to a TAN or a TCN cannot comply with the GDPR laws and cannot legally export to Europe," Bloom said.

"As a result, this legislation cuts off the export market for Australian software companies, and puts in jeopardy the employment of Australians overseas. There are over 300 Australians employed at Facebook, and all of them are learning world class skills that many hope to bring back to Australian shores one day. This legislation would cut off this learning pathway for Australians overseas and stymie the knowledge that they bring home with them."

As many others have, Bloom also said the law did not provide clarity on what exactly constituted a systemic vulnerability. This could lead to someone creating a backdoor unintentionally, he suggested.

"Secondly, it is accepted practice when writing software that before you can deploy your code for users to interact with it, it needs to be reviewed by another person. This renders the confidentiality clauses within the legislation useless, as at least one other person will see that a weakness, vulnerability, spyware or redundant code is being inserted," Bloom said.

"Upon discovering this, it would be raised immediately to management or leadership of the company, and would likely resolve in an immediate termination of the engineer who executed the TCN. Having worked at a large multinational company, I can tell you that the rank and file employees as well as the leadership would be more inclined to pull a product from a market altogether rather than compromise the security of the application.

"Given that Apple has previously declined to unlock iPhones for the FBI, and Facebook and Google are unwilling to comply with Chinese Government to access a market of over one billion people, I find it difficult to believe that these companies would waste time and money making a product less secure to satisfy a market that they can be successful without."

Bloom said developers would often be caught between a rock and a hard place if they were asked to comply with any compliance notice.

"...for many people, being served with a request or notice under this legislation places them into an entrapment scenario, where ignoring the notice would breach laws in Australia and complying with the notice would breach laws such as Europe’s GDPR or the USA’s HIPAA. This creates a no-win scenario where being served with a notice means fines or jail time in multiple jurisdictions, regardless of the action taken," he added.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
