6 Jan 2019, 04:48 AM   #31
ioneja
@BritTim Agreed completely.

@Terry I'm sure that's part of the idea -- I'd like to give the lawmakers the benefit of the doubt for hopefully having good *intentions*, but sadly, in order to get those powers, they've rammed through a law that will do more harm than good.

BTW I've had a chance to look through the law a bit more, and I also re-read FastMail's response (latest blog post here for convenience: https://fastmail.blog/2018/12/21/adv...ill-australia/ ), and I believe that at least for me, FastMail has definitely not responded strongly enough.

First, to their credit, FastMail has at least raised concerns about the bill and submitted their opposition to the bill, plus contacted parliament and started working with other firms to "put forward a united call for sensible amendments to the law." BUT ultimately, FastMail "won't be making changes to [their] technology or policies."

They continue: "Law enforcement has always been able to request information from us through the Telecommunications Act with a lawful warrant. Because we have the ability to decrypt all data, there is no need to make changes that circumvent encryption."

And more: "Every warrant we receive is reviewed by senior staff for legitimacy and scope before data is provided. Each account whose data is requested must be individually identified. Responding for one user does not require us to expose or share the data of our other customers."

So this is all fine and dandy, but their statement doesn't really address the deeper issues IMO... in fact, for me, it just passes over them as if it's business as usual for their legal request process... but indeed things have changed on a fundamental level! There's far more to it.

They don't address how sweeping and profound the changes are and their theoretical and real ramifications. For example, the ease and facility of how the requests are actually different than in the past -- i.e. Technical Assistance Notices (TAN), Technical Capability Notices (TCN), and worst of all, Technical Assistance Requests (TAR), and how the scope and scale of requests has been broadened with *reduced* government accountability and oversight, along with the serious implications of how much power has been granted to those entities that submit the requests.

Not to mention the ambiguous but serious implications of Five Eyes-related intelligence agencies and how they are connected, i.e.: "...assisting the enforcement of the criminal laws in force in a foreign country, so far as those laws relate to serious foreign offences." That's a big deal. Correction. HUGE deal.

Not to mention very strong hush clauses and penalties for whistleblowers -- very few protections! And while the parties who request data, for example, are "supposed" to take into account the impact of a request on ALL parties, guess who actually determines the impact? The requesting party! Bias much? Plus, there is little to no substantive oversight of that, and the requester him/herself can be various entities in law enforcement who can also ultimately decide what requirements the requests have! It's actually stunning to read the scope of this. How it will be carried out is beyond me... in the US it would be tied up in courts for years. For all of our problems over here in the US, at least we're incredibly litigious when it comes to things like this, which can at least put a brake on some crazy things for a while.

I even read that they don't even need to initially submit the request in writing if there is "an imminent risk of serious harm to a person or substantial damage to property" -- they have 48 hours to follow up with a written request. So someone could literally "phone in" a verbal request? What?!? I mean, how lazy (or in a rush) do they have to be that they can't write out their request (and more rightly have an impartial judge sign off on it, yeah right), and create a legal paper trail with signatures on it... at the very least!?! How imminent does the "risk" have to be? WHO decides how "imminent" it is? What mechanism provides real oversight and accountability? Why not just declare martial law? Maybe the parliament has been watching too much Bourne Identity? How lousy is their law enforcement that they are waiting until the very, very, very last second to intervene, such that they can trample right over a basic written chain of authorization that involves actual human rights? I mean, I get a clear and present danger, but good grief, the person they're forcing to do their bidding over the phone probably has to write the request down anyway, so why can't the requesting party? Might cut down on confusion, right? Might cut down on a few mistakes, right? I'm surprised they didn't put in a voice dictation clause. It's just bonkers. And that's nothing compared to what else is in there. We're literally off in some Hollywood movie now with this law. But let's just say I misread all that -- so let's throw that one out... what other goodies are in there?

And, like others have commented here in this thread, the law extends to ANY service that "provides an electronic service that has one or more end-users in Australia" -- and this even applies to device manufacturers and component manufacturers! So this even theoretically impacts all the other TOOLS and INFRASTRUCTURE that FastMail uses! Now in a practical sense I don't know how that would be implemented, but just think about it... the language is so sweeping it goes all the way to "component manufacturers!"

On both philosophical and practical levels, this goes way beyond a response from FastMail where they say that they "won't be making changes to [their] technology or policies." It's an outright assault on the very nature of what their business MEANS and the very building blocks of the services they provide.

I could go on. And some folks might think I'm overreacting. Most won't notice or care. And yes, it's just academic at this point since the practical application has yet to be seen... but then again, the hush provisions are so strong that we actually wouldn't KNOW what is being done TBH. Just read what the requests can actually contain. Carried to one end of the scale of interpretation, it's quite frightening how broad and in some cases vague the law is.

Honestly, the law should never have been passed like this in any sensible democracy. It reads straight out of a totalitarian government's playbook.

And then we can talk about how the law was actually passed, and Labor's caving in to it. I don't even know what to think about what happened.

Anyway, I don't mean to go on and on (and yet, I guess I can't help it, I must be venting). I'm so surprised by what ultimately amounts to a brazen, unrestrained, audacious assault on basic rights of freedom of speech and privacy with a fundamental failure of accountability and fair oversight from a democratic country. The more I look at it, the more I'm floored by it.

As for FastMail, I feel bad for them TBH. It's not their fault. They are just going about their business trying to be a great service provider and they get this bomb lobbed at them. I think their response is very underwhelming and definitely not to the scale of the implications and even the potential unintended side-effects of this law. While their day-to-day operations may not change on the surface... they are now in a whole new ball game in terms of environment, unless this law gets amended right away. One can hope.

Not to mention what it means down the road for the rest of the world that uses products and services from Australia and offers services sold to Australians! Yikes.

And while in the end, FastMail may choose to do nothing since most people don't know or care what's going on (the apathy problem of our society), FastMail does have to decide what their core mission and philosophy will be going forward. This is IMO a new chapter for FastMail to either make a strong stand against this vast government overreach, or maybe they'll slip into the comfortable (and financially justifiable) position of sitting back and treating it like any other business navigating normal regulations. I mean, even Microsoft and now Google are willing to compromise their own search engine products to satisfy China's censorship requirements, so if big powerful American companies are willing to compromise that much on core values, why should FastMail fight something that is clearly not their fault? They could put on a good show of it, join some digital rights groups and send letters to Parliament, and then write nice little blog posts about it to meet the minimum PR requirements to satisfy 99% of the users, right? It's just business, right?

Well, no. It's not just business IMO. It's a core value of democratic societies to protect certain human rights and due process. Even if we see those very rights being swallowed up by poorly justified, grossly overreaching, terribly worded laws like this, however well intended.

Okay, I'll call it quits on this discussion. There's a lot more. And I'm sure it can be argued in minute detail by legal experts about how I'm wrong about everything. The fact that any legal experts have to go in and parse through this vaguely written mess of a law is tragic by itself, let alone what the real-world implementation may be. At least in the US, civil liberties and digital rights groups would be taking this to the Supreme Court before it could ever be implemented. The fact that Labor crumbled like this and the law was passed with so little friction is a miscarriage of democracy IMO.

Okay, that just about wraps things up on my thoughts. Thanks to anyone who gets this far in my post! :-)

BTW, on a more positive note, I want to once again thank this forum for the great conversations and info... I've always learned a lot from you all over the years, and this is often one of the first places I find out about some of these issues. Much appreciated!

Last edited by ioneja : 6 Jan 2019 at 05:25 AM.