mark nottingham

Eight #aabill Predictions

Thursday, 6 December 2018

Australia

As I write this, the Australian Senate is in the final stages of passing the Assistance and Access Bill 2018 (with some but not all amendments).

Lots of people think that the effects of this legislation will be far-reaching and surprising. Because it’s not clear how such a hastily written, vague bill will be implemented, many of the impacts are hard to predict, but its biggest effect might be easier to discern.

That’s because its true legacy isn’t likely to be a direct impact measured in the number of TARs, TANs and TCNs (Technical Assistance Requests, Technical Assistance Notices and Technical Capability Notices) issued; rather, its lasting effect will be the reaction of various parts of industry and the Internet.

But what will that reaction be? Here are my off-the-cuff predictions:

#1: Somebody Pulls Out

Some hardware vendor, software author, or service provider might perceive the risk of continuing to do business in Australia – therefore making them subject to this law – as too high, and as a result pull their business fully out of this country.

What risk? The thinking goes that being subject to this legislation means that they are “tainted”; there might be an overreaching TCN or TAN applied, and its very limited oversight and transparency combined with the onerous secrecy measures means that overseas buyers will lose confidence.

Australia’s not helping itself here by being such a small market, in global terms; if a provider would lose 5% of its US business by staying, it’s not a hard choice.

I don’t think this is very likely, though, if only because other countries are reported to be considering enacting similar legislation, and cooperating in application of these laws.

Still, this might make sense for companies who don’t already have a lot of Australian business, or who are in especially sensitive industries, such as military and government suppliers. Likewise, a motivated and very large company might decide to make a statement here, sacrificing the Australian market to prevent this approach from spreading elsewhere.

It’s also more likely if a company perceives its obligations under Australian law to conflict with those it has in overseas jurisdictions – a factor that many submissions to the committee pointed out, and that wasn’t addressed in the amendments.

Let’s set the odds of this happening in the next five years to a company whose name most people would recognise at 20%.

#2: Outsourcing Our Mates

A variant of #1 is Australian companies who serve global markets, especially when they have products or services that handle lots of sensitive data (whether that be military, corporate, government or personal).

Here, the perception of risk is much higher, because it’s an Australian company – even when the actual risk isn’t much different.

I suspect this is going to happen; the question is whether it will happen to a company whose name we’d recognise. Let’s put the odds of the latter happening in the next five years at, say, 15% – only because there aren’t that many companies that qualify.

#3: Australia Gets Clayton’s Security

An international company that serves Australia and wants to stay has another choice; it can create special, Australia-specific products and services; that way, if an “intercepting agency” asks for access to a non-Australian version, the company can tell them to get fucked (this is Australia, after all).

That Australian product (or service) is likely to have fewer guarantees around privacy and security, because it is operating in an environment that’s perceived as unfriendly to them.

Again, this is mostly about managing the perception of overseas buyers; if they know that there’s a separate Australian product, they’re more likely to believe that they’re insulated from Australian legal demands. It’s also going to be appealing to suppliers in sensitive markets.

I think this is quite likely; let’s say a 65% chance of it being done to a product or service from a supplier most people would recognise, in the next five years.

#4: Less is More

Arguably, the instruments in this legislation that the “interception agencies” really want to be using are the TARs and TANs – Technical Assistance Requests and Notices. “Assistance” means that they’re just asking for data or a capability that the provider already has lying around; it’s the TCN – the Technical Capability Notice – that can compel a provider to build something new, and that’s the instrument getting most of the attention.

Some of that is unavoidable; for example, a Web store is always going to know what you buy, so they’ll be able to provide this if they’re served with a TAR or TAN – which have a lower bar for oversight, as compared to TCNs.

That said, a lot of what’s collected isn’t what you do, it’s extra information – sometimes called “metadata” – that helps them operate their services, or is just collected in the normal process of business. Interestingly, it’s not at all clear what kind of oversight applies to metadata, or whether a warrant is required; see my earlier post.

If consumers get nervous about these powers being misused, it might create a market for services and software that intentionally limits data collection.

A year or two ago I would have said there was little to no chance of this happening, because the vast majority of people don’t seem to care about their privacy (as evidenced by Facebook et al). However, I think the tide is turning a bit here (thanks to Facebook et al), and #aabill could contribute to a tipping point.

In a way, this is already happening; Apple is making great strides in being thoughtful about how they treat data and the capabilities of their devices. Product managers at other companies are taking notice, even if Apple’s business model isn’t the same as theirs.

This is more of a trend than a prediction, so I won’t assign a probability.

#5: Going Really Dark

The other obvious countermeasure to things like #aabill is to use encryption prolifically; not only “on the wire”, but “end to end” – i.e., so that only you and the people you’re communicating with can read the content, and nobody in between, including the service carrying the messages.

Again, we’re already seeing this, in messaging apps like Signal and Wire. Unfortunately the design of e-mail makes it impractical for everyone to do it there; for things like file storage, it hasn’t caught on very well, and the way the Web works means you have to trust the server.

Lots of people are trying to create other “dapps” – distributed applications – but just because an application is distributed, it doesn’t mean that it honours your private data.

Still, I suspect we’re going to see renewed interest and work on end-to-end encryption where possible; the IETF’s work on MLS (Messaging Layer Security) is one recent example.
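To make the “on the wire” versus “end to end” distinction concrete, here is an added example (not code from the original post, and not any of the messaging apps mentioned above) that sends one message from Alice to Bob through a relay under both models. Names, the message text and the key schedule are assumptions for illustration: real protocols derive keys with HKDF and ratchet them, whereas this demo simply hashes the X25519 shared secret into an AES-256-GCM key. The point it shows is the one that matters for a notice served on a provider: the relay that terminates transport encryption holds plaintext it could hand over, while the relay that only forwards an end-to-end envelope has nothing but ciphertext, and its attempt to open the envelope with its own key fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// aead derives AES-256-GCM from the X25519 shared secret between me and
// peer. A real protocol would run HKDF with context info and ratchet keys
// (as MLS and Signal do); hashing the raw secret keeps this demo short.
func aead(me *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := me.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg from me so that only the holder of peer's private key
// can read it. Envelope layout: nonce || ciphertext || GCM tag.
func Seal(me *ecdh.PrivateKey, peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	gcm, err := aead(me, peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// Open decrypts an envelope that peer sealed. GCM authentication fails if
// me is not the private key the sender encrypted to.
func Open(me *ecdh.PrivateKey, peer *ecdh.PublicKey, env []byte) ([]byte, error) {
	gcm, err := aead(me, peer)
	if err != nil {
		return nil, err
	}
	if len(env) < gcm.NonceSize() {
		return nil, fmt.Errorf("envelope too short: %d bytes", len(env))
	}
	return gcm.Open(nil, env[:gcm.NonceSize()], env[gcm.NonceSize():], nil)
}

// Outcome records who could read Alice's message to Bob under each model.
type Outcome struct {
	RelayReadsTransport bool   // transport-only: relay decrypts in the middle
	RelayReadsE2E       bool   // end-to-end: relay only sees the envelope
	BobReadsE2E         string // what Bob recovers from the end-to-end envelope
}

// Demo sends msg from Alice to Bob via a relay under both models
// (constructed parties; the message is a placeholder).
func Demo(msg string) (out Outcome, err error) {
	var alice, bob, relay *ecdh.PrivateKey
	for _, k := range []**ecdh.PrivateKey{&alice, &bob, &relay} {
		if *k, err = ecdh.X25519().GenerateKey(rand.Reader); err != nil {
			return
		}
	}

	// Model 1, "on the wire" only: Alice encrypts to the relay (think TLS to
	// the provider), which decrypts before forwarding. The relay holds the
	// plaintext, so it has something to hand over when served with a notice.
	hop, err := Seal(alice, relay.PublicKey(), []byte(msg))
	if err != nil {
		return
	}
	seen, relayErr := Open(relay, alice.PublicKey(), hop)
	out.RelayReadsTransport = relayErr == nil && string(seen) == msg

	// Model 2, end to end: Alice encrypts to Bob's key; the relay forwards
	// the envelope unchanged. Opening it with the relay's own key fails.
	env, err := Seal(alice, bob.PublicKey(), []byte(msg))
	if err != nil {
		return
	}
	_, relayErr = Open(relay, alice.PublicKey(), env)
	out.RelayReadsE2E = relayErr == nil
	got, err := Open(bob, alice.PublicKey(), env)
	if err != nil {
		return
	}
	out.BobReadsE2E = string(got)
	return out, nil
}
```

Calling `Demo("meet at seven")` yields `RelayReadsTransport: true`, `RelayReadsE2E: false` and `BobReadsE2E: "meet at seven"`. Note what the relay still sees in the second model: who is talking to whom, when, and how much, which is exactly the metadata discussed under #4 and which end-to-end encryption does nothing to hide.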

Again, this is more of a trend than a prediction, so I won’t assign a probability.

#6: Blowing the Whistle

The original bill had the wolves overseeing the henhouse; the intercepting agencies were also in charge of assuring they were “reasonable” – and if you didn’t like it, your only option was to zip your mouth and meekly complain to a secret court.

As a result, I had a suspicion that it would breed a new generation of whistleblowers; people in tech companies who saw this law being used in ways that they didn’t think were appropriate, and making that public.

While the bill goes to some lengths to punish such behaviour, I think it underestimates how easy it is to anonymously whistleblow these days (thanks, SecureDrop), and how internationally distributed so many tech companies are. While Australia might punish their employer, the damage (in .au’s eyes) will be done.

The newly-amended bill creates a slightly more antagonistic oversight and appeal mechanism using IGIS and the Commonwealth Ombudsman, so the impetus for a whistleblower might not be so great.

On the other hand, most non-Australian developers aren’t really aware of or inclined to trust these institutions, and many companies will do the calculus and give in to these demands quietly – after all, indemnity! – rather than fight, despite their employees’ misgivings.

So, I think the likelihood of an #aabill whistleblower emerging in the next five years is reasonably good; say, 35%. Note that it might not be reported in the Australian news media, but that’s a different problem.

#7: Open Source Renaissance

Another remedy for people who perceive this legislation as overreach is to use Open Source software (and hardware); after all, who would a TAN or TCN be served upon?

Against this is the impracticality of Open Source for the vast majority of people, and momentum in the other direction from “cloud” services.

So I think this is extremely unlikely to move the needle for anything but a niche market. However, it does illustrate one thing: that niche market is very likely to include the terrorists and pedophiles that this legislation attempts to target.

#8: Scandal!

One last prediction for now, but it’s not of a reaction.

Last week, the Police Commissioner for Victoria, Graham Ashton, was quoted as justifying using a lawyer as an informant against their own client with:

Melbourne was in the grip of what is now widely known as the gangland wars…It was, accordingly, a desperate and dangerous time.

Which sounds a lot like do anything to get the job done – even if it violates the law. That’s not very comforting, when at the same time they’ve been given an extraordinary amount of power with limited oversight.

So, yes, I think there will be at least one #aabill scandal where these powers are seen as being misused. Let’s say a 40% chance of it seeing daylight in the next five years (these things take time to percolate).

Bonus Round: Jobs Jobs Jobs

From Twitter:

It’s very easy to imagine this. Lots of overseas companies have been wooed to Victoria and New South Wales to open branch offices, hire teams of developers and kickstart the local startup culture. For some products and services, this will make Australia a much less appealing destination – for existing teams as well as new ones.