[alfiedotwtf]

> Designated communications provider must not be requested or required to implement or build a systemic weakness or systemic vulnerability

The key words here being systemic.

Sure, they can't create a backdoor that will allow weaken everyone's protections, but the way the whole 317ZG is written is that between the lines a "communications provider" can be compelled to provide targeted access to individuals.

For example, let's say all our phones have e2e encryption and cannot be unencrypted unless you have a password. There is scope within the act to commandeer Google/Apple (who both have offices in Australia) to push targeted updates to a specific user and save targeted plaintext data or even install a keylogger etc.

In other words, this would then give authorities access to plaintext data on the phone without a user's consent, all without being systemic weakness.

And I'm writing this based on many discussions with lawyers. I was very vocal about the AABill when most people Australian tech people didn't care, but I can tell you know that a lot of lawers were concerned and reached out.

It is commandeering Full. Stop. Want to disobey a TAR, TAN, or TCN? Go right ahead given that you say it's not FUD... but be my guest arguing with:

    9  Subsection 3LA(5)

    Repeal the subsection, substitute:

    Offences

             (5)  A person commits an offence if:

                     (a)  the person is subject to an order under this section; and

                     (b)  the person is capable of complying with a requirement in the order; and

                     (c)  the person omits to do an act; and

                     (d)  the omission contravenes the requirement.

    Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

[Youden]

I'm not saying TARs, TANs or TCNs are FUD and you can ignore them, I'm saying the suggestion that they can compel the introduction of a backdoor is FUD.

The example you give, if it's possible, is an example of an existing systemic weakness. Yes, the government is free to exploit it but the government can't compel its existence.

Apple and Google are free to eliminate it, if they so choose.

FWIW, I'd consider the possibility of such a mechanism to be a problem in itself. And I don't believe it is possible today. Android, at the OS level, will only install updates with the same signature as the currently-installed version.

[alfiedotwtf]

> I'm not saying TARs, TANs or TCNs are FUD and you can ignore them

> Apple and Google are free to eliminate it, if they so choose.

Pick one.

Again, a TCN compels a provider to develop a targeted capability, or face jail time.

[Youden]

A TCN can only compel a targeted capability where doing so does not require introduction of a systemic weakness.

If the system is secured in such a way that the targeted capability isn't possible (e.g. open-source project with e2e encryption and verifiable builds), the government cannot compel introduction of a systemic weakness (e.g. stop using verifiable builds) to make it possible.

My suggestion is that Apple/Google build their software such that it is systemically secure against targeted attacks.