Lack of consulting undermined AA law
Scott Farquhar: Deep concerns about the way the encryption laws have been drafted
The federal government’s controversial encryption legislation has been undermined by an unseemly rush through Parliament that throttled industry consultation, and by a lack of awareness of the reality the new laws create for tech workers.
Both Atlassian co-founder Scott Farquhar and ex-Nuix CEO Eddie Sheehy say the framers of the legislation did not spend time trying to understand the commercial environment in which the laws operate, creating dilemmas in putting the laws into practice.
Mr Farquhar and Mr Sheehy were speaking at the Safe Encryption Australia forum on Wednesday, hosted by InnovationAus.com and StartupAus, exploring a range of industry concerns related to the Assistance and Access Act (AA Bill).
Mr Sheehy, who was CEO at Australian cybersecurity firm Nuix for 10 years and is now an active investor in the tech industry, argued that whoever wrote the legislation had "never run a company, never run a P&L, and never had to front a customer and say 'it's alright, trust me,' because that just doesn't work."
“The people who wrote this just didn't take into consideration the people on the ground,” he said.
The tech industry was generally accepting of the goals of the legislation. But the laws are so poorly framed that they make those goals needlessly difficult to achieve, Mr Sheehy said.
"There's nothing more that makes the CEO's day than putting a pedophile behind bars or stopping some terrorist attack," he said.
“Every single CEO in Australia, I suspect, would do anything they could to help law enforcement to do such a thing.
[But] they're not asking, they're telling. And they're using these draconian ideas that just won't work," Mr Sheehy said.
"The consultation process has really fallen down. They really needed to have a group of small to medium size organisations in Canberra to talk to them to help create a workable solution."
Atlassian’s Mr Farquhar shared an anecdote from his own experience trying to talk to the government about the AA Bill, and fighting a circular argument about the dangers of how it is written.
In an almost comical retelling of his discussion, Mr Farquhar said that as part of asking why there had been no consultation with Atlassian, Australia's biggest technology company – when it became clear the laws would apply to the company – he was told that the laws would only be used to target communications and messaging companies.
"We said, 'OK, then can you amend the law to say that then? Because the law says it applies to basically anything that touches the internet.' And they said 'Well, we may need to access additional things that fall outside of that,'" Mr Farquhar said.
"'Then it does apply to us?' ... 'Well it won't.' ... 'Hang on, where are we? Either consult us – if it applies to us – or write it so it doesn't apply to us!'"
"It's very dangerous to say 'trust us, even though it gives us great powers, trust us that we won't use them in adverse ways'. That leaves us in a difficult spot to be in and obviously our customers feel the same way," Mr Farquhar said.
There are deep concerns that the laws allow law enforcement and intelligence agencies to target individuals who work for tech companies without informing the leadership of those companies.
Mr Sheehy said this problem could have been understood through consultation, including the fact that every company has systems for reviewing code alterations that would cause any surreptitious changes to be found immediately.
"People work in teams. There are fail-safes. There are code reviews. There are log files. Nothing can be done without someone else being able to see and there's a lot of alarms going off if bad things happen," Mr Sheehy said.
"I know a lot of people I've worked with just couldn't do this, either. They'd probably end up with a lot of personal angst and end up leaving behind friends they've made and code they've written and it would be a personal disaster for them. It's unworkable."
"I'd love to help the government to get it right. But I also don't understand why the CEO and the Chair aren't involved. If you want this to work make it work in a sensible way. And even then I don't understand how this would work," Mr Sheehy said.
"Don't assume malice when incompetence will suffice," said Mr Farquhar. "I don't think the government's intent is to conscript people, I just think the legislation is so poorly written that that ended up being the outcome rather than the intent."
But that's an even bigger cause for alarm, suggested Mr Farquhar.
"It puzzles me why the government isn't rushing to fix poorly worded legislation. They know it's poorly written and they just don't want to do it."