The Australian government has new laws on the books to hack your computer, your online accounts, and just about any piece of technology and networks you come into contact with. It can happen without a warrant and without you ever knowing. That’s just the start of it. Outraged? Good.
Earlier in August, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) released a report on the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 recommending it be passed with significant changes. Most notably, they recommended narrowing the scope of the new powers introduced by the bill, by limiting the criteria for issuing new warrants, requiring approval from a superior court judge and calling for stronger oversight and review mechanisms.
The bill was passed just over a week later by both houses. Needless to say, most of the recommendations of the PJCIS report have gone ignored, similarly to the concerns previously raised by us, Human Rights Law Center and several others. So let’s dive right in and take a closer look at the powers the legislation will grant to law enforcement. The three big powers given to the Australian Federal Police (AFP) or the Australian Criminal Intelligence Commission (ACIC) are:
- Data Disruption Warrants
- Account Takeover Warrants
- Network Activity Warrants
A DATA DISRUPTION WARRANT enables the agencies to “add, copy, delete or alter” data on devices. And while it’s called a warrant, there is an emergency authorisation process for cases when it is “not practicable” to get a warrant. So a data disruption “warrant” can be issued under something referred to as an emergency authorisation; a new power which the PJCIS insisted in their report should be reserved for a superior court judge. This was ignored and so emergency authorisations remain — which means that Australia now has a warrantless surveillance regime on the books.
A couple of additional notes on data disruption “warrants” is that they: can be issued on devices even if the individual’s identity is not known, if the device is “likely connected” to a suspected offence, or if the information could “assist” in an investigation. It should also be noted that in the final text an emergency authorisation can also be used to simply get “access to data held in a computer.” To do this, the final text allows them to use a computer, a telecommunications facility, any other electronic equipment or a data storage device.
AN ACCOUNT TAKEOVER WARRANT enables the law enforcement agencies to take control of an account, and even lock the account holder out of it. This can be done covertly and without consent, so the individual wouldn’t necessarily know what is going on until or if they are ever charged. It includes removing two-factor authentication and using one account to gain access to others (directly contradicting cyber security best practices for staying safe and secure online). The warrant is applicable for a maximum of 90 days (though extensions are possible) — so that is the length of time a law enforcement officer can impersonate you or use your accounts to monitor your activity and gather information. The emergency authorisation, overseen by a magistrate, is also available under this power.
NETWORK ACTIVITY WARRANTS allow access to networks where there is suspicion of serious online offences, although what qualifies as “serious” has a variety of definitions in the legislation. The desire to “overcome security features like encryption” on this scale should have us all extremely concerned. In their submission to the PJCIS, the Human Rights Law Centre raised alarm at the definitions used under this power, which are so dangerously overbroad they would enable widespread surveillance across social media and messaging platforms. Yes, that means if someone is suspected of using Whatsapp (for instance) for criminal purposes, the power would allow the AFP and ACIC access to all of Whatsapp. They are subject to the same secrecy and time limitation (90 days with a possible extension) as account takeover warrants. Unlike the other powers, evidence gathered this way cannot be used in court, but it can inform further warrants and inform officials where to look — this warrant allows for mass network surveillance.
And we can also note that while there are some restrictions on the extraterritorial application of these warrants, mostly that a consenting official from another country is required in order to proceed with such an investigation, the judge is allowed to authorize network activity warrants for other jurisdictions if the location of the data is unknown or cannot be reasonably determined.
The PJCIS report also insisted on increased powers of reporting for the Independent National Security Legislation Monitor (INSLM). In fact, setting the egregious scope of these new warrants aside for a moment, there are fundamental shifts that happen in these laws about how surveillance power is distributed and overseen in Australia. The distinction between a superior court and the Administrative Appeals Tribunal (AAT) is huge, and most of TOLA is now subject to the oversight of the AAT (see below section on ‘context’ for more information). All these bodies are equipped and resourced in completely different ways. The rules of evidence are different, just as the decision-makers are different; only recently there was a scandal that Christian Porter was appointing underqualified people to the AAT. The INSLM can in fact provide independence in their review, but it is not immune from politics, and reports from the office can certainly be completely ignored at the discretion of the government.
In the final text of Identify and Disrupt, the AAT is given a massive task when evaluating the merits of any application. Among countless other things, it is up to them to determine whether:
- There may be any privacy implications “to the extent known.”
- The execution of the warrant is likely to cause a person to “suffer a temporary loss of: money, digital currency, or property (other than data).”
- The public interest outweighs the importance of protecting a journalist and/or their sources.
- There are alternative ways to access the data or otherwise proceed with the investigation.
On the last point, it is not the responsibility of the officers to present that to the tribunal members, just as it is not up to them to run a full privacy impact assessment, or consult software developers or engineers before compromising a piece of equipment. Ultimately, the tribunal members of the AAT who are overseeing these overbroad hacking powers are expected to have a level of technical expertise which many actual subject experts, let alone judges, would struggle to be certain of.
One of the recommendations by the PJCIS was to introduce a public interest advocate in the decisions regarding these warrants, which was also ignored across the board. A public interest candidate is someone who would argue on behalf of the affected individual in the room where right now only a police officer and a judge get to play judge and jury. The PJCIS foresaw using this only in certain instances, but we have suggested a similar mechanism for other surveillance operations. As it stands, the Australian government remains uninterested in allowing individuals to defend their rights: there is no one to argue on your behalf, and there is never any notification to the individual (even after the fact) so you will never know if you were subject to any of these powers.
The context of Australia’s expanding surveillance regime
There was an international uproar when the Australian government passed the Assistance and Access Act, also known as TOLA. Introduced in 2018, it contains some of the broadest powers for law enforcement to intercept and monitor encrypted communications. Its only international parallel is the UK’s equally infamous Investigatory Powers Act, which is under ongoing challenges in the UK Courts over its infringement on privacy — an avenue for challenge that remains unavailable to Australians where the right to privacy continues to be ignored by the federal government (and thus out of reach for such court challenges).
But TOLA, which gave law enforcement and intelligence agencies the power to infiltrate and compromise encrypted communication channels, has been deemed to be not quite enough. It should be said that TOLA remains under review for its incompatibility with human rights and the right to privacy and freedom of expression, and is still waiting for amendments as suggested by the Independent National Security Legislation Monitor (INSLM) in June 2020. In spite of that, the Australian government went on to add two new pieces of legislation to expand its mass surveillance mandate:
- International Productions Order (IPO) Bill — even though it passed in Australia, the powers will need to be approved by the US Congress before taking effect.
- Identify and Disrupt Bill.
We can refer to both now as acts because — in what is an increasing trend in the Australian Parliament — the bills flew through both houses in a single day.
The Identify and Disrupt Act grapples with the same issue that TOLA did — the need for law enforcement to see and intercept what we do online. However, Identify and Disrupt goes much further and where it was not completely true to call TOLA an attempt at mass surveillance, Identify and Disrupt now provides that capability and overreach for both AFP and ACIC.
In the INSLM report on TOLA, Dr James Renwick, who was serving as the INSLM at the time, recommended that the powers under TOLA be extended to a federal level Independent Commission Against Corruption (ICAC) — this was a calculated decision to pressure politicians to consider what this power means when it extends to investigations of corruption at the federal level. Alas, we will continue holding our breath and waiting for the politicians to hold themselves equally accountable to the surveillance regime they’ve built for the rest of us.
Finally, it should be noted that Australia’s electronic surveillance regime will be overhauled in the years ahead following the recommendations of the Richardson Review into the National Intelligence Community, made public last year. So if you are frustrated with the system, gear up and join us for an end to mass surveillance and a fair system in Australia.
What we recommend…
- If you want to have a private confidential conversation, and you have thought about the likelihood you may be subject to surveillance, have it in person with no devices around. We know this is a challenge, particularly in COVID times, but especially for groups in climate activism and those attending protests, this is key.
- If it is possible, break your work and life across multiple devices, operating systems, and accounts so that it becomes more difficult for you to be thoroughly compromised.
- Digital security! Update your passwords regularly (use a password manager), check that you have 2FA enabled wherever possible, and keep an eye out for any suspicious activity (on your account or those of your friends and network). Always call the person or reach out over text/a second channel if you are unsure about a link/attachment/message that was sent to you. Governments are intent on compromising our digital security for their own purposes, so do your best to limit your exposure to the risks they have created for us.
- Write to your MPs to voice your concern about the lack of individual’s rights in this legislation. You can use this post to illustrate your concerns. Ask for the legislation to be referred to INSLM for a human rights impact assessment. There will be a 5 year sunset for the powers in this legislation — meaning that they will need to be revisited and reapproved by Parliament. We can turn the tides on this!
- Sign the petition! The more signatures, the louder we will echo through the halls of Parliament.
- Support our Work! You can become a member of Digital Rights Watch and/or sign up to our updates. This way you will know once there are further actions for you to take! You can also help by donating to support our work, following us on social media, and sharing our work far and wide!
Want more? Here are some additional resources…
You can listen to our Director, Lucie Krahulcova, explain the issues: