Authorities will be given the ability to take over the online accounts of Australians and hack into networks to change or delete data for alleged crimes that carry jail time of three years or more, under legislation introduced to Parliament on Thursday.
First flagged in the 2020 Cyber Security Strategy, the government introduced legislation to the House of Representatives handing significant new powers to the Australian Federal Police (AFP) and to the Australian Criminal Intelligence Commission (ACIC) to combat “online serious crimes”.
The new powers relate to criminal offences that carry maximum imprisonment of at least three years, which fall under the AFP’s jurisdiction.
In unveiling the legislation, the government has highlighted targeted crimes such as child abuse and terrorism, but the new warrants will also apply to Commonwealth crimes including theft, fraud, tax evasion, illegal gambling, forgery and piracy.
According to Digital Rights Watch program director Lucie Krahulcova, the new legislation is further evidence that Australia is in “dire need of a reckoning” on privacy and should be subject to review by the powerful Parliamentary Joint Committee on Intelligence and Security (PJCIS).
“The bill is further indication that Australia’s relationship with privacy is fraught and in dire need of a reckoning. Law enforcement does need to be equipped to do their jobs, but we must consider their record of over-broad use of similar powers in the past,” Ms Krahulcova told InnovationAus.
“The Parliament has to ask the hard questions and make the assessment whether these powers are proportionate, just and fair. This bill must be reviewed by the PJCIS.”
Electronic Frontiers Australia also raised concerns, saying the legislation is “another substantial expansion of authoritarian power in a country that lacks fundamental human rights protections for its citizens”.
The legislation introduces three new warrants, allowing authorities to disrupt data, access networks of anonymous individuals and take control of the accounts of alleged criminals and lock them out of these accounts.
“Just as online criminals are constantly changing their operations and reacting to new environments, the law must adapt in order to give law enforcement agencies effective powers of response,” the bill’s explanatory memorandum said.
The government said the new powers would address gaps in the current legislative framework to enable authorities to collect intelligence, conduct investigations, disrupt and prosecute “the most serious of crimes”.
While the explanatory memorandum points to crimes such as child abuse, terrorism, the sale of illicit drugs and identity theft, the only threshold for the issuing of these warrants in the legislation appears to be crimes with a maximum jail sentence of at least three years.
The government said there will be necessary safeguards in place, including oversight mechanisms and controls to ensure the new warrants are used in a “targeted and proportionate manner to minimise the potential impact on legitimate users of online platforms”.
The account takeover warrants would allow the AFP or ACIC to take control of an individual’s online account to gather evidence against them and lock the person out of their account.
To issue one of these warrants, a magistrate would have to be satisfied on reasonable grounds that an account takeover is necessary to collect evidence of a serious Commonwealth offence or a serious state offence that has a federal aspect.
This would be an entirely new power for Australian authorities, which can currently only take control of a person’s account with their consent. These warrants would be used in conjunction with other warrants, the legislation said.
Under the data disruption warrants, authorities would be able to disrupt data by modifying, adding, copying or deleting it in order to “frustrate the commission of serious offences online”.
This would be done covertly, and authorities would be able to conceal that they are doing it. It would not be done for the purpose of evidence gathering, but evidence collected under one of these warrants could be used for a prosecution.
A data disruption warrant would be issued by an eligible judge or a nominated member of the Administrative Appeals Tribunal, if they suspect on reasonable grounds that one or more relevant offences are being, are about to be, or are likely to be committed, and involve or are likely to involve data held on a computer, and that the disruption of this data is likely to “substantially assist” in preventing these offences.
The network activity warrants will allow authorities to target alleged criminals operating online about whom they have little information, such as a group of people using a service or platform to carry out a criminal activity, but whose identities are unknown.
This would allow the AFP to add, copy, delete or alter data as needed to access encrypted information relating to these networks.
This shows that the government’s existing, controversial anti-encryption powers aren’t working, Ms Krahulcova said.
“The fact that there are additional powers in the bill to circumvent encryption also tells us that the controversial Assistance and Access Act is either not working or didn’t go quite far enough for the satisfaction of these agencies. Either way, that legislation has undergone extensive reviews and assessments by the Independent National Security Legislation Monitor and is in dire need of reining in and reform. That can’t be ignored,” she said.
These warrants would also be issued by a judge or a nominated AAT judge if they are satisfied that a group or individual is engaging in or facilitating criminal activity constituting the commission of one or more relevant offences, and accessing this data will substantially assist in the collection of intelligence.
The Inspector-General of Intelligence and Security will have oversight of these warrants.
While the legislation focuses on the warrants process, the text of the bill does outline a process for “emergency authorisation” where the data disruption powers could be granted by an “appropriate authorising officer” if there is an “imminent risk of serious violence or substantial damage to property”, if the data held is immediately necessary for the purpose of dealing with that risk, and if the circumstances are “so serious and the matter is of such urgency that disruption of data held in the target computer is warranted”.
This is of particular concern, Ms Krahulcova said.
“When we consider just how invasive the new powers are, the use of warrants is critical in ensuring both proportionality and accountability for law enforcement agencies. Yet the bill immediately seeks to weaken that legal standard by introducing emergency authorisations – that’s extremely worrying,” Ms Krahulcova said.