The government will refer legislation handing sweeping hacking powers to the AFP to the Parliamentary intelligence and security committee amid concerns the extraordinary new powers would lead to “poisoned water hole” operations and make Australia an international outlier.
The federal government last week introduced legislation handing new powers to the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) to hack into the computers and networks of those suspected of conducting criminal activity online, specifically targeting the dark web.
The bill introduced three new warrants, allowing authorities to “disrupt” data of the suspected offenders, to access their devices and networks to identify who they actually are, and to take over their accounts covertly.
The laws were introduced without any consultation and with little fanfare from the government, and were quickly met with widespread concerns, and comparisons with the highly controversial anti-encryption powers, which were passed in a rush in the last days of Parliament in 2018.
The Law Council of Australia said the “extraordinary” powers needed to be subject to proper review and oversight and must be referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
A Home Affairs spokesperson confirmed the bill would be referred to the PJCIS and would be debated in Parliament after a report is tabled.
“It is important for the PJCIS to consider this critical and complex piece of legislation, the spokesperson told InnovationAus.
The new powers point to authorities wanting to conduct “poisoned water hole” operations, where police or other agencies take over an illegal platform or service on the dark web and continue to operate it in order to obtain the identities of its users.
The network activity warrants in the new bill would allow the AFP to access the device and networks of groups or individuals suspected of taking part in criminal activity online, but whose identities they do not know.
They serve to “target criminal networks about which very little is known”. These warrants would be issued by an eligible judge or member of the Administrative Appeals Tribunal.
Information obtained under one of these warrants could be the subject of derivative use, the explanatory memorandum said, which means it could be cited in an affidavit on application for another investigatory power, such as the issuing of another warrant.
These warrants could be used in combination with the new account take over warrants, which would allow the AFP and ACIC to take over the online accounts of individuals suspected of taking part in criminal activity, covertly and without consent, and would be approved by a magistrate.
The legislation unveiled last week by the government also included “minor amendments” to the Controlled Operations Act, scrapping a requirement that the illicit goods used by authorities as part of an “online controlled operation” be under their control at its conclusion.
This means that if an undercover AFP officer is posing as a drug dealer, any drugs used in the operation must still be in their control at the end of the operation.
“This is intended to address how easy data is to copy and disseminate, and the limited guarantee that all illegal content will be able to be under the control of the AFP and ACIC at the conclusion of an online control operation,” the explanatory memorandum said.
According to Deakin University senior lecturer in criminology Dr Monique Mann, these changes point to the government looking towards “poisoned water hole” operations, where authorities take control of a criminal platform or marketplace and then continue to operate it in order to gather information on its users.
“The amendments to those laws, combined with the computer network operations powers and capabilities, indicates to me that they want poisoned water hole operations,” Dr Mann told InnovationAus.
“Effectively this is giving law enforcement the ability to conduct extraterritorial government hacking of websites around the world, that they don’t know where they are, which is beyond the legal authority of Australian law enforcement,” she said.
“They will potentially be running poisoned water holes and hacking companies where they’re not sure where they are located. That has significant extraterritorial implications for due process for suspects.
“Because they’re going for an expansion of hacking and account takeovers, it shows they’re going to hack into them, take them over and continue to run them as controlled operations. This suite of powers combined in this way is for poisoned water holes, it’s pretty clear.”
One of the most prominent of these types of operations occurred when the FBI seized dark web site Playpen in 2015.
The FBI then obtained a warrant allowing it to continue to run the illegal site on a government server and distribute malware to those who logged onto it.
This allowed the FBI to identify around 150 computers in the US and more than 8,000 in another 120 countries which had accessed the platform.
This entire transnational operation was authorised with just one warrant from Eastern Virginia.