The government-funded cybersecurity research centre has thrown its support behind the proposed “extraordinary” new hacking powers for the Australian Federal Police, its position that is at odds with human rights, civil liberties and digital rights groups, as well as a group of Senators who have all raised significant concerns about the new laws.
In a submission to government, the Cyber Security Cooperative Research Centre (CSCRC) said the Identify and Disrupt Bill, which hands sweeping new powers to the AFP and the Australian Crime and Intelligence Commission (ACIC) to hack into the devices and networks of suspected criminals, is proportionate, appropriate and safe.
This is despite the Human Rights Law Centre labelling the powers “absurdly broad” and disproportionate, the NSW Council of Civil Liberties saying they are an “abuse of power” and a group of bipartisan Senators questioning a lack of focus on privacy, no judicial oversight and the potential for innocent people to be impacted.
The Identify and Disrupt Bill was quietly introduced to Parliament late last year and quickly referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry.
The legislation introduces three new warrants for the AFP and ACIC to “disrupt” the data of suspected criminals, access their devices and networks and take over their accounts covertly.
While the government says its focus is on “online serious crimes” including child abuse and terrorism, the warrants will also be accessible for any crime carrying a three-year jail sentence, which include theft, fraud, tax evasion and forgery.
In a submission to the PJCIS inquiry, the Cyber Security CRC offered full support for the new hacking powers.
“While the powers authorised under the bill are undoubtedly extraordinary, the CSCRC submits they are proportionate and appropriate in relation to the threats posed,” the submission said.
“Furthermore, to ensure such extraordinary powers are not misused, exploited or subject to ‘legislative creep’, the bill contains a number of key safeguards and protections,” it said.
“It presents a clear opportunity for Australia to ensure domestic laws are properly aligned with digital perpetrated activities, allowing lawful access to data and devices where it is appropriate to do so.”
The CSCRC did however say that the government needs to better define and refine the crimes the new powers will apply to.
“Under the Crimes Act such a threshold does cover a wide range of offences, so consideration should be given within the legislation to clearly specify types of crime to which the mechanisms set out in the bill could apply,” she said.
“The CSCRC submits that if offences that would and would not be captured under the regime were clearly carved out, it would serve to allay fears of misuse of the warrants for less serious crimes and perceptions of legislative creep.”
It also rejected the arguments that the new powers would jeopardise the privacy of Australians.
“An absolute right to privacy can never exist and there must always be exceptions, especially when it comes to maintaining the common good. There is no doubt that the criminal activities the bill is designed to capture all fall under such an exception.
“The CSCRC contends that while privacy is valuable it must have limitations and these limitations must correlate with the social contract all members of the community enter into, upon which modern democracies like Australia’s are built.”
The Cyber Security CRC chief executive Rachael Falk has previously supported the government’s controversial COVIDSafe contact tracing app, arguing that Australians readily hand over more significant data to the likes of Facebook than what was required by the trouble-plagued app.
In its submission, the Human Rights Law Centre painted a very different picture of the proposed powers, saying they have a “disproportionate scope” that do not have adequate safeguards.
“Australia lacks a robust human rights framework that would provide adequate protection against the abuse of the powers contained in this bill. In the absence of those safeguards, the HRLC cannot endorse the expansion of the already-considerable powers possessed by the AFP and ACIC to intrude on the privacy of Australians,” the HRLC submission said.
The law centre said the proposed network activity warrants, which would allow authorities to hack into the networks of suspected offenders without even needing to know their identities, needed to be “substantially redrafted” in order to “prevent their application to individuals that have no involvement in the commission or facilitation of a relevant offence”.
The current legislation defines an “electronically linked group of individuals” as two or more people using the same electronic service or communicating electronically.
This could lead to a situation where a relevant offence being committed on a messaging service like WhatsApp making every user of the service around the world a member of a “criminal network of individuals” under the new powers.
“On a broad, but not unreasonable, interpretation of these definitions, the effect is that a person who visits the same website as a person engaging in conduct facilitating or constituting a relevant offence is in a ‘criminal network of individuals’,” the submission said.
“This is regardless of whether the website or communication bears any relation to the offence, or whether the individuals have any knowledge of, involvement in, or connection to the offence.”
The proposed powers are “absurdly broad”, the HRLC said.
“It effectively means that, where a person engages in a relevant offence, every other user of any website they access or app that is installed on their phone could potentially have their data accessed, changed or deleted, without their knowledge, consent or opportunity to object,” it said.
“Not only does this seriously impact the privacy and freedom of expression of individuals with little or no connection to the offending conduct or target individual, it opens up vast swathes of online activity to monitoring by law enforcement without sufficient safeguards to prevent abuse. Even on a narrower interpretation, these provisions still offer expansive scope.”
The NSWCCL said that the new powers are “next in an accelerating wave, strengthening the powers of the state without any humility about the cumulative erosion of democratic freedoms they entail”.
“This bill builds on this ominous trend and takes it to a new level, providing unprecedented new powers for law enforcement to interfere and ‘disrupt’ communications of citizens without effective restraint. The abuse of power this bill enables will happen. Enough is enough,” the NSWCCL submission said.
A coalition of digital rights and civil liberties organisations said that the powers amount to “state-authorised hacking”.
A bipartisan group of Senators have also raised a number of concerns with the legislation, particularly in regard to a lack of privacy safeguards and judicial oversight and the potential for innocent people to also be impacted by them.