Federal law enforcement agencies have sought advice on the implementation of controversial account takeover powers after the watchdog found holes in their internal policies as warrants were being issued.
The lack of guidance raised questions about the admissibility of evidence collected from the use of the intrusive warrants. At least two of the warrants have been issued for investigations into child abuse material.
In a report tabled to Parliament on Monday, the Commonwealth Ombudsman said it had not identified compliance issues with the account takeover warrants established by the controversial Identify and Disrupt laws in 2021.
But the Ombudsman did find a compliance risk had been created by agencies not providing enough internal guidance on when the powers can and can’t be used.
The Australian Federal Police and Australian Criminal Intelligence Commission (ACIC) can now gain warrants to secretly take control of a person’s online account to gather evidence to further an investigation into serious offences.
The agencies have developed policies, procedures and guidance for using the power, which are reviewed by the Commonwealth Ombudsman as part of regular “health checks” on the controversial scheme.
The first checks — completed between April and June last year — found neither the AFP or ACIC had defined a key term in the legislation in their internal policies.
The Act says any account takeover can not authorise anything that is likely to cause “material loss or damage to other persons lawfully using a computer”.
“The ACIC’s and AFP’s respective guidance documents do not define the term ‘material loss or damage’,” the Ombudsman’s report said.
“There may be ambiguity as to how this requirement will be applied in practice, resulting in potential unlawful execution of a warrant (affecting evidence admissibility).”
The AFP and ACIC were both advised to seek legal advice on defining the terms for their guidance. The AFP said it had since done so and updated its material accordingly. The ACIC told the Ombudsman it would do so in future.
The use of account takeover warrants are required to be reported in the agencies annual reports.
The AFP reported it had been granted two account takeover warrants in the period for investigations into child abuse material.
ACIC did not report any account takeover warrants being used last financial year, but acknowledged the Ombudsman’s findings had led to reviews and “robust” amendments to assurance documents to help with internal processes.
The account takeover warrants were among six total issued from the Identify and Disrupt powers in the first year.
The initial legislation was heavily criticised by the Parliamentary Joint Committee on Intelligence and Security, which recommended 33 changes.
The then-Coalition government moved 60 amendments in response but resisted key recommendations for a higher threshold in the issuing of warrants in terms of the crimes they can be applied for, and for warrants to only be approved by a judge, rather than a member of the Administrative Appeals Tribunal.
Do you know more? Contact James Riley via Email.