A group of senators have raised significant concerns with the federal government’s proposed new hacking powers for the Australian Federal Police, warning that a “wide scope of innocent third parties” could be caught up by the coercive and broad scheme.
The Standing Committee for the Scrutiny of Bills, a bipartisan committee chaired by Labor, has revealed its thoughts on the Identify and Disrupt Bill, questioning a lack of focus on privacy, no judicial oversight, the potential for innocent people to be impacted and the ability for police to use the hacking powers without obtaining a warrant.
The government quietly introduced the legislation to Parliament late last year with no consultation and little fanfare. The bill hands sweeping new powers to the AFP and ACIC to hack into the computers and networks of suspected criminals.
The bill introduces three new warrants, allowing authorities to “disrupt” the data of suspected offenders, access their devices and networks even if they don’t know their identity and actually taking over their accounts covertly.
While saying the new powers are targeted at combating “online serious crimes”, the powers will apply to any crime carrying a jail time of at least three years, including theft, fraud, tax evasion, illegal gambling, forgery and privacy.
There was significant backlash to the legislation, with the Law Council of Australia calling for proper oversight and scrutiny of the “extraordinary powers”. The legislation is currently the subject of a Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry.
A bipartisan senate committee has now raised serious concerns with the new powers, saying the “coercive” warrants have the “potential to unduly trespass on personal rights and liberties”.
In its first report of the year, the bipartisan Standing Committee for the Scrutiny of Bills said that home affairs minister Peter Dutton has a lot of explaining to do on the new powers.
“The committee considers it essential that legislation enabling coercive search powers be tightly controlled, with sufficient safeguards to protect individual rights and liberties,” the committee said in the report.
Under the powers, the AFP and the Australian Criminal Intelligence Commission (ACIC) will be able to apply for the warrants from eligible judges or a member of the Administrative Appeals Tribunal (AAT). But the senators said that only judges should be vested with this power.
“The committee has had a long-standing preference that the power to issue warrants authorising the use of coercive or intrusive powers should only be conferred on judicial officers,” it said.
“In light of the extensive personal information that could be covertly accessed, copied, modified or deleted from an individual’s computer or device, the committee would expect a detailed justification to be given as to the appropriateness of conferring such powers on AAT members, particularly part-time senior members and general members. In this instance, the explanatory memorandum provides no such justification.”
The committee is also concerned that the warrants will apply for 90 days, with an extension offer too, and a lack of focus on privacy.
“Noting the significant impact on the privacy of individuals whose information is collected or accessed under these warrants, it is unclear why privacy is a mandatory consideration in relation to account takeover warrants only and should not also apply to data disruption and network activity warrants,” it said in the report.
“Similarly, it is unclear why issuing authorities must not consider whether the warrant is proportionate having regard to the nature and gravity of the offence and the likely value of information sought to be obtained in relation to all warrants rather than being limited to network activity warrants.”
The application of the powers to crimes with jail time of three years also raised the eyebrows of the senators.
“Noting this broad range of offences, the committee considers that an explicit requirement to consider proportionality in relation to issuing each of the warrants is important to ensure that the significant coercive powers authorised under these warrants are only exercised where necessary and appropriate,” the committee said.
The legislation also allows for the authorities to take these coercive actions and conceal the fact that they did without obtaining a warrant in “emergency circumstances”.
This will be done through applying to the appropriate authorising officer, who will approve it if they reasonably suspect there is an imminent risk of serious violence to a person or substantial damage to property, and that the powers are immediately necessary.
“The committee is particularly concerned that such powers only be authorised under a warrant issued by a judicial officer. Allowing a law enforcement agency to authorise its own actions under an emergency authorisation has the potential to unduly trespass on the right to privacy, and as such the committee would expect the explanatory materials to provide a detailed justification for such provisions,” the committee said.
“In this instance, the statement of compatibility provides no such justification. In effect, it appears that these provisions allow coercive or intrusive actions to be taken which have not been authorised under an existing warrant.”
Overly “broad” definitions in the legislation means that numerous innocent individuals may be caught up by the network activity warrants, the committee warned.
“The committee is concerned that, as a result of these broad definitions, there is a potentially unlimited class of persons who may be subject to, or affected as a third party connected to a person who is the subject of, a network activity warrant,” they said.
The senators put a number of questions to Mr Dutton, including why just judges shouldn’t be able to issue the warrants, why the 90-day time period is necessary and why the value of the information isn’t considered when issuing the warrants.
Submissions to the PJCIS inquiry into the legislation will close at the end of the week.
Do you know more? Contact James Riley via Email.