Australia’s Parliament passed an amended version of the “Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020” that will give more power to the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to fight online crime. The bill had been proposed last year alongside other measures to address the online and digital worlds. Again, Australia is leading the way among western nations in changing how technology is regulated. The bill was changed after a Parliamentary committee heard views from stakeholders and the ruling party and main opposition party agreed on a raft of changes. Nonetheless, the basic structure survived and law enforcement agencies could request and operate under three new types of warrants: data disruption warrants, network activity warrants, and account takeover warrants.
In January, I wrote about this bill (see here for more detail and analysis) as it stood then and before the Parliamentary Joint Committee on Intelligence and Security (PJCIS) issued its advisory report on the bill, including recommendations on how to alter the legislation. As I wrote then, and this still holds true, generally:
This new legislation follows a 2018 law that allows the Australian government to order technology companies to assist in decrypting and handing over communications. Under the new bill, some of Australia‘s law enforcement agencies would be able to use new “data disruption warrants” to stop and interfere with online crimes. Additionally, agencies could use “network activity warrants” to surveil online criminal activity and may obtain “account takeover warrants” to seize online accounts to acquire evidence in the course of an investigation.
As noted, last week, Australia’s House of Representatives and then the Senate passed an amended version of the “Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020” and the bill takes effect upon getting the Royal Assent from Australia’s Governor-General.
In the first of two explanatory memorandums on the revised bill, the Minister for Home Affairs Karen Andrews MP summarized the bill at a high-level:
The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 amends the Surveillance Devices Act 2004 (SD Act), the Crimes Act 1914 (Crimes Act) and associated legislation to introduce new law enforcement powers to enhance the ability of the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to combat online serious crime.
Andrews continued with the government’s rationale for expanding the powers of Australian law enforcement agencies:
- Cyber-enabled serious and organised crime, often enabled by the dark web and other anonymising technologies, such as bespoke encrypted devices for criminal use, present a direct challenge to community safety and the rule of law. For example, on the dark web criminals carry out their activities with a lower risk of identification and apprehension. Many anonymising technologies and criminal methodologies can be combined for cumulative effect, meaning it is technically difficult, and time and resource intensive, for law enforcement to take effective action. Just as online criminals are constantly changing their operations and reacting to new environments, the law must adapt in order to give law enforcement agencies effective powers of response.
- Existing electronic surveillance powers, while useful for revealing many aspects of online criminality, are not suitably adapted to identifying and disrupting targets where those targets are actively seeking to obscure their identity and the scope of their activities. Without the critical first step of being able to identify potential offenders, investigations into serious and organised criminality can fall at the first hurdle. Being able to understand the networks that criminals are involved in and how they conduct their crimes is also a crucial step toward prosecution.
- This Bill addresses gaps in the legislative framework to better enable the AFP and the ACIC to collect intelligence, conduct investigations, disrupt and prosecute the most serious of crimes, including child abuse and exploitation, terrorism, the sale of illicit drugs, human trafficking, identity theft and fraud, assassinations, and the distribution of weapons.
Then Andrews claimed:
- The Bill contains the necessary safeguards, including oversight mechanisms and controls on the use of information, to ensure that the AFP and the ACIC use these powers in a targeted and proportionate manner to minimise the potential impact on legitimate users of online platforms.
- The Bill introduces three new powers for the AFP and the ACIC. They are:
- Data disruption warrants to enable the AFP and the ACIC to disrupt data by modifying, adding, copying or deleting in order to frustrate the commission of serious offences online
- Network activity warrants to allow agencies to collect intelligence on serious criminal activity being conducted by criminal networks, and
- Account takeover warrants to provide the AFP and the ACIC with the ability to take control of a person’s online account for the purposes of gathering evidence to further a criminal investigation.
- The Bill also introduces sunset provisions for warrants and emergency authorisations under the Bill.
Of course, all the above is the ruling Liberal–National Coalition’s position on and justification for the “Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020.” However, the main opposition party was mostly aligned with the government. The Deputy Leader of the opposition Labour Party, Senator Kristina Keneally, asserted during debate:
- I now want to turn to the amendments proposed by the Parliamentary Joint Committee on Intelligence and Security, and the government’s response. The government has implemented, wholly or substantially, 23 of the PJCIS’s 33 recommendations, through legislative amendments or changes to the explanatory memorandum to this bill. Significantly, these changes include strengthening the issuing criteria for warrants, including considerations for privacy, public interest, privileged and journalistic information, and financial impacts; reviews by the Independent National Security Legislation Monitor and the PJCIS; sunset powers in five years; and good-faith immunity provisions for assistance orders. These are significant recommendations, made in a bipartisan fashion by the Parliamentary Joint Committee on Intelligence and Security, and I am pleased that the government has taken them up in the form of legislative amendments to this bill.
- Of the other 10 PJCIS recommendations, four have been accepted by the government and will be incorporated into its response to the comprehensive review of the national intelligence community conducted by Dennis Richardson; these are that the Ombudsman’s powers be expanded to cover the AFP and the ACIC. The government has noted this was recommended by the Richardson review and accepted by the government and will be implemented as part of the government’s electronic surveillance reforms. The committee also recommended that the issuing authority for these warrants should be a superior court judge or an eligible judge. These are extraordinary powers, and committee members felt that they required a higher level of authorisation.
- Another recommendation that the government has accepted but is not progressing with this bill but as part of another process is the committee’s recommendation that a public interest advocate must be appointed when warrants are being sought in relation to journalists or media organisations. The minister has confirmed to me that the government notes and accepts this recommendation, noting that it is responding to this recommendation as part of its response to the Parliamentary Joint Committee on Intelligence and Security’s report on the impact of the exercise of law enforcement and intelligence powers on the freedom of the press.
- I note that three of the recommendations were rejected, in essence, by the government that go to the expansion of the PJCIS oversight of the intelligence functions of the ACIC and the AFP, as well as the expansion of the IGIS oversight of the intelligence functions of the AFP. The government takes the view that parliamentary oversight exists through the Parliamentary Joint Committee on Law Enforcement Integrity and it notes that the Richardson review did not endorse expanding the IGIS’s oversight to the intelligence functions of the AFP. While Labor acknowledges that this is the government’s position, I would nonetheless like to make clear that Labor in government would implement all of the PJCIS’s recommendations to the SLAID Bill.
- I will note that the government has added two amendments such that, when a national emergency has been declared, the minister’s power to modify administrative arrangements does not apply to account takeover warrants, bringing the bill into conformity with the Surveillance Devices Act and the Crimes Act and aligning the periods for reporting to the Ombudsman with those of other agencies, as recommended by the PJCIS. I acknowledge those amendments and advise that we are pleased to see them.
However, another opposition party voted against the bill. Senator Lidia Thorpe of the Green Party spoke against the bill, which the Green Party opposed:
- The Greens are the ones who led the push to get this legislation reviewed by the committee when the government—with the help of the opposition, mind you—tried to push this through the parliament. We tried to refer this bill to the Senate Legal and Constitutional Affairs Legislation Committee; however, this failed and it was referred to the closed shop, Labor-and-Liberal PJCIS. So the Greens aren’t allowed onto that committee to make decisions or contribute to those decisions and neither is anybody else. It’s a closed shop between Liberal and Labor, who may as well join as one and forget the rest.
- In effect, this bill would allow spy agencies to modify, add, copy or delete your data with a data disruption warrant or collect intelligence on your online activities with a network activity warrant. Also, they could take over your social media and other online accounts and profiles with an account takeover warrant. What’s worse is that the data disruption and network activity warrants could be issued by a member of the Administrative Appeals Tribunal. Really? It is outrageous that these warrants won’t come from a judge of a superior court appointed on their personal capacity. The bill also limits court oversight in decisions concerning the issuing of these warrants when criminal proceedings have already started.
- It is not clear that these powers are needed. The Richardson review recommended that law enforcement agencies not be given specific cyberdisruption powers like those in this bill. The Richardson review concluded there was not a material gap in existing investigative powers which could justify effectively placing the AFP or ACIC in the position of judge, jury and executioner. The proposal to give specific intelligence collection powers to the AFP and ACIC under network activity warrants does not clearly identify a gap in existing powers. They’re not telling us everything. They’re expecting us to make decisions without real, genuine, informed consent.
- The scope of the new powers is disproportionate compared to the threats of serious and organised cybercrime to which they are directed. There is a lack of evidence justifying the need for warrants of this nature beyond those already available to the AFP and ACIC. No other country in the Five Eyes alliance has conferred the powers on its law enforcement agencies that this bill will. What’s more, the government moved 60 amendments in the other place, as a block, at the last moment, and now we’re all here, expected to jump through hoops, without the time to scrutinise the legislation properly.
In the December 2019 “Report of the Comprehensive Review of the Legal Framework of the National Intelligence Community” (aka the Richardson Review), the reviewers argued against expanding law enforcement power to conduct cyber operations:
- Although we completely accept that disrupting criminal activities is an essential part of policing, we are reluctant to endorse a proposal that results in AFP being given access to powers that allow it to destroy property. Our concerns with this are twofold.
- First, it is a fact that offensive cyber operations are highly complex and require careful planning. This was highlighted in the submissions. A poorly planned or executed operation could have disastrous implications, and may even compromise computers that support the provision of essential services, affecting the lives or livelihood of innocent people. All agencies, including the AFP, can and do make mistakes and this would be no exception.
- Second, a more specific disruption mandate for the AFP risks compromising essential democratic rights. We are particularly concerned about empowering police officers to pass conclusive judgement and act in accordance with that judgement to destroy property.
- In fact, we do not think the lack of legislative tools is what holds the AFP back from being effective in disrupting online crime. Online cyber disruption operations are highly complex, and require special skills, equipment and training. The Parliamentary Joint Committee on Law Enforcement (PJCLE) recommended that there should be ‘dedicated agency funding with sufficient flexibility to enable law enforcement agencies to respond to the escalating challenges of cybercrime’. We agree and think this is actually the key issue. The AFP must develop the highly specialised skillset necessary to respond to the challenges posed by online crime.
As noted, the PJCIS conducted an inquiry of the bill and made 33 recommendations, some of which were incorporated into the final bill through amendments. In the second explanatory memorandum issued along with the revised bill text, the government detailed the changes:
- The amendments to the Bill will:
- require additional matters to be specified in an application for a data disruption warrant, and emergency authorisations for disruption of data, namely:
- for data disruption warrants – an assessment of how disruption of data held in a target computer is likely to substantially assist in frustrating a relevant offence;
- for data disruption warrants – an assessment of the likelihood that disruption of data held in a target computer is likely to substantially assist in frustrating a relevant offence; and
- for emergency authorisations for disruption of data – that there are no alternative methods that could be used to avoid risk of serious violence to a person or substantial damage to property that are likely to be as effective as disruption of data;
- require issuing authorities to be satisfied of additional matters before issuing a warrant or an assistance order:
- for network activity warrants – the issue of the warrant is justified and proportionate, having regard to the relevant offences;
- for assistance orders – the assistance order is reasonable and necessary to enable the warrant or emergency authorisation to be executed; and
- for assistance orders – the assistance order is justifiable and proportionate, having regard to the nature and gravity of the offence, and the likely impact of compliance on the specified person or on other persons, including persons lawfully using the computer;
- require additional matters to be considered before a warrant, emergency authorisation or an assistance order may be issued:
- for data disruption warrants – the nature of the things proposed to be authorised by the warrant;
- for data disruption warrants – the extent to which the execution of the warrant is likely to result in access to, or disruption of, data of persons lawfully using a computer, and any privacy implications (to the extent known) resulting from that access or disruption;
- for data disruption warrants – any steps that are proposed to be taken to avoid or minimise the extent to which the execution of the warrant is likely to impact on persons lawfully using a computer;
- for data disruption warrants and account takeover warrants – the extent to which the execution of the warrant is likely to cause a person to suffer a temporary loss of money, digital currency or property other than data, to the extent known;
- for network activity warrants – any privacy implications resulting from access, to the extent known;
- for account takeover warrants and emergency authorisations for disruption of data – the extent to which the execution of the warrant or emergency authorisation is likely to impact on persons lawfully using a computer, to the extent known;
- for all warrants – if the issuing authority believes on reasonable grounds that data or an account belongs to a journalist and the offence to which the warrant relates is an offence against a secrecy provision, that the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of a journalist’s source and facilitating the exchange of information between journalists and members of the public so as to facilitate reporting of matters in the public interest;
- for all warrants – specifying certain offences to which weight must be given when having regard to the nature and gravity of the conduct constituting the offence for which the warrant is sought;
- for emergency authorisations for disruption of data – whether the likely impact of the execution of the emergency authorisation on persons lawfully using a computer is proportionate, having regard to the risk of serious violence or substantial damage;
- for assistance orders – whether the specified person is or has been subject to another assistance order, to the extent known;
- impose additional limitations and requirements on the exercise of authority conferred under data disruption warrants and network activity warrants, namely:
- for data disruption warrants and network activity warrants – to return a computer or other thing removed from a premises in accordance with the warrant as soon as is reasonably practicable to do so once the computer or thing is no longer required for the purposes of doing any thing authorised by the warrant; and
- for data disruption warrants – to notify the Ombudsman where material loss or damage is caused to one or more persons lawfully using a computer, within 7 days after the person executing the warrant became aware of that loss or damage;
- amend reporting requirements and frequency of Ombudsman’s inspections from six-monthly to annually, in line with existing regimes overseen by the Ombudsman;
- provide a legislative basis for independent and parliamentary review of powers contained in the Bill; and
- introduce sunset provisions for warrants and emergency authorisations under the Bill.
- require additional matters to be specified in an application for a data disruption warrant, and emergency authorisations for disruption of data, namely:
In its report, the PJCIS summarized or quoted some of the arguments stakeholders made for and against the bill. I will not quote them all but will pick and choose some I found representative:
- The AFP Commissioner argued:
- I want to emphasise that disrupting crime is a core business for the AFP. There is a misconception that disrupting crimes means that an investigation will never proceed to prosecution. This is simply not true. Many of our disruption efforts still result in the prosecution of offenders.
- The best example of this is our unrelenting efforts in covering illegal drugs imported to Australia. We can simply seize the drugs at the border and arrest an offender or two, if we identify them at that point, but we can also take a different approach to disrupt the harmful effects of drugs in our community. We seek to discover who sent the drugs, who bought them and their distribution points. We take law enforcement action at an appropriate time, but we also disrupt the immediate impact of drugs entering our community, identify a larger number of offenders and have a better chance of reducing future harm.
- But, in the online environment, we’re far more restricted in how we can track illegal activities in this way. We can assume an identity and interact with offenders. We can get targeted warrants to intercept their communications and access their data, and, with the TOLA industry assistance framework, we can get help to open the front door. But we’ve still got one hand tied behind our back because we cannot identify what their distribution point is and what criminal network they belong to; understand what they are communicating, due to encryption; move things around inside their network – that is, modify data – or take control of their distributors to collect evidence. And, in many cases, we may not even know where the distribution network is.
- The Law Council said the Bill represented a change in focus for the AFP and ACIC, saying:
- The bill proposes major and, respectfully, novel expansions of the existing powers of the AFP and ACIC, which merit detailed scrutiny. The new powers depart sharply from the traditional focus of investigative powers on the collection of admissible evidence of specific offences.
- The powers were described as extraordinary by the Law Council because:
- They go further than collecting evidence for prosecution into a realm where they are actively doing things to that data, either by way of preventing access or by destroying it, which would include destroying other peoples’ property, their computers and so on, so that’s a big next step. It’s extraordinary in this other way because of the operation of computers. Computers now do everything for us. They are so directly involved in all of our personal, business and other lives that there’s a vast field of information there available for people to collect if they’re authorised to do that.
- The Cyber Security Cooperative Research Centre (CSCRC) said:
- We are now at a critical point where we as a society need to decide what kind of world we want to live in. Central to this must be the notion that all crime, whether committed online or offline, should be treated the same and the rule of law must be applied equally. If passed, this legislation will play a key role in countering serious cyber-enabled crime…While the powers contained within the bill are undoubtedly extraordinary they are proportionate and appropriate in relation to the scale and seriousness of the threat posed.
- The CSCRC further outlined the requirement of the powers, noting ‘as it stands bad has the upper hand. The criminals are the ones with power’.
- The Office of the Australian Information Commissioner (OAIC) said the powers were ‘wide-ranging and coercive in nature’. Specifically the OAIC said:
- These powers may adversely impact the privacy of a large number of individuals, including individuals not suspected of involvement in criminal activity, and must therefore be subject to a careful and critical assessment of their necessity, reasonableness and proportionately. Further, given the privacy impact of these law enforcement powers on a broad range of individuals and networks, they should be accompanied by appropriate privacy safeguards. The OAIC considers that the Bill requires further consideration to better ensure that any adverse effects on the privacy of individuals which result from these coercive powers are minimised, and that additional privacy protections are included in the primary legislation.
In making its recommendations, he PJCIS noted that online crime is a pervasive, vexing issue and the bill presents a “world-leading and novel” approach. However, the committee argued the government could have done a much better in explaining the bill through the Explanatory Memorandum and in fleshing out technical details:
- The Committee accepts evidence the threat environment from serious cyber- enabled crime is severe and Australian authorities do not currently have the tools to address the threat. It is international, complex, and technologically advanced. The Committee accepts evidence there is a requirement for powers such as these due to the effects of anonymising technology and the dark web in particular. The Committee accepts evidence serious crime is being enabled by these technologies and the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) are currently unable to prevent the harm. The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (the Bill) is world-leading and novel but it also needs to be subject to serious consideration and review. The Committee accepts it is one among many measures being considered to counter these threats.
- The Committee supports these powers and the Bill conditional on the amendments as outlined below. As identified by many submissions to this inquiry, the key issues at the micro level are the articulation and definition of necessity and proportionality with these powers. While almost all submissions generally supported the intent of the Bill, many submissions thought the Bill was either poorly defined or differed substantially from the Explanatory Memorandum (EM). On this latter point, the Committee strongly recommends Government clearly articulate these key issues in the EM as if it had done so then it is likely the inquiry process would have occurred more smoothly as people’s understanding of what the Bill is would have been likely stronger. This is particularly the case for the debate on relevant offences and issuing authorities which are the two key issues from a technical and legislative perspective.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
Photo by Pawel Czerwinski on Unsplash
Photo by Thandy Yung on Unsplash