Australian law enables state-authorised hacking and surveillance

By Monique Mann, Deakin University, and Angus Murray, University of Southern Queensland

Introduced into law in the face of widespread criticism, Australia’s new ID Act gives policing and intelligence agencies reach beyond their borders. Legislators have granted three new powers: data disruption warrants, network activity warrants and account takeover warrants.

These powers add to the digital arsenal of federal authorities. Data disruption warrants allow the Australian Federal Police or the Australian Criminal Intelligence Commission to “modify, add, copy or delete data to frustrate the commission of serious offences online”. A network activity warrant enables the monitoring of the computer-related activities of criminal groups, such as covertly monitoring WhatsApp chats or iMessage texts.

And, if there is suspicion that a serious crime is taking place, agencies can take control of someone’s online accounts using an account takeover warrant, locking a user out of services such as email and social media, and operating the accounts themselves.

These three powers have been coupled with assistance orders which serve to force businesses and individuals to help facilitate warrants. Refusing or failing to assist law enforcement can lead to up to ten years jail.

Not only are these new abilities intrusive, they are a shift in the focus of federal law enforcement agencies. Traditionally, the remit of the AFP and the ACIC has been to collect admissible evidence of specific crimes. Now, with the assistance of the Australian Signals Directorate, federal law enforcement authorities are going on the offensive.

Cause for concern

It would be expected that federal police could only hack or surveil people suspected of very serious crimes. In reality, practically anyone can be surveilled as part of an “electronically linked group” under the ID Act. Australia’s Human Rights Law Centre says the ID Act defines the group so “absurdly” broadly that any WhatsApp user or iPhone owner could be monitored as a result of one person committing a crime over WhatsApp on an iPhone.

Even the threshold of a suspected act to be considered a ‘serious crime’ has attracted criticism. The rationale for introducing these powers was to prevent and disrupt the worst crimes in society, such as child exploitation, human trafficking and terrorism. With the Act’s definition of ‘serious crime’, many other offences that are unrelated to the rationale of introducing these powers also meet the test. While these crimes ought to be investigated and prosecuted, these new powers bring the proverbial sledgehammer to walnuts.

Network activity warrants can be issued irrespective of whether the identities (or, indeed, location) of the individuals in the electronically linked group can be ascertained. Warrants can be issued even where details of the relevant offences cannot be clearly made out, or where it’s unclear whether group composition has changed over time.

This means Australian agencies may not only surveil and disrupt the online activities of Australian citizens, but internet users overseas, effectively extending their reach beyond borders. And requiring judicial officers to authorise operations outside of their lawful jurisdiction to do so.

All of these concerns were raised prior to the ID Act passing as law. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) also made many substantive recommendations, many of which were dismissed.

With the parliamentary oversight process largely sidelined, it raises the question: who is watching to ensure responsible use of these powers? The more secret the use of a power is, the harder it is to ensure it is being used responsibly.

Policy fixes

There were many policy suggestions made by the PJCIS that could have improved the ID Act. It is not too late for policymakers to bring these recommendations back.

Policing agencies require specific oversight and monitoring, and should transparently report on offences for which warrants were sought under the ID Act. Such warrants should only be issued by Federal or Supreme courts. And the Act should be subject to an early review by Australia’s Independent National Security Legislation Monitor.

A “public interest advocate” could be appointed to review warrants being sought in relation to a journalist or media organisation.

Australia only recently reviewed its national intelligence laws and is yet to undertake much of the reform required to put its recommendations into action. A recommendation that the Australian Signal Directorate’s cybercrime function not be extended to apply onshore has been ignored in the introduction of the ID Act.

The powers granted under the ID Act are expansive, and are only one addition in the ever-growing arsenal of power being conferred onto Australian law enforcement agencies. It will be important to monitor how, and for what purpose, these new powers are used. There should also be proper consideration as to whether these powers should remain after their sunset period lapses.

Originally published under Creative Commons by 360info™. 

Monique Mann is a Senior Lecturer in Criminology at the School of Humanities and Social Sciences and a member of the Alfred Deakin Institute for Citizenship and Globalisation at Deakin University. She is Vice-Chair of the Australian Privacy Foundation and Vice-President of Liberty Victoria.

Angus Murray is a Partner and Trade Marks Attorney at Irish Bentley Lawyers, an Adjunct Lecturer at the University of Southern Queensland and a Vice-President of the Queensland Council for Civil Liberties.

Monique Mann and Angus Murray declared no conflicts of interest in relation to this article.