Privacy and security in Australia hang in the balance as the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021, also known as the “hacking” bill, makes its way past the Parliament. The bill adds to Australia’s expanding surveillance regime, threatens digital rights, and should not have passed.
Imagine that the data on your devices could not only be collected and copied, but also added to and modified (data disruption warrant). To make matters worse, imagine if any or all of your online accounts could be controlled by law enforcement without your knowledge, and you could potentially also be locked out of those accounts (account takeover warrant). Further, any network you interact with and all your electronic communications, whether on email, social media, or messaging platforms, could be intercepted (network activity warrant). Not only would all of this be done without your consent or knowledge, but the fact of access by law enforcement could also be concealed. This is how three new warrants under the Identify and Disrupt bill, or the hacking bill, jeopardise people’s data, privacy and security in Australia.
Indeed, any device, online network or account, including social media profiles, used by people in Australia, could now be susceptible to hacking by Australian law enforcement agencies. The Identify and Disrupt Bill confers hacking powers on the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC), enabling them to add, copy, delete or modify data, control online accounts and access communications data, through a data disruption warrant, an account takeover warrant, and a network activity warrant.
And, in total disregard for public outcry, this is all happening despite the fact that Australians have been demanding the government do more to protect their data.
This blog walks through why this legislation undermines human rights, and other attempts to expand surveillance and undermine encryption. The global community must be vigilant in tracking what’s happening in Australia to ensure human rights are not violated. Australia is a member of the intelligence-sharing alliance Five Eyes, comprising the US, UK, Canada, Australia and New Zealand. The Five Eyes have often come together to attack encryption, and the fate of digital rights in Australia is bound to have global consequences.
Problems with the “hacking” bill: extensive surveillance and no privacy protections
The scope of surveillance by law enforcement under these new warrants is egregious and will destroy any semblance of online privacy for Australians. Broadly, there are two overarching issues with the Identify and Disrupt Bill:
- it grants extremely broad and invasive hacking powers to law enforcement agencies, and therefore enables widespread surveillance; and
- it lacks effective protections for privacy; even where there are certain safeguards, the exceptions carved out are so broad, that any protection is rendered meaningless.
Warrantless surveillance is a recipe for human rights violations
One example demonstrating both these problematic characteristics of the hacking bill is the process of emergency authorisation. In addition to getting a warrant to disrupt data or takeover an account by getting a warrant, law enforcement can also exercise these powers by obtaining an emergency authorisation. This effectively means that it is possible for law enforcement agencies to surveil and control data without a warrant. Enabling such alarming invasion of privacy is a violation of human rights and inconsistent with the principles of necessity and proportionality.
Inadequate oversight and scrutiny of invasive surveillance
Further, it is deeply problematic that actions by law enforcement that would have an adverse impact on human rights are not only permitted, but are also not subjected to the strictest form of scrutiny. The PJCIS had recommended that the issuing authority for emergency authorisations must be a superior court judge (either of the Federal Court or a State or Territory Supreme Court). However, the bill still allows oversight of emergency authorisation by an eligible Judge or nominated Administrative Appeals Tribunal (AAT) member for data disruption and by a magistrate for account takeover. The AAT lacks credibility and quasi-judicial bodies such as the AAT have different, often less stringent, procedural requirements.
An attack on encryption is an attack on human rights
The Identify and Disrupt bill also solidifies Australia’s attack on encryption and makes people’s private communications extremely vulnerable. Where there is suspicion of criminal activity, the network activity warrant empowers law enforcement agencies to gain access to any network, including electronic communications in any form. This could include end-to-end encrypted messaging platforms such as Signal and WhatsApp, where messages cannot be accessed by any third party other than the sender and the recipient/s, not even the service provider itself.
The Identify and Disrupt bill, in tandem with the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA) will severely imperil encryption, which is crucial for the protection of privacy, free expression, national security and the economy. Authorities can issue a “technical capability notice” under TOLA to compel service providers to develop the ability to decrypt communications, and thereafter, a network activity warrant under the Identify and Disrupt bill would enable access to such communications, rendering the digital realm devoid of any secure channels.
But wait! There are even more attempts to ramp up surveillance and attack encryption Australia
Digital rights in Australia are facing a multitude of attacks. In addition to TOLA and the Identify and Disrupt Bill, there are two more pieces of legislation that seek to undermine encryption:
- Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill) and the
- Online Safety (Basic Online Safety Expectations) Determination 2021 (draft BOSE)
The IPO Bill, which the government passed, would enable Australia to share communications data with other governments, and is a step towards a bilateral agreement with the US under their Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act). The types of production orders include interception of data, access to stored communications, and access to telecommunications data. This raises serious concerns about the government’s expanding surveillance powers, and foreign access to powers under TOLA.
The draft BOSE attacks services using encryption by requiring that they take steps to implement processes to detect and address unlawful and harmful content. Yet again, online privacy and security and free expression are targeted without regard for the inevitable human rights costs.
Let’s stop the growing trend of surveillance in Australia
There is an urgent need to reverse legislative trends in Australia that are insidiously transforming the country into a surveillance state with inadequate accountability that seriously undermines human rights. Help us raise the alarm. What happens in Australia is certain to have global implications.