Australian Police Can Now Spy On Citizens, Disrupt Their Computers, Take Over Their Online Accounts, and Change Their Data

Posted on Oct 4, 2021 by Glyn Moody

Privacy News Online has just written about a troubling proposal by Apple to carry out surveillance directly on iPhones. In Australia, the situation is even worse. There, the government has just rushed through the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, which gives the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new powers for dealing with online crime, summarized here in a post from the encrypted mail service Tutanota:

1. Data disruption warrant: gives the police the ability to “disrupt data” by modifying, copying, adding, or deleting it.

2. Network activity warrant: allows the police to collect intelligence from devices or networks that are used, or likely to be used, by those subject to the warrant.

3. Account takeover warrant: allows the police to take control of an online account (e.g. social media) for the purposes of gathering information for an investigation.

The two Australian law enforcement bodies AFP and ACIC will soon have the power to modify, add, copy, or delete your data should you become a suspect in the investigation of a serious crime.

The Australian Digital Rights Watch group calls this a “new mass surveillance mandate”. Perhaps the most detailed description of the law’s new powers comes from the Australian Parliamentary Joint Committee on Intelligence and Security (PJCIS), which produced a 189-page review of the legislation, also available online by section. It draws on numerous submissions made to PJCIS from a wide range of stakeholders. One of the most authoritative voices, which features prominently throughout the report, is the Law Council of Australia, which represents some 65,000 Australian lawyers. The PJCIS report quotes the Law Council’s summary of why these powers are “extraordinary” in their reach:

They go further than collecting evidence for prosecution into a realm where they are actively doing things to that data, either by way of preventing access or by destroying it, which would include destroying other peoples’ property, their computers and so on, so that’s a big next step. It’s extraordinary in this other way because of the operation of computers. Computers now do everything for us. They are so directly involved in all of our personal, business and other lives that there’s a vast field of information there available for people to collect if they’re authorised to do that.

One obvious problem is that the new law allows the police to change data on a person’s system, potentially allowing the authorities to plant false evidence. As Tutanota points out, quoting Angus Murray, Chair of Electronic Frontiers Australia’s Policy Team:

In theory, at least, the police could put something like child exploitation images onto your computer. While something like this is not the intention of the bill, there are also no significant safeguards against it.

A major concern is precisely the lack of safeguards. Remarkably, no judicial oversight is required for either the data disruption or network activity warrants. Instead, permission can be given by a member of Australia’s Administrative Appeals Tribunal, a rather nebulous body that seems ill-equipped to protect people’s privacy and fundamental rights. Indeed, the Law Council of Australia, and even the PJCIS itself, recommended that the new warrants should only be issued by judges, generally senior ones, given the far-reaching powers they confer.

Unfortunately, the Australian government refused to make this change. As The Guardian reports, it did make some minor amendments to the new law, including a sunset clause so that its powers would expire after five years, as well as a public interest test designed to protect journalists.

The new law represents what is perhaps the most intrusive surveillance framework for a democratic nation, surpassing the powers granted to the police in the US and Europe. The fear has to be that the authorities in those countries will now push to expand their own ability to spy on citizens, and to take over their systems.

In that context, it’s worth noting one reason why the Australian government was able to get this legislation passed so easily, with the backing of most MPs. Back in 2020, the Australian minister for home affairs at the time, Peter Dutton, insisted that the new law he was proposing would target “terrorists, paedophiles and drug traffickers operating in the dark web”. And he promised the new powers would apply “to those people, and to those people only”. But in the final law, those new powers allow the police to investigate any offense which is punishable by imprisonment of at least three years. That low threshold means the intrusive new capabilities can be used against far less serious crimes than terrorism or child abuse, such as piracy, bankruptcy and tax evasion.

It is a classic example of a slippery slope, where something that begins as highly targeted and limited to one sphere gradually expands to include a far wider range of activities. It is precisely the fear this blog raised in the context of Apple’s move to carry out client-side surveillance. The claim is that this will only ever be used in the fight against Child Sexual Abuse Material (CSAM). But the example of Australia shows that once these supposedly restricted powers are implemented, they are soon extended far beyond their original scope. It’s too late to stop Australia’s terrible new law, which is a seriously retrograde step for privacy protections in that country, but there’s still hope that Apple’s foolish plan can be halted.

Featured image by Lilla Frerichs.