Category: Parliamentary Joint Committee on Intelligence and Security

  • Home Affairs Minister Karen Andrews likened proposed changes to the Critical Infrastructure Bill to the fire codes and building regulations that are in place to protect people and assets from fires – saying the nation is facing clear threats from ransomware and cyber attacks. Responding to the concerns of three global technology industry associations about…

    The post Karen Andrews rejects calls from industry over cyber changes appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • A group of international technology associations, including the Australian Information Industry Association, have written to Home Affairs Minister Karen Andrews with concerns about government fast-tracking parts of the Critical Infrastructure Bill. The Washington DC-based Information Technology Industry Council, the Cyber Coalition and the AIIA have urged government not to fast-track troubling provisions of the Security…

    The post Global tech groups seek changes to Critical Infrastructure Bill appeared first on InnovationAus.


  • Opinion: When it comes to sweeping new national security powers, Australia does not have an Opposition political party.

    Time and time again over the last decade, the two major parties have been in lockstep on a series of significant, technology-focused powers handed to authorities ostensibly for national security reasons, with Labor sometimes raising concerns but waving through the new powers anyway.

    Labor leader Anthony Albanese.

    Often these national security-focused bills relate to handing authorities more powers over data and to crack down on technologies such as encrypted messaging.

    This has happened with metadata retention laws, anti-encryption powers and most recently last week with the broad hacking powers handed to authorities to, among other things, covertly take control of online accounts and “disrupt” data.

    Labor has shown an abject unwillingness to stand up and push even for amendments to any piece of legislation that the government says relates to national security.

    Whatever you think of the necessity and proportionality of these new powers, it’s a disservice to all Australians that we don’t get a substantial debate about these laws, and an Opposition that we can be comfortable in knowing will push back against the possibility of government over-reach.

    Just last week, two pieces of legislation – the hacking powers and one allowing spy agencies to pick up domestic data – sailed through Parliament with bipartisan support, despite concerns around their scope, necessity and the rushed process behind their introduction.

    Labor unsurprisingly supported the Identify and Disrupt bill, despite several MPs echoing the concerns of civil and digital rights and legal experts.

    And just the next day it was revealed that the national security committee, the Parliamentary Joint Committee on Intelligence and Security (PJCIS), had conducted a five-day secret inquiry into a new piece of legislation allowing spy agencies to inadvertently or unavoidably intercept communications by Australians in Australia.

    The legislation was given the green light by the committee with some slight changes, and had bipartisan support before independent MPs or the general public had even seen it.

    Again, it marked a significant expansion of the state’s powers, particularly in terms of technology, and one that warranted a real debate over the need for such powers, not a closed-door inquiry by a committee that features only members from the two major parties.

    The passing of those laws typified Parliament’s approach to any technology-focused national security laws in the last decade.

    The Coalition will propose new laws and claim they are needed to protect Australia and Australians, ranging from a crackdown on encryption to a data-sharing deal with the US.

    The government will always focus on how these powers will help to crack down on terrorists and pedophiles. Hard to argue with that. But they won’t mention that these powers will be applicable to far less significant crimes.

    If we’re lucky, the legislation will be referred to the bipartisan PJCIS for inquiry, which will hear from a range of groups concerned about the expansion of powers.

    The committee will then likely table its report including recommendations touching on the fringes of these issues, and then rubber stamp the bill. Both major parties will point to this process as Parliament working as it should.

    But even when the government doesn’t meet all the recommendations of the PJCIS – as happened with the Identify and Disrupt bill last week – Labor will still be too afraid to vote against the legislation or to even move amendments to meet the national security committee’s calls.

    It was one of Prime Minister Scott Morrison’s more outlandish stretchings of the truth earlier this year when he claimed that two national security-related pieces of legislation did not have bipartisan support.

    Even for a Prime Minister who regularly plays fast and loose with the truth, this was particularly erroneous, with Labor of course offering unwavering support for these pieces of legislation.

    Labor will always end up supporting these types of technological encroachments, and the Coalition knows it. And it’s to the detriment of all Australians to not even have a proper Parliamentary debate on these issues.

    On the recent foreign intelligence bill, Greens Senator Lidia Thorpe labelled the process as being in “contempt of democracy”.

    It’s hard to argue with, and it’s a term that could be applied to the process behind any national security legislation in recent years.

    The post Australia has no opposition on national security issues appeared first on InnovationAus.


  • The federal government has reignited its efforts to sign an expedited data-sharing deal with the US, with nearly $10 million provided for the scheme over the next four years.

    On Wednesday afternoon, the powerful bipartisan national security committee called for 23 changes to legislation which will underpin such a deal with the Biden administration, paving the way for its passage through Parliament with amendments.

    This week’s federal budget included $9.6 million over four years to assist with the exchanging of data between Australia and the US for the investigation of “serious crime”, including $1.5 million in 2021-22.

    This will be through an agreement under the US government’s Clarifying Lawful Overseas Use of Data Act (CLOUD Act), with the two countries entering into negotiations in late 2019.

    The government’s plan to share data with the US took another step forward and received $10 million in the budget.

    Such an agreement would allow for expedited data sharing between American companies and Australian authorities, and vice versa, without contact with local authorities.

    The International Production Orders (IPO) Bill, providing the legislative basis for such an agreement to be signed, was introduced to Parliament in March last year and quickly referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry.

    Despite being told it was “vital” to table its report by the Winter sittings last year, the inquiry was repeatedly delayed and stalled.

    On Wednesday afternoon the PJCIS finally released its report on the IPO scheme, calling for a suite of major changes to the legislation before it is passed by Parliament.

    These changes include that any proposed agreement with another country must be published and tabled prior to it being signed, with 15 sitting days given for Parliament to block it. The PJCIS also recommended that a data-sharing agreement can be renewed for three years without going through the Parliamentary process, but only if there are no changes to it.

    The committee also called for improved safeguards in the bill, including prohibitions on foreign governments accessing data on Australian citizens or residents and strengthened safeguards around data handling.

    International production orders should only be allowed for the “prevention, detection, investigation or prosecution of serious crime, including terrorism”, the PJCIS said.

    Foreign governments that Australia is looking to ink deals with should have a demonstrated respect for the rule of law, international human rights obligations and have clear procedures and restrictions, the report said.

    The legislation should also define “urgent circumstances”, under which a data request can be made over the phone rather than in writing, as when there is an imminent risk to a person or property and such a request is necessary for dealing with it.

    Both oversight agencies – the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security – need to be sufficiently resourced to conduct these roles, the PJCIS urged.

    Any agreement signed by Australia, such as under the CLOUD Act, would be subject to another PJCIS rule after three years, under the committee’s plans.

    Once these amendments are included, the PJCIS said it would give the data-sharing legislation the green light.

    The PJCIS heard widespread concerns around the IPO scheme and the prospect of Australia entering into a hastened data-sharing deal with the US, and potentially other countries in the future.

    The Australian Privacy Foundation told the committee the legislation was “deeply flawed” and created a “framework for future abuses” which would “erode privacy and civil liberty protections”.

    The International Civil Liberties and Technology Coalition also said that the IPO legislation “does not provide adequate safeguards to protect human rights” and that it requires “significant revisions”.

    The post Govt ramps up plan for US data-sharing deal appeared first on InnovationAus.


  • Civil society has been “completely sidelined and ignored” in the inquiry into the government’s proposed new hacking powers, after no civil or digital rights groups were invited to the only public hearing, Deakin University senior lecturer Dr Monique Mann says.

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is conducting an inquiry into the Identify and Disrupt Bill, which hands sweeping powers to the Federal Police and Australian Criminal Intelligence Commission to hack into the devices and networks of suspected criminals to ‘disrupt’ their data and covertly take over their accounts.

    The PJCIS held its only public hearing as part of its inquiry last week, with those providing evidence including the Human Rights Legal Centre, the Cyber Security Cooperative Research Centre (CSCRC) and the Uniting Church.

    But no civil or digital rights organisations were invited to appear before the committee.

    Hacking powers: Digital rights groups are watching closely

    Deakin University senior lecturer and Australian Privacy Foundation surveillance committee chair Dr Monique Mann said the lack of civil society participation at the hearing was troubling.

    “It’s pretty disappointing that you have the PJCIS inviting mostly pro-law enforcement, pro-government hacking advocates, across a lot of the usual suspects,” Dr Mann told InnovationAus.

    “It was good to see the Law Council and HRLC, but I think there was a real lack of civil society representation, particularly given four leading civil society organisations put in a joint submission with expertise specifically in these topics, from law and academia,” she said.

    “It’s really disappointing to not have engagement with civil society, particularly when you have people invited to speak at the hearing such as the Uniting Church. I would question where their substantive expertise in matters of national security and surveillance law is.”

    The Identify and Disrupt legislation introduces three new warrants, allowing authorities to access and disrupt data of suspected criminals, access the networks of suspected criminal groups and take over their accounts and continue to run them.

    While the government has said the warrants will be used for “online serious crimes” such as child abuse and terrorism, they will be accessible for any crime carrying a jail sentence of at least three years, which includes fraud, tax evasion and forgery.

    Leading civil organisations Liberty Victoria, Electronic Frontiers Australia, Australian Privacy Foundation and the Queensland Council for Civil Liberties made a joint submission to the inquiry, raising significant concerns with the legislation and its extraterritorial application.

    None of these groups were invited to address the committee directly, while many who were invited, including the Uniting Church and the Cybersecurity CRC, were supportive of the bill.

    The PJCIS secretariat confirmed to InnovationAus that there are no plans for any further hearings.

    Representatives from the Law Council of Australia and the Human Rights Law Council (HRLC) did address the PJCIS, raising significant concerns with the sweeping new powers. After this, the only other organisation to raise a number of issues with the legislation was the Communications Alliance.

    The HRLC has labelled the powers in the bill as “absurdly broad” and “disproportionate”.

    It’s important for civil society to be able to offer input on these important pieces of legislation, Dr Mann said.

    “It’s easy to become very discouraged about the process of introducing new laws. Civil society organisations work very hard in terms of defending, upholding and advocating the rights of citizens, so it’s very disappointing to have these perspectives founded in subject matter expertise completely sidelined or ignored from these kinds of forums,” she said.

    Other organisations asked to appear at the hearing that were generally in support of the new powers were the Carly Ryan Foundation, a charity focusing on the safety of children online, the Uniting Church of Australia, and the Cyber Security Cooperative Research Centre (CSCRC).

    In its submission to the inquiry, the CSCRC said the powers were proportionate, appropriate and safe.

    A number of government departments and agencies also appeared before the hearing, including representatives from the Department of Home Affairs, the Australian Federal Police, the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman.

    In the joint submission, the coalition of civil liberties groups raised concern with how the new hacking powers will apply extraterritorially, with the warrants accessible by authorities when they don’t know who the suspected criminal is and where they are based.

    “These powers effectively extend the reach of Australian law enforcement outside of the sovereign jurisdiction of Australia with significant extraterritorial impacts,” the submission said.

    “In absence of a clear transnational regulatory structure supporting transnational government hacking operations in cases where the physical location of the target computer and suspect is not known these proposed laws should be reconsidered,” it said.

    These concerns “strike at the heart” of the government’s legislation, and concerns about it being raised may have been why the groups weren’t invited, Dr Mann said.

    “The Identify and Disrupt powers will enable Australian law enforcement agencies to conduct extraterritorial government hacking outside of the sovereign state of Australia, which is against the rule of law,” she said.

    “Having critical people with expertise in this saying that would have absolutely struck at their proposal from the start – there’s no way they would’ve proceeded without recognising that.”

    Without hearing from critical voices, the new hacking powers will likely be greenlit by the powerful committee and proceed easily through Parliament, she said.

    “I can very much anticipate when the report is released it’s largely going to endorse these new powers, and they’re just going to pass into law like all the others,” Dr Mann said.

    “They’re moving to introduce new laws that have very significant human rights implications in situations where there’s not sufficient oversight or accountability, in a really knee-jerk way and justifying them because of evil wrongdoers on the internet. But the laws aren’t limited to that application, they define a broad range of different things and could apply to journalists and academics.”

    A number of other organisations have also been critical of the proposed powers, with the NSW Council of Civil Liberties labelling them a “catch-all formula for abuse” and “next in an accelerating wave, strengthening the powers of the state without any humility about the cumulative erosion of democratic freedoms they entail”.

    A group of Senators also raised concerns that a “wide scope of innocent third parties” could be caught up in the coercive powers.

    The Standing Committee for the Scrutiny of Bills also questioned a lack of focus on privacy, no judicial oversight and the ability for the powers to be accessed without a warrant in an emergency.

    The post Civil society ‘ignored’ on hacking bill inquiry appeared first on InnovationAus.


  • The federal government’s proposed new powers for authorities to covertly take control of an individual’s online account are “antithetical” to democratic law and lack any due process, according to Twitter.

    The Identify and Disrupt Bill, which hands sweeping new powers to the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) to “disrupt” and hack into the computers and networks of suspected criminals, is currently the subject of a Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry.

    The legislation introduces three new warrants which would allow authorities to “disrupt” the data of suspected criminals, access devices and networks even if they don’t know their identities and take over their accounts covertly.

    Takeover powers: Twitter says the proposed laws are ‘antithetical’ to democratic laws

    The warrants apply to any criminal offence carrying a jail sentence of at least three years, covering a broad swathe of offences.

    In its submission to the PJCIS inquiry, social media giant Twitter focused on the account takeover warrants, saying they would create significant extraterritorial issues and if introduced, would be “divorced from standard due process requirements” and “antithetical to core legal principles enshrined in democratic law and procedural fairness”.

    “Twitter is concerned that the proposed bill will allow law enforcement direct access to data regardless of the location of the server, without requiring knowledge of such access being provided to the service provider, and in the case of account takeover warrants, absent the agreement of an appropriate consenting official of the relevant foreign country where the warrant would be enforced,” the Twitter submission said.

    “The account takeover warrant will apply extraterritorially with Australian law enforcement being authorised to take control of an online account regardless of where the account data is located and without consent from foreign governments or officials.”

    The tech company said it was unclear what its own rights and obligations will be under the scheme, which could see Australian authorities secretly take control of one of their users’ accounts, and how it will impact the privacy of their users.

    “There is no consideration or reference in the bill of the implications of law enforcement agencies accessing a service without the knowledge of the service provider. We are very concerned about the implications for Twitter’s own obligations as a company, as well as the rights and privacy implications for the users of Twitter and other online services,” Twitter said.

    The government has also not considered the impact of these new powers on innocent third parties that may interact with an account that is being secretly operated by the AFP, Twitter said.

    “It does not appear that the bill has contemplated any processes to consider and protect the rights of any third-party users who may interact with the account that has been subject to an account takeover warrant,” it said.

    “This again raises a number of inherent privacy concerns and potential violations of substantive rights, as well as potential conflict of laws if these third party users are outside of Australia.”

    “Therefore, we recommend that the government institute the necessary protections and procedures to address these issues in order to preserve democratic processes, extend privacy protections, and enshrine procedural fairness within the context of the bill.”

    In a separate submission, the Communications Alliance also raised concern with the “potential for far-reaching consequences” with the new powers and called for amendments requiring that the relevant service provider be consulted before a warrant is issued, and to require independent judicial oversight and authorisation of warrants.

    The Department of Home Affairs also made a submission to the PJCIS inquiry, confirming that it plans for the account takeover warrants to be used in conjunction with other warrants.

    “An account takeover power could be used in conjunction with a controlled operation which would authorise the AFP or the ACIC to assume the account holder’s identity, engage in ongoing interactions with associates to elicit information and assist in the identification of offenders and collection of evidence of the offending,” the Home Affairs submission said.

    “Enabling the AFP and ACIC to take control of an online account in these circumstances is an extremely valuable tool and would facilitate better evidence-gathering against criminals, mapping of their criminal networks and potential identification of victims.”

    The post Twitter hits back at proposed takeover powers appeared first on InnovationAus.


  • The federal government’s proposed new hacking powers for the Australian Federal Police are a “catch-all formula for abuse” and resemble something from the Hollywood film Minority Report, the NSW Council for Civil Liberties says.

    The federal government late last year quietly introduced legislation to Parliament handing broad new powers to the AFP and Australian Criminal Intelligence Commission (ACIC) to hack into the computers and networks of suspected criminals.

    The legislation introduces three new warrants that will allow authorities to “disrupt” the data of suspected criminals, access their devices and networks even if they don’t know their identities and take over their accounts covertly.

    The warrants will be issued for any suspected offence carrying jail time of at least three years, covering a wide spread of crimes.

    Sweeping powers: The erosion of civil liberties in the name of ‘crime prevention’

    The legislation was quickly referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), with submissions to the inquiry closing last week. Some submissions were released publicly by the committee on Monday.

    In its submission, the NSW Council for Civil Liberties (NSWCCL) said it was time to draw a line in the sand over increasing laws that erode privacy under the guise of preventing “serious crime”.

    The council said the latest legislation is the “next in an accelerating wave, strengthening the powers of the state without any humility about the cumulative erosion of democratic freedoms they entail”.

    “This bill builds on this ominous trend and takes it to a new level, providing unprecedented new powers for law enforcement to interfere and ‘disrupt’ communications of citizens without effective restraint,” the NSWCCL submission said.

    “The abuse of power this bill enables will happen. Enough is enough.”

    The NSWCCL said that the data disruption warrants and account takeover warrants are “crime prevention” tools that resemble something from the science-fiction movie Minority Report.

    The powers will apply to a wide range of potential crimes – any carrying at least three years of jail time – not just those referenced by the government in announcing the laws, the submission said.

    “This is an extraordinary catch-all encompassing fauna importation, fraud and importantly, such vaguely worded offences as ‘communication and other dealings with inherently harmful information by current and former Commonwealth officers’,” the NSWCCL said.

    “These secrecy provisions have already been used to intimidate whistleblowers in several high-profile cases over the last few years. They are framed in a way that prevents vital information regarding government wrongdoing from ever coming to the attention of the public.”


    “We cannot accept a new species of warrant that is based on the notion that the role of law enforcement is to stop possible future offences from being committed where the breadth of their application is so wide,” the NSWCCL said.

    “The elastic notion of ‘suspicion’ as the trigger for these laws will permit a generalised, permanent state of surveillance because there is never likely to be a time when there will not be a suspicion of these activities occurring online somewhere.”

    In a separate submission, a coalition of digital and civil rights groups including Liberty Victoria, Electronic Frontiers Australia, the Australian Privacy Foundation and the QLD Council of Civil Liberties, said the powers in the legislation amount to “state-authorised hacking”.

    “Australians do not have sufficient safeguards of their fundamental rights to protect them from abuse of power by authorities,” the groups said.

    The groups said that the new warrants should only apply to national security concerns.

    The Commonwealth Ombudsman also made a submission to the PJCIS, calling for privacy to be included as a key consideration when determining whether a warrant should be issued.

    “Requiring issuers to consider privacy or less intrusive means of obtaining information or disrupting activity ensures that they have turned their mind specifically to the balance between the right to privacy and the safety of the Australian community when deciding whether to authorise the use of particular power,” the Ombudsman said.

    The release of the handful of submissions comes after a group of senators also raised significant concerns about the identify and disrupt bill, including that a “wide scope of innocent parties” could be caught up in the broad and coercive scheme.

    The Standing Committee for the Scrutiny of Bills questioned a lack of focus on privacy, the lack of judicial oversight, the potential for innocent people to be impacted and the ability for the powers to be used without a warrant in an emergency.

    The post Planned AFP data powers are like Minority Report appeared first on InnovationAus.
