Bills Digest No. 2, 2021–22

Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020

Home Affairs

Author

Claire Petrie

Introductory Info

Date introduced: 3 December 2020
House: House of Representatives
Portfolio: Home Affairs
Commencement: Sections 1 to 3 commence on Royal Assent. Schedule 1 and Schedules 3–5 commence the day after Royal Assent. Schedule 2 commences immediately after commencement of Schedule 1.

Purpose of the Bill

The primary purpose of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (the Bill) is to amend the:

  • Surveillance Devices Act 2004 (Cth) (SD Act) to create two new warrants—data disruption warrants and network activity warrants—which may be issued to law enforcement officers in the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) and
  • Crimes Act 1914 (Cth) to provide the framework for the new account takeover warrant, which may be issued to AFP and ACIC officers, and to provide that in granting or varying authorisation for controlled operations, an authorising officer does not need to be satisfied that illicit online content will be under the control of law enforcement at the end of the operation.

The Bill also makes consequential amendments to ten other Acts. These include amendments to the Inspector-General of Intelligence and Security Act 1986 (Cth) to provide the Inspector-General of Intelligence and Security with oversight over the AFP and ACIC in respect of activities related to network activity warrants.

Structure of the Bill

The Bill has five Schedules:

  • Schedule 1 amends the SD Act to provide for the issuing of data disruption warrants, and makes related amendments to the Telecommunications (Interception and Access) Act 1979 (TIA Act)
  • Schedule 2, Part 1 amends the SD Act to provide for the issuing of network activity warrants. Part 2 makes consequential amendments to ten Acts
  • Schedule 3 amends the Crimes Act to provide a framework for the issuing of account takeover warrants
  • Schedule 4 amends provisions of the Crimes Act in relation to controlled operations and
  • Schedule 5 makes minor amendments to the SD Act and TIA Act.

Background

The Bill is aimed at modernising Australia’s law enforcement and intelligence legal framework to better equip the AFP and ACIC to deal with serious cyber-enabled crime, and particularly aims to address the challenges posed by increasing criminal use of the dark web and anonymising technologies.[1] In its 2019 report on the Impact of New and Emerging Information and Communication Technology, the Parliamentary Joint Committee on Law Enforcement described the dark web as:

…that part of the internet that is hidden from the view of typical search engines such as Google and Yahoo, and is only accessible by means of additional networking protocols and special software.

The dark web allows users and website operators to remain anonymous or untraceable. It is sometimes used to facilitate cybercrime through dark web markets where those using them can purchase stolen information or illicit goods. Dr John Coyne explained:

The internet is comprised of two parts: the part that is indexed by search engines and that which isn't (the deep web). A small portion of this deep web is comprised of what has become known as the 'dark web'. In these areas of the internet exist secure networks of various sizes. These networks, and their data, are protected by a range of technology including encryption. Within some of these dark web networks are buyers and sellers who combine to create dark markets: more often than not dealing in illicit commodities.[2]

In its submission to the Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) review of the Bill, the Department of Home Affairs states:

Criminals are using the dark web to commit serious crimes, including buying and selling stolen identities, trading in illicit commodities and producing and disseminating child abuse material. The encryption underpinning the dark web, and the increased use of anonymising technologies allow criminals, including terrorists and other malicious actors to hide from law enforcement. This has made committing serious crimes at volume and across borders easier than ever before.

Current electronic surveillance powers, while essential for investigating many aspects of online criminality, are not suitably adapted to identifying and disrupting serious crime where anonymising technologies are being used – including at scale – to conceal the identities and illegal activities of offenders…

This Bill addresses gaps in the current suite of electronic surveillance powers to enable the AFP and the ACIC to discover, target, investigate and disrupt the most serious of crimes, including child abuse, terrorism, and drug and firearms trafficking.[3]

Cyber Security Strategy

An emphasis on investigating and disrupting cyber crime, including on the ‘dark web’, forms part of Australia’s Cyber Security Strategy 2020, released in August 2020. As part of this Strategy, the Government committed to ensuring law enforcement has the necessary powers and capabilities to perform such activities.[4] This included a commitment to invest $124.9 million to strengthen law enforcement’s counter cyber crime capabilities, with $89.9 million of this intended for the AFP to ‘set up target development teams and bolster its ability to go after cyber criminals’.[5]

The Cyber Security Strategy emphasises the increasing scale and sophistication of cyber threats, in the context of greater reliance by Australians on the internet and internet-connected devices:

Between 1 July 2019 and 30 June 2020, the [Australian Cyber Security Centre (ACSC)] responded to 2,266 cyber security incidents at a rate of almost six per day. This does not include other incidents referred to the police and support organisations. The true volume of malicious activity in Australia is likely to be much higher. According to one expert analysis, cyber incidents targeting small, medium and large Australian businesses can cost the economy up to $29 billion per year, or 1.9% of Australia’s gross domestic product (GDP). Further, it is estimated that a four week interruption to digital infrastructures resulting from a significant cyber incident would cost the economy $30 billion (1.5% of Australia’s Gross Domestic Product) and around 163,000 jobs.[6]

The Strategy also includes a focus on increasing the cyber resilience of Australia’s critical infrastructure, with proposed reforms to the regulatory framework for critical infrastructure currently before Parliament.[7]

Richardson Review

The report of the Comprehensive Review of the Legal Framework of the National Intelligence Community (Richardson Review), led by Dennis Richardson, former head of ASIO, was released on 4 December 2020, together with the Commonwealth Government Response to the Comprehensive Review of the Legal Framework of the National Intelligence Community (Government Response), December 2020. The report made 203 recommendations, 13 of which were classified.

One recommendation was the enactment of a consolidated Electronic Surveillance Act, in which the existing SD Act, Telecommunications (Interception and Access) Act 1979, and parts of the Australian Security Intelligence Organisation Act 1979 (ASIO Act) are replaced with a single Act governing the use of federal telecommunications interception powers, covert access to stored communications, computers and telecommunications data, and the use of optical, listening and tracking devices.[8] The report noted that ‘reform of this nature will not be a simple or quick undertaking’ and would require two to three years of ‘very detailed work and drafting before being considered by Parliament’.[9] As part of this recommended reform, the report suggested the adoption of the oversight framework under the SD Act, which provides for the Commonwealth Ombudsman to oversee all aspects of each Commonwealth, state and territory agencies’ use of the powers under that Act.[10]

The report noted that the ‘need to disrupt security threats and criminal activity was a common theme in the Review’. It expressed doubt about the need for either ASIO or the AFP to be given a specific, legislated ‘disruption’ mandate, noting the ‘nebulous, and potentially very broad, nature of the concept of “disruption”’.[11]

The Government accepted most of the public recommendations, including the recommendation for a consolidated Electronic Surveillance Act. The Government Response stated:

The Government supports holistic reform of the legislative framework governing electronic surveillance and will develop legislation that achieves the principles and objectives underpinning each of Recommendations 76 to 132. However the policy development and drafting process requires a degree of flexibility, particularly as it is impossible to foresee all legal and operational issues that may arise in a rapidly evolving technological and national security environment. As such, the Bill ultimately put forward may not adopt the precise language of the Review. During this process, the Government will consult widely with key stakeholders including state and territory agencies, oversight bodies, public interest groups and the public.[12]

While proceeding with these broader plans for reform, the Department of Home Affairs states the current Bill is ‘intended to address specific and time critical gaps in the existing legal framework preventing law enforcement agencies from identifying and disrupting serious crime online, particularly that perpetuated on the dark web’.[13]

The Government Response disagreed with the Richardson Review’s position that the AFP does not need new powers to disrupt online offending. It argued that the current powers of both the ACIC and AFP are ‘increasingly ineffective against mass campaigns of cyber-enabled crime’, and that legislative reform is needed to enhance the ability of these agencies to discover and disrupt serious criminality online:

Such powers should be targeted at activities that have a direct and real impact on Australia’s most vulnerable and are usually orchestrated by the most sophisticated of criminal networks (eg. online child sexual abuse, the sale of illicit drugs and firearms and terrorism activities). Any new powers should also be proportionate to the identified risk, and subject to robust safeguards and oversight.[14]

The Government Response also emphasised the importance of ACIC—in addition to the AFP—in discovering serious and organised crime activity perpetrated online, pointing to ACIC’s criminal intelligence capabilities as enabling it to identify priority cybercrime and cyber-enabled crime targets.[15]

Committee consideration

Parliamentary Joint Committee on Intelligence and Security

The Bill has been referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry and report, with submissions due by 12 February 2021. Twenty-three submissions had been published at the time of writing, and a public hearing was held on 10 March 2021. Details are available at the inquiry homepage.

Senate Standing Committee for the Scrutiny of Bills

The Scrutiny of Bills Committee reported on the Bill on 29 January 2021.[16] The Committee noted that the authorisation of coercive search powers has the potential to unduly trespass on personal rights and liberties, and that any legislation enabling such powers should be tightly controlled, with sufficient safeguards. It raised a range of concerns about the Bill, and requested further advice from the Minister on all of these matters. The Minister’s response was considered by the Committee in its report dated 17 March 2021.[17] Key issues raised in these reports are set out below.

Authorisation of coercive powers

The Committee raised a number of concerns in relation to the Bill’s provision for authorisation of coercive powers under the proposed warrants:

  • the issuing authority for a data disruption or network activity warrant may be a nominated member of the Administrative Appeals Tribunal (AAT)—the Committee stated its ‘long-standing preference that the power to issue warrants authorising the use of coercive or intrusive powers should only be conferred on judicial officers’[18]
  • the explanatory memorandum does not provide sufficient explanation of why it is considered necessary and appropriate to issue each type of warrant for an initial 90-day period as opposed to a shorter period[19]
  • the Bill does not require, consistently across all warrants, that the issuing authority must consider whether the warrant is proportionate, as well as the extent of possible interference with the privacy of third parties[20]
  • the broad scope of offences which may be ‘relevant offences’ for the purposes of the warrants[21] and
  • provisions in the Bill that seek to correct the effect of a defect or irregularity in relation to a warrant or emergency authorisation do not provide guidance on the types of defects or irregularities the provisions are intended to relate to.[22]

The Minister’s response stressed the suitability of AAT members to assess applications for data disruption and network activity warrants due to their experience and independence.[23] In respect of the initial 90-day issue period, the Minister stated this was consistent with the period for surveillance device warrants and computer access warrants, and noted that this was a maximum period which could vary depending on the circumstances.[24] In relation to the factors to be considered when issuing the various warrants, the Minister stated that these considerations had been ‘specifically designed with regard to the objective and contemplated operation of each of the warrants’.[25]

The Committee reiterated its scrutiny concerns regarding the appropriateness of non-judicial office holders issuing data disruption and network activity warrants, and of not requiring the issuing authority to consider the extent of possible interference with the privacy of any person. It also requested the explanatory memorandum be amended to include information provided by the Minister.[26]

Emergency powers

The Committee also raised concern about provisions in the Bill which allow coercive action to be taken without a warrant—specifically, in emergency circumstances and in order to conceal things done to execute the warrant.[27]

The Minister’s response stated that an emergency authorisation will only be issued in circumstances where the level of seriousness and urgency is such that disruption of data or account takeover activity is ‘immediately necessary for dealing with that risk’. The Minister further noted that information gathered under an emergency authorisation is subject to strict use and disclosure provisions, and pointed to existing provisions in the SD Act providing for emergency authorisations in relation to surveillance devices and access to data held in a computer.[28] In respect of concealment activities, the Minister stated that concealment of the execution of the warrants in the Bill is ‘vital to the effective exercise of powers and maintaining the covert nature of the investigation or operation’, and that additional external approval requirements were not necessary as concealment activities are incidental to the granting of the original warrant.[29]

The Committee requested an addendum to the explanatory memorandum containing the key information provided by the Minister, and reiterated its concern about both the emergency authorisation and concealment provisions.[30]

Effect on third parties

The Committee further raised concerns about the Bill’s effect on the privacy rights of third parties, noting the potential for coercive powers in the Bill to adversely affect third parties who are not suspected of wrongdoing, through:

  • authorising entry onto third party premises and access to third party computers, communications and account-based data
  • compelling third parties to provide information through assistance orders and
  • the broad definition of ‘criminal network of individuals’.[31]

The Minister’s response acknowledged the potential impact on the privacy of third parties, but noted that the issuing authority is required to undertake a proportionality test before deciding to issue a data disruption warrant or network activity warrant. The Minister further stated that the term ‘criminal network of individuals’ needs to be ‘broad enough to cover unwitting participants in criminal activity, so that this crucial intelligence can still be collected’.[32]

The Committee requested key information provided by the Minister be added to the explanatory memorandum and reiterated its scrutiny concerns regarding these issues.[33]

Use of information obtained through warrant process

The Committee also expressed concern about the breadth of the exceptions to the restrictions on the use, recording or disclosure of protected information.[34] The Minister’s response stated that the exceptions provided for in the Bill:

… are necessary either to enable the warrants to be effective, or to enable strong oversight and accountability mechanisms, or to enable proper and appropriate judicial processes to be carried out, or to enable information sharing necessary for agencies to carry out their functions or in emergency circumstances.[35]

The Committee requested the information provided by the Minister be included in the explanatory memorandum, and left it to the Senate as a whole to decide the appropriateness of the proposed exceptions.[36]

Reversal of burden of proof

The Committee expressed concerns about provisions in the Bill enabling evidentiary certificates to be issued in relation to information obtained in connection with data disruption, network access or account takeover warrants, and about their potential, by reversing the evidential burden of proof, to interfere with the common law right to be presumed innocent until proven guilty.[37] It also queried the reversal of the evidential burden of proof in connection with the offence for use or disclosure of protected information.[38]

The Minister’s response noted that evidentiary certificates will only cover factual matters including the manner in which evidence was obtained and by whom, and would not cover the actual evidence itself. The Minister noted that the certificates:

… will protect sensitive AFP and ACIC capabilities by preventing prosecutors from being required in the first instance to disclose the operation and methods of law enforcement unless a defendant seeks to dispute the veracity of the methods used to gather information against their interest. The courts will retain the ability to test the veracity of the evidence put before it should there be founded grounds to challenge the evidence.[39]

While noting the Minister’s advice, the Committee reiterated its concerns that evidentiary certificates may impose a ‘significant burden on persons seeking to challenge the validity of certain actions, in particular things done in the execution of warrants and steps taken to conceal them’. The Committee also noted the Minister’s response ‘indicates that evidentiary certificates may cover how evidence that goes directly to the culpability of an offence was obtained, even if the certificates may not cover the evidence itself’. The Committee requested key information be included in the explanatory memorandum and drew its scrutiny concerns to the attention of Senators.[40]

In respect of the reversal of the evidential burden of proof in connection with a protected information offence, the Minister advised that the Bill requires the defendant to adduce evidence that suggests a reasonable possibility they have not unlawfully used or disclosed protected information. The Minister noted the defendant would be best placed to explain their motivations when using or disclosing information, whereas to disprove the matter the prosecution would:

… need to understand the information held by the defendant, including the defendant's state of mind and motivations. This would be significantly more difficult and costly, if not impossible, for the prosecution to disprove.[41]

The Committee requested this information be added to the explanatory memorandum and stated that in light of the information provided by the Minister, it had no further comment.[42]

Delegation

The Committee additionally raised concerns about the broad delegation of administrative powers by the chief officer of ACIC.[43] The Minister advised that differences between the ACIC and AFP in the level of officer able to give an emergency authorisation reflect ‘differences in the organisational structures and staffing arrangements of those agencies’.[44] The Committee requested this information be included in the explanatory memorandum and reiterated its concerns.[45]

Policy position of non-government parties/independents

No non-government parties or independents appear to have commented on the Bill at the time of writing.

Position of major interest groups

Government agencies

The Commonwealth Ombudsman, responsible for oversight of law enforcement agencies’ use of certain covert powers, including those proposed in the Bill with respect to data disruption and account takeover warrants, has noted that the Department of Home Affairs consulted it throughout the Bill’s development and ‘incorporated the majority of our feedback’.[46] While it noted the Bill introduces oversight by the Inspector-General of Intelligence and Security (IGIS) over the AFP and ACIC in respect of network activity warrants, marking a ‘convergence of our offices’ stakeholder bases’, the Ombudsman stated it ‘considers this proposal consistent with the broader delineation of our respective roles’.[47] However, it raised concern about the consistency of certain powers across the different warrant schemes proposed in the Bill, stating:

In some instances, the Bill demonstrates a prioritisation of internal legislative consistency, rather than consistency between similar covert power types. It is our view that it may be more appropriate to align new covert powers more broadly with existing covert powers, particularly in regard to:

  • issuing officers for account takeover warrants
  • consideration of privacy impacts for data disruption warrants, and
  • requiring an affidavit in support of an account takeover warrant.[48]

The AFP supports the Bill, arguing that it will ‘enhance the options available to the AFP and the ACIC to overcome technological obstacles and take appropriate action against those who harm the Australian community’. It has stated that the proposed powers:

… while new in the context of the online environment, have an equivalent effect to existing law enforcement responses, and are appropriate when considering the complexity and increasingly global scale of cyber-enabled crime. There are also extensive oversight provisions, ensuring our use of these powers is transparent and held to a high standard.[49]

The ACIC also supports the Bill, arguing that the amendments will complement its existing powers by providing ‘new avenues to gather information and respond to serious crime occurring online and criminals using dedicated encrypted communication platforms’.[50] The ACIC stated:

While the [Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018] greatly assisted law enforcement to combat [serious and organised crime] groups at the time it was enacted, further advancements in agencies’ powers are required to meet technology developments. Criminal use of the Dark Web and anonymising technologies is a prime example of how powers available to Australian law enforcement must be updated to keep pace with developments in technology.[51]

The Inspector-General of Intelligence and Security (IGIS), which has oversight responsibilities in relation to the activities of Australia’s security agencies, noted that:

… in practice, there may not always be a clear delineation between IGIS’s oversight of the network activity warrant framework detailed in Schedule 2, and the Ombudsman’s oversight of the data disruption warrant and account takeover warrant frameworks in Schedules 1 and 3. IGIS notes, however, that the information sharing provisions, and the other provisions in Schedule 2 of the Bill, aimed at addressing concurrent jurisdiction between IGIS and other integrity bodies, is intended to ensure that the risk of duplication of oversight between IGIS and the Ombudsman is appropriately managed and minimised.[52]

The IGIS expressed concern that the ‘cascading definitions’ which determine the scope of the Bill are ‘complex and potentially unclear in scope’, and stated that this could create challenges for oversight.[53] It also raised concerns about the extent to which privacy implications may be considered in the issue of network activity warrants as well as the absence of a maximum timeframe for law enforcement agencies to report to the Minister.[54]

The Office of the Australian Information Commissioner (OAIC) suggested that the Bill requires further consideration ‘to better ensure that any adverse effects on the privacy of individuals which result from these coercive powers are minimised, and that additional privacy protections are included in the primary legislation’.[55] It made seven recommendations for amendments to strengthen these protections.

Human rights, legal and civil liberties groups

A joint submission to the PJCIS inquiry by the Queensland Council for Civil Liberties, Liberty Victoria, Electronic Frontiers Australia and the Australian Privacy Foundation recommended the Bill be withdrawn, and not reintroduced until a ‘Federal enforceable human rights framework’ is introduced into Australian law.[56] It raised particular concern about the proposed data disruption warrants, arguing:

…it is a dangerous step to enable law enforcement to modify what would be evidence in a criminal proceeding. We appreciate that the intention is to frustrate and prevent the distribution of child exploitation material, as that is the example given in the Explanatory Memorandum; however, this inherently causes evidence to be altered and this needs to be addressed…

Secondly, law enforcement has a poor record of the consequences of modification or deletion of digital information. The Bill has few, if any, safeguards to protect innocent parties from adverse consequences associated with the disruption of data that may result in significant, though unintended, harm…[57]

The Law Council of Australia made a substantial submission to the inquiry, in which it expressed concern that the necessity of the proposed powers ‘has not been clearly or adequately established’, and that the Bill ‘proposes to reject a core recommendation’ of the Richardson Review, being that law enforcement agencies should not be conferred with specific cyber‑disruption powers in the nature of the proposed data disruption warrant regime.[58] The Law Council further argued that the scope of the proposed powers is ‘disproportionately broad compared to the threats of serious and organised cybercrime to which they are directed’.[59] It made 57 recommendations to amend the Bill, primarily to ensure the proportionality of the proposed measures.

The Human Rights Law Centre has similarly stated that Australia lacks a ‘robust human rights framework that would provide adequate protection against the abuse of the powers contained in this Bill’, and expressed concern about the disproportionate scope of the proposed powers and lack of evidence justifying the need for additional warrants beyond those currently available.[60]

The NSW Council for Civil Liberties has expressed concern with the breadth of the application of the proposed warrants, the ‘widening of spy agency remits to allow intelligence gathering on Australian citizens’, and the risk of abuse of power contained in the Bill.[61]

Telecommunications groups

Amazon Web Services (AWS), a cloud computing platform operating in and outside Australia, has noted that the data disruption and account takeover warrants proposed by the Bill are ‘formulated for fundamentally different objectives’ than current warrants, being intended not for the purpose of gathering evidence but ‘to allow law enforcement agents to effectively stand in the (online) shoes of persons suspected of engaging in potential criminal activity’. It argues that the issue of such warrants will involve an ‘elevated risk to the liberty and privacy of citizens whose online accounts are impacted by law enforcement activities’.[62]

While not stating a clear position on the Bill, AWS made recommendations for improvements, including to clarify and constrain the scope of the assistance order powers, introduce a ‘good faith’ immunity for online account providers in relation to the execution of account takeover warrants, and restrict the power to issue warrants to judicial officers.[63]

The Communications Alliance has stated that its members (including carriers, carriage service providers, search engines and digital platforms) support the intent of the Bill, but believe that some aspects ‘require further work in order to meet the requisite tests of proportionality, effectiveness, practicality and feasibility’.[64] In particular, it recommended changes to require judicial issuing of warrants only, and for the issuing process to be ‘informed by independent technical advice’.[65]

Email provider Fastmail has expressed concern about the changes, arguing that data surveillance laws are not given effective oversight or accountability. It has called for better alignment across the different Acts which provide for coercive powers, and recommended the introduction of a consultation process where the target computer is not owned by the person suspected of the offence. It has also queried the potential interaction of the Bill with legislation relating to foreign law enforcement powers, such as the Mutual Assistance in Criminal Matters Act 1987 and the Telecommunications Legislation Amendment (International Production Orders) Bill 2020.[66]  

Twitter has stated support for the Government’s goal of disrupting bad actors and removing illegal content from the internet, but has ‘overarching concerns across the relevant sections of the Bill that these three types of warrants can be implemented without providing proper notification to service providers’.[67] Focusing primarily on account takeover warrants as most relevant to its own service, Twitter has expressed concern about the safeguards in place, noting that there is ‘no consideration or reference in the Bill of the implications of law enforcement agencies accessing a service without the knowledge of the service provider’, and about the use of magistrates rather than judges or AAT members to issue the warrants.[68] It raised concerns about the privacy and rights of third party users who may interact with an account subject to an account takeover warrant, and urged the Government to ‘amend the Bill to reflect practices that are consistent with established norms of privacy, free expression, and the rule of law’.[69]

DIGI, an industry association founded by Google, Twitter and Verizon Media, argued that the Bill should be viewed as an extension of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Assistance and Access Act) because the current Bill ‘provides law enforcement with greatly expanded powers that increases the incentive to use the tools available to them under the Assistance and Access Act’. It argued that the current reviews of the Assistance and Access Act should be completed before the Bill proceeds.[70] DIGI further argued the Bill ‘does not adhere to the principles of proportionality or necessity’, pointing to issues including the broad scope of the Bill and its potential impact on service providers; the lack of provision for service provider notification of an access request; the potential impact on encryption; and the lack of privacy protections and procedural fairness in place.[71]

The Australian Information Industry Association expressed support for the intent behind the legislation but recommended the Government ‘ensure that the guardrails and thresholds associated with this legislation are managed appropriately’, keeping in mind both the civil liberty implications of the Bill as well as the ‘feasibility and implications of assistance and compliance for the technology sector on both an individual and global level’.[72] It recommended amendments including the introduction of immunity from prosecution for assisting entities (and employees) who are acting in good faith, cost recovery for ‘private entities for the costs that they incur in implementing assistance orders’, and mandatory consultation with any relevant company, service provider or related entity before applying for a warrant.[73]

Other groups

The Cyber Security Co-operative Research Centre has expressed support for the measures in the Bill, arguing that while ‘undoubtably extraordinary’ they are ‘proportionate and appropriate in relation to the threat posed’ and accompanied by appropriate safeguards against the misuse of powers and legislative creep.[74]  

The Synod of Victoria and Tasmania, Uniting Church of Australia, supports the passage of the Bill, noting that it is ‘especially needed in light of technology corporations continuing to develop online tools that assist in carrying out’ serious crimes and human rights abuses facilitated online.[75] It has further stated that the AFP and ACIC must put into place policies, procedures and best practice guides to ensure full compliance with the requirements and safeguards contained within the Bill.[76]

The Carly Ryan Foundation, a harm prevention group aiming to promote internet safety and prevent crime against children, expressed support for the Government’s ‘commitment to innovating alternative pathways to reduce online crime’ and stated it supports ‘in principle the aims of the Bill to enhance law enforcement’s ability to protect children and disrupt crimes against children from occurring’. It further stated that it believes the Bill includes appropriate oversight and accountability of the warrant powers.[77]   

The Police Federation of Australia has stated it strongly supports the Bill, pointing to the need for police powers to ‘keep up with evolving criminal threats as crime is increasingly transferred to the digital world’.[78]

Concerns and commentary in respect of specific aspects of the Bill are discussed below under ‘Key issues’.

Financial implications

The Explanatory Memorandum states that the Bill will have no financial impact, as all financial impacts for the 2020–21 financial year will be met from existing appropriations. It states that any ongoing costs will be considered in future budgets.[79]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[80]

Parliamentary Joint Committee on Human Rights

The Parliamentary Joint Committee on Human Rights reported on the Bill on 3 February 2021.[81] The Committee noted the proposed powers and warrants in the Bill could promote multiple rights, by facilitating the investigation, disruption and prevention of serious crimes against persons, including protecting children from harm. However, the Committee also noted that the measures engage and limit other rights, in particular the right to privacy, by authorising the AFP and ACIC to take various actions which may interfere with a person’s privacy.[82] In assessing the proportionality of the measures, the Committee queried whether the safeguards in place were adequate, noting:

  • warrants may be issued not only by judicial officers but also by AAT members, who may not have all the attributes of permanent independent judicial authority[83]
  • the mandatory considerations for issuing authorities in granting warrants are not consistent across each warrant, with the issue of privacy limited to account takeover warrants and the issue of proportionality limited to network activity warrants[84]
  • it is unclear how statutory conditions on warrants which limit interference with data and property may interact with the ability for issuing authorities to specify things authorised by the warrant[85]
  • the broad range of exceptions to the statutory protections on the use or disclosure of protected information raise concerns about the adequacy of the safeguard
  • it is unclear whether the specified time of five years before which protected information must be destroyed is an appropriate period of time[86] and
  • the limited access to review and lack of provision for public interest monitors.[87]

The Committee also raised questions as to:

  • whether the measures in the Bill limit the right to an effective remedy for a person whose right to privacy is violated by the proposed warrants[88]
  • whether the provision for assistance orders is compatible with the right to privacy, noting that the issuing authority is not required to be satisfied the order is justifiable and proportionate with respect to all warrants (only data disruption warrants)[89]
  • whether, in allowing protected information obtained under the warrants to be disclosed to foreign countries in certain circumstances (such as in connection with the AFP’s existing functions under the Australian Federal Police Act 1979), the Bill interferes with the rights to privacy, life, and the prohibition against torture or cruel, inhuman or degrading treatment or punishment.[90]

The Committee stated it had not yet formed a concluded view on these matters and requested further advice from the Minister.

The Minister’s response was considered by the Committee in its report dated 17 March 2021.[91] The Minister advised:

  • by providing for the independent scrutiny of warrant applications, the Bill provides an ‘important mechanism’ in ensuring that warrants issued are reasonable and proportionate, and that the power is consistent with Australia’s international human rights obligations—however, international human rights law does not specifically require it to be a judicial authority that authorises investigatory powers. Additionally, decisions to issue a warrant are open to judicial review[92]
  • the considerations required to be taken into account by issuing authorities ‘have been specifically designed with regard to the objective and contemplated operation of each of the warrants’, each enabling some form of proportionality assessment[93]
  • the additional conditions an authority may impose go only to the conditions subject to which things may be done under the warrant (proposed subparagraph 27KD(1)(b)(ix) in the SD Act and proposed subparagraph 3ZZUQ(1)(b)(ix) of the Crimes Act); so the statutory conditions on warrants which limit interference with data and property are not overridden by any such additional conditions[94]
  • the exceptions to the restrictions on the use, recording or disclosure of protected information are designed to be limited to only that which is necessary[95]
  • the lack of provision for public interest monitors is consistent with the approach for surveillance device warrants and computer access warrants in the SD Act, with public interest monitors recognised under the TIA Act only currently existing within Victoria and Queensland[96]
  • under the Bill, persons of interest or those who are subject to the new covert warrants in the Bill do not have to be notified of the use of powers against them unless there is a specific requirement under law to do so, consistent with the practice for covert warrants under the SD Act and other relevant Commonwealth laws. While the use of a covert warrant will impact a person’s privacy, the limitation is reasonable, necessary and proportionate to safeguard the Australian community from serious crime, and balanced with strict safeguards including restrictions on the use and disclosure of information obtained under a warrant, and ‘robust oversight and reporting requirements’.[97]

The Committee concluded that ‘questions remain’ as to whether there are sufficient safeguards in place to ensure the proposed measures in the Bill are a proportionate limitation on the right to privacy, pointing in particular to the ability for AAT members to issue warrants and the absence of a requirement that privacy and proportionality be considered before all types of warrants are issued. The Committee also noted that some exceptions to the restrictions on the use and disclosure of protected information are broadly framed ‘which may weaken the safeguard value of these restrictions’, and noted the limited access to effective review given the covert nature of the powers. The Committee recommended amendments be made to assist the proportionality of the measure.[98]

On the issue of assistance orders, the Minister advised that the criteria of which the issuing authority must be satisfied prior to granting the order reflect the criteria relevant to the supporting warrant—the Minister noted that this would ensure any activity required by the assistance order does not extend beyond the scope of the warrant.[99] The Committee recommended the strengthening of these criteria to assist the proportionality of the measure, by requiring the issuing authority to be satisfied the assistance order is ‘justifiable and proportionate, having regard to the relevant offences and the extent to which the privacy of any person is likely to be affected’.[100]

In regard to information sharing with foreign governments, the Minister pointed to safeguards in place through the mutual assistance framework, with provision of any evidential material to a foreign country subject to the requirements of the Mutual Assistance in Criminal Matters Act 1987. The Minister also pointed to additional protections in place in the ACC Act as well as in ACIC and AFP policy.[101] The Committee concluded that questions remain about the strength of the safeguards in place and considered:

  • the proportionality of the measure with the right to privacy may be assisted by amendments to provide that when considering disclosure of protected information to a foreign country, an individual’s right to privacy is considered, and by requiring the authorised officer to be satisfied that adequate privacy protections are in place and
  • the compatibility of the measure with the right to life and the prohibition against torture or cruel, inhuman or degrading treatment or punishment may be assisted were the Bill amended to provide that where there are substantial grounds for believing there is a real risk that disclosure of information to a foreign country may expose a person to the death penalty or to torture or cruel, inhuman or degrading treatment or punishment, protected information must not be shared with that country.[102]

Key provisions

Schedule 1—Data disruption warrants

Schedule 1 of the Bill primarily amends the SD Act to provide for the issuing of data disruption warrants to allow law enforcement officers of the AFP or ACIC to obtain access to data held in a target computer and ‘disrupt’ this data, in order to frustrate the commission of a relevant offence. Item 13 of Schedule 1 inserts proposed Division 5 in Part 2 of the SD Act, setting out the requirements and features of such warrants.

The SD Act does not currently contain any simplified outlines to explain the provisions of the SD Act, and the Bill does not propose to insert a simplified outline for proposed Division 5 of Part 2.

What the warrant authorises

A data disruption warrant authorises the doing of specified things in relation to a ‘target computer’. These include using the computer, a telecommunications facility or other electronic equipment or data storage device to:

  • obtain access to data held in the target computer to determine whether it is covered by the warrant and
  • ‘disrupt’ this data at any time while the warrant is in force, where doing so is likely to assist in frustrating the commission of one or more relevant offences.[103]

Disrupting data held in a computer is defined as adding, copying, deleting or altering data held in the computer.[104]

The warrant may also authorise (amongst other things):

  • adding, copying, deleting or altering other data in the target computer, if necessary, to achieve one of the above purposes
  • using another computer or a communication in transit to access or disrupt the relevant data (if it is reasonable to do so)
  • intercepting a communication passing across a telecommunications system for the purpose of doing any thing specified in the warrant and
  • any other reasonably incidental thing.[105]

The warrant also authorises the doing of any thing reasonably necessary to conceal the fact that a thing has been done under the warrant.[106]

The warrant must authorise the use of necessary and reasonable force to do the things specified in the warrant, and must state whether entry to premises (where permitted) is authorised to be made at any time of the day or night, or only during stated hours.[107]

Restrictions on interference with lawful use of computer

The warrant may not authorise the disruption of data, or doing of a thing, that is likely to materially interfere with, interrupt or obstruct a communication in transit or other persons’ lawful use of a computer, unless it is necessary to do one or more of the things specified in the warrant. The warrant also may not cause other material loss or damage to other persons lawfully using a computer unless the loss or damage is ‘justified and proportionate’, having regard to the offences covered by the warrant.[108]

The Department states that while the SD Act already provides for computer access warrants which authorise similar activities, the purpose of the data disruption warrant is different:

Computer access warrants in the Surveillance Devices Act allow access to a computer but only for the purpose of gathering evidence. Data disruption warrants allow agencies to proactively remove content or redirect activity in order to prevent further harm from occurring. Unlike other warrants, the main purpose of activity undertaken through data disruption is not gathering evidence for a prosecution, but rather frustrating the commission of further offences.[109]

The AFP has stated that the warrants will provide it with ‘additional tools to be proactive in targeting and frustrating serious offending’, arguing that in situations where there are otherwise limited opportunities to identify, arrest and prosecute offenders, due to the lack of evidence or data to connect the offending to a specific location or individual, ‘the only option may be to take proactive disruptive action rather than investigative action, to prevent the continuation of the criminal activity’.[110]

Relevant offences

The term relevant offence is already defined under subsection 6(1) of the SD Act, and includes the following:

  • a federal offence, or state offence with a federal aspect,[111] punishable by a maximum term of at least three years imprisonment
  • certain specified offences under the Financial Transaction Reports Act 1988, Anti-Money Laundering and Counter-Terrorism Financing Act 2006, Fisheries Management Act 1991 and Torres Strait Fisheries Act 1984 and
  • an offence prescribed by the Regulations.[112]

This means that while most offences falling within the scope of the definition will be punishable by at least three years’ imprisonment, the Government may make Regulations prescribing any other offence as being a ‘relevant offence’.

Application requirements

Proposed section 27KA sets out the application requirements for a data disruption warrant. A law enforcement officer[113] of the AFP or ACIC may apply to an eligible Judge[114] or to a nominated AAT member[115] for the warrant if they suspect on reasonable grounds:

  • one or more relevant offences of a particular kind have been, are being, are about to be or are likely to be committed
  • those offences involve or are likely to involve data held in a target computer[116] and
  • disruption of data held in the target computer is likely to substantially assist in frustrating the commission of one or more relevant offences.

An application must usually be accompanied by an affidavit setting out the grounds on which the warrant is sought.[117] However, the affidavit requirement may be postponed by 72 hours after the making of the application in circumstances where immediate disruption of data is likely to ‘substantially assist’ in frustrating the commission of the relevant offence, and it is impracticable for an affidavit to be prepared or sworn before the warrant application is made.[118]

A target computer does not have to be a particular, identified computer—proposed subsection 27KA(6) states that it may be a particular computer, a computer on particular premises, or a computer associated with, used by or likely to be used by, a person (whose identity may or may not be known).

Issuing and revoking of warrant

To issue a data disruption warrant, an eligible Judge or nominated AAT member must be satisfied:

  • there are reasonable grounds for the suspicion founding the warrant application
  • the disruption of data to be authorised is justifiable and proportionate, having regard to the relevant offence(s)
  • in the case of an unsworn application, it would have been impracticable for an affidavit to have been sworn or prepared before the application was made and
  • in the case of a remote application,[119] it would have been impracticable for the application to have been made in person.[120]

Proposed subsection 27KC(2) sets out matters to which the Judge or AAT member must have regard in determining whether the warrant should be issued. These include the nature and gravity of the conduct; the likelihood that the authorised disruption will frustrate the commission of the relevant offence(s); the existence of any alternative means of frustrating the commission of the relevant offence(s); and any previous data disruption warrant issued in respect of the offence.

A warrant may only be issued for up to 90 days, though this can be extended by up to 90 days at a time on application by a law enforcement officer.[121] An eligible Judge or nominated AAT member may also vary any of the other terms of the warrant on application by a law enforcement officer.[122]

A data disruption warrant may be revoked by an eligible Judge or nominated AAT member on their own initiative at any time.[123] Where the chief officer of the relevant law enforcement agency is satisfied that access to, and disruption of data under the warrant is no longer required, they must revoke the warrant and take steps to ensure that access to and disruption of data is discontinued.[124]

Emergency authorisations

The SD Act currently provides for the issuing of emergency authorisations in lieu of warrants in certain circumstances, and for a limited period of time. Item 15 of Schedule 1 inserts proposed subsection 28(1C) to enable an AFP or ACIC officer to apply for emergency authorisation for the disruption of data, if the officer reasonably suspects:

  • an imminent risk of serious violence to a person or substantial damage to property exists
  • disruption of data is immediately necessary for the purpose of dealing with that risk
  • the circumstances are so serious and the matter is of such urgency that the disruption is warranted and
  • it is not practicable in the circumstances to apply for a data disruption warrant.

An application is made to an appropriate authorising officer,[125] who may give the emergency authorisation if satisfied there are reasonable grounds for the suspicion founding the application.[126] An emergency authorisation for disruption of data held in a computer is subject to the following conditions:

  • the authorisation must not be executed in a manner that results in damage to data, unless the damage is justified and proportionate, having regard to the risk of serious violence or substantial damage and
  • the authorisation must not be executed in a manner that causes a person to suffer a permanent loss of money, digital currency or property (other than data).[127]

The emergency authorisation may authorise anything that a data disruption warrant may authorise.[128]

Subsequent approval by Judge/AAT member

Existing subsection 33(1) provides that within 48 hours of an emergency authorisation being given, the appropriate authorising officer must apply to an eligible Judge or nominated AAT member for approval of the authorisation.

An eligible Judge or nominated AAT member may approve the emergency authorisation under proposed section 35B if satisfied there were reasonable grounds to suspect: a risk of serious violence to a person or substantial damage to property; disruption of data held in the target computer mentioned ‘may have helped to reduce the risk’; and it was not practicable in the circumstances to apply for a warrant.

If the Judge or AAT member does approve the giving of the emergency authorisation, they may issue a data disruption warrant that provides for the continued access to, and disruption of, data held in the relevant target computer, as if it were a standard application for a data disruption warrant. However, if satisfied that since the application for emergency authorisation, the activity that required access to, and disruption of data, has ceased, they may order the access and disruption activities also cease.[129]

If the Judge or AAT member does not approve the authorisation, they may order that access to, and disruption of data held in the relevant target computer cease.[130] While they may also order that any information obtained from the exercise of powers under the emergency authorisation be dealt with in a specified manner, they may not require the information be destroyed.[131] Furthermore, even if not satisfied that an emergency authorisation was warranted at the time of the application, the Judge or AAT member may issue a data disruption warrant if they are of the view that it is currently justified.[132]

Protected information offences

Part 6, Division 1 of the SD Act provides for restrictions on the use, communication and publication of protected information—this is defined under existing section 44, and includes any information obtained from the use of a surveillance device under a warrant or emergency authorisation, or obtained from access to data under a computer access warrant or emergency authorisation, as well as information relating to applications for, and issue of, such warrants/authorisations. It also includes information obtained by a law enforcement officer without the authority of—and in contravention of the requirement for—a warrant or authorisation.

A person commits an offence if they use, record, communicate or publish any protected information otherwise than as permitted by the SD Act. This is punishable by imprisonment for a maximum of two years, with an aggravated offence, punishable by imprisonment for a maximum of ten years, where the use, recording, communication or publication of the information endangers the health or safety of any person or prejudices the effective conduct of an investigation into a relevant offence.[133]

Item 28 of Schedule 1 amends section 44 to provide that protected information also includes any information (other than data disruption intercept information) obtained from access to, or disruption of data under, a data disruption warrant or relevant emergency authorisation.[134] Item 31 of Schedule 1 extends the definition to information obtained extraterritorially, purportedly under a data disruption warrant or emergency authorisation, but which does not comply with the requirements in respect of foreign country agreements (discussed further below).

Item 35 of Schedule 1 inserts proposed subsection 45(6A) which permits the communication of protected information by an Ombudsman official to an IGIS official for the purpose of the IGIS official exercising powers, or performing functions or duties, as an IGIS official.

Use as evidence

Proposed section 65C, inserted by item 51 of Schedule 1, provides that evidence obtained from access to, or disruption of data, under either a data disruption warrant or emergency authorisation, is admissible as evidence in a proceeding relating to a relevant offence.[135]

Records and reporting requirements

Secure record keeping

Existing section 46 of the SD Act requires records or reports comprising protected information to be kept in a secure place that is not accessible to people who are not entitled to deal with the record or report. Any such report or record must be destroyed as soon as practicable if it is not required for a civil or criminal proceeding or other authorised usage, or otherwise within five years after the making of the record or report. Items 36 to 38 of Schedule 1 amend section 46 to extend these requirements to data disruption intercept information.

Reporting to Minister and Ombudsman

Existing provisions in the SD Act require law enforcement agencies to report to the Minister on warrants issued and authorisations given under the Act,[136] and to notify the Ombudsman of certain things done under control order, control order access and computer access warrants.[137]

Item 40 of Schedule 1 inserts proposed subsection 49(2D) which sets out specific matters which must be included in a report to the Minister in relation to a data disruption warrant or emergency authorisation for disruption of data held in a computer. This includes:

  • the names of any persons involved
  • the benefit of the use of the warrant or authorisation in frustrating criminal activity
  • details of the access to, and disruption of, data under the warrant or authorisation and
  • compliance with any applicable conditions.

Item 41 of Schedule 1 inserts proposed section 49C to require the chief officer of a law enforcement agency to notify the Ombudsman of the issuing of a data disruption warrant if a thing mentioned in proposed subsection 27KE(2) (which sets out all activities which may be specified under the warrant) has been done. The notification must be made within seven days of the relevant thing being done.

The AFP and Australian Crime Commission must also include in their annual report the kinds of offences targeted by data disruption warrants issued during the year in response to applications made by or on behalf of law enforcement officers of the agency.[138]

Protection of data disruption technologies or methods

Proposed section 47B provides that in a proceeding, a person may object to the disclosure of information on the grounds that the disclosure could ‘reasonably be expected to reveal details of data disruption technologies or methods’.[139] The person conducting or presiding over the proceeding may order that the information is not required to be disclosed if they are satisfied the ground of objection is made out, taking into account whether disclosure of the information is necessary for the fair trial of the defendant, or is in the public interest.[140]

If so satisfied, the person presiding over or conducting the hearing is required to make orders prohibiting or restricting publication of information that could reasonably be expected to reveal details of data disruption technologies or methods, except to the extent that the person considers the interests of justice require otherwise.[141]

This is equivalent to existing provisions of the SD Act aimed at protecting surveillance device and computer access technologies and methods.[142]

Schedule 2—Network activity warrants

Schedule 2 primarily amends the SD Act to provide for the issuing of network activity warrants, authorising the AFP or ACC to access data held in computers that will substantially assist in the collection of intelligence that relates to criminal networks of individuals.

Item 9 of Schedule 2 inserts proposed Division 6 into Part 2 of the SD Act, dealing with the issuing of a network activity warrant.

What the warrant authorises

A network activity warrant authorises the doing of specified things in relation to a target computer. These may include:

  • entering specified premises and
  • using the target computer, a telecommunications facility, any other electronic equipment or a data storage device

for the purpose of obtaining access to data held in the target computer at any time while the warrant is in force, to determine whether the relevant data is covered by the warrant.[143] Data is covered by a warrant if access will substantially assist in the collection of intelligence in relation to the group and/or offences in relation to which the warrant applies.[144]

If necessary to achieve this purpose, the warrant may authorise adding, copying, deleting or altering other data in the target computer. Where reasonable in all the circumstances, having regard to any other equally effective methods of obtaining access to relevant data, the warrant may also authorise using any other computer or a communication in transit (including adding, copying, deleting or altering other data in the computer or communication) to access the relevant data.[145] It may also authorise intercepting communications, using surveillance devices and removing computers or other things from premises, for the purposes of doing any thing specified in the warrant, and may authorise any other reasonably incidental thing.[146]

As with a data disruption warrant, a network activity warrant must authorise the necessary and reasonable use of force against people and things, and if authorising entry to premises, must state whether this is confined to stated hours of the day or night or whether entry is authorised at any time.[147]

Action which cannot be authorised

The warrant may not authorise the addition, deletion or alteration of data, or doing of a thing, that is likely to materially interfere with, interrupt or obstruct a communication in transit or other persons’ lawful use of a computer, unless it is necessary to do one or more of the things specified in the warrant. The warrant also may not cause other material loss or damage to other persons lawfully using a computer—unlike under a data disruption warrant, there is no qualification that such loss or damage be permitted if it is ‘justified and proportionate’.[148]

The Department provides the following explanation of how a network activity warrant is different from existing warrants:

Existing warrants, such as computer access warrants in the Surveillance Devices Act, allow the collection of evidence, rather than intelligence. Network activity warrants allow agencies to target criminal networks about which very little is known to discover the scope of the network and its offending. Network activity warrants provide a discovery tool that can be used in conjunction with other investigatory powers to further a single investigation.[149]

Application requirements

Proposed section 27KK sets out the application requirements—the chief officer of the AFP or ACIC may apply to an eligible Judge or nominated AAT member for a warrant if they suspect on reasonable grounds:

  • a group of individuals is a criminal network of individuals and
  • access to data held in a computer used (or likely to be used) from time to time, by any of the individuals in the group will substantially assist in the collection of intelligence relating to the group or any of its members, which is relevant to the prevention, detection or frustration of one or more kinds of relevant offences.

For the purposes of the warrant application, it is immaterial whether: the identities of individuals in the group can be ascertained; the target computer or its location can be identified; or there are likely to be changes from time to time in the group’s composition.[150]

A warrant application must usually be accompanied by an affidavit setting out the grounds on which it is sought. However, the application may be made before an affidavit is prepared or sworn if the chief officer of the AFP or ACIC believes that immediate access to data held in the target computer will substantially assist in the collection of the relevant intelligence, and it is impracticable for an affidavit to be prepared or sworn before a warrant application is made.[151] The affidavit must subsequently be provided within 72 hours of making the application, whether or not the warrant has been issued.[152]

Criminal network of individuals

A criminal network of individuals is defined as a group of two or more individuals who are ‘electronically linked’ (each using the same electronic service as at least one other member in the group and/or communicating electronically with at least one other individual in the group) where one or more individuals in the group:

  • have engaged, are engaging or are likely to engage in conduct that constitutes a relevant offence or
  • have facilitated, are facilitating, or are likely to facilitate, the engagement by another person (whether or not they are in the group), in conduct that constitutes a relevant offence.

It is immaterial for the purpose of this definition whether or not the identities of individuals in the group or the details of the relevant offences can be ascertained, or whether there are likely to be changes, from time to time, in the group’s composition.[153]

Issuing and revoking of warrant

An eligible Judge or nominated AAT member may issue a network activity warrant if they are satisfied of the following:

  • there are reasonable grounds for the suspicion founding the warrant application
  • in the case of an unsworn application—it would have been impracticable for an affidavit to be prepared or sworn before the application was made and
  • in the case of a remote application—it would have been impracticable for the application to have been made in person.[154]

In determining whether the warrant should be issued, the Judge or member must have regard to matters specified in proposed subsection 27KM(2)—these include the nature and gravity of the conduct constituting the kinds of offences in relation to which information will be obtained under the warrant; the extent to which access to data will assist in the collection of relevant intelligence; the proportionality of things authorised by the warrant against the likely intelligence value of any information sought to be obtained; the extent to which the execution of the warrant is likely to result in access to data of persons who are lawfully using a computer; and any previous network activity warrant issued in relation to the same group.

A warrant may only be issued for a maximum of 90 days,[155] though may be extended for a further 90 days multiple times.[156] An eligible Judge or nominated AAT member may also vary any of the terms of the warrant on application by a law enforcement officer.[157]

A network activity warrant may be revoked by an eligible Judge or nominated AAT member on their own initiative at any time.[158] Where the chief officer of the law enforcement agency is satisfied that access to data under the warrant is no longer required, they must revoke the warrant and take steps to ensure that access to data is discontinued.[159]

Protected information offences

Information obtained from access to data or use of a surveillance device under a network activity warrant (other than network activity warrant intercept information) is classified as protected network activity warrant information.[160] This term also captures: information relating to the warrant itself (such as application or expiry information); any information likely to enable identification of a criminal network of individuals (or individuals within the network) or a computer or premises specified in the warrant; or any other information obtained by a law enforcement officer in contravention of the requirement for a network activity warrant.[161]

Offences

It is an offence for a person to use, record, communicate or publish protected network activity warrant information other than as permitted under the SD Act, with a maximum penalty of two years’ imprisonment.[162] It is an aggravated offence, punishable by a maximum penalty of ten years’ imprisonment, where the use, recording, communication or publication of information:

  • endangers the health or safety of any person or
  • prejudices the effective conduct of an investigation into a relevant offence.[163]

Permitted use and disclosure

Proposed subsections 45B(4)–(10) set out circumstances in which protected network activity warrant information may be used, recorded or disclosed, without contravening one of the offence provisions. This includes:

  • where the information has been lawfully disclosed in proceedings in open court[164]
  • where the person believes that use or communication of the information is necessary to help prevent or reduce the risk of serious violence to a person or substantial damage to property[165]
  • where the communication is to the agency head of ASIO or an intelligence agency and is of information that relates or appears to relate to any matter within the functions of that organisation/agency[166]
  • for the collection, correlation, analysis or dissemination of criminal intelligence by the AFP or ACIC (other than where information was obtained from the use of a surveillance device under the warrant) or the making of reports in relation to criminal intelligence[167]
  • for the purposes of an IGIS official exercising powers or performing functions or duties in that capacity[168]
  • during the making of an application for a warrant (or for the variation or extension of a warrant)[169]
  • where the information is communicated between an Ombudsman official and IGIS official in their official capacities.[170]

Use as evidence

Protected network activity warrant information may not be admitted in evidence in any proceedings, other than as permitted under proposed section 45B.[171] In particular, proposed subsection 45B(10) provides that it may be admitted in evidence in:

  • a criminal proceeding for an offence against proposed subsections 45B(1) or (2) (relating to the unlawful use or disclosure of protected network activity warrant information) or
  • a proceeding that is not a criminal proceeding.[172]

Other exceptions include where:

  • it is in connection with the administration or execution of the SD Act[173] or
  • it is necessary to do so for any of the purposes set out in proposed subsection 45B(5)—these include: in connection with a warrant application, or in a proceeding relating to an unlawful use or disclosure offence under proposed subsections 45B(1) or (2).

Records and reporting requirements

Network activity warrants are subject to similar record-keeping and reporting requirements under the SD Act to those which apply to data disruption warrants.

Proposed section 46AA, inserted by item 20 of Schedule 2, requires the chief officer of the AFP and ACIC to keep records and reports comprising protected network activity warrant information or network activity warrant intercept information in a secure place not accessible to people not entitled to deal with the record or report. Any such report or record must be destroyed as soon as practicable if it is not required for a civil or criminal proceeding or other authorised usage, or otherwise within five years after the making of the record or report. Proposed subsection 46AA(2) imposes the same requirements on other agencies which receive records or reports obtained in connection with a network activity warrant (other than the IGIS).

Schedule 3—Account takeover warrants

Schedule 3 amends the Crimes Act to provide for the issuing of account takeover warrants, authorising the AFP or ACIC to take control of an online account. Item 4 of Schedule 3 inserts proposed Part IAAC into the Crimes Act which contains the framework for issuing, using and monitoring account takeover warrants.

What the warrant authorises

An account takeover warrant must authorise the doing of specified things in relation to a target account.[174] It may authorise:

  • taking control of a target account at any time while the warrant is in force and
  • using a computer, a telecommunications facility, any other electronic equipment or a data storage device for this purpose

if doing so is necessary, in the course of the investigation to which the warrant relates, for the purpose of enabling evidence to be obtained of the commission of the alleged relevant offence(s) in respect of which the warrant was issued.[175]

Proposed section 3ZZUL provides that a person takes control of an online account if they take one or more steps that result in them having exclusive access to the account. The provision provides examples of such steps:

  • using existing account credentials (such as a username, password or PIN, security question or answer or biometric form of identification)[176] to alter one or more account credentials
  • removing a requirement for two-factor authentication and
  • altering the kinds of account credentials required to access or operate the account.

If necessary for the purpose of taking control of the target account, the warrant may also authorise:

  • accessing account-based data to which the target account relates
  • adding, copying, deleting or altering account credentials to which the target account relates or
  • adding, copying, deleting or altering data in a computer.[177]

It may also authorise:

  • using a communication in transit—and if necessary, adding, copying, deleting or altering data in the communication—if, having regard to other methods of taking control of the target account which are likely to be as effective, it is reasonable in all the circumstances to do so[178]
  • copying any relevant account-based data covered by the warrant and to which the target account relates, or copying any account credentials to which the target account relates[179]
  • any other reasonably incidental thing[180] and
  • any thing necessary to conceal the fact that a thing has been done under (or in relation to) the warrant.[181]

Action which cannot be authorised

The warrant may not authorise the addition, deletion or alteration of data, or doing of a thing, that is likely to materially interfere with, interrupt or obstruct a communication in transit or other persons’ lawful use of a computer, unless it is necessary to do one or more of the things specified in the warrant. The warrant also may not cause other material loss or damage to other persons lawfully using a computer—unlike under a data disruption warrant, there is no qualification that such loss or damage be permitted if it is ‘justified and proportionate’.[182]

The Department provides the following explanation of how the account takeover warrants are intended to be used in conjunction with existing powers:

There is no other explicit power in the Crimes Act authorising an officer to take control of an online account. The account takeover power only authorises the taking control of the account. If the agency needs to use the account in order to conduct other activities, such as using the account to represent themselves as the original account holder and communicate with others, another appropriate authorisation or warrant will have to be sought. Account takeover warrants are intended to be used in conjunction with other powers, for example controlled operations.[183]

Relevant offences

Relevant offence is defined in proposed section 3ZZUK as a ‘serious Commonwealth offence’ or ‘serious State offence that has a federal aspect’. These terms take on the same meaning as they have under existing Part IAB of the Crimes Act, relating to controlled operations.

Existing section 15GE defines a serious Commonwealth offence as a Commonwealth offence that is punishable on conviction by imprisonment for a period of three years or more, and which involves a matter mentioned in subsection 15GE(2). This includes a wide range of matters, including theft, fraud, tax evasion, currency violations, controlled substances, illegal gambling, extortion, money laundering, bribery or corruption of a public official, bankruptcy and company violations, harbouring of criminals, forgery, illegal importation or exportation of fauna, espionage, sabotage or threats to national security, misuse of a computer or electronic communications, people smuggling, dealings in child abuse material, violence, and firearms. It also includes a matter prescribed by the regulations for the purpose of the provision. Subsection 15GE(3) further specifies that certain terrorism and child sex offences under the Criminal Code Act 1995 are ‘serious Commonwealth offences’.

A serious State offence that has a federal aspect means a State offence that has a federal aspect and which would be a serious Commonwealth offence if it were a Commonwealth offence.[184] State offences have a federal aspect where they potentially fall within Commonwealth legislative power (either because of the elements of the offence or the circumstances in which it was committed), or where the AFP’s investigation of them is incidental to its investigation of a Commonwealth or Territory offence.[185]

Application requirements

A law enforcement officer of the AFP or ACIC[186] may apply to a magistrate for the issue of an account takeover warrant if they suspect on reasonable grounds:

  • one or more relevant offences have been, are being, are about to be or are likely to be committed
  • an investigation into those offences is being, will be, or is likely to be conducted and
  • taking control of one or more online accounts (the ‘target accounts’) is necessary, in the course of that investigation, for the purpose of enabling evidence to be obtained of the commission of those offences.[187]

An application may be made by way of written application or, where the applicant has reason to believe the delay caused by making a written application may affect the success of the investigation, orally in person, or by telephone, email, fax or any other means of communication.[188] Regardless of the means by which the application is made, it must provide sufficient information to enable the magistrate to decide whether or not to issue the warrant.[189]

Issuing and revoking of warrant

A magistrate may issue an account takeover warrant if satisfied there are reasonable grounds for the suspicion founding the application for the warrant.[190] Proposed subsection 3ZZUP(2) sets out matters to which the magistrate must have regard in deciding whether a warrant should be issued—these include:

  • the nature and gravity of the alleged relevant offence(s) in respect of which the warrant is sought
  • the existence of any alternative means of obtaining the evidence sought to be obtained
  • the extent to which the privacy of any person is likely to be affected
  • the likely evidentiary value of any evidence sought to be obtained and
  • any previous account takeover warrant sought or issued in connection with the same online account or same alleged relevant offence(s).

A warrant may only be issued for up to 90 days, though can be extended for a further 90 days multiple times.[191]

A magistrate may vary the terms of a warrant on application by a law enforcement officer,[192] and may revoke a warrant on their own motion.[193] The chief officer of the relevant law enforcement agency must also revoke the warrant if satisfied that taking control of the account is no longer required.[194] If an account takeover warrant ceases to be in force, and it is lawful for the account holder to operate the account, the executing officer must take all reasonable steps to ensure the account holder is able to do so.[195]

Emergency authorisations

Proposed Division 3 of proposed Part IAAC provides for the issuing of emergency authorisations. These are similar to the emergency authorisations provided for in respect of data disruption warrants. A law enforcement officer may apply to an appropriate authorising officer for an emergency authorisation to take control of an online account, if in the course of an investigation into one or more relevant offences, the law enforcement officer reasonably suspects:

  • an imminent risk of serious violence to a person or substantial damage to property exists
  • taking control of the account is immediately necessary for the purpose of dealing with that risk
  • the circumstances are so serious and the matter is of such urgency that taking control of the account is warranted and
  • it is not practicable in the circumstances to apply for an account takeover warrant.[196]

The appropriate authorising officer may give the emergency authorisation if satisfied there are reasonable grounds for the suspicion founding the application.[197] An emergency authorisation is subject to the following conditions:

  • the authorisation must not be executed in a manner that results in damage to data, unless the damage is justified and proportionate, having regard to the risk of serious violence or substantial damage to property and
  • the authorisation must not be executed in a manner that causes a person to suffer a permanent loss of money, digital currency or property (other than data).[198]

The emergency authorisation may authorise anything that an account takeover warrant may authorise.[199]

Subsequent approval by magistrate

The appropriate authorising officer must apply to a magistrate for approval of the authorisation within 48 hours of giving it.[200] Proposed section 3ZZVB sets out matters to which the magistrate must have regard before deciding the application for approval, ‘being mindful of the intrusive nature of taking control of the online account’.

The magistrate may either:

  • give the approval, if satisfied there were reasonable grounds to suspect that there was a risk of serious violence or substantial property damage, taking control of the online account may have helped reduce the risk and it was not practicable in the circumstances to apply for a warrant—and either:
    • issue an account takeover warrant as if the application for approval were an application for the warrant or
    • order the cessation of taking control of the online account, if satisfied the activity that required this has now ceased or
  • not approve the giving of the authorisation, in which case the magistrate may either:
    • order the cessation of taking control of the online account or
    • if of the view that the situation has changed such that the use of an account takeover warrant is now justified, issue a warrant as if the application for approval were an application for the warrant.[201]

The magistrate may make orders regarding the information obtained from or in relation to the exercise of powers under the emergency authorisation; however, they are not able to order the destruction of the information.[202]

Proposed section 3ZZVD provides that if an emergency authorisation is approved by a magistrate, any evidence obtained under it is not inadmissible in any proceeding only because the evidence was obtained prior to the approval.

Protected information offences

Proposed section 3ZZVH contains offences for unauthorised use or disclosure of protected information. The base offence is punishable by a maximum of two years’ imprisonment, while the aggravated offence (where the use or disclosure endangers the health or safety of any person, or prejudices the effective conduct of an investigation into a relevant offence) is punishable by a maximum of ten years’ imprisonment.

Protected information is any information obtained under an account takeover warrant or emergency authorisation, or information relating to the process of obtaining the warrant/authorisation.[203]

Proposed subsections 3ZZVH(3)–(5) set out the exceptions to the offence—that is, the circumstances in which the use or disclosure of protected information is permitted. This includes use or disclosure in connection with the AFP’s and ACIC’s functions; by a person who reasonably believes it to be necessary to help prevent or reduce the risk of serious violence to a person or substantial damage to property; in connection with legal proceedings arising out of or related to proposed Part IAAC; or in connection with the performance of functions or duties, or the exercise of powers, by a law enforcement officer or intelligence agency head/staff member; and for the purposes of the admission of evidence in a proceeding that is not a criminal proceeding.

Protection of account takeover technologies and methods

Proposed section 3ZZVK provides that in a proceeding, a person may object to the disclosure of information on the ground that its disclosure could reasonably be expected to reveal details of account takeover technologies or methods. The person presiding over the hearing, if satisfied the ground of objection is made out, may order that it not be disclosed. However, they must take into account whether disclosure is necessary for the fair trial of the defendant or is in the public interest.

This provision is similar to that proposed in respect of the disclosure of data disruption technologies and methods, discussed above.

Records and reporting requirements

Record keeping

The chief officer of the AFP or ACIC is required to secure every record or report comprising protected information, and ensure they are not accessible to people not entitled to deal with them. Any such record or report must be destroyed:

  • as soon as practicable after being made, if the chief officer is satisfied that no related civil or criminal proceeding has been or is likely to be commenced, and the material contained in the record or report is not likely to be required for another permitted purpose and
  • within five years of being made, and within each five years thereafter, unless, before the end of that period, the chief officer is satisfied that it is still required for one of the purposes above and certifies to that effect.[204]

The chief officers are also required to retain copies of all applications made for account takeover warrants, emergency authorisations and assistance orders, orders made, and relevant records.[205] 

Reporting

The chief officer of the AFP and ACIC must report every six months to the Minister and the Ombudsman on matters specified under proposed section 3ZZVL. These include:

  • the number of applications for account takeover warrants (and variations to warrants) made during the previous six months, and the number of applications approved and refused, as well as relevant dates of these
  • the number of warrants revoked during the previous six months, and dates of the revocations
  • for each warrant ceasing during the period—the date it ceased to be in force, whether it expired or was revoked, whether it was executed (and if so, details of this, including the benefit of the execution to the investigation of the relevant offence, and how the information obtained under the warrant was used), and if it was not executed, the reason for this
  • the number of applications for emergency authorisations made, and number of authorisations given or refused during the period, and the dates of these.

The chief officers must also report annually to the Minister providing account takeover warrant data from the previous financial year. This includes the types of relevant offences in respect of which warrants or emergency authorisations were sought, the number of arrests made on the basis (wholly or partly) of information obtained under warrants/authorisations, and the number of prosecutions commenced for relevant offences in which information obtained under warrants/authorisations was given in evidence (and the number in which a person was found guilty).[206]

Register of warrants

Proposed section 3ZZVP requires the chief officer of the AFP and ACIC to keep a register of applications for account takeover warrants and emergency authorisations made by the agency. This is to contain details including the date, the nature of the application, the name of the magistrate who issued or refused to issue the warrant/authorisation, name of the applicant, and details of any warrants/authorisations issued.

The register is specified not to be a legislative instrument.[207] The Explanatory Memorandum notes that this is intended to provide an overview for the Ombudsman who has the power to inspect records in respect of account takeover warrants.[208] This appears largely the same as the register requirements under existing section 53 of the SD Act, which will apply to data disruption and network activity warrants.

Compensation

Proposed section 3ZZWA provides that the Commonwealth is liable to pay compensation if a person suffers loss of or serious damage to property, or personal injury, in the course of or as a direct result of the execution of an account takeover warrant.  

This does not apply if the person suffered the loss, damage or injury in the course of, or as a direct result of, engaging in any criminal activity.[209]

Schedule 4—Controlled operations

Currently, Division 2 of Part IAB of the Crimes Act sets out the requirements for authorisation of controlled operations. This includes a requirement that, in granting or varying authority to conduct a controlled operation, an authorising officer (or where applicable, the AAT) must be satisfied that the operation will be conducted:

…in a way that ensures that, to the maximum extent possible, any illicit goods involved in the controlled operation will be under the control of an Australian law enforcement officer at the end of the controlled operation.[210]

Schedule 4 amends these provisions to specify that such a requirement does not apply to the extent that the controlled operation is conducted online, with the effect of this being that illicit goods or content involved in an online operation do not have to be under the control of law enforcement at the operation’s completion. The Explanatory Memorandum states that the amendments acknowledge:

…how easy data is to copy and disseminate, and that there may be limited guarantee that all illegal content (the illicit goods) will be under law enforcement’s control at the end of an operation conducted online.[211]

Key issues

Scope of Bill

Definition of relevant offence

The threshold for bringing offences within the scope of the warrant regimes has been a concern raised by the Scrutiny of Bills Committee and various stakeholders.

The Human Rights Law Centre (HRLC) has questioned the scope of the offences, disputing the claim in the Explanatory Memorandum that they target ‘activity of the most serious nature’.[212] The HRLC argues that the range of offences for which warrants may be sought is much broader than this, with the definitions of ‘relevant offence’ in both the SD Act and Crimes Act being sufficiently broad to capture ‘relatively minor criminal activities, such as theft, as well as the activities of individuals acting in the public interest, such as whistleblowers’.[213] It has recommended the Bill be amended to increase the maximum term of imprisonment specified in the definition of relevant offence, to ensure warrants are only available where their use is proportionate to the severity of the alleged offence.[214]

The joint submission to the PJCIS inquiry by the Queensland Council for Civil Liberties, Liberty Victoria, Electronic Frontiers Australia and the Australian Privacy Foundation (joint civil liberties submission) similarly pointed to the broad definition of relevant offence in the Crimes Act and expressed concern that the Bill’s powers will operate in contexts other than just national security. It recommended the definition be redrafted to include an exhaustive list of specific serious offences, and noted:

We respectfully accept that some of these offences may warrant the use of intrusive law enforcement power; however, we do not accept that the significant power authorised by the Bill should be applied to an existing definition of “serious commonwealth offence”. More specifically, we do not accept that State-authorised hacking is appropriate in the context of tax or bankruptcy offences. We are also concerned that the Bill’s operation can be further expanded by the executive, through the regulations prescribing a “relevant offence”.[215]

The NSW Council for Civil Liberties similarly recommended the application of the proposed warrants be restricted to the specific offences ‘which are ostensibly the areas of concern as set out by the Minister’: child sexual abuse, terrorism, trafficking of drugs and firearms.[216]

The Cyber Security Cooperative Research Centre considers that the three year minimum term of imprisonment is ‘sufficiently high and is indicative of serious criminal offending’. However, it also notes that under the Crimes Act the threshold ‘does cover a wide range of offences’, and suggests that consideration should be given within the legislation to clearly specify types of crime to which the warrants could apply.[217]

The Scrutiny Committee suggested that in light of the broad scope of the offences captured by the Bill, it should be an express requirement that the issuing authority for a warrant consider proportionality in deciding whether to issue the warrant, to ensure that the significant coercive powers authorised under the proposed warrants are only exercised where necessary and appropriate.[218]

Criminal network of individuals

The HRLC has raised concerns about the scope of the proposed network activity warrants, which authorise access to data held in a computer used (or likely to be used) from time to time, by any of the individuals in a criminal network of individuals. The HRLC has argued that the definition of this term (and the related definition of electronically linked network of individuals), outlined above under Key provisions, is ‘absurdly broad’. Its submission to the PJCIS inquiry notes:

On a broad, but not unreasonable, interpretation of these definitions, the effect is that a person who visits the same website as a person engaging in conduct facilitating or constituting a relevant offence is in a “criminal network of individuals”. This is regardless of whether the website or communication bears any relation to the offence, or whether the individuals have any knowledge of, involvement in or connection to the offence.[219]

The HRLC has argued that these definitions effectively mean that where a person engages in a relevant offence, every other user of any website they access, or app installed on their phone, ‘could potentially have their data accessed, changed or deleted, without their knowledge, consent or opportunity to object’.[220] It has suggested that ‘even on a narrower interpretation’, the provisions still offer expansive scope, and has recommended the ‘substantial redrafting’ of the definitions to prevent their application to individuals with no involvement in the commission or facilitation of a relevant offence.[221]

In contrast, the Cyber Security Cooperative Research Centre argued that the definition is fit-for-purpose, ‘especially as it relates to dispersed groups of persons communicating online’. It supported the fact that the definition does not require individuals within the group to consider themselves members, or that the group be formalised sufficiently to form a membership base, arguing ‘this is especially relevant in relation to, for example, dark web paedophile groups, which may be dispersed all over the world with members that ensure their identities remain obscured at all times’.[222]

Protection of parliamentary privileges and immunities

The Bill provides that the powers proposed in connection with each of the three warrants (including in relation to emergency authorisations) do not affect parliamentary privileges and immunities relating to each House of the Parliament and the members and committees of each House.[223]

Oversight mechanisms

The Bill proposes that the Commonwealth Ombudsman will have oversight over data disruption warrants and account takeover warrants, and the IGIS will have oversight over the use of network activity warrants.

Ombudsman

The Bill provides that the Commonwealth Ombudsman will have oversight over data disruption warrants, in the SD Act, and account takeover warrants, in the Crimes Act. The Ombudsman is excluded from an oversight role in relation to network activity warrants.[224]

Proposed Division 7 of proposed Part IAAC of the Crimes Act, inserted by item 4 of Schedule 3 of the Bill, provides the Ombudsman with the power to conduct inspections of AFP and ACIC records, and obtain relevant information, to assess the agencies’ compliance with the account takeover warrants regime.[225] These powers are largely the same as the Ombudsman’s inspection powers under Division 3 of Part 6 of the SD Act (which will apply to data disruption warrant records), and as the Ombudsman’s existing inspection powers in the Crimes Act in respect of delayed notification search warrants, control orders and controlled operations.[226]

Under both the Crimes Act and SD Act provisions, a person is not excused from complying with the Ombudsman’s request for assistance on the grounds that doing so would contravene a law, be contrary to the public interest or tend to incriminate the person, though restrictions apply to the further use or admissibility of any information provided.[227] Failure to comply with a request to attend before the Ombudsman, to provide information or answer questions, is an offence, punishable by a maximum of six months’ imprisonment.[228]

The Ombudsman must make a written report to the Minister every six months on the results of each inspection, which must subsequently be tabled in Parliament.[229]

Inspector-General of Intelligence and Security

The Bill provides the IGIS with oversight over the use of network activity warrants. Section 8 of the IGIS Act sets out the intelligence agency inquiry functions of the Inspector-General. Item 56 of Schedule 2 inserts proposed subsections 8(3A) and (3B) which extend these functions to include inquiring into matters—to the extent that they relate to an intelligence function of ACIC or the AFP—such as:

  • the agency’s compliance with federal, state and territory laws and with Ministerial directions or guidelines
  • the propriety of particular activities of the agency, and the effectiveness and appropriateness of its procedures relating to the legality or propriety of its activities
  • any matter that relates to an act or practice of that agency, referred to the IGIS by the Australian Human Rights Commission and
  • in relation to ACIC, the agency’s compliance with directions or guidelines, policies or other decisions made by the Board of ACIC or the Inter-Governmental Committee established by the Australian Crime Commission Act 2002.

Item 55 of Schedule 2 inserts a proposed definition of intelligence function into subsection 3(1) of the IGIS Act, which means:

  • the collection, correlation, analysis, production and dissemination of intelligence obtained by ACIC or the AFP from the execution of a network activity warrant or
  • the performance of a function, or exercise of a power, conferred on a law enforcement officer of ACIC or the AFP by the network activity warrant provisions of the SD Act.

Amendments to the SD Act require the chief officer of the AFP or ACIC to notify the IGIS of:

  • the issue of a network activity warrant, within seven days[230]
  • any extensions or variations to the warrant, within seven days[231]
  • the revocation of the warrant[232] and
  • a thing done to conceal the doing of a thing under the warrant (as provided for under proposed subsection 27KP(8)), where this is done more than 28 days after the warrant ceases to be in force.[233]  

The IGIS’s inspection functions are set out under section 9A of the IGIS Act. These are broad, and include conducting inspections of intelligence agencies as the Inspector-General considers appropriate for the purpose of giving effect to the objects of the Act. Item 65 of Schedule 2 inserts proposed subsection 9A(2) to provide that for the purposes of conducting an inspection of ACIC or the AFP, the Inspector-General and their staff may enter and remain on any premises (at all reasonable times); are entitled to reasonable facilities and assistance that the agency head is capable of providing; are entitled to full and free access at all reasonable times to any information, documents or property of the agency; and may examine, copy or take extracts from any information or documents.

Item 71 of Schedule 2 inserts proposed Part IIIA into the IGIS Act which provides for information sharing with integrity bodies—these are the Ombudsman, Australian Human Rights Commission, Information Commissioner, Integrity Commissioner and the Inspector-General of the Australian Defence Force.[234]

Call for a Public Interest Monitor

A number of submitters to the PJCIS inquiry called for additional oversight in the form of a Public Interest Monitor. The NSW Council for Civil Liberties argued that such an office should have the power to contest warrants, and would provide a ‘necessary counterbalancing of the extraordinary new powers’.[235]

Extraterritoriality

A data disruption warrant or network activity warrant may be issued in respect of data held in a computer in a foreign country or on a foreign vessel or aircraft that is outside of Australia, but only if an appropriate consenting official of the foreign country agrees to the access (and where applicable, disruption) to be authorised by the warrant.[236] As soon as practicable after the commencement of access to, or disruption of, data held in a computer under the authority of a warrant issued in such circumstances, the chief officer of the relevant agency to which the warrant relates must give the Minister evidence in writing that the foreign official has agreed to the access (and, where applicable, disruption).[237]

The foreign country consent requirement does not apply where the persons responsible for executing the warrant will be physically present in Australia, and the location where the data is held is unknown or cannot reasonably be determined.[238] There are also exceptions where the vessel on which the relevant computer is located is:

  • outside Australia’s Territorial Sea but within Australia’s contiguous zone,[239] and the relevant offences to which the warrant relates are offences relating to the customs, fiscal, immigration or sanitary laws of Australia[240] or
  • outside Australia’s Territorial Sea but within the limits of the Australian fishing zone,[241] and the relevant offences to which the warrant relates are offences against specified provisions of the Fisheries Management Act 1991 or the Torres Strait Fisheries Act 1984.[242]

Evidence obtained as a result of extraterritorial computer access under a data disruption warrant is not admissible unless the court is satisfied the access or disruption was agreed to by an appropriate consenting official of the foreign country.[243]

Commentary

The joint civil liberties submission argued that extending the reach of Australian law enforcement outside of Australia raises due process risks for suspects located outside of Australia which may jeopardise prosecutions. The submission suggested that ‘in the absence of a clear transnational regulatory structure supporting transnational government hacking operations in cases where the physical location of the target computer and suspect is not known these proposed laws should be reconsidered’.[244]  

Twitter also expressed concern that the account takeover warrant can apply extraterritorially but does not have the same requirement to obtain the agreement of a consenting official in a foreign country. It stated:

If the Account Takeover Warrant is to be used to access an online account regardless of the location of the server, and executed without the knowledge of a service provider, or foreign official, then all due process requirements and safeguards that typically surround warrant processes have essentially been removed.[245]

Assistance orders

The proposed warrant regimes in respect of all three warrants provide for the making of assistance orders. The issuer (an eligible Judge or nominated AAT member, in the case of a data disruption or network activity warrant, and a magistrate in the case of an account takeover warrant) may, on application, make an assistance order requiring a specified person to provide any reasonable and necessary information or assistance to allow the law enforcement officer to:

  • in the case of a data disruption warrant, disrupt, access or copy data held in a computer subject to the warrant or emergency authorisation or convert the data into documentary or another intelligible form[246]
  • in the case of a network activity warrant, access data held in a computer subject to the warrant, copy data held in the computer onto a data storage device or convert data into documentary form or another form intelligible to the law enforcement officer[247] or
  • in the case of an account takeover warrant, take control of an online account that is the subject of the warrant or authorisation.[248]

The specified person must be either:

  • a person reasonably suspected of having committed a relevant offence
  • the owner or lessee of the computer or holder of the account, as applicable (or an employee or contractor of such a person)
  • a person who uses or has used the computer/account or
  • a current or former system administrator for the system including the computer, or for the electronic service to which the account relates.[249]

They must have relevant knowledge of the computer or account (as applicable), of the relevant computer network or electronic service to which the account relates, or of measures applied to protect data held in the computer or account-based data.[250]

A person failing to comply with an assistance order commits an offence if they are capable of doing so. There is a maximum applicable penalty of 10 years’ imprisonment and/or 600 penalty units ($133,200).[251]

Commentary on problems posed by compelling individuals to assist law enforcement

The HRLC has argued that the ability for law enforcement to compel individuals to answer questions or provide assistance that could expose them to legal ramifications ‘contradicts the right to freedom from self-incrimination, a longstanding legal doctrine that has been recognised in both common law and international human rights law’.[252] It has suggested that the wording of the proposed power is sufficiently broad to allow an assistance order to compel an individual to assist law enforcement to obtain evidence which is against their legal interest, and has recommended the Bill be amended to ensure adequate safeguards for the freedom against self-incrimination.[253]

The Communications Alliance has noted that communications platform providers could be captured in the potential net of ‘recipients’ of assistance orders, and has argued that such orders would be more appropriately directed at the business user of such platforms that holds or manages the relevant account, or the platform provider corporation, rather than an individual employee or officer. It has further stated:

If, as a last resort, an assistance order is directed at an individual employee or officer (rather than the business user or the platform corporation), this may give rise to a conflict between the order and the employee’s work responsibilities/terms of employment. It may also create difficult situations regarding the extent to which communications and approval within the employer organisation is prevented because of the legal constraints pertaining to protected information. The Bill should address these issues by requiring that the technology provider organisation be the target of technical assistance requests and, where an individual is compelled to provide assistance, by facilitating and paying for independent legal advice and to protect the employee from possible adverse consequences (both in terms of damages and employment) arising from compliance with the order.[254]

Amazon Web Services has recommended amendments to the assistance order provisions to:

  • make clear that where assistance is sought from an individual the assistance request should be both reasonable and proportionate, as is required under the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018
  • require the issuing authority who considers an assistance order application to have to consider specified matters, including technical feasibility
  • include a prohibition against warrants being executed in a manner that would require a person to implement or build a systemic weakness into a form of electronic protection or prevent a person from rectifying a systemic weakness and
  • provide a defence for an individual who refuses to comply with an assistance order where doing so might breach a foreign law, or cause another person to breach a foreign law—it pointed to subsection 317ZB(5) of the Telecommunications Act 1997 as an example of such a defence.[255]

Twitter has stated it is unclear whether the legislation would require service providers and their employees to comply with assistance orders, and has argued that if so, such an order ‘is likely to place service providers, like Twitter, in a position where compliance would directly conflict with obligations under laws of other countries where they operate’.[256]

Inconsistency of warrant provisions

As noted above, the Commonwealth Ombudsman has suggested that a number of inconsistencies across the procedures and requirements for the three proposed warrant schemes should be addressed. These include:

  • the vesting of authority in magistrates to issue account takeover warrants, rather than eligible Judges and nominated AAT members—the Ombudsman has noted that while magistrates are responsible for overseeing the use of overt powers in the Crimes Act, eligible Judges and nominated AAT members are more appropriate for the use of covert powers[257]
  • the absence of a requirement for issuers to consider privacy impacts when determining whether to issue a data disruption warrant[258]
  • the requirement for account takeover warrants to provide ‘sufficient information’ to enable the magistrate to make a determination, rather than an affidavit setting out the grounds of the application as is required for the data disruption and network activity warrants, as well as other current warrants under the Crimes Act and SD Act[259] and
  • the absence of a requirement for the AFP or ACIC to report on details of coercive assistance orders given in the course of executing data disruption and account takeover warrants, despite this being a requirement for network activity warrants.[260]

Judicial review

Decisions made in regard to warrants under the SD Act and Crimes Act are subject to judicial review, though not merits review. The Department’s submission to the PJCIS inquiry notes that a reference in the Statement of Compatibility with Human Rights in the Explanatory Memorandum to these powers being exempt from review under the Administrative Decisions (Judicial Review) Act 1977 is incorrect.[261]

However, the Department also notes:

As these are covert powers, in practice the challenge to these decisions will likely only be after the particular investigation has become overt. To make information available in order to bring about such a challenge, the Bill ensures that protected network activity warrant information (which are not for evidence collection and therefore have strict prohibitions on adducing information in evidence) may be admitted into evidence in proceedings that are not criminal proceedings. This is an important exception to the general secrecy provisions that apply to covert intelligence gathering activities. The Bill also applies the same exception to information gathered under an account takeover warrant.[262]