Introductory Info
Date introduced: 17 February 2022
House: House of Representatives
Portfolio: Home Affairs
Commencement: The day after the Act receives Royal Assent.
Purpose of the Bill
The Crimes
Legislation Amendment (Ransomware Action Plan) Bill 2022 (the Bill) makes
amendments to the Criminal Code Act
1995 (Criminal Code), Crimes Act 1914
and Proceeds
of Crime Act 2002 (POCA) to:
- expand and modernise computer offences in the Criminal Code (Schedule 1)
- add digital currency and digital currency exchanges to the monitoring and freezing power regime in the POCA that currently applies to financial institutions (Schedule 2) and
- create new powers to seize digital assets that are reasonably suspected to be evidential material or tainted property under the Crimes Act and the POCA (Schedule 3).
Structure of the Bill
The Bill consists of three schedules:
- Schedule 1 makes amendments to Part 10.7 of the Criminal Code, creating new offences and amending the geographical jurisdiction that applies to that Part.
- Schedule 2 makes amendments to the POCA to define digital currency exchanges as financial institutions under the Act. This extends the application of existing powers to monitor, freeze, restrain and confiscate proceeds and instruments of crime to digital currency exchanges.
- Schedule 3 makes amendments to both the Crimes Act and the POCA to create new powers to seize digital assets that are evidential material or tainted property.
Background
What is Ransomware
The Oxford English Dictionary defines ransomware as:
A type of malicious software designed to block access to a
computer system until a sum of money is paid.[1]
‘Ransomware’ has acquired a broad meaning and now refers to any form of malicious cyber-attack via software with the objective of putting the victim in a position where they can be extorted. While this
includes cryptoviral extortion (malware that encrypts the data of the target,
rendering it inaccessible to the owner until a ransom is paid and the
information decrypted), it now also colloquially refers to other methods of
extortion, such as threats to make confidential information acquired by
unauthorised attacks public, or malware that impairs the operation of physical
assets (such as gas pipelines, or other industrial equipment). Falk and Brown
define ransomware as:
Ransomware is a form of malware designed and deployed by
state and non-state cybercriminals who seek out vulnerabilities in the computer
systems of organisations, both large and small, locking up, encrypting and
extracting data, and rendering computers and their files unusable. Attacks are
accompanied by a demand for ransom to be paid in return for decrypting and
unlocking systems.
Increasingly, ransomware attacks include an extortion element
that usually involves threats to leak stolen data publicly or on the dark web
if payment isn’t made (known as ‘hack and leak’) to exert pressure on the
victim to pay the ransom.[2]
Over the past decade, the global prevalence of ransomware
has increased, aided by the proliferation of cryptocurrencies such as bitcoin
that allow for the payment of ransoms globally in a way that is difficult (both
legally and operationally) for law enforcement to track and disrupt as they do
with transfers and withdrawals in the conventional financial system.[3]
Ransomware in Australia
The Australian Cyber Security Centre and other observers
have noted a steady increase in ransomware attacks on Australian entities.[4]
Known recent targets of ransomware attacks in Australia since 2020 include:
- Toll Holdings[5]
- BlueScope Steel[6]
- Lion Dairy and Drinks[7]
- Regis Healthcare[8]
- Law in Order[9]
- Nine Entertainment[10]
- Eastern Health[11]
- PRP Diagnostic Imaging[12]
- Carnegie Clean Energy[13]
- Segafredo Zanetti[14]
- Jones Day[15]
- UnitingCare Queensland[16]
- JBS Foods, which is reported to have paid a $14.2 million AUD ransom as a result of the ransomware attack[17]
- CS Energy[18]
Many ransomware attacks go unreported, as most businesses
are not obligated to report being the target of cyber-attacks. The
cybersecurity firm CrowdStrike reported in its 2020 CrowdStrike Global
Security Attitude Survey that two-thirds of Australian entities surveyed had
experienced a ransomware attack in the 12‑month period to November 2020,
and 44 of those organisations had paid a ransom.[19]
The recent passage of the Security
Legislation Amendment (Critical Infrastructure) Act 2021 has introduced
mandatory reporting requirements for critical infrastructure assets,[20]
however this scheme has only been in place since December 2021.
The Australian Strategic Policy Institute (ASPI) published
Exfiltrate, Encrypt, Extort: The Global Rise of Ransomware and Australia’s
Policy Options on 13 July 2021, which concluded:
Ransomware isn’t an abstract possibility. In Australia, the
threat’s right here, right now and isn’t going away. Unless a concerted effort
is made to mitigate the risk, the problem could continue to get worse.
There’s a key role for the Australian Government to play in
leading the way, but tackling ransomware is a shared responsibility. While there’s
no doubt that organisations must take responsibility for ensuring that their
cybersecurity posture is up to scratch, there are practical and easily
implementable steps the government can take to provide clarity, guidance and
support.
The ongoing ransomware attacks that continue to strike
unabated around the world must act as a red flag. And, because we’ve been
warned, we need a plan.[21]
The ASPI report recommended the introduction of a
mandatory reporting scheme for ransomware incidents.[22]
A Private Member’s Bill introduced on 21 June 2021, the Ransomware
Payment Bill 2021, proposed to legislate a reporting scheme for ransomware
payments.
Ransomware Action Plan
On 13 October 2021, the Minister for Home Affairs released
Australia’s Ransomware
Action Plan (RAP).[23]
The RAP noted the ‘increasingly prevalent’ global threat of ransomware, and
that ransomware attacks had increased in Australia over the previous 12 months
by 15%.[24]
The RAP further noted ransomware attacks on Australia’s critical
infrastructure:
For example, during the height of the COVID-19 pandemic in
2020, ransomware campaigns targeted Australia’s aged care and healthcare
sectors. The ‘Maze’ ransomware encrypted valuable information, such as
sensitive personal and medical information, so that it could no longer be used.
This reckless activity threatened the operation of health facilities and caused
very real health and safety risks to our community. These incidents demonstrate
the importance of strong cyber security, particularly in the protection of
critical infrastructure.[25]
The RAP then identified two elements of the plan, the
second being that the Australian Government will:
Deliver additional legislative reforms to build Government’s
situational awareness of the ransomware threat while further criminalising
ransomware (including by developing aggravated offences for attacks against
Australia’s critical infrastructure) and ensuring law enforcement can track,
seize or freeze ransomware gangs’ proceeds of crime.[26]
The RAP set out further details under ‘legislative
reforms’:
- Introducing a specific mandatory ransomware incident reporting to the Australian Government
- Introducing a stand-alone offence for all forms of cyber extortion
- Introducing a stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure (as proposed to be regulated by the Security Legislation Amendment (Critical Infrastructure) Bill 2020)
- Modernising legislation to ensure that cybercriminals are held to account for their actions, and law enforcement is able to track and seize or freeze their ill-gotten gains.[27]
The Bill seeks to implement some of the objectives
identified in the RAP, among other amendments. In particular:
- proposed section 479.1 in the Criminal Code creates a new aggravated offence in relation to critical infrastructure[28]
- proposed section 477.4 in the Criminal Code creates a new stand-alone offence of cyber extortion[29]
- Schedule 2 to the Bill extends the application of the proceeds of crime regime to digital currency exchanges, allowing freezing, monitoring and other orders to be issued to digital currency exchanges
- Schedule 3 to the Bill amends the POCA and the Crimes Act to allow for the seizure of digital assets.
However, the Bill does not introduce a specific mandatory
ransomware incident reporting scheme to the Australian Government. A mandatory
ransomware incident reporting scheme was implemented for critical
infrastructure assets in the Security
Legislation Amendment (Critical Infrastructure) Act 2021.[30]
As examined in the Key issues and provisions
section of this Bills Digest, it should be noted that the proposed changes to
the Criminal Code in Schedule 1 represent an increase in the
breadth and severity of computer-based offences in Part 10.7 of the Criminal
Code generally, rather than just those related to ransomware activity.
Committee consideration
At the time of writing, the Bill has not been referred to
a Committee for inquiry.
Senate Standing Committee for the Scrutiny of Bills
The Senate Standing Committee for the Scrutiny of Bills
considered this Bill in Scrutiny Digest 2 of 2022.[31]
The Committee noted two main concerns with the Bill:
- The reversal of the evidentiary burden of proof for elements of proposed section 476.3 (Geographical Jurisdiction), Item 1, Schedule 1 of the Bill.
- Significant matters in delegated legislation: the proposed power to expand the scope of the definition of ‘digital asset’ by delegated legislation and to provide for any method of seizure by delegated legislation for the purposes of the new seizure powers proposed in Schedule 3.
The Committee requested the Minister’s advice on both of
these matters. At the time of writing this Digest, the
Minister’s response had not been received by the Committee.[32]
Both of the concerns raised by the Committee are discussed in further detail
in the relevant Key Issues and Provisions section of this Digest.[33]
Policy position of non-government parties/independents
No non-government party or independent has yet made public statements on the Bill.
Labor has
previously introduced a Private Member’s Bill, the Ransomware
Payments Bill 2021, (the Private Member’s Bill) which proposed to implement
a mandatory reporting scheme for ransomware payments. Labor also introduced an
identical Bill into the Senate as the Ransomware
Payments Bill 2021 (No. 2). As noted above, mandatory reporting of
ransomware incidents was an element of the subsequently announced RAP, which is
not included in the Bill. In moving the Private Member’s Bill in the House, Tim
Watts MP noted the high costs of ransomware to the Australian economy and
national security generally:
There is an urgent need for this bill.
The Australian Cyber Security Centre has labelled ransomware
the 'highest cyber threat' facing Australian businesses.
Indeed, it's more than just a threat to business; ransomware
is a significant national security threat in its own right.
Former head of MI6 Alex Younger recently wrote in the Financial
Times that: 'We have to recognise that (ransomware) is not merely a
criminal problem but a national security and geopolitical one, too.'
Consistent with this, FBI director Christopher Wray has
compared the national security threat of ransomware to 9/11 and said it will
treat ransomware payment investigations with the same priority level as
terrorism.
This national security threat is escalating at a dramatic
pace.[34]
In a press release responding to the announcement of the
RAP in October 2021, Labor announced it ‘will examine the details of today’s
announcement closely’.[35]
On 26 October 2021, following Senate Estimates hearings,[36]
Labor criticised the lack of additional funding provided by the Government to implement
the RAP and the delay in the introduction of the compulsory notification
scheme.[37]
Position of major interest groups
There being no committee inquiry at the time of writing,
and no public consultation on the Bill, the Library has not been able to
identify any interest group commentary on the actual Bill at the time of
writing.
It is widely accepted that ransomware is an urgent and
serious policy challenge. The 2021 Lowy Institute Poll found that ‘cyberattacks
from other countries’ was the highest rated threat amongst those surveyed, with
62% of respondents identifying it as a ‘critical threat’.[38]
The Cyber Security Industry Advisory Committee described ransomware as ‘one of Australia’s
fastest escalating threats’ in March 2021.[39]
Some stakeholders have expressed support for the mandatory
reporting scheme element of the RAP, which was a core policy recommendation of
the ASPI report.[40]
The Insurance Council of Australia noted in response to the RAP that:
The ICA supports the reporting of ransomware payments which
allows clearer identification of risk…Government policy guidance around
ransomware coverage would enable the insurance industry to provide cyber cover
aligned with the Government’s broader policy goals in this area.[41]
The Bill however does not implement this element of the
RAP.
Financial implications
The Explanatory Memorandum states that there is no financial
impact associated with the Bill.[42]
Statement of Compatibility with
Human Rights
As required under Part 3 of the Human Rights
(Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the
Bill’s compatibility with the human rights and freedoms recognised or declared
in the international instruments listed in section 3 of that Act. The
Government considers that the Bill is compatible.[43]
Parliamentary Joint Committee on Human Rights
The Parliamentary Joint Committee on Human Rights considered
the Bill in Human Rights Scrutiny Report No. 2 of 2022,[44]
referring to its previous concerns expressed in relation to the Crimes
Legislation Amendment (Economic Disruption) Regulations 2021 in Report No 10 of
2021.[45]
Those Regulations concerned amendments to the POCA scheme.
Key Issues and Provisions
Schedule 1 – Amendments to the Criminal Code
Schedule 1 makes a number of significant amendments
to Part 10.7 of the Criminal Code concerning computer offences, in
particular by:
- replacing section 476.3 (‘geographical jurisdiction’) with a new definition, creating an expanded geographic scope of computer offences under Part 10.7
- creating a new offence of ‘extorting victim of unauthorised access’ (proposed section 477.4)
- increasing the maximum penalty for the following offences:
  - section 478.1 ‘Unauthorised access to, or modification of restricted data’ from 2 years to 5 years imprisonment
  - section 478.2 ‘Unauthorised impairment of data held on a computer disk etc.’ from 2 years to 5 years imprisonment
  - section 478.3 ‘Possession or control of data with intent to commit a computer offence’ from 3 years to 5 years imprisonment
  - section 478.4 ‘Producing, supplying or obtaining data with intent to commit a computer offence’ from 3 years to 5 years imprisonment.
- expanding section 478.3 to apply if a person has an intention to commit an offence under section 478.1 and section 478.2, rather than just the more serious offences under Division 477
- expanding section 478.4 to provide that a person commits an offence if they solicit the supply, production or obtaining of data, in addition to actually supplying, producing or obtaining data, as well as expanding the section to apply to offences under section 478.1 and section 478.2 rather than just the more serious offences under Division 477
- creating a new offence of ‘dealing with data obtained by unauthorised access or modification’ (proposed section 478.5)
- creating a new aggravated offence for offences that impact critical infrastructure assets (proposed section 479.1)
- creating a new aggravated offence where an offence against section 478.4(1) (producing, supplying or obtaining data) is done under arrangement for payment, or solicited under arrangement to make or receive a payment (proposed section 479.2).
Section 476.3 Geographical jurisdiction
Item 1 repeals and replaces the existing section
476.3 of the Criminal Code, which concerns the geographical
jurisdiction of computer offences under Part 10.7. Currently, section 476.3
applies the geographical jurisdiction definition provided by section 15.1 of
the Criminal Code, known as ‘Category A’ extended geographical jurisdiction,
to computer offences under that Part.
Under the existing definition, offences under Part 10.7
only occur if:
- the conduct constituting the alleged offence occurs wholly or partly in Australia or on board an Australian aircraft or ship
- the conduct constituting the alleged offence occurs wholly outside Australia and a result of the conduct occurs wholly or partly in Australia or on board an Australian aircraft or ship
- the conduct constituting the alleged offence occurs wholly outside Australia and at the time of the alleged offence the person is an Australian citizen or a body incorporated under Commonwealth, state or territory law or
- the conduct is an ancillary offence to an alleged offence that occurs wholly or partly in Australia or on board an Australian aircraft or an Australian ship.
New section 476.3 in item 1 retains these
elements, but provides for an additional basis of jurisdiction via proposed
paragraph 476.3(1)(d) and proposed subsection 476.3(2). Under these
new provisions geographical jurisdiction is applied and an offence is committed
if the conduct occurs wholly outside Australian territory if three conditions
are met:
- the conduct constituting the alleged offence relates to unauthorised modification of or access to data, impairment of electronic communication or impairment of the reliability, security or operation of data and
- at the time of the unauthorised access, modification or impairment, that data is under the control or ownership of a resident of Australia that is physically present in Australia or a body corporate incorporated by or under a law of the Commonwealth or a state or territory (even if the relevant computer or device in which the data is held is not in the possession of the resident or relevant body corporate) and
- at the time of the unauthorised access, modification or impairment, that data is reasonably capable of being accessed within Australia.
This expanded jurisdiction effectively means that in
addition to conduct that is already covered by the existing application of
section 15.1, conduct constituting an offence that is done entirely outside
Australia, where the result of that conduct does not occur in Australia, is an
offence if it involves the data of Australian residents or bodies corporate.
The Explanatory Memorandum states:
Amending the geographical jurisdiction provision in this
section is necessary to ensure law enforcement agencies and prosecutorial
bodies have the legal authority to investigate and prosecute offences under
Part 10.7 of the Criminal Code where the conduct occurs outside of Australia
but impacts persons in Australia.
The amended geographical jurisdiction provision reflects the
borderless nature of cybercrime, changes in criminal methodology, and the
evolving landscape of electronic communication and data storage. In particular,
the data of individuals and bodies corporate based in Australia is often hosted
or held within computers (e.g. data storage centres) outside of Australia. For
example, this provision will capture conduct involving individuals who set up
personal email accounts or Australian companies who engage with offshore
companies for the purpose of managing their data needs. Often the location of
specific data is indeterminate due to the globalisation of information technology
infrastructure and data storage practices.[46]
Proposed subsections 476.3(4)-(6) create a defence
where:
- the alleged offence occurs in a foreign country
- the person is not an Australian citizen
- proposed paragraph 476.3(1)(d) does not apply and
- there is no law of that foreign country that creates a corresponding offence.
Key Issue: Reversal of the evidential burden of proof
The Senate Standing Committee for the Scrutiny of Bills
noted that the defence provided in proposed subsections 476.3(4)-(6) is an
offence-specific defence (rather than an element of the offence), which as a
result places the evidentiary burden on the defendant rather than the
prosecution:
1.108 The committee notes that the Guide to Framing Commonwealth Offences provides that a matter should only be included in an offence-specific defence (as opposed to being specified as an element of the offence), where:
- it is peculiarly within the knowledge of the defendant; and
- it would be significantly more difficult and costly for the prosecution to disprove than for the defendant to establish the matter.
1.109 While in
this instance the defendant bears an evidential burden (requiring the defendant
to raise evidence about the matter), rather than a legal burden (requiring the
defendant to positively prove the matter), the committee expects any such
reversal of the evidential burden of proof to be justified. The reversals of
the evidential burden of proof in proposed subsections 476.3(4) and 476.3(6)
have not been addressed in the explanatory materials.[47]
The Committee requested that the Minister provide advice
addressing this issue, and that the advice explicitly address the Guide to
Framing Commonwealth Offences.
At the time of writing this Digest, the Minister’s
response had not been received by the Committee.[48]
Key Issue:
Application to Australian multinational corporations
The expanded scope of section 476.3 proposed in item
1 would apply the protection of Part 10.7 to any data held by any
Australian body corporate anywhere in the world, used for any purpose. The
Explanatory Memorandum highlights the need for this section in relation to
Australian bodies corporate using international data services.[49]
However, the expanded jurisdiction would also extend Part 10.7 offences to
conduct targeting Australian bodies corporate operating in foreign countries,
where both the offending and its consequences occur completely outside
Australia because they relate to the international activities of those bodies
corporate.
This would effectively extend the protection of Australian
criminal law to such bodies corporate internationally, and may introduce
unforeseen complexities in applying this expanded jurisdiction to the data of
large multinational corporations with Australian and non-Australian
subsidiaries.
Key Issue: Difficulties in enforcement
The majority of serious ransomware attacks are thought to
originate outside Australia, particularly in states where law enforcement
cooperation with Australia is difficult, notably Russia.[50]
The expanded geographic jurisdiction ensures that
ransomware attacks committed by foreign nationals are more reliably offences
under Australian law. However, identifying, extraditing and prosecuting
international cyber-criminals for offences under this Part of the Criminal
Code remains extremely difficult in practice.[51]
Proposed section 477.4 – Extorting a victim of unauthorised
access
Item 2 inserts a new offence into Division 477
(serious computer offences) of the Criminal Code, proposed section
477.4 ‘extorting a victim of unauthorised access’.
This offence criminalises the making of a threat to a
victim of unauthorised access, modification, or impairment of data, where the
threat relates to that data and is made with the intention of compelling the
victim to do or omit to do an act. The Explanatory Memorandum notes:
This new offence criminalises all forms of extortion in
relation to a victim of a computer offence. The offence captures conduct which
involves the computer or data in the possession or control of, or owned by
another person (the victim), and at or after the time of the unauthorised
access, modification or impairment, the person makes a threat to the victim
with the intention of compelling the victim to do or omit to do an act.[52]
Although the offence is predicated on another computer offence having been
committed against the victim, it does not require the person making the threat
to be the person who conducted the unauthorised access, modification or
impairment of the data to which the threat relates. The Explanatory Memorandum
notes that this ‘ensures that groups of individuals of criminal syndicates face
criminal liability where individuals compromising the group perform specific
roles’.[53]
The Explanatory Memorandum further provides that:
A threat is taken to be any threat which is unreasonable. For
example, this includes, a demand for payment that is related to the
unauthorised access, modification or impairment of data. The offence is not
intended to criminalise conduct which would comprise a reasonable threat, such
as a threat to take legal action or exercise legal rights.[54]
The threat must be made using a carriage service, which is
defined as ‘a service for carrying communications by means of guided and/or
unguided electromagnetic energy’.[55]
Threats made by other means do not constitute an offence under this proposed
section.
It is not necessary that the threat be credible, or that
the victim be actually compelled to do the act that the threat attempted to
compel. A fraudulent threat where a person makes a threat in regards to data
that was accessed by a completely unrelated third party is still an offence
under this proposed section.
The maximum penalty for this offence is 10 years
imprisonment. The Explanatory Memorandum justifies the severity of the penalty
arguing:
This conduct carries significant risk to the wellbeing of
Australians and the viability of Australian businesses. A single ransomware
attack can have devastating long term personal and financial impacts. This
punishment therefore reflects the severity of the conduct and the impact it has
on victims, and will punish and deter cybercriminals who engage in extortion.[56]
Other offences under the Criminal Code that are
punishable by 10 years imprisonment include:
- using a postal or carriage service to make a threat to kill[57]
- various offences related to trafficking firearms in Part 9.4[58]
- cultivating or selling controlled plants[59]
- the war crime of enlisting children below the age of 15 in armed conflict.[60]
Increased penalties to various computer offences
Items 3, 4, 6, and 10 increase the
maximum penalties for various offences under Part 10.7 from 2 or 3 years to 5
years:
- section 478.1 ‘Unauthorised access to, or modification of restricted data’ from 2 years to 5 years[61]
- section 478.2 ‘Unauthorised impairment of data held on a computer disk etc.’ from 2 years to 5 years[62]
- section 478.3 ‘Possession or control of data with intent to commit a computer offence’ from 3 years to 5 years[63]
- section 478.4 ‘Producing, supplying or obtaining data with intent to commit a computer offence’ from 3 years to 5 years.[64]
All these offences are in Division 478 ‘other computer
offences’, contrasted with the ‘serious computer offences’ in Division 477. The
Explanatory Memorandum provides that:
Increasing penalties within Part 10.7 of the Criminal Code
appropriately reflects the criticality of data and the need to maintain its
availability, integrity, reliability and confidentiality. These penalties have
not been amended since the introduction of the Cybercrime Bill 2001. The
conduct captured by these offences is increasingly prevalent and serious in
nature. The increased penalty is intended to appropriately punish and deter
persons engaging in conduct that results in unauthorised access to, or
modification of, restricted data.[65]
The Explanatory Memorandum further argues that these
amendments align penalties with existing penalties in regard to other offences
under the Criminal Code including mail theft under section 471.3.
It states:
Given how data is used by Australians and Australian
businesses, including in relation to communicating by email, this penalty
should align with s 471.3 as it criminalises like conduct.[66]
Key Issue: Section 478.1 principally applies to
non-ransomware offending
The offences in Division 478 largely do not concern
ransomware attacks or other serious cybercriminal activity. Other elements of
the Bill and the existing Part 10.7 cover more serious conduct, such as 477.1 (unauthorised
access, modification or impairment with intent to commit a serious offence), proposed
section 477.4 (extorting a victim of unauthorised access) and the
aggravated offences under proposed Division 479.
Instead, section 478.1 provides for a criminal penalty for
any knowing unauthorised access to restricted data.
This covers a very wide range of circumstances and conduct, some far removed
from cyber criminal activity for profit.
Consequently, the prosecution of section 477.1 and 478.1
offences and comparable state and territory criminal offences has more
frequently involved ‘insiders’ rather than ‘external hackers’. Urbas noted that:
most early computer crime prosecutions in Australia were
brought against employees who had exceeded their authorised access … by
contrast, instances of external unauthorised access, which is arguably
what is most meant by the term ‘hacking’, appear to be less often prosecuted.
This may be a function of variables such as the availability of evidence and
the identification of offenders rather than just the applicability of criminal
laws.[70]
Dizon further observed that, globally:
Some studies have shown, however, that these anti-hacking
statutes have mostly been used against disloyal and disgruntled employees and
only seldom in relation to anonymous hackers who break into a company’s
computer system…[71]
The relatively few reported cases which include judicial
examination of section 478.1 all involved internal actors and unauthorised
access to email accounts:
- Randall v Chief of Army,[72] which concerned the prosecution of an Army warrant officer who, as a systems administrator, allegedly accessed the email accounts of various superiors and peers
- Anders & Anders (No.2),[73] a family law case which concerned the admissibility of emails acquired by one party in a family law case by unauthorised access to the other party’s email account after separation
- Secure Logic Pty Limited v Paul William Noble (No. 3),[74] where the NSW Supreme Court noted that the employer’s attempt to surveil the email account of an employee may constitute an offence against section 478.1.
The Explanatory Memorandum notes that ‘courts will
ultimately have discretion to determine appropriate sentences, up to the
maximum penalty, based on the seriousness of the offending’.[75] The High Court has repeatedly
stressed the importance of the statutory maximum for offending as a yardstick
for determining appropriate sentences,[76]
with courts required to give effect to increases in statutory maximums by
increasing current sentencing patterns.[77]
Consequently, increases in the maximum penalties in this Part
may result in longer sentences of imprisonment for all relevant offending, not
just offending related to ransomware attacks.
Amendments to section 478.3 - possession or control of data
with intent to commit a computer offence
Section 478.3 of the Criminal Code provides that a
person commits an offence if they have possession or control of data with the
intention that the data be used, by them or another person, in committing an
offence against Division 477 (which sets out serious computer offences) or
facilitating the commission of such an offence.
Items 5 and 7 propose to widen the scope of
offences to which section 478.3 applies from the serious computer offences in
Division 477 to also include the offences under sections 478.1 and 478.2. This
would expand the range of conduct covered by section 478.3 to include any
form of unauthorised access, modification, or impairment to restricted data
under section 478.1, rather than just where such action is done with intent to
commit a serious offence under section 477.1.
The Explanatory Memorandum states that this item ‘expands
the range of computer offences’ noting:
This amendment will criminalise conduct where a person is in
possession of a program designed to allow unauthorised access to a victim’s
computer (without modifying the data to cause an impairment or impairing the
electronic communication of that computer) and that person intends to use the
software to access and observe the victim’s restricted information.[78]
The Explanatory Memorandum further provides that ‘sections
478.1 and 478.2 are also related to the security, integrity and reliability of
data’ in addition to the serious computer offences in 477 as part of the
rationale for extending section 478.3 to these sections.[79]
Amendments to section 478.4 – soliciting the production, supply, or obtainment of data with intent to commit a computer offence
Item 8 proposes to expand the scope of section 478.4 from providing that an offence is committed where:
- the person produces, supplies or obtains data with the intention of the data being used, by them or another person, in committing a serious computer offence
to:
- the person produces, supplies or obtains data, or solicits the production, supply or obtaining of data, with the intention of the data being used, by them or another person, in committing a computer offence.
The Explanatory Memorandum provides that ‘solicit’ has its
ordinary meaning, and clarifies that the section applies both to malware
developers or vendors who solicit potential buyers, and to potential buyers who
make enquiries to purchase malware.[80]
Item 9 proposes to expand the scope of section
478.4 to also apply to offences under sections 478.1 and 478.2 on the same
terms as the amendment to section 478.3 discussed above. Item 10
proposes to increase the penalty to a maximum of 5 years imprisonment.
The cumulative effect of these three amendments could be, for example, that a person who makes enquiries about purchasing malware for low-level offending under section 478.1 (unauthorised access or modification that is not for the commission of a serious offence) commits an offence under this section punishable by up to five years imprisonment.
As discussed in previous sections, this may extend to a
wide range of offending that is not related to ransomware attacks. It would
also cover interpersonal offending, such as solicitation for spyware to install
on the phone of an adult child by their parent.
Proposed section 478.5 - dealing with data obtained by unauthorised access or modification
Item 11 inserts proposed section 478.5 which
creates a new offence of dealing with data obtained by unauthorised access or
modification. The Explanatory Memorandum notes:
The offence criminalises conduct that involves obtaining,
releasing or modifying (for example, deleting) data of a victim that has been
obtained by unauthorised access or modification. For example, a cybercriminal
may combine the encryption of a person’s computer, or the act of exfiltrating
the victim’s data, with threats to release or on-sell stolen sensitive data for
the purpose damaging the victim’s reputation or financial gain. This tactic is
effective even if victims have adopted robust digital backups because it
leverages the value of the private information rather than the tactic of
encrypting a computer system alone.[81]
The offence has the following elements:
- physical elements:
  - that a person obtains, or causes any access, modification or release of, data held in a computer dishonestly (which in the context of a physical element means in a way that is a departure from the standards of ordinary people)[82]
  - the person does so using a carriage service and
  - the data has been obtained by unauthorised access to or modification of data held on a computer (whether or not by the person)
- fault elements:
  - the person obtains, or causes any access, modification or release of, the data dishonestly (which in the context of fault elements means the person knows the conduct to be dishonest)
  - there is no fault element for the use of the carriage service, as absolute liability applies to that physical element (proposed subsection 478.5(2))
  - the person is reckless as to whether the data was obtained by unauthorised access to or modification of data held on a computer.
The offence carries a maximum penalty of imprisonment for
5 years.
Key Issue: Application to journalists and ‘innocent third parties’
While the Explanatory Memorandum frames this offence in
the context of ransomware attacks and other cybercriminal activity,[85]
the text of the offence is not restricted to such activity. Rather it applies
to any dishonest dealing with information obtained by unauthorised
access or modification.
The text of proposed section 478.5 does not directly
provide an exemption or defence for innocent third parties. Rather the
Explanatory Memorandum states the view that the activities of innocent third
parties would not be dishonest, and therefore would not be captured by the
offence:
Conduct that is not intended to result in
criminal liability under this offence includes the following:
- a cyber security firm is engaged and authorised to conduct
incident response on behalf of a client in relation to a ransomware or cyber
security incident and, in the course of doing so, obtains data online relating
to their victim client or other persons or entities;
- a cyber security firm obtains stolen data for the purposes
of advising clients or the public on incident response or on cyber security
controls;
- a person obtains information in the public interest, such
as a journalist conducting research in a professional capacity. As community
expectations in relation to public interest may change over time, the element
of dishonesty will ensure that the application of this offence is able to adapt
with community expectations in relation to this offence and determine whether
the data that is obtained or released is on legitimate public interest grounds;
- a company that engages in open source intelligence
gathering on breached or stolen data and provides reports to industry or law
enforcement either voluntarily or as part of a paid service. [emphasis in original][86]
This is a different approach to other offences in the Criminal
Code that concern the dissemination of information that would otherwise be
criminal, which do have explicit defences, but do not include a dishonesty
element in the offence. For example, no offence is committed against the
abhorrent violent material scheme where:
- the material relates to a news report, or a current affairs report, that:
  - is in the public interest; and
  - is made by a person working in a professional capacity as a journalist;…[87]
These defence sections include a range of other explicit
defences, including for academic, scientific, medical or historical research,
or that the material relates to the development, performance, exhibition or
distribution, in good faith, of an artistic work.[88]
Impacts
This means that whether academic research, journalistic activity, the legitimate operation of cyber security firms, or the activity of other persons who deal with data acquired as a result of unauthorised access is criminal depends on a case-by-case determination of dishonesty according to the standards of ordinary people.
This may create substantial uncertainty for journalists and other such persons about what kind of reporting or disclosure is criminal and what is not. In turn, this may have a ‘chilling effect’ on the activities of whistleblowers, journalists and other innocent third parties. While the trier of fact may ultimately find such activity not to be dishonest according to the standards of ordinary people, that finding may come only after a lengthy criminal investigation and prosecution.
Key Issue: Offence does not require the person to know that the data was obtained via unauthorised access
The construction of this offence does not require that the person knows that the information was acquired via unauthorised access, only that they are reckless as to whether it was.[89]
Recklessness is defined under section 5.4 of the Criminal Code:
- A person is reckless with respect to a circumstance if:
  - he or she is aware of a substantial risk that the circumstance exists or will exist; and
  - having regard to the circumstances known to him or her, it is unjustifiable to take the risk.
A great deal of data available online may originally have been obtained by unauthorised access, which a subsequent party may not be aware of. This may introduce risks for persons who republish or otherwise deal in such data, who may be found to have been reckless as to whether the material was obtained via unauthorised access at some point in the past.
Proposed section 479.1 Aggravated offence—critical infrastructure assets
Proposed section 479.1 creates an aggravated offence
for a person who commits an offence against section 477.2, 477.3, 478.1 or
478.2 and that offence relates to a critical infrastructure asset. The
underlying offences are:
- section 477.2—unauthorised modification of data to cause impairment
- section 477.3—unauthorised impairment of electronic communication
- section 478.1—unauthorised access to, or modification of, restricted data
- section 478.2—unauthorised impairment of data held on a computer disk et cetera.[90]
The additional (aggravating) fault element is:
- the person intends to cause an impact (whether direct or indirect) on:
  - the availability, integrity or reliability of a critical infrastructure asset; or
  - the confidentiality of information about or stored in, or the confidentiality of, a critical infrastructure asset.[91]
The fault element is one of intention, and the maximum
penalty is imprisonment for 25 years. The Explanatory Memorandum justifies the
severe penalty stating:
This new aggravated offence ensures that any computer offence
against Australia’s critical infrastructure carries an appropriate penalty and
deters would be offenders. A significant disruption or attack on Australia’s
critical infrastructure could have significant consequences for Australia’s
economy, security and sovereignty. The offence captures conduct where a person
commits an underlying offence, and intends to cause an impact, whether direct
or indirect, on the availability, integrity or reliability of a critical
infrastructure asset or on the confidentiality of information about or stored
in, or confidentiality of the critical infrastructure asset.[92]
What is a critical infrastructure asset?
Proposed subsection 479.1(7) defines ‘critical
infrastructure asset’ as having the same meaning as in the Security of
Critical Infrastructure Act 2018 (SOCI Act). Section 9 of the SOCI
Act defines a ‘critical infrastructure asset’:
- a critical telecommunications asset; or
- a critical broadcasting asset; or
- a critical domain name system; or
- a critical data storage or processing asset; or
- a critical banking asset; or
- a critical superannuation asset; or
- a critical insurance asset; or
- a critical financial market infrastructure asset; or
- a critical water asset; or
- a critical electricity asset; or
- a critical gas asset; or
- a critical energy market operator asset; or
- a critical liquid fuel asset; or
- a critical hospital; or
- a critical education asset; or
- a critical food and grocery asset; or
- a critical port; or
- a critical freight infrastructure asset; or
- a critical freight services asset; or
- a critical public transport asset; or
- a critical aviation asset; or
- a critical defence industry asset; or
- an asset declared under section 51 to be a critical infrastructure asset; or
- an asset prescribed by the rules for the purposes of this paragraph.
Taken together, this definition covers a large portion of
the Australian economy, and also a large portion of the Australian labour force
in the energy, education, healthcare, superannuation, transport and grocery
sectors.
What is an ‘impact’?
Proposed paragraph 479.1(1)(b) provides that the
offence is proved where both the underlying offence is committed and where:
- the person intends to cause an impact (whether direct or indirect) on:
  - the availability, integrity or reliability of a critical infrastructure asset; or
  - the confidentiality of information about or stored in, or the confidentiality of, a critical infrastructure asset.
The Explanatory Memorandum provides various examples of
what such an impact might be on pages 11-12, and identifies malicious
cyber-attacks via malware on telecommunications providers, banks, and
electricity utilities as examples. The Explanatory Memorandum states that the
intent of this definition is to align with the definition of ‘relevant impact’
in the SOCI Act.[93]
As discussed earlier in this digest however, most of the
recorded offending of the underlying offences to date has not been by
cyber-criminals who gained unauthorised access to data via malware, but rather
existing insiders who exceeded the limits of their authorisation to access
restricted data.
This may interact in uncertain ways with the confidentiality of information ‘about or stored in’ a critical infrastructure asset under proposed paragraph 479.1(b)(ii). What qualifies as information ‘about’ a university, a critical hospital, or a critical superfund?
The Law Council raised this issue in its submission to the Parliamentary Joint Committee on Intelligence and Security’s inquiry into the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SLACI Bill), pointing to the lack of a ‘materiality’ requirement in the proposed definition of ‘relevant impact’:
The definition of a ‘relevant impact’ does not quantify the
requisite degree of impact (for example, by reference to its duration and the
extent to which it impairs the functioning of the asset). It therefore covers any
degree of impact on the availability, integrity or reliability of an asset,
or the confidentiality of information or data held in, or which relates to, the
asset. The notification requirement in proposed section 30BD also does not
prescribe a threshold for the degree of impact of a cyber security incident on
the functioning of the relevant asset. This means that even minimal and
temporary disruptions to the availability of an asset may require reporting.[94]
[emphasis original]
There is no materiality element in proposed subsection 479.1(b), meaning that petty or inconsequential impacts on confidentiality may still engage the aggravated offence. It is also unclear how closely related to the critical infrastructure asset information needs to be in order to be information ‘about’ a critical infrastructure asset.
Key Issue: Maximum penalty
The maximum penalty for an offence under section 479.1 is
25 years imprisonment.
Current offences that carry a 25-year maximum penalty
include:
- serious terrorism offences and other national security offences such as espionage[95]
- various war crimes and crimes against humanity[96]
- sexual offences outside Australia involving children[97]
- trafficking, cultivating, manufacturing or selling marketable quantities of controlled drugs.[98]
The maximum penalty is reserved for the most serious
offending,[99]
and will likely apply to prosecutions of persons responsible for serious,
malicious cyber attacks that seriously impair critical infrastructure and have
widespread impacts on Australian society or the economy.
However, when considering low level offending against this
section, such as unauthorised access that impacts on the confidentiality of the
information of a critical infrastructure asset, courts must have regard to the
maximum penalty in imposing a sentence, with a majority of the High Court
noting in Markarian v The Queen:
careful attention to maximum penalties will almost always be
required, first because the legislature has legislated for them; secondly,
because they invite comparison between the worst possible case and the case
before the court at the time; and thirdly, because in that regard they do
provide, taken and balanced with all of the other relevant factors, a
yardstick.[100]
Courts must have regard to increases and decreases in the
statutory maximum sentences for conduct, and must give effect to the intention
of the legislature when increasing maximum penalties:[101]
The action of the Legislature in almost tripling the maximum
sentence for a particular type of offence must be taken by the courts as
reflecting community standards in relation to the seriousness of that offence,
and the courts are required to give effect to the obvious intention of the
Legislature that the existing sentencing patterns are to move in a sharply
upward manner.[102]
Key Issue: Application to whistleblowing activity
‘Critical infrastructure assets’ include a large (and
flexible) array of employers, institutions and entities within Australia. As
discussed above, subsection 479.1(1)(b) does not require a ‘material’ impact on
the confidentiality of information about the critical infrastructure asset, and
it does not require that the impact on the confidentiality of information be in
the course of an attempt to impair the availability, integrity or reliability
of a critical infrastructure asset.
Further, there is no defence that the impact on the
confidentiality of information be in the public interest. An insider who
exceeds their authorisation to access restricted data and commits an offence
under section 478.1, and then releases that information to a journalistic or
other source, would have an impact on the confidentiality of information about
a critical infrastructure asset.
Again, the release of this information may have no impact on the availability, integrity or reliability of that critical infrastructure asset; the test is simply that the information be ‘about’ the critical infrastructure asset. This may cover a wide range of misconduct.
Relevantly, the maximum penalty for an offence against proposed section 479.1, at 25 years imprisonment, is much higher than any of the maximum penalties for offences against the secrecy provisions in Part 5.6 of the Criminal Code. These are the offences that apply to the disclosure of secret Commonwealth information, which generally carry maximum penalties of between 3 and 7 years’ imprisonment.
As a result, the Commonwealth may pursue charges under
proposed section 479.1 against persons who leak or disclose secret material, in
addition to secrecy charges under Part 5.6. As discussed below, the Minister
has wide discretion to prescribe what is and what is not a critical
infrastructure asset, and consequently it may be possible for a future
government to declare various government agencies to be ‘critical
infrastructure assets’ to apply this offence to disclosure of information by
employees where such disclosure is the result of unauthorised access.
Key Issue: definition of ‘critical infrastructure asset’ is subject to ministerial discretion
Under section 9 of the SOCI Act, the Minister has a
wide discretion to provide that certain assets are (or are not) critical
infrastructure assets by determination. This includes the power to prescribe an
asset in the rules (which are subject to parliamentary disallowance as a
legislative instrument).[103]
It also includes the power under section 51 for the
Minister to declare a particular asset to be a critical infrastructure asset,
where:
- the asset is not otherwise a critical infrastructure asset; and
- the asset relates to a critical infrastructure sector; and
- the Minister is satisfied that the asset is critical to:
  - the social or economic stability of Australia or its people; or
  - the defence of Australia; or
  - national security; and
- there would be a risk to:
  - the social or economic stability of Australia or its people; or
  - the defence of Australia; or
  - national security;
if it were publicly known that the asset is a critical infrastructure asset.
Importantly, this declaration is not a legislative
instrument, and is not subject to disallowance by either House of
Parliament.[104]
This may create circumstances where an alleged offender is unaware (and could not have been aware), prior to offending, that they were committing an aggravated offence under section 479.1 because the asset had been declared a critical infrastructure asset under section 51 of the SOCI Act.
The scope of this aggravated offence then depends in part
on the operation of delegated legislation and on other determinations, not
subject to parliamentary oversight. The Commonwealth Guide to Framing
Offences notes that this is generally undesirable.
Section 479.2 aggravated offence – producing, supplying or obtaining data under arrangement for payment
Proposed section 479.2 creates an aggravated
offence where:
- a person commits an offence against section 478.4(1) by producing, supplying or obtaining (or soliciting the production, supply or obtainment[105]) of data with the intention that the data be used in committing, or facilitating the commission of, an offence against Division 477 or section 478.1 or 478.2[106] (the underlying offence) and
- the person does so under an arrangement for payment.
The Explanatory Memorandum provides that:
This offence seeks to criminalise the ransomware business
model, including sale, purchase, lease or commission arrangements in relation
to data that is used in the commission of an offence against section 478.4(1).
It captures conduct such as ransomware-as-a-service, whereby a person produces
data with the intent that the data be used in the commission of an offence
against Division 477 or sections 478.1 or 478.2, and that person supplies the
data to another person for payment.[107]
The fault element for this offence is that the person was reckless as to the circumstance that the conduct was under an arrangement for payment.[108]
Proposed subsection 479.2(2) provides that there are no fault elements
for committing the underlying offence beyond those of that underlying offence. Proposed
subsection 479.2(6) also provides that ‘payment’ may include a reference to
giving or receiving property.
A conviction against section 479.2 may be made even if the
person has not been convicted of the underlying offence under subsection
478.4(1). The trier of fact may impose the underlying offence as an alternative
verdict if they are not satisfied that the person is guilty of the aggravated
offence, but is satisfied beyond reasonable doubt of the underlying offence.
The maximum penalty for this offence is proposed to be 10
years imprisonment.
Key Issue: Application to other offending
The Explanatory Memorandum discusses this provision in
relation to ransomware as a service, and other examples of sophisticated
cyber-criminal activity. The proposed aggravated offence does clearly
criminalise such conduct.
However, it also criminalises any attempt to solicit the
production, obtainment or supply of information for the commission of an
offence under promise of payment. This applies to Ransomware as a Service
(RAAS) providers and other criminal providers but will also apply to persons who
attempt to solicit the supply of malware for reasons other than for commercial
gain.
Schedule 2 – cryptocurrency exchanges
The POCA provides law enforcement with
wide-reaching powers to monitor, freeze, restrain and confiscate the proceeds
and instruments of crime. Schedule 2 makes amendments to the POCA
to expand various elements of the POCA legislative framework to apply to
cryptocurrency exchanges in addition to financial institutions.
The Explanatory Memorandum refers to the 2021 Final
Report of the Select Committee on Australia as a Technology and
Financial Centre, which observed a growth in the cryptocurrency and digital
asset[110]
market and the increasing prevalence of cryptocurrency possession in Australia.
In the context of this growth, the Explanatory Memorandum states:
The amendments will ensure that existing information
gathering powers and freezing orders available in relation to financial
institutions can also be exercised in relation to digital currency exchanges.
These reforms will enhance law enforcement agencies’
investigative powers to ensure they can identify where digital currencies may
be associated with criminal offending and then freeze relevant accounts to
prevent that digital currency from being dissipated (and potentially reinvested
in further criminal activity) before restraint action can be taken under the
POCA. This measure is part of a suite of measures the Government intends on
introducing to modernise law enforcement powers and legal frameworks to ensure
that law enforcement agencies can continue to deprive criminals of the benefits
of their crime.[111]
Items 1-9 make amendments to various freezing order
provisions in the Crimes Act to expand the language of the sections to
include the term ‘transactions’. The effect will be to ensure these provisions
also apply to dealings that occur on cryptocurrency exchanges (which will be
brought within the definition of financial institution by item 13).
Item 10 expands the definition of ‘account’ under
the Act to include an account relating to digital currency, including an
account provided as part of a digital currency exchange. Item 11 further
provides that it is immaterial if the balance of the account is expressed as an
amount of digital currency, Australian currency or other currency.
Item 12 inserts definitions of digital
currency and digital currency exchange into section
338 of the POCA. The definition of digital currency adopts the
same definition as under the Anti-Money
Laundering and Counter Terrorism Financing Act 2006. A digital
currency exchange means a registrable digital currency exchange service
as defined under that Act.
Item 13 expands the definition of financial
institution to include a corporation to which paragraph 51(xx) of
the Constitution
applies that provides a digital currency exchange. This expands the scope of
the proceeds of crime regime to such bodies, and also implicitly amends other
Acts that rely on the concept of financial institution and related concepts
from the POCA.[112]
Item 14 details the transitional procedures.
Schedule 3 – seizing digital assets
As the Explanatory Memorandum explains, the Crimes Act and the POCA establish the legal basis upon which law enforcement agencies can seize evidential material or tainted property.[113]
Schedule 3 proposes amendments to the Crimes Act
and the POCA to allow for the seizure of digital assets, where the
digital asset is evidential material or tainted property. The Explanatory
Memorandum states the rationale of these amendments is:
Law enforcement agencies are seeing an increase in criminals’
use of digital assets to facilitate their offending and as a means to hold and
distribute the benefits derived from their offending, including in the context
of ransomware, money-laundering and other predicate offending. The provisions
will complement existing search and seizure powers by including provisions that
specifically address some of the unique issues and complexities that arise in
search for and seizure of digital assets. This will ensure that the powers
available to law enforcement reflect the operational environment and are
suitably adapted and extended to prevent the dissipation of proceeds of crime
so that it is available for subsequent restraint and forfeiture action under
the POCA.[114]
Definition of ‘digital asset’
Items 1 and 12 propose to insert identical
definitions of ‘digital asset’ into subsection 3C(1) of the Crimes Act
and section 338 of the POCA respectively:
digital asset means:
- a digital representation of value or rights (including rights to property), the ownership of which is evidenced cryptographically and that is held and transferred electronically by:
  - a type of distributed ledger technology; or
  - another distributed cryptographically verifiable data structure; or
- a right or thing prescribed by the regulations;
but does not include any right or thing that, under the regulation is taken not to be a digital asset for the purposes of this Part.
The Explanatory Memorandum provides that this is intended
to be a broader definition than the definition of ‘digital currency’ in
Schedule 2:
[…] for the definition of ‘digital assets’ in relation to
this measure, the intention is not to limit the search and seizure powers to
digital currency which is administered or facilitated by a digital currency
exchange, but to confirm the ability of law enforcement agencies to seize
digital assets that are capable of having a value and could be subject to
restraint and confiscation under the POCA.[115]
This then may apply to digital assets such as non-fungible
tokens for art works and other similar unique digital assets.
Key Issue: definition can be altered by disallowable legislative instrument
The second limb of the definition of ‘digital asset’ allows the regulations to prescribe any ‘right or thing’ as a digital asset, and to exclude any right or thing from the definition.
The ‘any right or thing’ wording is very broad, and
practically allows the regulations to extend the POCA and Crimes Act
seizure provisions to nearly anything. The Explanatory Memorandum justifies
this wording arguing it ‘is designed to provide flexibility to tailor the
definition as technology changes and in the use of digital assets in criminal
offending changes’.[116]
Regulations under these Acts are disallowable by either House
of Parliament via normal disallowance procedures under section 44 of the Legislation Act
2003.
The Senate Standing Committee for the Scrutiny of Bills
noted concern with these significant matters in delegated legislation stating:
… the committee has generally not accepted a desire for
administrative flexibility to be a sufficient justification, of itself, for the
inclusion of significant matters in delegated legislation. The committee's
scrutiny concerns in this instance are heightened noting the definitions relate
to the exercise of coercive powers. [117]
The Committee requested the Minister’s detailed advice
concerning the necessity of leaving this to delegated legislation, and whether
the Bill could be amended to include further high-level guidance on the face of
the primary legislation.[118]
At the time of writing this Digest, the Minister’s
response had not been received by the Committee.[119]
New digital asset seizure provisions
Items 7 and 11 insert proposed section
3FA into the Crimes Act and proposed section 228A into the POCA
respectively. These sections provide additional powers to seize digital assets
under a warrant.
In relation to proposed section 3FA, the
Explanatory Memorandum provides that this section is necessary arguing:
These new provisions are intended to complement existing
search and seizure powers by specifically addressing some of the unique issues
and complexities that arise in search for and seizure of digital assets. This
includes only requiring that the executing officer or constable assisting ‘finds
one or more things that suggest the existence of the digital asset’ before
seizure of that digital asset can be effected.[120]
The Explanatory Memorandum explains this provision in
detail on pages 20-23. In short, proposed section 3FA:
- details the three criteria that an executing officer or constable assisting must be satisfied of in order to seize a digital asset in relation to a warrant for premises or for a person. The criteria are: that they find one or more things that suggest the existence of a digital asset; that they reasonably suspect the digital asset to be evidential material or tainted property; and that they reasonably suspect that seizing the asset is necessary to prevent the digital asset’s concealment, loss, destruction or use in committing an offence
- specifies that ‘seizing’ includes transferring the digital asset from a digital wallet (or other such thing) to a digital wallet controlled by the Australian Federal Police or a state or territory police service, or in circumstances otherwise prescribed by the Regulations
- provides time limits on seizing digital assets
- specifies that seizure may be done remotely rather than at the premises or in the presence of the person specified in the warrant.
The other items in Schedule 3 make various consequential amendments reflecting the existence of the new powers under sections 3FA of the Crimes Act and 228A of the POCA.
- Items 2–5 insert references to section 3FA into various elements of section 3E about when a warrant can be issued. The effect of the amendments will be to require the warrant to expressly include reference to law enforcement’s ability to seize digital assets under the terms of that warrant.
- Items 6 and 10 rename the general warrant powers under section 3F of the Crimes Act and section 228 of the POCA to distinguish them from the new additional powers under proposed sections 3FA and 228A.
- Items 8–9 do much the same for the POCA scheme as items 2–5 do for the Crimes Act, by requiring that a warrant issued under the POCA expressly refer to the ability to seize digital assets.
Key Issue: Method of seizure may be determined by legislative instrument
Proposed subsection 3FA(3) of the Crimes Act and proposed subsection 228A(2) of the POCA respectively provide for additional methods of seizure for digital assets. This relevantly includes:
- transferring the digital asset in circumstances prescribed by regulations made for the purposes of this paragraph.
This allows new methods of seizure to be prescribed by disallowable legislative instrument, in similar terms to how the Minister may prescribe the definition of ‘digital asset’ as described above. The Explanatory Memorandum noted that this is ‘designed to provide flexibility to expressly prescribe other ways in which digital assets can be seized’.[121]
The Senate Standing Committee for the Scrutiny of Bills raised concerns about the ability to determine the methods of seizure by legislative instrument similar to those it raised about the Minister’s ability to define ‘digital asset’, described above, and similarly asked for the Minister’s advice on:
- why it is considered necessary and appropriate to leave key elements of the definition of ‘seizing’ a digital asset to delegated legislation and
- whether the Bill could be amended to include further high-level guidance regarding these matters on the face of the primary legislation.[122]
At the time of writing this Digest, the Minister’s response had not been received by the Committee.[123]