3.1
As described in Chapter One, data disruption warrants (DDWs) will allow the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to disrupt criminal activity that is being facilitated or conducted online by using computer access techniques.
3.2
Following some general comment, this chapter sets out in more detail the following:
Determining the application
What an application must contain
What a data disruption warrant authorises
Extension, variation and revocation of a data disruption warrant
Revocation and discontinuance of access and disruption under warrant
General comment on data disruption warrants
3.3
The Department of Home Affairs (Home Affairs) characterised the data disruption power as follows:
The power to disrupt data under a data disruption warrant will allow the AFP and the ACIC to prevent the continuation of serious criminal activity and minimise harm to victims. These warrants could be used to disrupt or deny access to a computer that is being used for illegal purposes, or to illegal content. For example, removing content or altering access to content (such as child abuse material) could prevent the continuation of serious criminal activity, minimise harm to potential victims and be the safest and quickest option where offenders are in unknown locations or obfuscating their identity.
Data disruption warrants will assist when the use of anonymising technologies or the dark web has constrained the ability of the AFP or the ACIC to respond to the criminal activity. For example, where the use of anonymising technologies has meant that offenders are too numerous, well-hidden or inaccessible for law enforcement to successfully use existing powers. The purpose of this warrant is to offer an alternative pathway for law enforcement to respond to serious crime online and minimise harm to victims, particularly where it is not feasible to pursue the traditional methods of investigation and prosecution.
3.4
Whilst acknowledging the DDW as ‘unique for Commonwealth law enforcement’ the AFP said that the DDW was a:
logical extension of the AFP’s existing, extensive disruption activity. The AFP already seeks to delay, divert or otherwise complicate the commission of criminal activity, or the operations of a criminal entity, to prevent or reduce crime-related harm in Australia. Enforcement, disruption and prevention are closely interrelated and complementary in fulfilling the AFP’s objectives of protecting the community and causing maximum damage to the criminal environment.
3.5
The AFP said DDWs would be highly beneficial for child exploitation investigations as they could target services distributing child abuse material. The AFP provided an example of an online service utilised by over 600,000 persons that facilitates the sharing of child abuse material and the server hosts were suspected to be in Australia. The AFP said currently the removal of the content would require cooperation of the suspect, but with a DDW they could disable offenders’ ability to utilise the site for criminal activity.
3.6
The AFP said DDWs would be highly beneficial for cyber crime investigations by protecting the Australian community from the harmful effects of malware such as Remote Access Trojans (RATs). The AFP said currently their warrant powers only permit evidence collection and nothing could be done in one situation to remove a RAT from victim devices. The AFP said a DDW would allow the AFP to gain access to servers used by criminals distributing malware, then they could modify data in the computer making changes to the RAT software which would cause the removal of the RAT from the victims’ computers.
3.7
The ACIC said serious and organised crime was transnational by its very nature which, in combination with the effect of anonymising and encrypted technologies, meant offenders were both often anonymous and outside the jurisdiction of Australia. They said disruptions that were either short of, or in addition to, prosecution were sometimes the most practical way to prevent harm and fight crime.
3.8
The ACIC said the ability to disrupt serious criminals in a digital environment was limited compared to the physical domain, where Australian agencies could already lawfully disrupt serious criminal activity through activities like interdicting drug shipments, freezing assets, confiscating proceeds of crime or restricting travel.
3.9
The ACIC said data disruption powers such as would be provided by DDWs would allow the ACIC or AFP to halt the distribution of child exploitation material immediately when observed. They said DDWs could be used to block payments before rather than after the collection of evidence which could prevent additional offending occurring.
3.10
The ACIC provided detailed examples of how DDWs would enable the ACIC to interfere with the data held on online criminal networks or devices in order to frustrate the commissioning of serious criminal offences. They said this would be ‘particularly powerful’ in the context of criminal activity that was largely conducted online such as the distribution of child exploitation material.
3.11
The ACIC contextualised DDWs within the broader Bill and provided a hypothetical example whereby intelligence gathered from a network activity warrant (NAW) was used to inform a DDW application. This DDW could then be used to make it difficult for offenders to continue using encrypted handsets for example. They said this could include changing passwords to prevent users’ access to the platform, introducing malware onto the devices connecting to the platform, and denial of service attacks to prevent the server hosting the platform from operating. The ACIC said data disruption powers could also allow the ACIC to remove details of where to deposit money for those seeking to buy drugs or re-directing funds transfers.
3.12
The ACIC said DDWs could enable evidence to be obtained and information gathered by virtue of disruption could be used in both the prosecution of offenders or to support further investigations under subsequent evidence gathering powers.
3.13
The Uniting Church in Australia, Synod of Victoria and Tasmania (the Uniting Church) specifically supported the DDW and pointed to the:
Lack of co-operation by many technology corporations with law enforcement agencies and their lack of pro-active efforts to ensure their services are not being used to facilitate serious human rights abuses or crimes.
3.14
In supporting this argument the Uniting Church quoted a survivor of child sexual abuse as follows:
From infancy until I was 15, I was trafficked and used in child sexual abuse material which continues to be shared widely across the internet. I spent hours every day searching for my own content, reporting thousands of accounts and posts sharing CSAM. When platforms don't actively look for or prevent this content from being uploaded, the burden falls to me to have these images removed. Each time one account gets taken down, five more like it take its place. It's like a hydra, a monster that I can never defeat. I'm not strong enough to take it down myself. It's costing me my well-being, safety and maybe even my life. I'm tired. I shouldn't find photos of myself as a child being raped when I'm just scrolling through my feed.
Survivor of child sexual abuse.
3.15
The Queensland Council for Civil Liberties, Liberty Victoria and Electronic Frontiers Australia (QCCL et al) had two fundamental issues of concern in relation to DDWs. These are:
It is a dangerous step to enable law enforcement to modify what would be evidence in a criminal proceeding; and,
Law enforcement has a poor record of the consequence of modification or deletion of digital information.
3.16
The Law Council provided a detailed history and discussion of the Richardson Review, noting that, rather than suggesting the AFP be granted disruptive powers to combat cyber-enabled crime, the Review recommended:
the AFP should obtain assistance from the Australian Signals Directorate (ASD) to improve its technical capabilities, which could be deployed in the exercise of the AFP’s existing investigatory powers.
3.17
At the public hearing Home Affairs agreed that the government did not support the particular recommendation by Mr Richardson and explained that the DDW powers had been drafted very narrowly so as to address some of the concerns raised by Mr Richardson. Home Affairs said:
The government did disagree with that recommendation, but, in framing the actual breadth of the offence, you would have noted that Mr Richardson's report was quite critical of the ability to destroy or damage computers. I think the quote—and I don't have the Richardson report in front of me, sorry—was about 'zapping computers' and in effect being 'judge, jury and executioner'. I would say that that legislation, as framed, if we're talking particularly about the data disruption warrant, does not do that. It's quite limited in the damage that it can do, and it can't do any damage to physical property or cause a monetary loss. It can't damage, as I said, other property. It's focused narrowly on disrupting data, so there's been an effort made to actually really focus on what we are about here. I think the operational examples from the AFP and others, which I can go to, show that it really goes to that ability to target data and not do that substantial or major damage that Richardson was referring to.
Applications for data disruption warrants
Who may apply for a data disruption warrant
3.18
Proposed section 27KA sets out that a law enforcement officer of the Australian Federal Police or the Australian Crime Commission (or another person on the law enforcement officer’s behalf) may apply for the issue of a DDW if the law enforcement officer suspects on reasonable grounds that:
(a) one or more relevant offences of a particular kind have been, are being, are about to be, or are likely to be, committed; and
(b) those offences involve, or are likely to involve, data held in a computer (the target computer); and
(c) disruption of data held in the target computer is likely to substantially assist in frustrating the commission of one or more relevant offences that:
(i) involve, or are likely to involve, data held in the target computer; and
(ii) are of the same kind as the relevant offences referred to in paragraph (a).
3.19
An application may be made to an eligible judge or nominated AAT member. The Bill contains provisions for unsworn applications and for remote applications.
3.20
Relevant offence is set out in the Definitions section (section 6) of the SD Act and means:
(a) an offence against the law of the Commonwealth that is punishable by a maximum term of imprisonment of 3 years or more or for life; or
(b) an offence against a law of a State that has a federal aspect and that is punishable by a maximum term of imprisonment of 3 years or more or for life; or
(c) an offence against section 15 of the Financial Transaction Reports Act 1988; or
(ca) an offence against section 53, 59, 139, 140 or 141 of the Anti‑Money Laundering and Counter‑Terrorism Financing Act 2006; or
(d) an offence against section 100, 100A, 100B, 101, 101A or 101AA of the Fisheries Management Act 1991; or
(da) an offence against section 46A, 46C, 46D, 49A or 51A of the Torres Strait Fisheries Act 1984; or
(db) if a surveillance device warrant, a computer access warrant, or a tracking device authorisation, is issued or given (or is sought) for the purposes of an integrity operation in relation to a suspected offence against the law of the Commonwealth, or of a State or Territory, that is punishable by a maximum term of imprisonment of 12 months or more or for life—that offence; or
(e) an offence that is prescribed by the regulations.
3.21
Issues relating to the definition of relevant offences are discussed in Chapter 2 of this report.
3.22
Noting the broad authority given to apply for a DDW the Law Council, whilst accepting that the AFP and ACIC may adopt internal policies to limit the class of people who may apply for DDW, preferred that such matters should be dealt with in primary legislation and not reliant on executive discretion in the exercise of powers. The Law Council said:
A more judicious and focused statutory authorisation of applicants, which is limited to AFP and ACIC members who possess a prescribed level of seniority and expertise, will offer greater assurance in relation to the rigour and consistency of quality of applications for data disruption warrants.
3.23
In response to this suggestion, as part of an argument against only allowing senior officers to apply for DDWs, Home Affairs, citing advice from the AFP, said:
it is strongly preferable that warrant applications are not restricted to only ‘senior’ or commissioned officers. It is important to ensure that, in all circumstances, the most appropriate person is able to apply for a warrant. This will be the person who has the relevant detailed knowledge about the investigation or operation should the issuing authority have questions in the course of considering the application. This will not necessarily be an officer who holds a senior rank in his or her agency.
3.24
In addition Home Affairs said:
The AFP has mandatory training requirements to ensure all AFP members who are eligible to apply for warrants, or authorise the use of powers, are familiar with their legislative obligations. This training provides all information required for members to understand the powers available under legislation, their statutory obligations and threshold requirements, any reporting obligations and oversight, the importance of legislative compliance and adverse consequences for non-compliance, and how to find assistance and resources to meet their obligations. The AFP’s training is regularly inspected by the Ombudsman.
The ACIC advises that to achieve the highest standard of compliance with reporting, accountability and oversight measures associated with the Surveillance Devices Act and the Telecommunications Interception and Access Act 1979 (TIA Act) (and any other legislation providing the ACIC with similar powers), the agency has an Excellence in Compliance Strategy and training scheme. This consists of mandatory annual training and assessment requirements for staff who will be applicants for warrants and who need to access any information captured by a surveillance device or a telecommunications intercept or authorisation.
3.25
Of note, the issue of internal application processes was addressed in part in other chapters of this report relating to the other powers. Substantively the arguments have much in common.
Determining the application
3.26
Proposed section 27KC provides that an eligible Judge or a nominated AAT member may issue a DDW if satisfied:
(a) that there are reasonable grounds for the suspicion founding the application for the warrant; and
(b) the disruption of data authorised by the warrant is justifiable and proportionate, having regard to the offences referred to in paragraph 27KA(1)(c); and
(c) in the case of an unsworn application—that it would have been impracticable for an affidavit to have been sworn or prepared before the application was made; and
(d) in the case of a remote application—that it would have been impracticable for the application to have been made in person.
3.27
In determining whether a DDW should be issued, the eligible Judge or nominated AAT member must have regard to:
(a) the nature and gravity of the conduct constituting the offences referred to in paragraph 27KA(1)(c); and
(b) the likelihood that the disruption of data authorised by the warrant will frustrate the commission of the offences referred to in paragraph 27KA(1)(c); and
(c) the existence of any alternative means of frustrating the commission of the offences referred to in paragraph 27KA(1)(c); and
(d) any previous warrant sought or issued under this Division in relation to the alleged relevant offences referred to in paragraph 27KA(1)(c).
3.28
The Law Council, after referring to the Richardson Review’s characterisation of data disruption as different from electronic surveillances as it involves ‘active intervention to frustrate the commission of an offence’, cautioned against using consistency with the SDA as an argument for the proposed issuing authorities for a DDW and recommended:
the Bill should be amended to provide that the issuing authority for a data disruption warrant is a judge of a superior court of record (specifically, a judge of a State or Territory Supreme Court or the Federal Court of Australia) who is appointed by the Attorney-General in their personal capacity.
3.29
The Law Council pointed out that the third Independent National Security Legislation Monitor (INSLM) made recommendations in the context of issuing authorities for the mandatory industry assistance orders under Part 15 of the Telecommunications Act 1997 that there be independent issuing, by a new Investigatory Powers Division of the AAT, headed by a retired judge, comprising senior and experienced members with access to independent technical expertise.
3.30
The Law Council said that consideration should be given to expanding this kind of regime to:
all warrant-based powers conferred on investigative and intelligence agencies, subject to one matter of qualification. As with some current and previous AAT appointments, the members of any new Investigatory Powers Division should only be superior court judges, who are appointed to that Division in their personal capacities. This would be the Law Council’s preference for the composition of a specialist division of the AAT for the issuance of warrants authorising coercive and intrusive powers.
3.31
The Law Council submitted that determining data disruption warrants is ‘likely to require complex judgments of fact and law’ and recommended:
a regime of public interest advocates to act as contradictors in all applications for data disruption warrants should be established.
3.32
In relation to this the Uniting Church said:
if you suddenly introduce a public interest monitor—as far as I can tell, the purpose there would be to only consider the right of privacy—then who advocates for the victims of human rights abuses such as the potential of being murdered, raped, tortured, subjected to sexual abuse? Do we have a victim's advocate who appears as well, who puts forward the case as to why the warrant is needed to prevent these other very serious human rights abuses from taking place?
3.33
In addition Home Affairs referred to the Ministerial response to the Parliamentary Joint Committee on Human Rights and said:
the warrants in the Bill are supported by a range of safeguards, stringent thresholds and oversight arrangements to protect the rights of an affected person and provide for independent scrutiny and review of decisions relating to the warrants. These measures will mitigate any need for public interest advocates to act as contradictors for all warrants.
What an application must contain
3.34
A DDW must state that the eligible Judge or nominated AAT member issuing the warrant is satisfied of the matters referred to in subsection 27KC(1) and has had regard to the matters referred to in subsection 27KC(2), and must specify a number of things, including information on the applicant, the relevant offence and a number of details about the target computer and any premises the computer is on.
3.35
A warrant may only be issued for a period of no more than 90 days.
What a data disruption warrant authorises
3.36
Proposed section 27KE sets out the doing of specified things (subject to any restrictions or conditions specified in the warrant) in relation to the relevant target computer.
3.37
The things that may be specified include any of the following that the eligible Judge or nominated AAT member considers appropriate:
(a) entering specified premises for the purposes of doing the things mentioned in this subsection;
(b) entering any premises for the purposes of gaining entry to, or exiting, the specified premises;
(i) the target computer; or
(ii) a telecommunications facility operated or provided by the Commonwealth or a carrier; or
(iii) any other electronic equipment; or
(iv) a data storage device;
for the following purposes:
(v) obtaining access to data (the relevant data) that is held in the target computer at any time while the warrant is in force, in order to determine whether the relevant data is covered by the warrant;
(vi) disrupting the relevant data at any time while the warrant is in force, if doing so is likely to assist in frustrating the commission of one or more relevant offences covered by the warrant;
3.38
In addition to the above the warrant may authorise a number of actions to achieve the purpose mentioned in subparagraph (c)(v) or (vi) such as adding, copying or altering other data in the target computer.
3.39
The warrant may also authorise a number of specified activities to obtain access to data held in a target computer.
3.40
Proposed sub-section 27KE(7) sets out a number of acts that are not authorised by a DDW as follows:
Subsection (2) does not authorise the addition, deletion or alteration of data, or the doing of any thing, that is likely to:
(a) materially interfere with, interrupt or obstruct:
(i) a communication in transit; or
(ii) the lawful use by other persons of a computer;
unless the addition, deletion or alteration, or the doing of the thing, is necessary to do one or more of the things specified in the warrant; or
(b) cause any other material loss or damage to other persons lawfully using a computer, unless the loss or damage is justified and proportionate, having regard to the offences covered by the warrant.
3.41
Equivalent to existing provisions of the computer access warrant regimes in the SD Act and ASIO Act, proposed paragraph 27KE(8)(a) provides that all data disruption warrants must authorise the use of force against persons and things, where such force is reasonably necessary to do any act or thing authorised under the warrant.
3.42
The Law Council made a number of detailed arguments in relation to its concerns around the following:
Meaning of ‘disruption’ of data and ‘frustration’ of offences;
Causation of material loss or damage to lawful computer users;
Telecommunications interception;
Use of force against persons and things; and,
Temporary removals of computers and other things from premises.
Meaning of ‘disruption’ of data and ‘frustration’ of offences
3.43
The Law Council gave a detailed argument around its concerns about the lack of a statutory definition for ‘disruption’ of data and ‘frustration’ of the commission of an offence. The Law Council recommended that these terms be statutorily defined or, as an alternative (non-preferred) option, recommended:
Proposed paragraph 27KA(3)(b) (item 13 of Schedule 1) should be amended to provide that the statement of facts and grounds accompanying all applications for data disruption warrants must specify the following matters:
the acts or types of acts of data disruption that are proposed to be carried out under the warrant;
the anticipated impacts of those specific acts or types of acts of disruption on the commission of the relevant offence (that is, how they are intended to frustrate that offence); and
the likelihood that the relevant acts or types of acts of disruption will achieve that objective.
3.44
In relation to ‘disruption of data’ Home Affairs disagreed with the Law Council’s assessment and said the Bill:
includes a definition of ‘disrupting data’ in subsection 6(1) of the Surveillance Devices Act (item 8 of Schedule 1 of the Bill). This definition provides that disrupting data means adding, copying, deleting or altering data held in a computer in relation to data disruption warrants and emergency authorisations for disruption of data. There are strong safeguards that expressly prohibit causing loss or damage to data that is not justifiable and proportionate or causing any permanent loss of money, digital currency or property other than data under a data disruption warrant or emergency authorisation.
3.45
In relation to the term ‘frustrate’ Home Affairs said the term takes on its ordinary meaning and the:
deliberate decision was made not to define what ‘frustrate’ means beyond the ordinary meaning, which provides sufficient clarity while also providing the operational flexibility the AFP and ACIC require to make effective use of data disruption warrants. Data disruption action taken by the AFP or the ACIC may ‘frustrate’ criminal offending in more than one way, and it may not be possible to specify the particular nature of the frustration at the time of applying for the warrant. For example, the action of removing illegal material from a website may frustrate criminal offending by preventing a person from selling that material, preventing a person from accessing that material, reducing the risk of harm to victims of that material, damaging a criminal organisation’s reputation for providing that material, eventually having an impact on the production of such material, or having other flow-on effects.
Causation of material loss or damage to lawful computer users
3.46
Whilst proposed sub-section 27KE(7)(a) replicates equivalent provisions for computer access warrants under the SDA and ASIO Act, the Law Council pointed out that proposed sub-section 27KE(7)(b), in authorising ‘the AFP or ACIC to do acts or things under a warrant that cause material loss or damage to persons lawfully using a computer’, was a major departure from equivalent provisions under the computer access warrant regimes.
3.47
The Law Council set out a number of concerns with this power as follows:
the necessity of the power has not been demonstrated;
the thresholds for the exercise of the power are disproportionately low to the gravity of its impacts on individual rights and liberties;
there is over breadth in the purposes for which the power may be exercised, in that the AFP and ACIC may cause material loss or damage for the purpose of carrying out any activity under the warrant, not only data disruption;
the conferral of the power to cause material loss or damage to lawful computer users would, as the Richardson Review cautioned, place law enforcement officers in the role of 'judge, jury and executioner' in relation to decisions about whether to extinguish or significantly infringe the private property rights of non-suspects;
the conferral of a broad power to cause material loss or damage to lawful computer users under data disruption warrants, and the prohibition on such activities under computer access warrants, may create propriety risks for the AFP and ACIC in selecting the particular type of warrant to be used in the investigation of cyber-enabled offences; and
if the AFP or ACIC requested ASD to carry out a disruption activity under a data disruption warrant that has been issued to the AFP or ACIC, there may be a mismatch in the scope of multiple statutory immunities that would apply to ASD staff members in these circumstances. An ASD staff member may have a wider immunity in relation to acts done under data disruption warrants than they would if they had done the same acts for the purpose of performing ASD’s own functions under paragraph 7(1)(c) of the Intelligence Services Act 2001 (Cth) (ISA) to prevent and disrupt cybercrime outside Australia, via electronic means.
3.48
Home Affairs provided a detailed response to the concerns raised by the Law Council. They made an important point regarding the impossibility of guaranteeing no material loss or damage to persons who are not suspects saying that introducing:
an absolute prohibition on causing material loss or damage to persons who are not suspects or persons of interest makes the situations above impractical to target with a data disruption warrant, and will encourage criminals to adapt their methodologies to respond to this gap in law enforcement’s coverage. Due to the sophistication of modern computer systems and networks, it will be difficult if not impossible to make targeted changes that are guaranteed to impact only intended computers. For this reason, a proportionality requirement has been inserted into the Bill, in addition to the prohibition on causing damage to data unless that damage is justified and proportionate.
3.49
In addition Home Affairs pointed out:
an affected person has an avenue to challenge decisions made in regards to warrants through judicial review. Australian courts will retain their jurisdiction to review administrative decisions through the original jurisdiction of the High Court and in the Federal Court of Australia by operation of section 39B of the Judiciary Act 1903, or under the ADJR Act. In addition, where a person suffers loss of, or serious damage to, property or personal injury as a result of the execution of a warrant (or emergency authorisation), the Commonwealth is liable to compensate that person.
3.50
Home Affairs also responded in detail to other suggestions by the Law Council, which is found in Submission 9.1. In regard to consequential amendments to the Criminal Code and IS Act in relation to ASD, Home Affairs said ASD members could only avail themselves of limitation of liability provisions in Division 476 of the Criminal Code and section 14 of the IS Act to the extent that they were acting in proper performance of ASD’s functions. They noted per section 7(1)(e) of the IS Act this was nothing more than what the AFP or ACIC have the power to do themselves.
3.51
Home Affairs said, in relation to the Law Council’s recommendation relating to notifying the Ombudsman of any loss or damage caused, that the AFP and ACIC are required to notify the Ombudsman about the exercise of actions undertaken for the purposes of a DDW, which would involve notice of actions undertaken that have caused loss.
3.52
Home Affairs said additional annual reporting requirements were inconsistent with the policy intent of Ministerial reporting when combined with annual public reporting requirements for DDWs.
3.53
In response to the Law Council’s recommendation for raising the threshold for causing loss or damage, limiting actions and additional requirements for warrant applications, Home Affairs said consideration could be given to this matter. Home Affairs said this would be similar to the consideration for the issue of NAWs in proposed paragraph 27KM(2)(f). Home Affairs additionally noted that in some cases it would be impracticable or impossible to make a distinction between what is data disruption activity and what are things authorised under the warrant that are necessary to enable the disruption. Home Affairs said for this reason it was important that the ability to cause material loss or damage was not limited to the data disruption activities exclusively.
Telecommunications interception
3.54
Proposed paragraph 27KE(2)(h) of the Bill provides that a disruption warrant authorises the interception of telecommunications, for the purpose of doing any act specified in the warrant. It replicates equivalent provisions for law enforcement and ASIO computer access warrants.
3.55
Whilst acknowledging that data disruption ‘may require the incidental interception of telecommunications’ the Law Council raised concerns that:
once an interception power is authorised under a computer access warrant or data disruption warrant, it could be exercised, without any specific external authorisation or supervision, in a very broad range of circumstances during a warrant operation. For example, a warrant that authorised the interception of telecommunications, without any warrant-specific conditions or limitations being applied to further limit the purposes of interception, would permit an agency to:
intercept a person’s voice or text-based communications for the purpose of determining whether they are, or will be, present at particular premises to which covert entry is sought under the warrant; or
disable or ‘hijack’ security systems at those premises which are connected to the internet, such as surveillance cameras or digital authentication points, for the purpose of covertly entering and exiting those premises under the warrant.
3.56
In addition, the Law Council raised concerns about the intersection of the breadth of the telecommunications intercept power with the power under the TIA to make subsequent use and disclosure of interception information obtained under a disruption warrant.
3.57
The Law Council said:
Any power to intercept telecommunications under a computer access warrant, data disruption warrant, network activity warrant or an account takeover warrant should be limited to a subset of specific activities authorised under the warrant. This should cover the specific purpose of gaining access to relevant data, and in the case of disruption warrants, performing a data disruption activity. As a minimum, there should be no power to intercept telecommunications for the purpose of gaining entry to, or exiting, premises under the warrant.
3.58
The Department of Home Affairs made the reasonable and foundational point that:
Computer access capabilities do not work in a vacuum and require some degree of knowledge and interaction with the telecommunications system before execution. As a result, it will often be necessary for law enforcement agencies to intercept communications to make access to or disruption of data practicable or technically possible, and to be able to maintain the necessary covert nature required to ensure these activities are both possible and effective.
3.59
In addition, Home Affairs said that:
data disruption warrants and network activity warrants cannot authorise the collection of evidence or intelligence by interception. If the AFP or the ACIC require interception to do anything more than facilitate execution of a data disruption or network activity warrant—for example, if the AFP or the ACIC want to gather evidence by interception—those agencies must seek a separate interception warrant from an eligible issuing authority under the TIA Act; and
without the ability to intercept communications under a data disruption warrant or network activity warrant, it will be difficult to implement what is proposed under the warrant. In particular, interception must be available for the purpose of entering or exiting premises, as it can prove essential in preventing the target of the warrant from being alerted through an electronic security system (such as, an alarm or camera) that they are under law enforcement surveillance. Interception could also be essential to alerting the AFP or the ACIC where a target could become aware of an investigation against them through, for example, an automated email being sent when an account or computer is accessed from a new or unknown IP address, or through any other automated notification when new or irregular activity occurs with an online account.
Use of force against persons and things
3.60
Commenting on the drafting of proposed paragraph 27KE(8)(a) the Law Council said:
If an issuing authority decides to issue a data disruption warrant, they will have no discretion in the authorisation of force.
3.61
In response Home Affairs pointed out that force can only be used ‘where necessary and reasonable to do the things specified in the warrant’ and that the
ability to use force under warrant is required due to the eventualities that officers may face while executing a warrant. For example, it may be necessary to use force against a door or a cabinet lock to access a thing on the premises or to use force to install or remove a computer from a premises. In the case of force against a person, its use is constrained on the face of the legislation to circumstances where force is required to execute the warrant—for example, if a person is physically preventing an officer from accessing a computer or other thing that needs to be used for the purposes of obtaining access to the relevant data under warrant. Use of force may also be necessary to ensure the safety of AFP and ACIC officers in the event a person acts aggressively.
Temporary removals of computers and other things from premises
3.62
Proposed paragraph 27KE(2)(f) and subsection 27KE(3) of the Bill authorise the temporary removal and return of a computer or any other thing from warrant premises, for the purpose of doing any act or thing specified in the warrant under subsection 27KE(2).
3.63
The Law Council, echoing concerns previously raised about equivalent temporary removal provisions under law enforcement and ASIO computer access warrants, had four main concerns around the temporary removal powers as follows:
Importance of statutory time limits for removal;
Need for a clear statutory obligation to return items after a warrant expires;
Ambiguity and overbreadth in the meaning of ‘other things’ that may be removed; and,
Removal of computers or things that may cause interference or loss.
3.64
In response to these concerns, Home Affairs said the power to remove items from a premises was limited to things that are, in some way, needed to execute the warrant. Home Affairs said this could include, for example, data storage devices or a piece of paper with passwords.
Extension and variation of data disruption warrant
3.65
Proposed section 27KF allows for the extension and variation of a DDW.
(1) A law enforcement officer to whom a data disruption warrant has been issued may apply, at any time before the expiry of the warrant:
(a) for an extension of the warrant for a period of no more than 90 days after the day the warrant would otherwise expire; or
(b) for a variation of any of the other terms of the warrant.
3.66
The Law Council recommended that:
Proposed subsections 27KD(2) and 27KF(1) (item 13 of Schedule 1) should be amended to provide that the total maximum duration of a data disruption warrant is 90 days, inclusive of any extensions if the warrant is initially issued for a period of less than 90 days.
If the AFP or ACIC consider that there is a need to carry out further data disruption activities after the 90-day total maximum period of effect for a data disruption warrant, then they should be required to seek a new warrant.
3.67
Home Affairs pointed out that the proposed section did not mean that all warrants would be issued for 90 days and noted that the extension power provided for the flexibility needed in the warrant process to account for ‘extended investigations and unexpected circumstances.’
3.68
In addition, Home Affairs pointed to the reporting and oversight mechanisms in relation to extensions stating that:
The AFP and the ACIC are required to report to the Minister for Home Affairs on the number of extensions and variations made to a warrant along with the reasons for why they were granted. The Ombudsman is empowered to inspect the AFP and the ACIC’s records to determine the extent of their compliance with requirements for data disruption warrants. This will necessarily involve inspecting records made in relation to extensions and variations of warrants.
Revocation and discontinuance of access and disruption under warrant
3.69
Proposed section 27KG allows for revocation of a DDW and 27KH allows for discontinuance of access and disruption under a DDW. No specific concerns were raised about this proposed section.
Emergency authorisation
3.70
Proposed section 35B inserts the power for a Judge or nominated AAT member to approve the giving of an emergency authorisation for disruption of data held in a computer.
3.71
This may be done if the eligible Judge or nominated AAT member is satisfied that there were reasonable grounds to suspect that:
(a) there was a risk of serious violence to a person or substantial damage to property; and
(b) disruption of data held in the target computer mentioned in that subsection may have helped reduce the risk; and
(c) it was not practicable in the circumstances to apply for a data disruption warrant.
3.72
The Law Council raised detailed and nuanced concerns with accompanying recommendations in relation to emergency authorisation for DDWs.
3.73
The Law Council’s primary concern was in relation to the appropriateness of emergency authorisations for data disruption powers. They argued that DDWs were ‘a materially different power to conducting electronic surveillance for investigatory purposes’ and had the potential to cause harm to non-suspects and should, therefore, not be subject to the regime of emergency authorisations.
3.74
In the event that emergency thresholds remained available in relation to DDWs, the Law Council outlined further concerns as follows:
Thresholds for emergency authorisations;
Obligations if issuing authority does not retrospectively approve an authorisation; and,
‘Appropriate authorising officers’ for emergency data disruption powers.
3.75
Home Affairs gave equally detailed responses to the Law Council’s concerns. In relation to the primary recommendation that emergency authorisation not be available for DDWs Home Affairs stated that
the ability to disrupt data, and the ability to take control of an account in emergency situations is important for ensuring that the AFP and the ACIC will be able to respond to rapidly evolving and serious threats in a timely and effective manner.
3.76
Home Affairs set out this reasoning in more detail, providing a strong argument for the continuation of emergency authorisation being available in relation to a DDW:
The modern criminal environment is fluid and fast-paced, and criminal plans can escalate rapidly in response to numerous external factors. The AFP advises that, due to criminals’ use of anonymising technology and encryption, it could be that the AFP becomes aware of an escalation of criminal planning or intent with short notice—for example, in the counter-terrorism space, where there is significant risk to the community if offenders are not disrupted. In a situation where a code word is posted to alert criminal network members to commence criminal activities, an emergency authorisation for the disruption of data could be utilised to remove the code word, reduce its visibility to criminal network members, and disrupt the plot for criminal offending. Emergency authorisations will allow the AFP to more effectively react to changes that pose a significant risk to community safety.
3.77
Home Affairs provided detailed responses to the Law Council’s recommendations should the emergency authorisation power remain in relation to DDWs.
Extraterritoriality
3.78
Proposed section 43C of the SDA provides for the extraterritorial execution of data disruption warrants, and is similar to existing provisions of the SD Act in relation to surveillance device warrants and computer access warrants.
3.79
The Law Council raised a concern that this could represent an overlap with ASD’s function to prevent and disrupt cybercrime outside of Australia. They said that they were
concerned that the duplication created by proposed section 43C of the SDA creates a risk of conflict or inconsistency in the offshore disruption activities undertaken by ASD, the AFP and ACIC, including as a result of significant differences in applicable authorisation thresholds and processes and oversight mechanisms.
Any duplication of powers to disrupt cyber-enabled crime by persons or organisations outside Australia could also jeopardise the security and effectiveness of offshore disruption operations (for example, if de-confliction and coordination mechanisms are inadequate or ineffective). It may also lead to inefficiencies in the use of public resources by multiple agencies in conducting substantially similar disruption operations outside Australia.
3.80
Home Affairs explained that the role of the AFP and ACIC in using DDWs to take action against offenders who are in Australia or who are Australian was in contrast to ASD’s role in preventing and disrupting, by electronic or similar means, cybercrime undertaken by people or organisations outside Australia. They said that:
Australian offenders regularly interact with data held offshore, and conversely, the Australian community can be harmed using data hosted offshore. Transnational serious and organised crime groups operate with complete disregard for borders, and are increasingly choosing to conduct their activities in countries that are not favourable for Australian law enforcement activity. Removing the ability to access or disrupt data offshore with the permission from the relevant foreign country (as is proposed in relation to data disruption warrants and network activity warrants) will significantly constrain the AFP and the ACIC’s ability to investigate serious criminality and access the information required to identify offenders or disrupt online criminal activity.