On 3 December, the Australian federal government presented a bill in parliament. The new piece of legislation is looking to give law enforcement agencies enhanced powers to tackle cybercrime. Privacy advocates, however, are concerned about “scope creep”. They fear the account hacking powers would be too invasive and may not be curbed adequately.
New Legislation in the Making
The Minister for Home Affairs, Peter Dutton, first flagged “new ways to investigate and shut down cybercrime, including on the dark web” at the launch of Australia’s Cyber Security Strategy 2020, in August. This strategy pledged to invest $1.67 billion over the next 10 years. The aim of the strategy is to achieve “a more secure online world for Australians”.
Like elsewhere in the world, Australians are being targeted by various malicious cyber actors. The strategy report mentions nation states and state-sponsored hacking groups, financially motivated criminals, issue-motivated groups and individuals, and terrorist groups and extremists. Moreover, there’s the dark web. This anonymous part of the internet makes it easier for cybercriminals to commit serious crimes, including child abuse and terrorism.
“If our law enforcement agencies are to remain effective in reducing cybercrime, their ability to tackle the volume and anonymity enabled by the dark web and encryption technologies must be enhanced”, said the report. “As part of this Strategy, the Australian Government will work to ensure law enforcement has the powers and capabilities to investigate and disrupt cybercrime, including on the dark web.”
Enhanced Powers to Tackle Cybercrime
The legislation presented would hand significant new powers to the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC). “As technology has changed, so too has the tradecraft of criminals”, said Peter Dutton when he introduced the new bill yesterday. “Multiple layers of technologies that conceal the identities, IP addresses, jurisdictions, locations and activities of criminals are increasingly hampering investigations into serious crimes.”
He argued that the existing computer access warrants are not designed to address the various types of new threats. Furthermore, malicious actors are pulling out all the stops to stay anonymous. Therefore, enhanced powers are needed to handle serious criminal acts online. More specifically, the proposed bill would provide the AFP and the ACIC with three new powers. In the words of Minister Peter Dutton, these are:
- First, the bill grants new powers to collect intelligence through access to online networks. This power will allow investigators to identify offenders and the scope of their offending online, including on the dark web.
- Second, the bill will allow agencies to disrupt criminal activity where they see it occurring online. This will allow authorities to limit ongoing criminal activity and protect individuals from further victimization.
- Finally, the bill will allow agencies to take control of a person’s online account for the purpose of gathering evidence to expose online criminality.
Privacy Advocates Concerned
Privacy advocates, however, are concerned. The legislation focuses mainly on the warrants process. There will be three types of warrants: network activity warrants, data disruption warrants and account takeover warrants. Consequently, the extra powers are quite extensive.
With a data disruption warrant, for example, the AFP and ACIC will be allowed to “covertly access computers to disrupt data”. They could also, if necessary, “add, copy, delete or alter that data”. A network activity warrant will permit them to access data in order to collect intelligence. Furthermore, they will be able to take the necessary actions to conceal their access. Lastly, the account takeover warrant will include “exclusive access to the account”. This would most often be achieved by changing the account’s password and thus locking the person out.
Although each of the powers given will be “accompanied by robust safeguards”, the bill also introduces the possibility of an emergency authorization. This is a tricky legal term when it comes to privacy, as it weakens the set standards. What it means is that a law enforcement officer could, in certain circumstances, seek authorization from an appropriate authorizing officer instead of from a judge. This could be the chief officer, deputy commissioner or an authorized senior executive of the AFP, or the chief officer or an authorized executive-level member of the ACC.
It is unknown when the bill will be passed. Next week is the last sitting week of 2020.