Facebook or Twitter posts can now be quietly modified by the government under new surveillance laws

A new law gives Australian police unprecedented powers for online surveillance, data interception and altering data. These powers, outlined in the Surveillance Legislation Amendment (Identify and Disrupt) Bill^[1], raise concerns over potential misuse, privacy and security.

The bill updates the Surveillance Devices Act 2004^[2] and Telecommunications (Interception and Access) Act 1979^[3]. In essence, it allows law-enforcement agencies or authorities (such as the Australian Federal Police and the Australian Criminal Intelligence Commission) to modify, add, copy or delete data when investigating serious online crimes.

The Human Rights Law Centre says the bill has insufficient safeguards for free speech and press freedom^[4]. Digital Rights Watch calls it a “warrantless surveillance regime^[5]” and notes the government ignored the recommendations of a bipartisan parliamentary committee to limit the powers granted by the new law^[6].

What’s more, legal hacking by law enforcement may make it easier for criminal hackers to illegally access computer systems via the same vulnerabilities used by the government.

What’s in the law?

The bill introduces three new powers^[7] for law-enforcement agencies:

1. “data disruption warrants” allow authorities to “disrupt data” by copying, deleting or modifying data as they see fit

2. “network activity warrants” permit the collection of intelligence from devices or networks that are used, or likely to be used, by subject of the warrant

3. “account takeover warrants” let agencies take control of an online account (such as a social media account) to gather information for an investigation.

There is also an “emergency authorisation” procedure that allows these activities without a warrant under certain circumstances.

How is this different to previous laws?

Previous legislation, such as the Telecommunications (Interception and Access) Act 1979^[8] and the Telecommunications Act 1997^[9], contained greater privacy protections^[10]. Those laws, and others such as the Surveillances Devices Act 2004^[11], do permit law-enforcement agencies to intercept or access communications and data under certain circumstances.

Read more: Australia's privacy laws gutted in court ruling on what is 'personal information'^[12]

However, the new bill gives agencies unprecedented interception or “hacking” powers. It also allows “assistance orders”, which could require selected individuals to assist government hacking^[13] or face up to ten years in prison.

Why do police argue this bill is required?

According to the Department of Home Affairs, more and more criminal activity^[14] makes use of the “dark web” and “anonymising technologies”. Previous powers are not enough to keep up with these new technologies.

In our view, specific and targeted access to users’ information and activities may be needed to identify possible criminals or terrorists. In some cases, law enforcement agencies may need to modify, delete, copy or add content of users to prevent things like the distribution of child exploitation material. Lawful interception is key to protecting public and national security in the fight of global community against cybercrimes.

How does lawful data interception work?

“Lawful interception” is a network technology that allows electronic surveillance of communications, as authorised by judicial or administrative order. There are standards (which means regulations and rules) for telecommunication and internet service providers to achieve this, such as those recommended by the European Telecommunications Standards Institute^[15].

Law-enforcement agencies may require^[16] service providers to hand over copies of communications data, decrypted data, or intercepted data without notifying users. Service providers may also have to make available analytical tools such as graphs or charts of target behaviours.

What are the privacy concerns?

The Office of the Australian Information Commissioner and others have also raised privacy concerns^[17]. The bill may impact third parties who are not suspected in the investigation of criminal activities. In particular, the bill can authorise access to third party computers, communication and data.

The Human Rights Law Centre argues the proposed broad powers can potentially compel^[18] any individual with relevant knowledge of the targeted computer or network to conduct hacking activities. In some cases this may clash with an individual’s right to freedom from self-incrimination.

Read more: How the world's biggest dark web platform spreads millions of items of child sex abuse material — and why it's hard to stop^[19]

Enabling law enforcement agencies to modify potential evidence in a criminal proceeding is also a major issue of concern. The detection and prevention of inappropriate data disruption will be a key issue.

The implementation of the new warrants needs to be in line with Privacy Act 1988^[20] which was introduced to promote and protect the privacy of individuals and to regulate Australian government agencies and organisations. Where some agencies may have exemption against the Privacy Act, it is important to balance^[21] between public safety and privacy impacts^[22].

What are the security issues and impacts?

The Identify and Disrupt Bill is a part of an extensive set of Australian digital surveillance laws, including the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA), and the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (the Mandatory Metadata Retention Scheme).

Under the Identify and Disrupt Bill, access can be gained to encrypted data which could be copied, deleted, modified, and analysed even before its relevance can be determined. This significantly compromises users’ privacy and digital rights.

Modern encryption can be very hard to crack, so hackers often exploit other vulnerabilities in a system to gain access to unencrypted data. Governments too are reportedly using these vulnerabilities^[23] for their own lawful hacking.

Specifically, they depend on “zero-day exploits^[24]”, which use software vulnerabilities that are unknown to software vendors or developers, to hack into a system. These vulnerabilities could be exploited for months or even years before they are patched.

Read more: From botnet to malware: a guide to decoding cybersecurity buzzwords^[25]

A conflict of interest may arise if law enforcement agencies are using zero-day exploits for lawful hacking. To protect citizens, we would expect these agencies to report or disclose any software vulnerabilities they discover to the software manufacturers so the weakness can be patched.

However, they may instead choose not to report them and use the vulnerabilities for their own hacking. This puts users at risk, as any third party, including criminal organisations, could exploit these so-called zero day vulnerabilities.

It’s not an abstract concern. In 2016, the CIA’s secret stash of hacking tools^[26] itself was stolen and published, highlighting the risk of these activities. The Chinese government has claimed the CIA was hacking targets in China^[27] for more than a decade using these and similar tools.

Government use of hacking tools may result in worse cyber security overall. The warrant powers given to Australian law enforcement agencies may protect public safety and national interests, but they may also provide powerful means for adversaries to access government data.

This includes the data and online accounts of targeted individuals like state officials, which may significantly impact national security. This possibility needs to be considered in light of the passing of the new bill.

Whilst the justification of the bill for public safety over personal privacy can be debatable, there is no doubt that the security aspects should not be undermined.

References

1. ^{^} Surveillance Legislation Amendment (Identify and Disrupt) Bill (www.aph.gov.au)
2. ^{^} Surveillance Devices Act 2004 (www.homeaffairs.gov.au)
3. ^{^} Telecommunications (Interception and Access) Act 1979 (www.comlaw.gov.au)
4. ^{^} insufficient safeguards for free speech and press freedom (www.hrlc.org.au)
5. ^{^} warrantless surveillance regime (digitalrightswatch.org.au)
6. ^{^} limit the powers granted by the new law (parlinfo.aph.gov.au)
7. ^{^} three new powers (tutanota.com)
8. ^{^} Telecommunications (Interception and Access) Act 1979 (www.legislation.gov.au)
9. ^{^} Telecommunications Act 1997 (www.alrc.gov.au)
10. ^{^} greater privacy protections (research-management.mq.edu.au)
11. ^{^} Surveillances Devices Act 2004 (www.comlaw.gov.au)
12. ^{^} Australia's privacy laws gutted in court ruling on what is 'personal information' (theconversation.com)
13. ^{^} assist government hacking (www.homeaffairs.gov.au)
14. ^{^} more and more criminal activity (www.aph.gov.au)
15. ^{^} European Telecommunications Standards Institute (www.etsi.org)
16. ^{^} require (lims.utimaco.com)
17. ^{^} raised privacy concerns (www.oaic.gov.au)
18. ^{^} potentially compel (www.hrlc.org.au)
19. ^{^} How the world's biggest dark web platform spreads millions of items of child sex abuse material — and why it's hard to stop (theconversation.com)
20. ^{^} Privacy Act 1988 (www.legislation.gov.au)
21. ^{^} balance (www.oaic.gov.au)
22. ^{^} privacy impacts (www.natlawreview.com)
23. ^{^} using these vulnerabilities (www.europarl.europa.eu)
24. ^{^} zero-day exploits (www.fireeye.com)
25. ^{^} From botnet to malware: a guide to decoding cybersecurity buzzwords (theconversation.com)
26. ^{^} secret stash of hacking tools (www.washingtonpost.com)
27. ^{^} hacking targets in China (www.bbc.com)