
Australian Police Now Empowered to Hack and Spy on Cybercriminals, Despite Failure To Pass Key Safeguard Measures

A new system of warrants grants Australian police broad powers to infiltrate and even modify the online accounts of suspected cybercriminals, in the name of combating dark web transactions and “anonymization technology.” But the Identify and Disrupt bill passed without key safeguards that would have restricted these measures to cases involving very serious crimes, raising fears that issues such as trademark offenses and tax payments could trigger invasive spying.

Cybercriminals can have accounts taken over, data deleted under new law

The new bill allows for three types of warrants to be issued that can be used to digitally breach the accounts of cybercriminals. To qualify for a warrant, the investigation must be into a crime that is “punishable by a maximum term of three years or more.” There are also no prescribed categories of crimes; “all commonwealth offences” appear to be fair game.

The warrants are available to the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission. Each warrant provides for a specific type of activity: data disruption, network activity, and account takeover. A “data disruption” warrant allows investigators to modify, add, copy or delete information in an account they surreptitiously break into, and to use found evidence to prosecute a case. A “network activity” warrant provides for digital spying on suspected cybercriminals; this information cannot directly be used as evidence but can serve as a basis for warrants for more intensive surveillance. And an “account takeover” warrant allows law enforcement agencies to simply take possession of an investigation subject’s account; use of it for undercover investigation or gathering further evidence on cybercriminals will require a separate warrant.

Lack of safeguards in present form of the bill

The passage of the bill comes after months of debate over how extensive these powers should be and what safeguards should be put in place to prevent abuse, a debate that seems to have almost entirely been thrown out the window at this point. The bill is supported by Australia’s center-left Labor Party, and the center-right Liberal Party had proposed a number of safeguards. These are now being introduced as proposed amendments by the home affairs minister. These include a sunset clause that puts an end to the warrants after five years, and stronger criteria for obtaining a warrant such as requiring that requests specify exactly what it is for and demonstrate that it is a “reasonable and proportionate” measure.

The Liberal Party is also seeking a clause to protect journalists in the wake of the 2018 raid on News Corp reporter Annika Smethurst due to her reporting on a plan by the Defence and Home Affairs ministers to implement broad domestic surveillance programs. Smethurst based the reporting on a classified document leaked to her by a member of the Defence Department, which the government used as a justification for the raid of her home and seizure of the contents of her phone.

Initial debate about the bill had centered on the use of it for specific categories of serious crimes with a focus on cybercriminals. When the idea was introduced in 2020, prior home affairs minister Peter Dutton had called for it to apply only to “terrorists, pedophiles and drug traffickers” that operate online. The “scope creep” of the bill to any commonwealth offense (roughly equivalent to a federal offense in the United States) with a max penalty of three years or more ropes in quite a variety of unrelated crimes of a much less serious nature. The present form of the bill sailed through due to lockstep support from the Labor Party combined with coalition support from some members of the Liberals.

Privacy advocates raise concerns with surveillance bill

Some members of the government say that these new measures are necessary to combat sophisticated cybercriminals that are entrenched online, using anonymous dark web sites and encrypted accounts to communicate and engage in transactions. But privacy advocates are referring to the bill as a “surveillance state” measure ripe for abuse given the broad range of investigations it can apply to. In addition to the removal of proposed safeguards, the opposition is incensed at the fact that an Administrative Appeals Tribunal, an entity primarily made up of political appointees that sits outside the national court structure, is able to grant these warrants rather than a superior court.

The new bill follows the controversial Telecommunications Legislation Amendment (Assistance and Access) Act of 2018, which mandated that tech companies assist law enforcement investigations by decrypting user data upon request. That bill was also sold to the public primarily on the need to combat online child pornography distribution by cybercriminals, but the Australian Centre to Counter Child Exploitation notes that digital access of these materials has actually increased substantially each year since the bill was passed.

Regardless of the passage of any amendments, the Independent National Security Legislation Monitor is scheduled to review the new bill in four years.