New Australian laws could force CISOs to decrypt data, let police access accounts

Australian CISOs and system administrators could face jail time unless they help authorities surreptitiously hack the accounts of their network users — a possibility that has suddenly emerged with the rapid passage of what the Law Council of Australia’s president Jacoba Brasch called “novel, extraordinary, and intrusive” new surveillance legislation that has been flagged by Australian senator Lidia Thorpe, a member of the minority Green party, as “contempt of democracy”.

Passed into law at the end of August 2021 after the government agreed to a series of amendments, the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 (SLAID) gives the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) a host of powers, including the ability to “disrupt data by modifying, adding copying, or deleting data in order to frustrate the commission of serious offences online”.

The bill also gives authorities powers to access “the devices and networks used to facilitate criminal activity” and provides for new ‘account takeover warrants’ that allow investigators to take over a person’s online accounts — including social media or internet banking accounts — “for the purposes of gathering evidence to further a criminal investigation”.

Authorities will be able to use the powers to “gather evidence about a person’s criminality and their associates’ activity” — including on the dark web — then-Minister for Home Affairs Peter Dutton said when the bill was introduced in late 2020.

Also new are ‘network activity warrants’, which will enable AFP and ACIC officers “to build a picture of how criminal networks are operating online and inform future investigations,” Dutton said, noting that any information collected “must be relevant to the prevention, detection, or frustration of an offence with a maximum penalty of at least three years imprisonment”.

Significantly, section 64B of the new legislation also allows authorities to obtain an ‘assistance order’ that compels a specified person “to provide any information or assistance that is reasonable and necessary” to help officers disrupt data in a computer, access data in that computer, copy data from the computer to a data storage device, or convert data into “intelligible form”.

Based on this wording, system administrators could be forced to decrypt and hand over sensitive data to authorities upon request — with civil indemnity for those receiving such an order, and noncompliance punishable by penalties of 10 years or $133,200 in fines.

SLAID a worrisome new direction for government surveillance

Privacy-rights groups have been sceptical about the legislation since it was first floated — during a time when, unbeknownst to the public, Australian Federal Police and US FBI were spearheading a global sting based on the fake AN0M encrypted messaging app that ultimately led to the arrests of hundreds of criminals.

Although acknowledging that “law enforcement agencies need powers that are adapted to the specialised context of cyber-enabled offences”, the Law Council of Australia warned earlier this year that “the necessity and proportionality of the proposed powers requires careful scrutiny [as they] depart sharply from the traditional focus of their investigative powers on the collection of admissible evidence of specific offences. They also have the potential to have significant adverse impacts on large numbers of nonsuspects who are lawfully using the networks, systems, or accounts that are suspected of being used by offenders.”

The legislation’s passage in late August raised new concerns, with LCA president Jacoba Brasch calling it “particularly disappointing” that the government had failed to mandate judicial oversight of the “novel, extraordinary, and intrusive” warrants.

Noting “disappointment” that the legislation’s lack of clear oversight “fails to provide a meaningful safeguard or assurance”, Brasch argued that the warrants “have the potential to cause significant loss, damage, or disruption to lawful computer users who are not suspected of any wrongdoing”.

Faced with the threat of jail time if they fail to help authorities, CISOs should liaise with corporate legal and executive representatives to lay out strategies and procedures should the company receive an assistance order.

The threat of compulsion is extraordinary and worrying, Senator Thorpe said, noting that the bill “enables the AFP and ACIC to be ‘judge, jury and executioner’. That’s not how we deliver justice in this country,” noting that “the bill does not identify or explain why these powers are necessary.” Thorpe added, “Our allies in the United States, United Kingdom, Canada, and New Zealand do not grant law enforcement these rights.”

FILAB law also quickly passed to surveil Australians’ communications

Yet SLAID isn’t the only new legislation with potentially significant impacts on the collection of Australians’ data. The “significant adverse impacts” warned about by LCA could easily include the inadvertent collection of Australians’ personal data, after the government railroaded through a companion piece of legislation, the new Foreign Intelligence Legislation Amendment Bill 2021 (FILAB), just days after it was referred for Parliamentary Joint Committee on Intelligence and Security review.

Upending years of prohibition on domestic surveillance, FILAB allows Australian authorities to apply for a warrant that lets them spy on Australians who are living in Australia and “acting for, or on behalf of, a foreign power”.

By allowing authorities to obtain a warrant to surveil communications whose location is not clear — said to be a threat in the era of modern messaging apps — FILAB does away with longstanding protections that were implemented in 2000 and prevent government authorities from spying on Australians within the country.

The change was necessary, said Minister for Trade, Tourism, and Investment Dan Tehan in his second-reading speech before the bill was passed into law, because the domestic ban prevented intelligence agencies from intercepting communications of persons of interest “when there is even the smallest risk of incidentally collecting a domestic communication”.

“This is a considerable restraint on the collection of foreign intelligence,” he said, citing the “real risk that intelligence agencies are missing critical foreign intelligence [that] could result in serious threats to Australians being missed.”