Australian Federal Government introduces "absurd" police powers
Over the last couple of weeks, you may have noticed a swarm of articles discussing the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021, which blitzed through both Federal Houses of Parliament in under 24 hours and was passed on 25 August 2021. It received Royal Assent on 3 September 2021.
The Department of Home Affairs describes the purpose of the Bill as “[to modernise] Australia’s law enforcement and intelligence legal framework to better equip the AFP (Australian Federal Police) and ACIC (Australian Criminal Intelligence Commission) to deal with serious cyber-enabled crime” and “to address the challenges posed by increasing criminal use of the dark web and anonymising technologies.”[1]
In addition to some minor amendments to existing legislation, the main thrust of the Bill is to introduce three new types of warrants:
Network activity warrants allow law enforcement (namely, the AFP and ACIC) to conduct surveillance on a person’s online activities.
Account takeover warrants authorise law enforcement to access a person’s social media or other online accounts for the purposes of accessing data or locking the person out of their account.
Data disruption warrants allow law enforcement to access a device (such as a phone, computer, or hard disk) (“the target computer”) and read, write, copy, modify, transmit, or delete data contained on it. It also authorises removal of the device from the premises, any actions reasonably necessary to conceal that the data has been interfered with, and anything else ‘reasonably incidental’ to the other actions that have been authorised, including the use of reasonable force if necessary.
It also introduces assistance orders, which can be issued on a party to compel them to assist police in carrying out any of these three warrants. This might include another user of a device providing police with passwords, or network administrators downloading data for police and converting it into a readable format. The penalty for noncompliance with such an order is up to 10 years imprisonment, or 600 penalty units (penalty units are regularly adjusted for inflation – currently, one penalty unit is $222, so the maximum fine for this offence is $133,200).
After the bill was first introduced in December 2020, the Standing Committee for the Scrutiny of Bills issued a report in which they considered that the bill in its current form “[had] the potential to unduly trespass on personal rights and liberties”[2] and recommended that the powers it granted to law enforcement be tightly controlled to prevent misuse. Other civil rights groups recommended that the bill be outright withdrawn and not re-introduced until Australia had developed an enforceable framework of human rights.
The bill later passed without significant amendments, although some changes were implemented at the request of the House of Representatives to tighten up the requirements for requesting and issuing warrants.
Who can be affected by these powers?
Theoretically, almost anyone.
The power to issue any of these warrants is triggered when police ‘reasonably suspect’ that:
A serious crime has, is about to, or is likely to occur;
That crime, or crimes, involve or are likely to involve data held on a device, or the device is likely to be used by members of a suspected criminal network;
Data disruption, account takeover, or network activity monitoring is likely to substantially assist in frustrating the commission of a serious crime or crimes.
‘Reasonable suspicion’ is a fairly low bar for law enforcement to clear. A suspicion will generally be ‘reasonable’ if police can show it was objectively based on some specific facts or circumstances. A common example is a stop and search; if police witness Person A handing Person B a wad of cash, and Person B then handing Person A a plastic bag, this might cause police to reasonably suspect that a drug transaction is occurring, even though there could easily be an innocent explanation.
The Department of Home Affairs, in its submissions in support of the Bill, described serious crimes as “including terrorism, firearms and drug trafficking, human trafficking and child sexual abuse.”[3] In fact, a serious criminal offence is defined as any offence for which the maximum possible sentence is over three years imprisonment. This certainly captures paedophiles, terrorists, and human traffickers, but also (to name a few):
Illegal gambling;
Tax evasion;
Currency violations;
Possession of forged postage stamps (or the special paper used for making postage stamps);
Fraudulently obtaining Centrelink benefits;
Polygamy;
Bankruptcy offences;
Taking part in the supply of prohibited drugs;
Importing or exporting prohibited goods;
Posting harassing or offensive content on social media;
Piracy (the high seas kind, and the downloading movies off the internet kind);
Certain whistleblowing activities; and
Ironically, unauthorised modification of data held on a computer.
The term ‘serious crime’ is therefore exceptionally broad. Most of the offences it captures are entirely unrelated to the purposes of the Bill. Further, given that law enforcement is essentially speculating as to the nature of the crime that is ‘likely to’ take place, a suspect may well wind up ultimately being charged with a less serious offence that would not have met this threshold.
With respect to the test for network activity warrants, a criminal network is defined by the Bill to include ‘electronically linked individuals’ who ‘have engaged, are engaging, or are likely to engage in a relevant [i.e. serious] offence.’ ‘Electronically linked individuals’ is defined so broadly that it includes any two or more people who use the same website. The Human Rights Law Centre described this definition as “absurdly broad.”[4] Where any one person commits an offence using a website or app, every other user of that service could potentially have their data accessed, modified, or deleted by police.[5]
How does this differ from the powers that already exist?
One provision of the Bill about which a number of people have raised alarm is emergency authorisation, whereby police can carry out data disruption or account takeover without obtaining a warrant at all. The Bill provides that if:
Police reasonably suspect imminent serious violence or damage to property,
Data disruption or account takeover is urgently necessary to mitigate the risk, and
It is not practicable to apply for a warrant,
Then emergency authorisation may be obtained from an appropriate authorising officer, which includes certain senior and executive level members of law enforcement. This effectively means that police can authorise their own actions if they are satisfied there is an urgent need. They must then retrospectively apply for permission from a judicial officer to have given the authorisation. Crucially, if the judicial officer considers that authorisation should not have been given, they are not allowed to order that the wrongfully obtained data be destroyed.
Emergency authorisation has, in fact, been around since the original Surveillance Devices Act 2004 (Cth). The power to access a device, the power to compel telecommunications providers to provide information and assistance, and the power to monitor a person’s internet use through surveillance are all already in existence. The key difference introduced by these amendments is that police can now also covertly add, delete, and modify data from the devices they access.
The right to freedom from self-incrimination
One of the key criticisms of these amendments is that Australia does not have a robust, enforceable human rights framework in place to protect against abuse of these powers.
Australia does not have a Bill of Rights. Some of our rights are written into the Constitution and cannot be contravened, such as the right to vote. The rest are implied from the wording of the Constitution, provided for by legislation, or recognised at common law.
We rely on Parliament not to override our implied rights, but there is nothing preventing them from doing so. One such implied right is the right to freedom from self-incrimination. This is recognised as a fundamental human right throughout our legal system, and is codified to some extent in the Evidence Act 1995 (Cth), but it is not a Constitutional right and can be overridden by Parliament if they so choose.
A number of civil liberties advocates have argued that assistance orders do exactly this. Under these provisions a person could be ordered to assist police with accessing data that would incriminate them; in fact, the Bill specifically contemplates circumstances where an assistance order is made against a person who is suspected of committing a relevant offence. That person may then face the choice between defying the order and facing the steep penalties, or providing police with evidence that implicates them for a different crime.
As an aside on the subject of assistance orders, it has also been argued that if an assistance order is made against an employee (for example, of an internet service provider or social media platform), compliance with the order may place them in breach of their contractual obligations not to disclose confidential information.[6] It may also place their employer in breach of existing regulations preventing the unauthorised disclosure or misuse of consumers’ personal information, opening them up to potential legal action.[7]
The right to privacy
More broadly, numerous civil liberty and digital privacy advocacy groups have raised alarm about the implications of this Bill for Australians’ privacy.
Australians do not currently enjoy a legal right to privacy, either expressly or impliedly through the Constitution or through common law. There are some protections provided by the Privacy Act 1988, which regulates the way organisations can collect, store, and use personal information, and by other various telecommunications, health, and financial legislation. However, these protections have already been significantly eroded and are in no way sufficient to protect against misuse of the broad powers provided for by the Bill.
The potential privacy impacts of the Bill are numerous. We have discussed above that almost anyone’s data could be subject to one of these warrants. It would be difficult to exaggerate the potential scope of these powers. The Parliamentary Joint Committee on Human Rights noted in their report that some of the actions law enforcement might undertake under these warrants could include:[8]
Altering a person’s bank account credentials, or monitoring or re-directing a person’s funds held in a bank account;
Collecting personal information;
Taking control of an individual’s online account, such as changing a person’s password in order to take control of a person’s account and assume that person’s identity, and
Entering an individual’s home or workplace to carry out the warrant.
Again, any of these actions might be carried out against an innocent third party with no knowledge of or involvement in criminal activity.
The second limb of these concerns is the lack of remedies available to someone whose privacy has been breached. We have noted already that even if your data is found to have been accessed unlawfully, there is no power for judicial officers to order that it be destroyed.
There is no provision for a person who has been the subject of a warrant to be informed of this fact after the investigation is complete. In explaining this, the Minister pointed to the potential for disclosure of the details of these warrants to undermine ongoing investigations of other individuals: “while the Government acknowledges that the use of a covert warrant will impact a person's privacy, this limitation is reasonable, necessary and proportionate in order to safeguard the Australian community from serious crime.”[9] He also outright acknowledged that while a person would theoretically be able to challenge decisions in relation to warrants through judicial review, they would need to be aware of the warrant to do so, and therefore it would likely only occur after the investigation ceased being covert. He stated that the subject of a warrant “may” become aware of this during criminal proceedings.[10]
Evidence, and the onus of proof
Data accessed or obtained under data disruption and account takeover warrants is, subject to some limitations, admissible in criminal proceedings. Information obtained under network activity warrants is admissible only in specific circumstances.
From an evidentiary perspective, there are significant concerns in allowing police to covertly modify, add, or delete data. It is very possible that in the process of doing so, they may interfere with or delete exonerating evidence, or modify evidence in such a way that a suspect is further implicated for a crime. This could be done inadvertently – it is not generally obvious to an outside observer what will and will not become relevant evidence in later Court proceedings.
It is not clear how a person who has been charged with a crime might go about finding out whether their data has been tampered with. Given the measures taken to keep these warrants covert, it is not likely to be an easy task, if it is possible at all. Even where the fact that a warrant was issued is part of the prosecution case, there are significant concerns with how this is dealt with in Court. The Bill provides that law enforcement can issue an ‘evidentiary certificate’ setting out the data that was accessed or disrupted, and what was done with it. This certificate is prima facie evidence of everything contained within it, and the evidentiary burden then reverts to the accused person to demonstrate that any of it is untrue. For anyone who does not maintain scrupulous backups of all their data, this may well be an impossible task.
The fact that the burden of proof rests with the prosecution is a key tenet of our criminal justice system. Generally, an accused person is innocent until proven guilty. Also underlying this principle is the fact that it is, as a general rule, infinitely more difficult to prove that something did not occur, than to prove that it did.
Take, for example, an extreme hypothetical, where police claim that incriminating evidence was accessed on a device, and then deleted. Police will have then taken all necessary steps to conceal the fact that they deleted anything from the device. It is not clear precisely how an accused person could possibly go about proving that it was never on their device in the first place.
Conclusion
Undeniably, the threats at which these amendments are aimed are real and present. However, we are asked to accept a significant trade-off in the further abrogation of rights to privacy and potentially to due process as well. There is a concerning lack of external checks and balances, and an almost total lack of transparency. The fact that there is no proper mechanism for redress in the event that these extremely broad powers are abused is troubling.
If you are interested in further reading on this topic, a complete list of submissions made to the Parliamentary Joint Committee on Intelligence and Security can be found at https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/IdentifyandDisruptBill/Submissions.
Author: Sophie Bouhalis
[1] Home Affairs Portfolio submission to the review of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, p 4 [2] Standing Committee for the Scrutiny of Bills Scrutiny Digest 1 of 2021, p 30 [3] Home Affairs Portfolio submission to the review of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, p 4 [4] Human Rights Law Centre, Submission to the Parliamentary Joint Committee on Intelligence and Security on the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, p 9 [5] Human Rights Law Centre, Submission to the Parliamentary Joint Committee on Intelligence and Security on the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, p 9 [6] Communications Alliance Ltd, Review of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, p 4 [7] Communications Alliance Ltd, Review of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, p 4 [8] Parliamentary Joint Committee on Human Rights, Human rights scrutiny report, p 68 [9] Parliamentary Joint Committee on Human Rights, Human rights scrutiny report, p 81 [10] Parliamentary Joint Committee on Human Rights, Human rights scrutiny report, p 81