Many will recall last year’s battle between the United States Justice Department and technology giant Apple, in which the former spent millions of dollars trying to force the latter to unlock the iPhone of a gunman allegedly involved in the San Bernardino terrorist attack.
The Justice Department felt the need to take such action because it knew the United States Constitution would never allow the forced disclosure of an individual’s personal identity information in circumstances where it may incriminate them.
However, the situation in Australia is different. Here, there is a legal mechanism for police to force the disclosure of an individual’s passwords, personal identification numbers and private encryption keys to enable them to access an individual’s smartphone or computer during the investigation of a Commonwealth offence.
That mechanism is contained in section 3LA of the Crimes Act 1914 (Cth) (“the Act”), which provides that “a constable may apply to a magistrate for an order to provide any information or assistance that is reasonable and necessary” to allow them to access data stored on “a computer or data storage device.”
A “constable” is defined by section 3 of the Act as “a member or special member of the Australian Federal Police or a member of the police force or police service of a State or Territory”.
Police can apply to a magistrate for an “assistance order” requiring the owner or user of a computer or data storage device to provide such information if they can establish a reasonable suspicion that the device holds or can enable access to evidential material relevant to a crime.
The subject of the order is not required to be suspected of any crime. He or she merely needs to be the owner of the device that police reasonably suspect holds information relating to an offence.
If the application is successful, the subject will be required to provide the password/s enabling police to gain access to the device/s, as well as any decryption information in order to make data accessible and intelligible to police.
Failure to comply with an assistance order is a criminal offence. When the law was first enacted, the maximum penalty was 6 months’ imprisonment. However, authorities have since raised the maximum penalty to 2 years behind bars.
A climate of paranoia
The Commonwealth Cybercrime Act inserted section 3LA into the Crimes Act in October 2001. The Cybercrime Act was passed through federal parliament in a post-September 11 climate of mounting fear about the threat of terrorism and cybercrime.
That Act created seven new criminal offences: three serious computer offences and four summary computer offences. It also extended police investigative powers in relation to search and seizure of electronically stored data.
The circumstances behind section 3LA
In his 2004 University of Queensland paper titled Handing Over the Keys, Nikolas James points to several reasons why a law that provides police with such pervasive power was passed at the time.
The EU’s Convention on Cybercrime recommended that countries implement laws that guaranteed authorities could access user data under the threat of imprisonment. And France suggested that the convention be open to all countries.
The Australian laws at the time were seen as inadequate when it came to the growing threat of cybercrime. Police were pushing for new powers, as encrypted data represented a significant obstacle to the gathering of evidence.
The Australian business community was also losing faith in the ability of law enforcement to guard against the rising cost of cybercrime. And the public’s perception of the threat posed by cybercrime helped enable authorities to broaden their reach.
Mr James also lists Australia’s involvement in the Five Eyes global electronic surveillance alliance as a reason the law was allowed to pass with little fanfare. The alliance is comprised of the USA, UK, Canada, New Zealand and Australia, and was established under the UKUSA Agreement back in 1946.
The Five Eyes agreement allows security agencies of these nations to collect and share private and commercial communications data with one another. In Australia, strong encryption had been hampering operations, and section 3LA helped facilitate data access.
The implications of section 3LA
Civil liberties groups have always been highly critical of the provision. They point out that the wording of the section is vague and the scope of the investigative powers it provides is almost unlimited. They argue that the section’s intrusion on the privacy of the populace – including those who are not suspected of an offence – is not justified or outweighed by the benefit it provides to law enforcement.
Electronic Frontiers Australia described the passing of the Cybercrime Act as a “knee-jerk reaction to recent well-publicised virus attacks,” that “introduces an alarming law enforcement provision requiring release of encryption keys or decryption of data, contrary to the common law privilege against self-incrimination.”
The digital rights protection organisation further pointed out that the law has the potential to lead to the imprisonment of an individual who has genuinely forgotten their password or encryption keys.
The provisions under section 3LA also have the potential to enable police to access whole computer networks. If an officer has a reasonable suspicion a computer contains some evidential information, they can obtain an order, which will also provide access to any other computer it’s connected to.
And with the scope of the internet, the potential reach is virtually unlimited.
Brandis plans to broaden powers
In July this year, Australian prime minister Malcolm Turnbull announced proposed new laws that will require social media and technology companies like Facebook and Google to allow Australian security agencies access to people’s encrypted messages.
Attorney general George Brandis has actually been pushing for these laws since early 2014.
In a submission to the Senate inquiry into the comprehensive revision of the Telecommunications (Interception and Access) Act 2014, the attorney general’s office stated that these laws “would operate in a similar fashion to orders made under section 3LA.”
“Section 3LA permits agencies that have seized physical hardware… under a search warrant to apply for a further warrant requiring a person to ‘provide any information or assistance that is reasonable and necessary’ to allow information held on the device to be converted into an intelligible form,” the authors wrote.
Co-convenor of the UNSW Cyberspace Law and Policy Community David Vaile told Sydney Criminal Lawyers® in August that the trigger for social media companies starting to use encryption on a wider scale was revelations that the NSA had been hacking into Google data centres.
This information was revealed when Edward Snowden leaked classified documents from the NSA in mid-2013. The thousands of documents exposed by Snowden informed the public that global surveillance programs were being conducted by the NSA, along with other Five Eyes nations.
Big brother is watching
In his 2004 paper, Mr James outlined that by “undermining the effectiveness of encryption, section 3LA redirects the flow of power away from business and private citizens towards law enforcement agencies.”
Encryption empowers citizens to protect themselves against cybercrime without the need of police protection. But by applying the provisions of section 3LA, law enforcement can now shift that balance of power, making individuals more reliant on those agencies.
The provision also works to monitor citizens through panoptic surveillance, according to Mr James.
The panoptic surveillance effect of this law is that individuals are aware that, at any time, police have the potential to access their personal computers and smartphones. So people may begin to self-regulate their behaviour on these devices, as at any moment they might be subject to the investigation of authorities.
Mr James warned that as the population becomes aware such provisions exist, “citizens will willingly and obediently reduce the space within which they feel free to live, to play, to act and to create away from authority’s scrutiny and judgment.”