At a ministerial meeting of the Five Eyes alliance held in the Canadian capital of Ottawa on 26 June 2017, those gathered discussed the hindrance that encryption poses when they’re trying to access private data.
A joint communique released following the meeting noted that encryption was “impeding lawful access to the content of communications during investigations into serious crimes”. And to address this the ministers committed to establishing sharing solutions with tech companies.
The Five Eyes alliance allows the security agencies of the US, Canada, the UK, New Zealand and Australia to collect and share data with one another. And encryption has long been a pet annoyance of the covert arrangement that was established post-World War Two.
About a month after the Ottawa meeting, then Australian prime minister Malcolm Turnbull announced that his government wanted to pass legislation that would enable local security agencies to gain access to actual encrypted data stored on devices and online platforms.
And last December, the Morrison government did just that with the passing of the Assistance and Access Bill. And as Electronic Frontiers Australia policy committee chair Angus Murray points out, this has opened the door to encrypted data not just for Australia, but for all Five Eyes nations.
Access all areas
Mr Murray told Sydney Criminal Lawyers last week that his greatest concern about the encryption-bypassing legislation is the “seemingly scopeless definition” of “designated communications providers”, which is outlined in section 317C of the Telecommunications Act 1997 (Cth).
Designated communications providers include domestic and foreign communications providers, device manufacturers, component manufacturers, application providers, as well as traditional carriers and carriage service providers.
Part 15 of the Telecommunications Act now contains a three-tiered system that allows Australian security agencies to request assistance from designated communications providers so as to access data stored on or via their systems.
A technical assistance request allows providers to give voluntary assistance, such as removing electronic protections or installing software provided by an agency. Then there’s a technical assistance notice, which is a compulsory request for assistance, like handing over decrypted data.
The top tier is a technical capability notice, which needs attorney general approval. It requires a provider to build a new capability that allows access to data. And if a company fails to comply with either type of notice, it can be fined $10 million, while an individual can be fined $50,000.
Quietly monitoring computers
Newly added part 2 division 4 of the Surveillance Devices Act 2004 (Cth) established a new framework of computer access warrants, which allow authorities to covertly access information at its end point when it’s no longer encrypted.
Section 27E of the Surveillance Devices Act provides that these judge-approved warrants allow for the entering of any premises to gain access to the target computer, as well as using any electronic device to help provide that access.
And these warrants also allow agents to add, copy, delete or alter any information on the target computer for the purpose of an operation, or to do the same on any other computer they’re accessing in order to obtain the data on the target.
Surveilling the net
“The definition of computer which is now in the Surveillance Devices Act describes something which is broader than the entire internet,” warned Mr Murray. “What we’ve done is essentially given law enforcement the ability to surveil the entire internet on a covert basis.”
Section 6 of the Surveillance Devices Act contains the new definition of computer, which is “one or more computers, or one or more computer systems, or one or more computer networks, or any combination of the above”.
So, section 27A of the Surveillance Devices Act provides that a law enforcement officer investigating a relevant offence – an indictable offence punishable by 3 or more years’ imprisonment – may apply for a warrant in order to access a target computer, which entails the broad definition.
For all eyes only
Mr Murray further pointed out that the amendments made by the Assistance and Access Bill enable “foreign governments or law enforcement bodies to request surveillance through the operator within Australia”.
Although they require high-level authorisation, the computer access warrant regime can still essentially give “our Five Eyes colleagues and counterparts” access to a target computer, which in its broadest sense is the entire internet.
Newly inserted section 15CC of the Mutual Assistance in Criminal Matters Act 1987 (Cth) provides that the attorney general can request a law enforcement officer to apply for a computer access warrant to enable a foreign agent to obtain access to data on a target computer.
The warrant must be in relation to a serious criminal offence investigation within the foreign country that the agent seeking access is from. And these matters can relate to an offence that carries the death penalty.
And the relevant sections in the Telecommunications Act relating to the access requests and notices that can be presented to designated communications providers allow for all of them to be issued in relation to “assisting the enforcement of the criminal laws in force in a foreign country”.
Undermining protections for all
According to Murray, the Assistance and Access Bill has given the other Five Eyes nations – the US, Canada, the UK and New Zealand – the ability “to use Australia as the starting point or weak link in a global surveillance network”.
And the reason why these sorts of provisions have been established in Australia, as opposed to the four other nations, Mr Murray put forth, is that this country has no “enforceable human rights legislation at the federal level”.
Indeed, Australia is the only western democracy without a federal charter of rights. So, this means that the government gets away with implementing laws that erode citizens’ basic freedoms. And now it seems it also allows for foreign governments to trespass upon their own citizens’ rights.
Not just sitting on the books
Mr Murray said it’s not known whether the ability to surveil the internet via a computer access warrant has been utilised as yet, but the recent AFP press raids reveal that some of the powers that have been provided via the Assistance and Access Bill are definitely in play.
ABC News executive editor John Lyons tweeted that the warrant used to raid the national broadcaster’s Sydney office allowed AFP officers to “add, copy, delete or alter” material on the computers being searched.
The Assistance and Access Bill amended the search warrant framework contained in the Crimes Act 1914 (Cth), so as to provide law enforcement officers with these enhanced search abilities when collecting evidence from electronic devices.
And as can be seen in this instance, while the new powers are being employed right now, they certainly aren’t being used to combat terrorism, but rather they’re targeting journalists, with the ultimate aim of silencing dissent.