4.1
The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (Cth) (the Bill) provides for the insertion of Network Activity Warrants (NAWs) into the Crimes Act 1914 (Cth) (the Crimes Act) for use by the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC).
4.2
Following the setting out of some general comment this chapter will set out in more detail the following:
Determining the application
What an application must contain
What a data disruption warrant authorises
Extension, variation and revocation of a data disruption warrant
Revocation and discontinuance of access and disruption under warrant
Oversight, review and privacy
4.3
The Committee notes that a number of concerns raised by submitters, particularly the Law Council of Australia, and responses given by the Department of Home Affairs are similar, if not identical to, issues canvassed in the previous chapter on Data Disruption Warrants.
The requirement for the proposed legislation and the purpose of the powers
4.4
As describe in Chapter One NAWs would allow the AFP and the ACIC to collect intelligence on criminal networks operating online by permitting access to the devices and networks used to facilitate criminal activity. The Department of Home Affairs said:
The Bill introduces a network activity warrant to enable the AFP and ACIC to collect intelligence on criminal networks operating online. This will enable investigators to identify offenders and understand the scope of their activities to build a full picture of how criminal networks are operating online. The intelligence gained through this will inform investigations by enabling law enforcement to strategically target criminal networks of the biggest threat to maximise impact.
4.5
The threat environment and requirement of the NAWs is common across the other warrant types and referenced in earlier chapters. This chapter focusses specifically on the Bill itself and the proposed provisions relating to NAWs. The AFP said:
In the online environment, we’re far more restricted in how we can track illegal activities in this way. We can assume an identity and interact with offenders. We can get targeted warrants to intercept their communications and access their data, and, with the TOLA industry assistance framework, we can get help to pen the front door. But we’ve still got one hand tied behind our back.
4.6
The AFP said the purpose of NAWs was for intelligence, and specifically they would be used in advance of specific computer access warrants against individual devices. The AFP said a NAW would allow them to collect intelligence on a network of computers to best identify which devices to target under a subsequent, and separate, computer access warrant.
4.7
The AFP said the rapid development of anonymising and encrypted technology was changing the counter-terrorism environment and presenting new challenges for the AFP. They said it was incredibly challenging for law enforcement to positively identify persons of interest and NAWs would provide additional opportunities to reduce the threat to public safety by enabling earlier intelligence connection.
4.8
The AFP said NAWs could be used to identify unknown individuals in contact with a known individual. The AFP said a computer access warrant could be sought for the known individual but the NAW would be used to allow the AFP to gather intelligence about the broader network of individuals in contact with the known individual, even as they move between different encrypted platforms. The Department of Home Affairs said NAWs would be used as a first step to gather intelligence that allows the use of more targeted warrants. In this sense the NAWs could be considered as often antecedent to computer access warrants.
4.9
The ACIC placed this Bill in the context of the TOLA Act and said:
Traditionally, we may know who has done something or we might know what somebody has done. If we are lucky enough to know the who and the what, we use electronic surveillance that we currently have under TI, surveillance devices, search warrants under the Crimes Act and all sorts of other covert and overt investigative powers. But when we do not know the who or the what, we have a very significant gap. This is where we use components of the TOLA legislation to help us work with telecommunications companies et cetera to help discover the networks that are available. And now this piece of legislation will enable us to get on those networks.
4.10
The ACIC said NAWs would ‘immediately transform’ the ACIC’s ability to discover and understand serious criminal groups using the dark web and encrypted communication platforms to undertake facilitate serious crime. The ACIC said this would ‘critical enhance’ the ability of the ACIC to more accurately inform the national understanding of serious and organised crime.
4.11
The ACIC said the requirement for an NAW was because while the ACIC might be able to detect criminal behaviour on a website or network, they could not identify all the individuals participating in criminal behaviour in the network. They said a NAW would provide the ability to target and infiltrate the network, or class of computers, in which the crime is occurring so the members could be fully identified and the extent of the criminality be detected through intelligence collection.
4.12
The Law Council of Australia said the necessity of these particular powers had not been demonstrated as:
Intrinsic materials to the bill do not clearly or precisely identify a gap in existing investigative powers or the need for both the AFP and the ACIC to have dedicated intelligence collection powers.
At the moment, we have a very significant gap in law enforcement in tackling serious and organised crime due to encrypted networks. These criminal networks are currently operating, for example, in Australia on dedicated encrypted devices of which we estimate there may be just over 10,000 in this country…you do not have one of these devices unless you are a criminal.
4.14
The ACIC said they were ‘flying blind’ with respect to these 10,000 devices. Additionally the ACIC said:
I note that these networks operated by criminal networks are something that is different to what we’ve been able to tackle in law enforcement in this country up until this time – right now, as a matter of fact, before the Bill.
4.15
The Uniting Church discussed criminal networks in their submission, a particularly relevant concept given the importance of ‘criminal network’ in the proposed sections below. They said some criminal networks required a monthly subscription of providing a fresh image of a child being sexually abused, in order to maintain presence within the network.
4.16
The Carly Ryan Foundation described the requirement for these powers and the evolution of criminal offending using online means:
For me, the power for law enforcement agencies to be able to have data disruption warrants, network activity warrants and account takeover warrants is something that needs to happen. Crimes have changed. We have seen criminals hiding behind the anonymity of the internet and hiding behind privacy. When we put privacy ahead of protecting children I think we have a real societal issue.
4.17
The CRF said they were observing a huge network of offending happening online. To illustrate the scale or size of these networks, the Uniting Church noted the existence of an 18,000 person network who was involved in a site that was just dealing with sexual abuse of infants and toddlers in 2019. They said the networks were of a very large scale and the AFP were overwhelmed with the ‘sheer scale and size’ of the number of people engaged in these online abuse activities.
4.18
The ACIC noted the possible relationship between NAWs and disruption:
When we have got hold of the network we may need the tools to be able to disrupt them that we currently don’t have. We may want to do something to those networks similar to what they did in the United Kingdom, France and other countries.
Applications for network activity warrants
4.19
The Committee considered the application process for NAWs including the requirements for application, requirements for granting, emergency applications, applicable offences and the issuing authority.
Threshold and application requirements
4.20
The Bill provides for details for applications for NAWs at proposed section 27KK. They include, but are not limited to, the following requirements:
1
A group of individuals is a criminal network of individuals; and
2
Access to data held in a computer (the target computer) that is, from time to time, used, or likely to be used, by any of the individuals in the group will substantially assist in the collection of intelligence that:
a.
Relates to the group or to any of the individuals in the group; and
b.
Is relevant to the prevention, detection or frustration of one or more kinds of relevant offences.
4.21
Specifically this proposed section provides that it is immaterial if the identities of the individuals in the group are unascertained, the target computer can be identified or the location of the target computer can be identified. It is furthermore not material that the composition of the group changes from time to time. The effect of these proposed provisions would be to broaden the scope of applicable entity to which these proposed powers would apply.
4.22
These applications can be made by written document. The Bill provides for remote applications at proposed section 27KL of the Bill. The Department of Home Affairs said:
The network activity warrant has been lifted up to a more senior level because of the intelligence collection nature. That was determined appropriate, given the limited number as well.
4.23
The Bill provides for what information these applications must contain at proposed section 27KN of the Bill. This includes the kinds of relevant offences in respect to which the warrant is issued and the criminal network.
Criminal network
4.24
One of the most significant issues identified with the NAW framework, and most common topic in submissions, related to the definition of ‘criminal network of individuals’ in the Bill. Whilst slightly hyperbolic, the oft-repeated argument was that a NAW could be used to gather intelligence on every user of WhatsApp, technically. The Law Council of Australia recommended amending the definition of ‘criminal network of individuals’. The Human Rights Law Centre (HRLC) said:
The definitions provided by the network activity warrants are so expansive as to be practically unlimited in scope.
4.25
The Law Council of Australia said under the present definition it could be that a single person is suspected of an offence, but the power would allow application to a whole group. They said it could be that the group is not a criminal network, but a network that happens to have a criminal within it. The Law Council of Australia suggested:
There’s no nexus between the criminal activity and the group. Building the nexus would be a way of tightening it up.
4.26
Specifically the Law Council of Australia recommended amending the Bill to require reasonable suspicion of a nexus between the suspected conduct of an individual group member in committing an offence, or facilitating the commission of an offence (or having done so, or being likely to do so); and the actions or intentions of the group as a whole. Additionally, they recommended amending the Bill to require proof that access to data held in the target computer was likely to substantially assist in the collection of intelligence that: relates to the group, or the actions of one or more of its individual members in pursuit of a common criminal purpose of the group; and is relevant ot the prevention, detection or frustration of one or more kinds of relevant offences, which are committed or facilitated in pursuit of a common criminal purpose of the group.
4.27
The Cyber Security Cooperative Research Centre (CSCRC) said while the definition appeared vague, it was necessarily so for the intelligence gathering purposes of the warrant. They said it was unlikely the AFP or ACIC would use the power against an unrealistically large group but recommended the network be defined in the warrant application itself.
4.28
The Uniting Church noted the different types of offending which could occur within networks. They said there was debate about contact and non-contact offenders within child exploitation networks. They said there were networks composed of largely contact offenders, but also non-contact offenders who purchase child exploitation images and don’t engage in the contact offending themselves.
4.29
The Department of Home Affairs said that the definition was drafted ‘to ensure operational efficacy’ and is
designed to capture individuals who did not intentionally facilitate criminal activity, or who may be accessing the same electronic service as those who do have those intentions. It is necessary that these individuals fall within scope of the warrant because the devices they use may hold, or lead to, valuable intelligence about criminal activity. The breadth of this definition is balanced by the stringent criteria to obtain a network activity warrant and the limitations on the use of information obtained under the warrant for intelligence collection purposes only.
4.30
In addition the Department of Home Affairs made a number of points as follows:
criminal networks targeted by network activity warrants will not always be operating for a common criminal purpose—they may have multiple purposes and goals of which only some members are a part and carry out a range of serious crimes of differing gravity; and,
dedicated encrypted communication platforms, such as Phantom Secure or Encrochat, which are commonly used by organised crime groups. Such organisations are frequently involved in multiple different types of offending.
4.31
Ultimately The Department of Home Affairs submitted that implementing the Law of Australia’s recommendation could
undermine the intended purpose of network activity warrants as an intelligence collection tool to identify unknown individuals and the scope of their offending. Only being able to target one criminal enterprise would be detrimental to law enforcement gaining a complete understanding of the group’s criminal activities. It is the intelligence gathered under this warrant that may show the common criminal purpose as agencies may not have an accurate understanding of what criminal activity is being facilitated until they have access to devices used by the criminal network.
Issuing authority
4.32
The issuing authority for NAWs is an eligible Judge or nominated AAT member as provided by proposed section 27KK(3). This is similar to the Data Disruption Warrant (DDW) framework but distinct to the Account Takeover Warrant (ATW) framework. The Law Council of Australia recommended amending the Bill so that only judges of a superior court could authorise these warrants. These arguments and responses from the Department of Home Affairs are similar to those set out in the chapter on Data Disruption Warrants (DDW).
Determining network activity warrant applications
4.33
The Bill provides for the process for determining NAWs by the issuing authority at proposed section 27KM of the Bill. Specifically this provides that the issuing authority may issue the warrant if satisfied that there are reasonable grounds for the suspicion founding the application of the warrant. Furthermore the issuing authority must have regard to:
1
The nature and gravity of the conduct constituting the kinds of offences in relation to which information will be obtained under the warrant; and
2
The extent to which access to data under the warrant will assist in the collection of intelligence that:
a.
Relates to the group referred to in paragraph 27KK(1)(a) or to any of the individuals in the group; and
b.
Is relevant to the prevention, detection or frustration of one or more kinds of relevant offences; and
3
The likely intelligence value of any information sought to be obtained; and
4
Whether the things authorised by the warrant are proportionate to the likely intelligence value of any information sought ot be obtained; and
5
The existence of any alternative, or less intrusive, means of obtaining the information sought to be obtained; and
6
The extent to which the execution of the warrant is likely to result in access to dat a of persons who are lawfully using a computer; and
7
Any previous warrant sought or issued under this Division in relation to the group referred to in paragraph 27KK(1)(a).
4.34
The Department of Home Affairs said it was these factors that de facto narrowed the scope of the power so as to avoid the risk of intelligence collection against all users of WhatsApp, for example.
4.35
The Law Council of Australia however said there was a real risk that the mandatory considerations under proposed section 27KM would become ‘proforma assertions in affidavits’. They said it was rare for an issuing authority to seek additional information on a particular topic.
4.36
The Communications Alliance said they were concerned that NAWs could be damaging for the privacy of third parties and recommended a requirement in the Bill to take into account the privacy of third parties.
4.37
The Inspector-General of Intelligence and Security (IGIS) said the absence of considerations with respect to privacy in the granting criteria was conspicuous in this section. Specifically:
Clarity on the extent to which the right to privacy is intended to guide the use of network activity warrants will assist IGIS in the exercise of its legality and human rights oversight functions.
Relevant offences
4.38
The Bill provides the NAWs can be sought in relation to relevant offences which carries the same definition as DDWs, and materially the same definition as ATWs though the latter is a creature of the Crimes Act. This definition is drawn from the existing SD Act to which these powers are proposed to be inserted into, and is not a new definition. The new component, as was identified in the evidence to this Committee, was applying these new powers to the existing definition and the appropriateness of doing so. This issue has been addressed in detail in Chapter 2.
4.39
The AFP discussed the relevance and importance of context when considering the relevant offences these powers would apply to:
Criminal networks that we see online now, they commit a number of different offences. Collectively, it equals serious and organised crime.
4.40
The Department of Home Affairs said proposed section 27KM(2) was intended to ensure the issuing authority considered ‘the nature and gravity of the conduct constituting the kinds of offences in relation to which information will be obtained under the warrant’. The Department of Home Affairs said:
All of that together makes it very difficult to envisage a circumstance where you could have an offence that is subjectively considered a not serious three-year offence and then still get something like this network activity warrant. There is a range of measures in place for the issuing authority to give consideration to make sure that that exactly can’t happen and that he nature and the gravity of the conduct is forefront.
4.41
The Department of Home Affairs said if the thresholds were changed then potentially you would not be able to get targeted warrants for offences and do the intelligence work that the AFP have said they need to identify the offending.
Emergency authorisations
4.42
There are no provisions for emergency authorisations in the Bill for this power given its intrusiveness and intelligence function, the justification for use in life-threatening situations is absent.
Duration, extension, revocation and variation of the warrants
4.43
The Bill provides for the extension and variation of NAWs at proposed section 27KQ of the Bill. The effect of this proposed section is to allow for multiple 90 day extensions of the warrants.
4.44
The Bill provides the warrants may only be issued for a period of no more than 90 days at proposed section 27KN(2) of the Bill. This is common across the three warrant types.
4.45
The Bill provides for revocation processes at proposed section 27KR of the Bill.
What a network activity warrant authorises
4.46
The Bill provides for what NAWs authorise in proposed section 27KP of the Bill. While similar to a computer access warrant, NAWs are distinct and could be considered as broader. It is possible the intention of a computer access warrant is further along a spectrum of warranted powers for these agencies and a NAW is designed to collect intelligence before a computer access warrant was sought, including to scope probable suspects for subsequent warranted activity.
4.47
Concealment provisions and certain acts not authorised are provided at proposed sections 27KP(6) and (8) of the Bill.
Journalist information
4.48
The HRLC said the AFP could seek a NAW in relation to a journalist, and from that point access a WhatsApp group to which the journalist belonged which would give rise to press freedom concerns.
Power to authorise the use of surveillance devices
4.49
The Law Council of Australia recommended amending the Bill to omit the power to use surveillance devices under a NAW. They additionally provided non-preferred recommendations to this proposed section too. Arguments around the use of surveillance devices is covered in detail in Chapter 2.
Oversight, review and privacy
4.50
The Bill provides that oversight of these powers would be by the Inspector-General of Intelligence and Security. The Law Council of Australia recommended the Government increase funding to the IGIS to ensure they were able to adequately perform their oversight functions.
4.51
Department of Home Affair said that:
The power to authorise the use of surveillance devices under network activity warrants does not constitute a trend towards a ‘single electronic surveillance framework’, as suggested by the Law Council. Rather, this limited and incidental use of surveillances devices reflects the challenges agencies face in combating serious cyber-enabled crime occurring in the increasingly complex modern communications environment.