5.1
The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (the Bill) provides for the insertion of account takeover warrants (ATWs) into the Crimes Act 1914 (Cth) (the Crimes Act) for use by the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC).
5.2
This chapter will set out in more detail the following:
The threat environment and requirements for the powers
Necessity and proportionality of the powers
Applications for account takeover warrants
What an application must contain
The issuing officer and threshold for granting the warrant
The applicable offences to which the warrant applies
What an account takeover warrant authorises
The scope of activities authorised by the warrant
Online account restoration
Extension, variation and revocation of account takeover warrants
Modifications to the Controlled Operations regime and other minor amendments not related to ATWs
The requirement for the proposed legislation and the purpose of the power
5.3
As described in Chapter One ATWs would allow the AFP and ACIC to take exclusive control of specified online accounts possibly for the purpose of gathering evidence, or intelligence, to further a criminal investigation. Of note and according to the evidence received by this committee, the ATW would only authorise the control of the account and any gathering of evidence would need to be supported by powers or warrants elsewhere.
5.4
The AFP said these powers could be used alongside search warrants and controlled operations as they were not intended for use by themselves. It is possible the combination of controlled operations and account takeovers would involve AFP control and use of alleged offender online accounts to collect intelligence and evidence against other offenders. The AFP said ATWs would allow them to assume the identity of an offender to take down child abuse material, identify further offender networks and their victims which they could not currently do.
5.5
The Explanatory Memorandum (EM) for the Bill said these powers were intended for use against serious crime types such as terrorism and child-exploitation. The threat environment and requirement for the ATWs is common across the other warrant types and is referenced in earlier chapters.
5.6
The AFP said there was an existing gap these warrants would remedy. They said they had previously conducted consensual account takeovers but if consent was not forthcoming then this would hamper law enforcement efforts to frustrate offending or collect information. The AFP said account takeovers were not intended to be exercised in isolation – they were intended for use in conjunction with existing law enforcement powers. The Department of Home Affairs said the narrow drafting of ATWs was deliberately for these purposes, and would increase the proportionality of the powers.
5.7
The AFP said it was critical for the AFP to promptly secure online accounts during search warrants to prevent content being deleted by an offender and preventing other perpetrators in the network being alerted to law enforcement interest. The AFP said their current challenges for child protection, as it related to ATWs, included the inability to safeguard resolution when executing warrants, the inability to take down child abuse material without account details, and that account access could both be retracted at any time and it was dependent on the offender’s willingness to negotiate.
5.8
The AFP said ATWs would greatly benefit child protection investigations. They said ATWs would lessen the risk that offenders not provide consent to a takeover which would halt valuable avenues of investigation and evidence collection or delete key evidence and notify criminal associates. The AFP said a covert ATW could prove useful prior to resolution of a search warrant.
5.9
The AFP said ATWs would provide alternative avenues to remove child abuse material from an offender’s online, cloud-based accounts, or prevent others accessing that material if the AFP had a data disruption warrant (DDW).
5.10
The ACIC said ATWs would allow both the AFP and ACIC to use the ‘trusted relationships and networks’ that already existed between criminals against those very criminals. They confirmed what several other submissions had already noted that they would be often used in conjunction with other powers.
5.11
The ACIC said ATWs would be an efficient method to infiltrate online criminal networks and could play a ‘crucial’ role in uncovering the identities of otherwise anonymous criminals, while also gathering evidence.
5.12
The ACIC said they could disrupt crime under an ATW by preventing access to a criminal network, influencing a criminal network to support law enforcement operations, or collecting evidence. The ACIC said the ability to exploit existing relationships within criminal networks would be more effective than infiltrating the networks via other means.
5.13
The ACIC said these powers could additionally be used to preserve evidence where technology enables quick destruction of material on devices.
5.14
The Law Council disagreed with the government-provided arguments of necessity and recommended ATWs not proceed unless and until a detailed justification of the perceived necessity was provided publicly which should include specific reasons for the perceived necessity of the power.
5.15
The Law Council said the EM did not identify the precise objective underlying the power to lock someone out of an online account in addition to covertly monitoring the person’s activities using that account. The Law Council queried whether the objective was to prevent destruction of evidence by a target, or to frustrate the commission of a relevant offence using that account.
5.16
The Department of Home Affairs described the process and purpose of account takeover, saying:
To take control of an online account involves law enforcement taking steps that result in law enforcement’s exclusive access to the account. In most cases, taking control of an online account will involve depriving the account holder or a user of their access to the account. This may facilitate the preservation of evidence, by ensuring that offenders cannot remove evidence of their criminality, but this is not the primary purpose. By enabling law enforcement to obtain exclusive control of an account, offenders are not able to alert other offenders of potential law enforcement activity.
5.17
The Law Council said the EM noted law enforcement agencies can presently only takeover a person’s account with that person’s consent and this power was intended to address this gap. The Law Council said this did not explain why these powers were necessary in light of several existing investigative powers. They said existing electronic surveillance powers existed which would authorise access (under computer access warrants, and surveillance device warrants authorising the use of data surveillance devices) to monitor a person’s online activities using an account, for the purpose of obtaining evidence of a suspected relevant offence.
5.18
As discussed above and based on evidence provided by the AFP it may be that ATWs are intended more towards collecting information against other suspects (subject to appropriate approvals) rather than collecting information against the person whose account is being taken over.
5.19
The Queensland Council for Civil Liberties and others in a joint submission said they did not accept that ATWs should be introduced into Australian law. The Human Rights Law Centre (HLRC) said there was a lack of evidence justifying the need for the warrants. In contrast, the Police Federation of Australia (PFA) and Uniting Church in Australia (Synod of Victoria and Tasmania) (the Uniting Church) said they supported the Bill and thought it should be introduced into Australian law.
5.20
The HLRC said ATWs would enable the AFP and ACIC to undertake significant invasions of privacy in the investigation of suspected criminal activity.
5.21
The Cyber Security Cooperative Research Centre (CSCRC) said if passed the Bill, including this power, would play a key role in countering serious cyber-enabled crime committed domestically and offshore. The CSCRC said authorities would no longer be required to ask serious criminals for permission to access online accounts as is the case currently.
5.22
The NSWCCL described ATWs as ‘crime prevention tools’ and a new warrant type for law enforcement as their intention was not evidence gathering. Amazon Web Services said ATWs were ‘formulated for fundamentally different objectives for law enforcement’ as they were not for gathering evidence per se but to allow law enforcement agents to effectively stand in the online shoes of persons suspected of engaging in potential criminal activity. Amazon Web Services said these warrants would represent a significant departure from existing warrants and would elevate the risk to liberty and privacy of individuals which should be commensurate with an elevation of checks and balances. In a broader discussion relevant to all of the powers the Law Council said:
This is a big, further step and, hence, the need for the level of protections. If those steps are taken, the level of protections needs to be, correspondingly, much higher.
5.23
The AFP disagreed with this characterisation and said:
I want to emphasise that disrupting crime is a core business for the AFP. There is a misconception that disrupting crimes means that an investigation will never proceed to prosecution. This is simply not true. Many of our disruption efforts still result in the prosecution of offenders.
Applications for account takeover warrants
5.24
The Committee considered the application process for ATWs including the requirements for application, requirements for granting the application, emergency applications, applicable offences and the issuing authority.
Threshold requirements and who may apply internally
5.25
The Bill provides details for applications for ATWs at proposed section 3ZZUN. They are:
1
A law enforcement officer may apply to a magistrate for the issue of an account takeover warrant if the law enforcement officer suspects on reasonable grounds that:
a.
One of more relevant offences have been, are being, are about to be, or are likely to be, committed; and
b.
An investigation into those offences is being, will be, or is likely to be, conducted; and
c.
Taking control of one or more online accounts (the target accounts) is necessary, in the course of that investigation, for the purpose of enabling evidence to be obtained of the commission of those offences.
5.26
These applications can be made by written document or in an emergency by other means of communication. If the latter occurs, the proposed section provides for several requirements to occur. The proposed section allows the magistrate to require the applicant provide additional information as is necessary for the proper consideration of the application.
5.27
The Law Council recommended limiting the ‘law enforcement officers’ who can apply for ATWs to staff members of a minimum classification who have been specifically authorised by the AFP Commissioner or ACIC CEO (as applicable) rather than authorising all staff of the AFP and ACIC as default. The Department of Home Affairs said this proposed provision was to maintain consistency with other powers in the Act.
5.28
The AFP said they had internal approval mechanisms to limit warrant and control warrant applications, saying:
It has to be adjudicated. We have internal processes that go to a rank officer to make those calls. One is, you can’t go to that issuing authority or issuing officer without going through that process. It has to be adjudicated. The resources have to be allocated. There are the costings of what this investigation or matter is going to apply and the specialist resources required. There’s a lot that goes in before you make this application.
5.29
When questioned about junior officers and whether these sections could or should be modified (in relation to both ATWs and DDWs) the AFP said:
You may open up a can of worms in the sense that you may have a sergeant who’s less experienced than a senior constable or constable. You might have a 25-year veteran who’s a detective constable and never wants to go anywhere from a rank point of view. You could classify them as a junior officer but they’re probably more experienced than the sergeant. We don’t just have rank and the junior bit attached to that.
5.30
ACIC said they had existing training and oversight mechanisms in place regarding applications for warrants. ACIC noted their ‘Excellence in Compliance’ strategy relating to this topic.
5.31
The Law Council recommended amending the definition of ‘online account’ per proposed section 3ZZUK to cover a more limited sub-set of online accounts, such as social media, email, and data or voice messaging accounts. The Law Council said if there was no intention to limit the definition of ‘online account’ in this way, they recommended the issuing criteria should apply specific exclusions or limitations in relation to online accounts that are used to provide essential services to a person such as banking and governmental services.
5.32
The Law Council recommended reducing the scope of the proposed definition of ‘online account’ to accounts connected with electronic communications services in a way similar to the definition of ‘designated communications provider’ for the proposed Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (Cth) (the IPO Bill).
5.33
The Law Council noted the definition of ‘online account’ was increasingly broad and encompassed most online activity. They said this, in combination with the definition of ‘relevant offence’, gave rise to issues of proportionality overall for the Bill. The Law Council said the EM did not provide insight into the key types of online accounts that the powers are directed towards.
5.34
Home Affairs said the definition of online account per proposed section 3ZZUK of the Bill was ‘deliberately broad and technologically neutral’. They said the type of accounts that may need to be taken over to enable evidence to be obtained varied immensely contingent upon the unique circumstances of each investigation.
5.35
Home Affairs said it was important the definition of online account encompassed bank accounts and government services accounts. They said access to these accounts could be critical in revealing illicit financial flows, suspicious transactions or additional criminal actors, directly relevant to the crime being investigated.
5.36
Home Affairs said government accounts such as Centrelink and Medicare can form part of investigations into fraud, identity theft and the transfer of the proceeds of crime. They said it was important therefore that the ACIC and AFP were able to conduct account takeovers of these account types.
What information account takeover warrant applications require
5.37
The Bill provides for what information is required in an ATW application at proposed section 3ZZUQ. This includes, but is not limited to, the applicant, the alleged offence, the target account (including the holder when known) and an outline of the investigation. This provision indicates that the subject of the warrant would be a target account rather than a named individual necessarily.
5.38
The Ombudsman said the Bill required ATW applications to provide ‘sufficient information’ to enable the magistrate to make a determination. The Ombudsman recommended that an ATW application require an affidavit setting out the grounds of an application consistent with delayed notification search warrants (the Crimes Act), surveillance device warrants and retrieval warrants (the Surveillance Devices Act 2004 (Cth) (the SD Act), computer access warrants (the SD Act), telecommunications interception warrants ((Telecommunications (Interception and Access) Act 1979 (Cth) (the TIA Act)), proposed data disruption warrants, and proposed network activity warrants.
5.39
The Law Council also recommended the inclusion of an affidavit requirement setting out the facts and grounds on which the warrant application was based. The Law Council said this was anomalous given that ATWs have been designed to operate in tandem with other warrants that required affidavits (such as computer access warrants). The Law Council said the requirement for affidavits was an important form of assurance in relation to the rigour, precision and internal approval requirements for warrant applications.
5.40
Home Affairs said ATW applications must provide sufficient information to enable the magistrate whether or not to issue the ATW. They said other existing warrants do not explicitly require the production of an affidavit such as search warrants.
5.41
The QCCL and others said the warrants should include the statutory requirement the issuing authority must consider the human rights (including specifically the right to privacy) implications of issuing the warrants.
Issuing authority
5.42
Account takeover warrants are issued by a magistrate per proposed section 3ZZUJ of the Bill. In this sense the ATW regime differs substantially from the network activity warrant (NAW) and data disruption warrant (DDW) regimes discussed earlier. The applicant for an ATW must suspect on reasonable grounds that:
1
One or more relevant offences have been, are being, are about to be, or are likely to be, committed; and
2
An investigation into those offences is being, will be, or is likely to be, conducted; and
3
Taking control of the online accounts is necessary, in the course of that investigation, for the purpose of enabling evidence to be obtained of the commission of those offences.
5.43
The AFP and Home Affairs said the issuing of ATWs by a magistrate was consistent with existing powers in the Crimes Act. Home Affairs discussed this point and said:
We looked closely at the nature of the power and, in determining the nature of the power, determined that it was government determined and it was probably best placed in the Crimes Act, and those warrants are generally issued by magistrates.
5.44
However the Ombudsman recommended eligible judges and nominated Administrative Appeals Tribunal (AAT) members would be more appropriate issuing authorities for ATWs. This would have the practical effect of matching the issuing authority for ATWs to the other two warrants being considered under this Bill. Several submissions took this recommendation further and argued only superior court judges should be authorising officers for these powers, removing the role of AAT members and magistrates all together.
5.45
The Ombudsman said raising the issuing authority would be more consistent with covert regimes for delayed notification search warrants (Crimes Act), surveillance device warrants and retrieval warrants (the SD Act)), computer access warrants (the SD Act), telecommunication interception warrants (the TIA Act), proposed data disruption warrants, and proposed network activity warrants. The Ombudsman said having a magistrate issue ATWs was more consistent with overt powers than covert powers.
5.46
The Commonwealth Ombudsman said while the provisions of the Bill were consistent with other warrants in the Crimes Act:
We see an important distinction here in relation to the covert nature of these powers and suggest that it would be preferable for eligible judges and nominated AAT members to be the issuers of account takeover warrants and emergency authorisations, because of a consistency with the existing covert regimes for things such as delayed notification search warrants, surveillance device warrants and retrieval warrants, computer access warrants, and telecommunication interception warrants. With respect to all of those, it is judges and members of the AAT, as I understand it, who issue those covert warrants, and it seems to us sensible and consistent with those arrangements to approach it in that way.
5.47
The Commonwealth Ombudsman said judges and AAT members were more accustomed, and had background in, covert powers. The Law Council recommended amending the issuing authority to be a superior court judge, and not even a nominated AAT member. The Law Council said any operational issues with having a superior court authorise these warrants would be an issue of court resourcing and would depend on the volume of applications. In terms of whether altering the issuing authority would present an operational issue the AFP said:
I don’t want to overegg the pudding and say this would be disastrous in terms of operational impact, but, as Andrew [Warnes] said, it’s very consistent in terms of the powers that we currently have in place.
5.48
Twitter said the use of ‘lower-level magistrates’ to issue ATWs was inconsistent with other electronic surveillance warrants. Twitter said the Committee had previously recommended serious search warrants be issued only by senior judges.
5.49
The NSWCCL recommended the power to issue ATWs be limited to judges. NSWCCL said magistrates were not tenured and often did not have the background needed to properly examine requests under pressure and be prepared to reject the requests. NSWCCL said in Smethurst v Commissioner of Police a magistrate misstated the offence and used language so vague it provided no real limit on the nature of the search.
Determining account takeover warrant applications
5.50
The Bill provides for the determination of ATWs at proposed section 3ZZUP:
1
A magistrate may issue an account takeover warrant if satisfied that there are reasonable grounds for the suspicion founding the application for the warrant.
2
In determining whether an account takeover warrant should be issued, the magistrate must have regard to:
a.
The nature and gravity of the alleged relevant offence, or alleged relevant offences, in respect of which the warrant is sought; and
b.
The existence of any alternative means of obtaining the evidence sought to be obtained; and
c.
The extent to which the privacy of any person is likely to be affected; and
d.
The likely evidentiary value of any evidence sought to be obtained; and
e.
Any previous warrant sought or issued under this Division in connection with the same online account; and
f.
Any previous warrant sought or issued under this Division in connection with the same alleged relevant offence or the same alleged relevant offences.
5.51
Home Affairs said the determining characteristics assisted in narrowing the applicable relevant offences and ensuring proportionality for the powers. Specifically they noted the requirements, for example, in proposed section 27KM(2).
5.52
The QCCL and others said the threshold requirement of ‘reasonable suspicion’ was ‘inappropriately low’. The QCCL and others recommended the threshold for issuing ATWs be raised to ‘reasonable belief informed by probative evidence’. The AIIA said they supported the QCCL recommendation that the threshold for granting the warrants should be raised from ‘reasonably suspecting’ to ‘reasonably believing on the grounds of probative evidence’.
5.53
The OAIC recommended the Bill or EM be expanded to identify some of the ‘objective circumstances that should be considered in determining whether there are ‘reasonable grounds’ to support the seeking and issuing of a warrant’. The OAIC said this would assist in ensuring consistency in decision making as it relates to ‘reasonable grounds’.
5.54
The Law Council recommended introducing specific protections for privileged and journalistic information as part of the issuing criteria and process for the powers. The Law Council noted the PJCIS press freedoms inquiry and the recommendations made as part of that inquiry relating to this topic.
5.55
The Law Council recommended requiring the applicant specifically declare whether they believed on reasonable grounds that the data access sought would include information subject, or likely to be subject, to client legal privilege. If it was expected, then the following issues should be addressed by the issuing authority: access to privileged information is necessary to execute the warrant; the public interest in accessing the information outweighs the interest in protecting it; and adequate procedures have been implemented to protect information subject to a claim or likely claim of client legal privilege.
5.56
Home Affairs said the existing proposed provisions in section 3ZZUP supported magistrates giving consideration to third party impacts that included, but were not limited to, privacy.
Public interest monitor, advocate or contradicter
5.57
The Law Council recommended the inclusion of a Public Interest Monitor (PIM) as part of the warrant authorisation process. The Law Council said this person would test the propositions being put by the applicant to the issuing authority. The Law Council recommended a role for public interest advocates in all warrant applications that related to journalistic information and noted the PJCIS press freedoms inquiry recommendations. They recommended at least warrants sought in relation to journalists should be approved by a superior court judge.
5.58
The NSWCCL and QCCL et al. recommended the creation of PIM to protect the public interest regarding applications by law enforcement agencies for various warrants. NSWCCL said a similar role existed to some extent in Queensland, Victoria and New South Wales. NSWCCL said the Independent National Security Legislation Monitor (INSLM) did not fulfil this function. NSWCCL recommended a PIM be able to contest warrant and be informed of warrants before they are issued. The QCCL et al. said the warrants should be subject to a PIM to ensure that ‘these intrusive powers remain in the public interest and do not scope creep without oversight and a modicum of transparency’.
5.59
The Uniting Church in response to the recommendation for public interest advocates or monitors said:
If you suddenly introduce a public interest monitor – as far as I can tell, the purpose there would be to only consider the right of privacy – then who advocates for the victims of human rights abuses such as the potential of being murdered, raped, tortured, subjected to sexual abuse? Do we have a victim’s advocate who appears as well?
5.60
No Commonwealth precedent for a public interest advocate or monitor (in existence) was provided to the Committee.
Regard to technical considerations
5.61
The Communications Alliance recommended the judicial authorisation process be informed by independent technical advice on the intended method of disruption, and potential risks to networks, third parties or other ‘collateral damage’.
5.62
The AIIA recommended the government stand up an independent board or approved list of communications and technology technical experts that are able to be consulted before applications for warrants are made. Of note, these recommendations were often common across the three warrant types and may be more relevant for the disruption powers considered elsewhere in this Bill. The AIIA said this board would have regard to security, integrity and technical feasibility considerations of government intervention in systems and networks and could provide advice to both government and industry in facilitating the disruption of crime in a reasonable, proportionate and technically feasible fashion.
Regard to privacy (including third parties)
5.63
The Law Council recommended amending the Bill to require the issuing authority have specific regard to adverse impacts on third parties and several other factors. The Law Council said this should include specific requirements to assess likely: impacts on personal privacy; financial impacts on individuals and businesses; impacts on a person’s ability to conduct their business and personal affairs; and impacts on a person’s ability to have contact with family members, or provide or receive care.
5.64
The HRLC recommended amending the Bill so that in circumstances where an alternative means exist of preventing the offence or obtaining the evidence sought, the decision-maker should be obliged to deny the application unless reasonably satisfied that the alternative means would be more intrusive on the targeted individual’s privacy, or materially less effective in frustrating the offence or obtaining the evidence sought. The HRLC said the issuing authority must have regard to the existence of any alternative means of frustrating the offence or obtaining the evidence sought, however a warrant may be issued regardless of any such means.
5.65
DIGI said the requirement in the Bill for the issuing authority to have regard to the impact on privacy was ‘not sufficient’ as it was limited and vague. DIGI said ‘to have regard to privacy’, as was currently in the Bill, was highly general and not replicable. DIGI recommended stronger protections for privacy across all the powers, which should include whether these warrants are proportionate and necessary. The OAIC said the provisions in the ATWs required a magistrate to have regard to the extent to which the privacy of any person was likely to be effective. The OAIC however said they considered this to be a privacy protective measure that would help to ensure that ATWs were only issued in circumstances that were ‘reasonable, necessary, and proportionate to do so following consideration of the privacy impacts’.
5.66
DIGI recommended law enforcement write a ‘Privacy Impact Assessment’ for every warrant under the Bill. DIGI said while the EM alludes to such considerations they were not in the Bill itself. DIGI said this assessment would be in line with consumer expectations of their data privacy, provide necessary reassurances to the service provider on the due diligence undertaken, and ensure the Bill provides for the expected protections for privacy to assist Australia to be a qualifying power under the CLOUD Act. DIGI said these assessments should consider:
1
The necessity of the information being requested, and the need to minimise the collection of personal information to what is strictly necessary.
2
Whether the proposed method of accessing the information is the least privacy-infringing method available.
3
Whether the infringement on privacy is proportionate to the harm that will be averted by granting law enforcement access to the information.
4
An explicit requirement that agencies must show that they have attempted all other means of information access that would have a lesser privacy impact on individuals, and provide an explanation of why these alternate means are insufficient.
5
Requirements to minimise the retention of the data accessed during the investigation to a limited, specified period of time.
Regard to human rights
5.67
The QCCL recommended the decision making criteria for the ATWs (and assistance orders) explicitly include consideration of the potential impact of the human rights of the subject and any other, directly or indirectly, affected person(s).
Emergency authorisations
Application
5.68
The Bill provides for emergency authorisations by an appropriate authorising officer at proposed section 3ZZUJ of the Bill. This process is contained at proposed Division 3. This process allows for an official within the AFP or ACIC to issue the warrant, and it be subsequently authorised by a magistrate, having the practical effect of retrospective authorisation.
5.69
It does not allow the AFP or ACIC to authorise and issue their own ATWs. The application may be made orally, in writing or by telephone, fax, email or any other means of communication. The appropriate authorising officer may give the emergency authorisation if satisfied that there are reasonable grounds for the suspicion founding the application.
5.70
The proposed section provides statutory conditions on this process, most prominently that an emergency authorisation must not be executed in a manner that results in damage to data unless the damage is justified and proportionate. Furthermore it must not cause a person to suffer a permanent loss of money, digital currency or property (other than data). The Law Council said:
More fundamentally, we don’t agree with the internal process itself. These sorts of extraordinary powers should be done by warrant, should be done through a judge, a superior court judge, with a contradicter there. So, as a fundamental issue, we don’t agree with the internal process.
Authorising officer
5.71
The appropriate authorising officers for emergency applications are the same as provided at proposed section 3ZZUM. The effect of this proposed section is to enable the chief officer of the AFP and ACIC, or their appropriately selected delegate to be the authorising officer. The Bill provides for requirements of recording the emergency authorisations and their attributes at proposed sections 3ZZUY – 3ZZUZ.
5.72
The OAIC said ‘more appropriate mechanisms to seek a warrant in these kinds of emergency circumstances should be considered’ and said other sections of the Bill allowed for applications made by telephone, fax, email, or any other means of communication. The OAIC recommended the Bill be amended to exclude warrant approval by an ’appropriate authorised officer’ and consider alternative external warrant approval mechanisms.
Review and consideration by magistrate
5.73
The Bill provides at proposed section 3ZZVA that within 48 hours after giving an emergency authorisation to a law enforcement officer, the appropriate authorising officer who gave the authorisation (or another person on that appropriate authorising officer’s behalf) must apply to a magistrate for approval of the giving of the emergency authorisation. Furthermore they must provide sufficient information to enable the magistrate to decide whether or not to approve the giving of the emergency authorisation and be accompanied by a copy of the written record made under section 3ZZUY in relation to the emergency authorisation.
5.74
In considering the emergency application, the Bill provides at proposed section 3ZZVB several factors the magistrate must consider including: the nature of the risk of serious violence to a person or substantial damage to property; the extent to which issuing an ATW would have helped reduce or avoid the risk; other alternative methods of investigation that could have been used; and whether it was practicable in the circumstances to apply for the ATW.
5.75
The Bill then provides at proposed section 3ZZVC the magistrate’s consideration process of this application. For approval, the magistrate must be satisfied that there were reasonable grounds to suspect there was a risk of serious violence to a person or substantial damage to property, and taking control of the online account may have reduced this risk, and it was not practicable to apply for the ATW. The result of this process is the magistrate can issue the ATW as if it were approval for the original application. This has the practical effect of retrospective authorisation.
5.76
The OAIC recommended the Bill be amended to require that law enforcement agencies destroy any information collected under an emergency authorisation that was subsequently denied. Home Affairs said for instances where an emergency authorisation was given by the agency but then not issued by the issuing authority any information obtained would be quarantined for oversight (e.g. Ombudsman) review of that particular episode.
5.77
The Law Council recommended the issuing authority have discretion to order remedial action as appropriate, saying:
It’s our view that, if that occurs, there should be a requirement on the AFP or ACIC to inform the issuing authority of any adverse or potentially adverse impacts on third parties, and if there are adverse impacts on third parties as a result of an internal authorisation that has already been executed, then the issuing authority should have discretion to order remedial action be taken – for example, possibilities around financial compensation to those that have suffered damage or loss.
Duration, extension, revocation and variation of the warrants
5.78
The duration of the ATWs is provided at proposed section 3ZZUQ(3) as 90 days. The Bill provides for multiple 90 day extensions at proposed section 3ZZUS. The OAIC recommended the Bill be amended to limit the number of warrant extensions that could be sought in respect of the same or substantially similar circumstances. The OAIC recommended requiring the issuing authority to consider the privacy impact on any individual arising from the extension to the warrant to ensure that the potential law enforcement benefits are necessary and proportionate to this impact’.
5.79
The Bill provides for how ATWs are revoked or varied at proposed sections 3ZZUS – 3ZZUT.
5.80
The Law Council recommended amending the Bill to provide that ATWs must be executed within seven days of their issuance, and automatically cease to be in force once the AFP or ACIC has gained exclusive control of the account, akin to search warrants. The Law Council recommended amending the Bill so that if the AFP or ACIC sought to re-gain exclusive control of the account (or access was lost) they should be required to obtain specific authorisation under a new application.
5.81
Home Affairs said it was not ‘operationally feasible’ to require ATWs be executed within seven days of issuance and for those warrants to cease to be in force once the AFP or ACIC had gained exclusive control of the account. They said search warrants authorised discrete evidence gathering and could effectively cease to be in force once the evidence gathering exercise is complete. They said ATWs were intended to be executed in tandem with continuous methods of evidence collection, covert surveillance and controlled operations. They said:
Ongoing access to the online account is required to allow the flexibility needed to effectively infiltrate online criminality…The AFP and ACIC cannot remain in control of an account without an account takeover warrant, and as such the account takeover warrant must remain in force long enough to support evidence-gathering activities to be carried out.
5.82
Home Affairs said a seven day period of effect may be significantly limiting on the effectiveness of law enforcement action.
5.83
Home Affairs said it was not operationally feasible for there to be a requirement that the AFP or ACIC maintain control over the full period the ATW is in place. They said access could be lost due to a password reset which could reveal the existence of the operation. They said the requirement to obtain a new warrant where control of the account was lost temporarily was ‘unnecessary and disproportionate’.
Applicable offences
5.84
The Committee considered the applicable offences ATWs could be used for. In doing so it reviewed the EM, the Bill, submissions and public hearings. The ATWs apply to a ‘relevant offence’ per proposed section 3ZZUJ. This is defined by proposed section 3ZZUK (Definitions) as:
1
A serious Commonwealth offence; or
2
A serious State offence that has a federal aspect.
5.85
These two concepts are explored in Appendix C (Relevant Offences). These terms are not new to this Bill and are defined in the Crimes Act for existing use in other pieces of legislation. For an extensive discussion on applicable offences please see earlier chapters.
5.86
Home Affairs said the intention regarding relevant offences was to ensure consistency with other warrants in the Crimes Act. Home Affairs said another reason was because ATWs were a very, very narrow warrant and they did not enable access to data. They said it was hard to imagine a situation whereby an ATW was used without some other concurrent parallel power or controlled operation.
What an account takeover warrant authorises
5.87
The Committee next considered the account takeover warrants themselves, including what they authorised and the manner in which this could be conducted. The Bill provides for what an ATW authorises at proposed section 3ZZUR. It requires an ATW to authorise the doing of specified things in relation to each target account. The proposed section provides:
1
An account takeover warrant must authorise the doing of specified things (the subject to any restrictions or conditions specified in the warrant) in relation to each target account.
2
The things that may be specified are any of the following that the magistrate considers appropriate in the circumstances”
a.
Taking control of the target account at any time while the warrant is in force, if doing so is necessary, in the course of the investigation to which the warrant relates, for the purpose of enabling evidence to be obtained of the commission of the alleged relevant offence, or alleged relevant offences, in respect of which the warrant is issued;
ii.
A telecommunications facility operated or provided by the Commonwealth or a carrier; or
iii.
Any other electronic equipment; or
iv.
A data storage device;
for the purpose of taking control of the target account as mentioned in paragraph (1);
c.
If necessary for the purpose of taking control of the target account as mentioned in paragraph (a):
i.
Accessing account-based data to which the target account relates; or
ii.
Adding, copying, deleting or altering account credentials to which the target account relates; or
iii.
Adding, copying, deleting or altering data in a computer;
d.
If, having regard to other methods (if any) of taking control of the target account which are likely to be as effective, it is reasonable in all the circumstances to do so:
i.
Using a communication in transit for the purpose of taking control of the target account as mentioned in paragraph (1); and
ii.
If necessary to achieve that purpose – adding, copying, deleting or altering data in the communication in transit;
e.
Copying any account-based data to which the target account relates, and that:
i.
Appears to be relevant for the purposes of determining whether the account-based data is covered by the warrant; or
ii.
Is covered by the warrant;
f.
Copying any account credentials to which the target account relates;
g.
Any other thing reasonably incidental to any of the above.
3
For the purposes of paragraph (2)(e), if:
a.
Access has been obtained to account-based data; and
b.
The account-based data is subject to a form of electronic protection;
When account-based data is covered by a warrant
4
For the purposes of this section, account-based data is covered by a warrant if access to the data is necessary, in the course of the investigation to which the warrant relates, for the purpose of enabling evidence to be obtained of the commission of the alleged relevant offence, or alleged relevant offences, in respect of which the warrant is issued.
5.88
The Law Council said ATWs did not authorise the collection of evidence of the relevant offence, which would require authorisation under a separate warrant such as a computer access warrant. The Law Council said this suggested ATWs would be sought and executed as part of a suite of warrants.
5.89
DIGI said there was a disconnect between the Government’s intention with ATWs and the drafting of ATWs in the Bill. DIGI noted the EM set out that ATWs required separate warrants or authorisation for accessing data but this point was not made explicit in the Bill. DIGI said it was difficult to understand how someone could take control of an account without accessing data on that account.
5.90
Twitter said the scope of ATWs were unclear. Twitter said there were differences between what was outlined in the EM and the Bill (proposed Schedule 3 paragraph 25). Twitter said while the EM focussed on the AFP/ACIC taking over an account for the purposes of gathering evidence of criminal activity, the Bill provided that ‘any other activities, such as accessing data on the account, gathering evidence, or performing undercover activities such as taking on a false identity, must be performed under a separate warrant or authorisation’. Twitter said the scope of what activities were ultimately authorised under at ATW were unclear.
5.91
The Law Council recommended if the objective of account takeover was to preserve evidence of a suspected relevant offence by preventing its destruction, this should be included explicitly in the issuing criteria.
5.92
The Law Council recommended amending proposed paragraph 3ZZUR(8)(a) to provide that the AFP and ACIC must not execute a warrant in a manner that results in loss of, or damage to, data. The Law Council said there should be no general exception for loss or damage that is considered to be ‘justified and proportionate’. The Law Council said if there was a compelling justification for authorising the AFP or ACIC to cause loss of, or damage to, data in the course of executing an ATW, this should be among the powers in proposed subsection 3ZZUR(2) that the issuing authority may individually authorise.
5.93
Certain acts not authorised are provided for a proposed section 3ZZUR(5).
Concealment of access, covert execution and mandatory consultation with providers prior
5.94
Concealment of access is provided for a proposed section 3ZZUR(6). It has the effect of authorising anything reasonably necessary to conceal the fact that anything has been done under the warrant. The Law Council recommended amending the Bill to ensure the ability to engage in post-warrant concealment activities more than 28 days after an ATW has ceased to be in force to require independent authorisation.
5.95
DIGI said the powers could be used covertly without the knowledge of the service provider and this represented a key difference to the TOLA Act legislation which included service provider notifications. DIGI said the lack of service provider notifications were a significant issue with the Bill. DIGI said:
It is essential that a service provider be notified before the issuance of an Account Takeover Warrant. A lack of service provider notification compromises the security of users on the service provider’s service. Law enforcement “hacking” or otherwise manipulating a service in order to obtain access will threaten the security of other users of that service.
5.96
DIGI said for law enforcement to unilaterally undertake an account takeover they would need to identify and exploit vulnerability in the digital service and there was nothing to prevent this vulnerability being exploited by bad actors which would cause other security risks to users of the service and possibly crimes.
5.97
Communications Alliance (CA) recommended the Bill be amended to provide that the service provider who will be required to action a warrant, or assists with or facilitates its execution, ought to be consulted prior to a warrant being issued. CA said this would confirm that the most appropriate provider has been approached, provides a means to streamline the process and/or ensure the most effective means to disrupt the targeted activity can be applied. Twitter recommended introducing a requirement in the Bill for disclosure of ATWs to service providers before they are issued (i.e. in the planning phase) so the service provider can best assist the requesting agency.
5.98
Fastmail Pty Ltd recommended a consultation process be established where the target computer was not owned by the person suspected of the offence. Fastmail said this would allow the company to advise on the consequential damage that may result from the warrant and give guidance on more appropriate mechanisms to meet law enforcement’s needs. Fastmail said without this there was nothing stopping law enforcement compelling a company to shut down their servers when they only needed to target a single account.
5.99
The AIIA recommended the inclusion of a provision in the Bill mandating the formal consultation with any relevant company, service provider or related entity that will have any relevant computer or account asset accessed or investigated by authorised officers under the legislation. The AIIA said this consultation would involve formal and confidential notification that a warrant was being applied for that would require assistance from the relevant entity or network and an outline of the reasons for that warrant being sought. The AIIA said this would allow the entity or network to be on notice and consider the technical feasibility and impacts of the operation, resulting in a smooth and anticipated process of cooperation between government and the service provider.
Compensation for damages
5.100
The Bill provides for losses related to the execution of the ATWs at proposed section 3ZZWA. This section has the effect of inserting Commonwealth liability for loss of or serious damage to property or personal injury as a result of subsequent court action.
5.101
Amazon Web Services recommended the Bill be amended to introduce a new immunity for online account providers in relation to the execution of ATWs in good faith. AWS recommended this for proposed section 3ZZUR of the Bill. AWS said the execution of an ATW should not result in civil liability to a person. AWS recommended this immunity be extended to civil and criminal liability, or an action or other form of proceedings for damages, in relation to an act or omission done in good faith in purported compliance with, or in the furtherance of a requirement under an ATW.
5.102
The Law Council recommended amending proposed section 3ZZWA to extend statutory compensation rights to persons who suffer either direct or indirect loss, damage or injury from the execution of an ATW. The Law Council said this statutory compensation right appeared to be unduly narrow and did not extend to people who suffer loss as an direct result of the execution of an ATW, even if that loss was reasonably foreseeable to the AFP or ACIC in executing the warrant.
5.103
Home Affairs said there were existing important safeguards against unjustified and disproportionate loss or damage to data at proposed section 3ZZUR(8)(a) of the Bill. They said it would not be operationally feasible to guarantee that there would be no loss of or damage to data in all circumstances.
Control of an account
5.104
The Bill provides that a person takes control of an online account if the person takes one or more steps that result in the person having exclusive access to the account. The Bill provides at proposed section 3ZZUL several examples of these steps including using existing account credentials to alter one or more account credentials; removing a requirement for two-factor authentication; or altering the kinds of account credentials required to access the account.
5.105
The Law Council said there was no clear justification for the specific power of ‘lockout’ from online accounts for the purpose of collecting evidence of an offence on top of existing computer access and data surveillance powers which already enabled the covert monitoring of a person’s activities using those accounts.
Restoration of an online account
5.106
The Bill provides for restoration of an online account at proposed section 3ZZUV. The effect of this section is to allow the holder of a target account to possibly operate the account after an ATW ceases to be in force, where it is lawful to do so and they are unable to do so because of the ATW.
5.107
The Law Council recommended proposed section 3ZZUV be amended to require the AFP and ACIC to take all reasonable steps to restore the account holder’s access after an ATW ceases to be in force. They recommended removing the requirement in proposed section 3ZZUV(b) for the AFP or ACIC to form a view on whether it was lawful for the account holder to operate the account and instead introduce the ability to apply to an issuing authority for an exemption to the restoration obligation. They additionally recommended requiring the AFP exercise separate powers of investigation, arrest and charge in relation to any offences that may be committed as a result of the person holding or operating the account instead of the ability to prevent restoration based on the indication of criminality.
5.108
Home Affairs said existing proposed section 3ZZUV already provided that the AFP and ACIC must take all reasonable steps to restore an account holder’s ability to operate their account, if it were lawful to do so.
5.109
Home Affairs said this proposed section was designed on similar powers for the physical world. They provided the example of a search warrant where the return of a person’s property once the investigation was no longer ongoing depended on whether holding that property was lawful.
Extraterritoriality, overseas application and relationship with international laws such as the CLOUD Act
5.110
In contrast to the clear extraterritoriality provisions for DDWs and NAWs the ATWs regime does not have equivalent provisions relating to extraterritoriality. Submitters raised concerns as to the possible serving of these ATWs on persons outside of Australia, or companies outside of Australia in order to give effect to the warrant.
5.111
The QCCL and others said the powers would effectively extend the reach of Australian law enforcement outside the sovereign jurisdiction of Australia with significant extraterritorial impacts. The QCCL and others said this would have Australian authorities authorise extraterritorial law enforcement operations outside the scope of their lawful jurisdiction. They said there were also due process risks for suspects located outside Australia which could jeopardise prosecutions. They recommended the setting of clear limits for the extraterritorial exercise of Australian law enforcement powers.
5.112
This point was juxtaposed against the data disruption and network activity warrant powers which submissions said did not have the same ambiguity as ATWs. The Communications Alliance elaborated on this point and said:
It does not seem to see any consent is required from an official or the service provider that has to be sought. That stands in contrast to the data disruption or network activity warrants, which do require that access has been granted by an appropriate consenting official in the foreign country.
5.113
Fastmail recommended clarity on how the powers could be used by foreign law enforcement entities. Fastmail said there was nothing in the Mutual Assistance of Criminal Matters Act 1987 (the Mutual Assistance Act) and Telecommunications Legislation Amendment (International Production Orders) Bill (the IPO Bill) that would obviously preclude the usage of these warrants on behalf of a participating foreign country. Fastmail queried whether these powers could be used by foreign powers to circumvent stronger data privacy protections in their own country.
5.114
DIGI said the Bill raises a number of conflicts of law issues for overseas service providers and particularly those located in the United States. DIGI said there was no express provision in the Bill for a service provider to refuse to comply with a warrant on the basis of overseas laws. DIGI said further consideration of these issues was required.
5.115
Twitter said the ATWs were ‘divorced from standard due process requirements’ and ‘antithetical to core legal principles enshrined in democratic law and procedural fairness’. Twitter said they were concerned the Bill allowed law enforcement direct access to data regardless of the location of the server, without the provider being aware, and absent the agreement of a consenting official of the relevant foreign country where the warrant would be enforced. Twitter said:
If the Account Takeover Warrant is to be used to access an online account regardless of the location of the server, and executed without the knowledge of a service provider, or foreign official, then all due process requirements and safeguards that typically surround warrant processes have essentially been removed.
5.116
DIGI said ATWs could be used to access an online account regardless of the location of the server and without the knowledge of relevant foreign officials.
5.117
Home Affairs said ATWs could be used to take control of an online account regardless of where the account data is located but the power was only available if the AFP or ACIC were investigating a relevant offence within the AFP or ACIC’s functions to investigate. DIGI said there was a risk of Australian law diverging from the ‘robust protections for privacy and civil liberties’ required entering into a CLOUD Act agreement under US law.
Notification to target of ATW
5.118
The Law Council recommended amending the Bill to require the AFP or ACIC notify an account holder that their account was the subject of an ATW. The Law Council recommended amending the Bill to allow the issuing authority to authorise an order, on the application of the AFP or ACIC, to either delay or dispense with the notification requirement if satisfied on reasonable grounds that giving notification to the account holder would frustrate an investigation, or jeopardise the life or safety of any person. The effect of this recommendation by the Law Council would be to introduce a positive requirement to notify the subject of an ATW, rather than inverse.
5.119
The Law Council said the absence of any notification requirement meant that an account holder could be deprived of access to their account(s) for a prolonged period of time (up to 180 days) without any information about the reasons or an ability to challenge the legality of the warrant.
Review and privacy
Administrative and judicial review of decisions
5.120
QCCL recommended the issue of the ATWs be subject of merits and judicial review with the Federal Court of Australia. The AIIA recommended merits review processes.
Privacy concerns (including third parties)
5.121
Fastmail said Australia’s global reputation was moving away from individual rights and towards state surveillance. Fastmail said Australia was moving further away from global norms, and from the expectations of privacy protection that consumers are now demanding. CSCRC said an absolute right to privacy could never exist and there would be exceptions, such as provided by this Bill.
5.122
The Communications Alliance said there were privacy issues of third parties that were not the subject of ATWs. CA recommended the Bill provide protections for information that is being accessed in the course of such action but is unrelated to the crime under investigation. CA said the issuing authority should have ‘regard to the privacy of any individual affected by any of the new warrants under consideration’. Twitter said the Bill did not contemplate processes to protect the rights of third party users who interacted with the account subject to an ATW.
5.123
Twitter said the Bill included limited safeguards but did not consider the implications of law enforcement agencies accessing a service without the knowledge of the service provider. Twitter said they had concerns about the implications for Twitter’s own obligations as well as the privacy implications for the users of Twitter.
5.124
DIGI said the powers could compromise the privacy of users of the service provider’s digital products and it was unclear how law enforcement would mitigate against the violation of users’ privacy rights. DIGI said for ATWs in particular, law enforcement would have access to all content and data not just the content and data required to complete the investigation. DIGI said there was a requirement for rules to minimise the collection, retention, and use of data that is not relevant to the investigation. Telstra recommended the legislation be amended to address the issue of confidential information of non-targets.
5.125
Twitter said they noted specified account holders of requests for their account information unless they were prohibited or the request fell into one of the exceptions to their user policy.
5.126
The Bill provides for offences of unauthorised disclosure of protected information at proposed section 3ZZVH of the Bill. Exceptions to this proposed provision are provided by proposed section 3ZZVH(3).
Protection of account takeover technologies and methods
5.127
The Bill provides at proposed section 3ZZVK that a person may object to the disclosure of information on the ground that the information, if disclosed, could reasonably be expected to reveal details of account takeover technologies or methods. It provides that the person conducting the proceeding must take into account whether the information is necessary for the fair trial of the defendant or is in the public interest.
Miscellaneous other changes
Controlled operations
5.128
The Bill amends the Crimes Act in three instances. These amendments would have the effect of removing the requirement for guaranteeing that illicit goods would be held by Australian law enforcement at the conclusion of online controlled operations. This is achieved via negative in the below amendments.
5.129
In paragraph 15GI(2)(d) Crimes Act, before ‘that the operation’, insert ‘so far as the conduct involved in the controlled operation is not conducted online’.
5.130
In paragraph 15GQ(2)(d) Crimes Act, before ‘that the operation’, insert ‘so far as the conduct involved in the controlled operation is not conducted online’.
5.131
In paragraph 15GV(2)(d) Crimes Act, before ‘that the operation’, insert ‘so far as the conduct involved in the controlled operation is not conducted online’.
5.132
The Uniting Church said these Bill provisions were ‘consistent with their ability to conduct controlled operations in the physical world offline’. The Law Council however recommended omitting Schedule 4 from the Bill in recognition that the issues that have given rise to the perceived need for the amendments were, in fact, capable of being managed under the existing provisions governing the authorisation of controlled operations.
5.133
The Law Council said despite the suggestion in the EM the proposed amendments were minor, they appeared to have significant legal effect to the following matters:
The authorisation of law enforcement officers and other covert operatives to engage in activities that would otherwise constitute offences or torts, or both; and
The exercise of discretion by a court to exclude evidence on the basis that it has been unlawfully or improperly obtained.
5.134
The Law Council said this created a ‘fundamental tensions with the doctrine of the rule of law’ and it was no small measure to authorise agents of the state to engage in otherwise unlawful conduct and to limit the usual discretion of courts to exclude evidence obtained through such conduct.
5.135
The Law Council said the existing Act did not have an absolute requirement to ensure that law enforcement agencies must, invariably, have complete control over all illicit goods at the conclusion of a controlled operation. They said the requirement was the agency must take all reasonable steps to ensure that it would be a in a position to exercise control to the maximum extent possible. They said the existing authorisation, variation and extension provisions would be suitable and it would be dependent on the applications by the AFP or ACIC.
5.136
The Law Council noted the Richardson Review and said the measures in Schedule 4 of the Bill were an example of the perceived problem not being a defect in the relevant provisions of the existing Act. They said the existing provisions were a carefully designed safeguard which already took into account the issues identified in the EM.
5.137
The Law Council said there were two significant risks in ‘granting a wholesale exemption for online controlled operations’ from the requirements of sections 15GI, 15GQ and 15GV. These were the removal of statutory obligations even where it is possible to exercise control and unintended consequences. They said in situations where law enforcement could exercise a meaningful degree of control over illicit data the proposed amendments would have the effect of relieving the agency of the legal requirement to do so. The Law Council said they were concerned that the ‘wholesale exclusion’ would remove any statutory obligation, and potentially a strong incentive, to use existing capabilities and powers, or pro-actively seek out or develop new ones, to exercise control over harmful or illicit content that is accessed or disseminated as part of an online controlled operation. They said the effect of this would be to make the law governing the conduct of online controlled operations ‘frozen in time’ to reflect present technical limitations, or perceived limitations.
5.138
The Law Council said controlled operations conducted online could authorise an extremely broad range of otherwise unlawful activities, including the dissemination of a computer virus. They recommended requiring the applicant satisfying the issuing authority that they would be able to control that virus at the conclusion of the controlled operation.
5.139
The Law Council recommended amending section 15HC of the Crimes Act to provide expressly that a controlled operation cannot authorise, or confer criminal immunity or civil indemnity for, activities in respect of which a DDW, or NAW is required under the SD Act (or an emergency authorisation for these activities). The Law Council said they were concerned that acts done under a DDW or NAW were not clearly covered by the exclusions list of section 15HC which provides that criminal immunities and civil indemnities under Part IAB do not apply to certain conduct.
5.140
Home Affairs said the Schedule 4 amendments were important for the effective operation of controlled operations online.
5.141
Home Affairs said the nature of material which is likely to be the subject of a controlled operation conduct online necessarily meant that it could be much more easily forwarded, coped or transferred than was possible with physical goods. Home Affairs put this amendments in context and said:
As an example, the AFP may conduct a controlled operation to gather evidence as part of an investigation into the sale of stolen Australian identity documents on a dark web forum. The AFP might purchase those illicit goods as part of the controlled operation, but law enforcement cannot guarantee that they have purchased the only copy or that they will have all copies in their possession at the end of the operation.
Minor amendments
5.142
Several minor amendments are provided for in Schedule 5 of the Bill. These amend the SD Act and the TIA Act.