To protect human rights, identify and disrupt Australia’s “hacking bill”

The Australian “Identify and Disrupt” Bill is inching closer to passage. While the Australian Parliamentary Joint Committee on Intelligence and Security (PJCIS) has identified the surveillance overreach in the bill, it has not sufficiently disrupted its powers. In the absence of necessary additional amendments, the Parliament must reject the hacking bill. 

The Australian Identify and Disrupt Bill, also known as the hacking bill, severely endangers digital privacy and security by conferring unprecedented hacking powers to intelligence agencies. Despite this, it is close to passage, as Australia continues its insidious transformation into a surveillance state, including its growing attacks on encryption. Any vote in favour of the hacking bill, even with proposed amendments, is a vote to deepen the existing threats to human rights in Australia and across the region. 

What’s wrong with the hacking bill

The surveillance overreach is extremely damaging for people’s privacy. The Identify and Disrupt Bill grants extensive hacking powers to the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) through three new warrants: a data disruption warrant, a network activity warrant, and an account takeover warrant. These warrants allow the authorities to “disrupt” – add, copy, delete, or alter – the data of suspected offenders; hack into their devices and networks to discern identity; and covertly take over their accounts and lock them out. Civil society has rightly criticised the hacking bill for being “wide-ranging and coercive”, devoid of safeguards and detrimental to privacy. 

There have been efforts to improve it, but not enough. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) in Australia has recommended 33 changes to the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, subject to which it may be passed by the Australian Parliament. The recommendations made by PJCIS include integrating greater oversight, judicial review, consideration of privacy implications, sunset clauses, and assurance that it will only be used for the most serious offences. We welcome the changes PJCIS recommends, but they are not sufficient to warrant passage. In the interest of human rights, lawmakers should reject the bill outright or ensure additional reforms to protect people from the collective adverse impact of Australia’s increasingly disproportionate surveillance laws. 

The positive recommendations for amending the hacking bill

Necessity and proportionality 

In order to be compliant with international human rights laws and standards, laws authorising communications surveillance must be aligned with the global principles of necessity and proportionality.

The PJCIS has recommended that a judge must be satisfied that a data disruption warrant is reasonably necessary and proportionate, not “justifiable and proportionate” as the current draft of the bill specifies. The issuing authorities for an assistance order should be satisfied that it is reasonably necessary, justifiable, and proportionate, and that compliance with the request is practicable and technically feasible. PJCIS recommends that, given the covert nature of mandatory assistance orders, a mechanism should be developed to ensure necessity and proportionality.

Further, PJCIS has called on intelligence agencies to provide an unclassified submission outlining the necessity and proportionality of the proposed “new or expanded powers”, including case studies.

Privacy and considerations before issuing warrants

The PJCIS has recommended that the issuing authority must consider, among other things, impacts on privacy, potential impact on third parties, a person’s ability to have contact with family to provide or receive care, privileged and journalistic information, and seriousness of offences.

It also recommended tightening accountability by requiring a sworn affidavit setting out the grounds of an application for an account takeover warrant. 

Oversight and reporting

PJCIS recommends that the oversight remits of the PJCIS, Inspector-General of Intelligence and Security, and Commonwealth Ombudsman be expanded to cover the intelligence functions of the AFP and the ACIC, including the exercise of new powers under the Identify and Disrupt Bill. 

The recommended amendments on strengthening review mechanisms require that the AFP and the ACIC submit an unclassified annual report to the PJCIS; that the Independent National Security Legislation Monitor (INSLM) review the warrants within three years of the Bill receiving assent; and that the PJCIS conduct a similar review within four years, taking into account the INSLM’s report.

Judicial review 

The PJCIS recommends that the issuing authority for all new powers, including emergency authorisations, must be a superior court judge. However, for account takeover warrants, it would still be an “eligible judge”.

Further, PJCIS is pushing to shore up judicial review by requiring an amendment to clarify that decisions under the new powers in the Identify and Disrupt Bill are not exempt from judicial review. 

The recommended amendments do not go far enough  

Amendments to the Identify and Disrupt Bill should mandate adherence to strict standards of necessity and proportionality for the exercise of all powers under the Identify and Disrupt Bill, and not only the data disruption warrant and assistance orders. Compliance with these principles should be tested on a case-by-case basis by a judicial authority before the issuance of any warrant or order under the Bill. Mandating compliance with the necessity and proportionality principles in a limited and selective manner will not adequately protect people’s privacy and security.

There is also a need to incorporate explicit safeguards to protect end-to-end encrypted communication platforms. The Bill currently allows the AFP and the ACIC to add, copy, delete, or modify data, if necessary to access the relevant data, to overcome security features such as encryption. Further, encrypted data would be copied and analysed before its relevance can be determined. This further solidifies Australia’s attack on encryption and secure communications for all. It puts all encrypted communications at risk of exposure, corrodes the privacy and security guarantees of end-to-end encrypted messaging platforms, and encroaches on the rights to privacy and freedom of expression. 

The Identify and Disrupt Bill should not be passed — hacking cannot trump human rights 

The Identify and Disrupt Bill will operate as part of a larger framework of surveillance laws, including the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA), that amplifies the government’s powers without adequate limitations, undermines encryption, and endangers human rights. 

TOLA and the Identify and Disrupt Bill would collectively damage cybersecurity, privacy, and end-to-end encryption. The Identify and Disrupt Bill, in tandem with TOLA, would make it practically impossible to implement end-to-end encryption to protect information and communications from unauthorised access by any third party. Authorities could use the Technical Capability Notice under TOLA to compel a service provider to build the prescribed technical capability, including decryption, to assist the government and intelligence agencies. Thereafter, law enforcement may utilise warrants under the Identify and Disrupt Bill to gain access to all kinds of data. A combination of TOLA and the Identify and Disrupt Bill effectively brings any kind of information in existence within the reach of law enforcement in an entirely unnecessary and disproportionate manner, to the grave detriment of cybersecurity and users’ privacy. 

TOLA is yet to be amended, even in line with the limited terms of the INSLM’s recommendations, which suggested stronger independent oversight. Pending these changes, and the PJCIS’s findings on TOLA, lawmakers should avoid additional threats to digital privacy and security through legislation like the Identify and Disrupt Bill. Australian surveillance laws must undergo significant course-correction before further obstacles are introduced.

Therefore, while the PJCIS’s recommendations mark an important step towards allaying privacy concerns, the Identify and Disrupt Bill should not be passed unless the necessary limitations are in place to defend people’s human rights against Australia’s surveillance laws.