The Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 introduced new powers for the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to identify and disrupt serious crime online, including on the dark web or facilitated by encrypted and anonymising technology.
Where a warrant is in place, the new provisions allow the AFP and the ACIC to apply to an issuing authority for an order to compel a person to provide information or assistance as is reasonable and necessary to carry out the warrant. This is consistent with the existing assistance orders available to law enforcement agencies under the computer access warrant regime in the Surveillance Devices Act 2004. Assistance orders are not intended to be used to compel assistance from the technology industry, but rather from a person with relevant knowledge of a computer or account (for example, providing relevant account credentials and passwords to enable agencies’ access). This is distinct from the industry assistance framework.
The industry assistance framework was introduced by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Assistance and Access Act). Read more about the Assistance and Access Act.
These reforms do not impose new obligations on the technology industry. Should the AFP or the ACIC wish to seek assistance from industry to support the new powers, they must do so through existing mechanisms, such as the industry assistance framework in Part 15 of the Telecommunications Act 1997 (Telecommunications Act).
What do the new powers do?
The three new powers enhance the AFP and the ACIC’s ability to identify and disrupt serious crime online.
Data disruption warrants enable the disruption of criminal activity facilitated or conducted online. The AFP and the ACIC may add, copy, alter and delete data for the purposes of frustrating the commission of criminal offences. However, if those activities are likely to materially interfere with, interrupt or obstruct a communication in transit or the lawful use by other persons of a computer, they may only be authorised if necessary to execute the warrant. A data disruption warrant cannot authorise causing any material loss or damage to other persons lawfully using a computer unless this is reasonably necessary and proportionate.
Network activity warrants enable the collection of intelligence on criminal networks operating online. The AFP and the ACIC may access data in computers used by the criminal network to collect intelligence about the group’s activities and identities. Network activity warrants must not authorise conduct likely to materially interfere with, interrupt or obstruct a communication in transit or the lawful use by other persons of a computer unless necessary to execute the warrant. The warrant cannot authorise causing any material loss or damage to persons lawfully using a computer.
Account takeover warrants enable the taking over of a person’s online account to gather evidence about criminal activity. The AFP and the ACIC may take exclusive control of an online account, to the exclusion of the account holder.
These warrants are supported by strict thresholds and safeguards that ensure the powers are used only where reasonable, proportionate and necessary. Each of the warrants must be sought only in respect of relevant offences, that is, generally, offences punishable by a maximum term of imprisonment of three years or more. When considering whether to issue a warrant, issuing authorities must give extra weight to the most serious types of criminal activity, such as child exploitation, terrorism, cybercrime, money laundering and drugs and firearms trafficking.
Do the new powers impose any obligations on the telecommunications industry?
No. There are no obligations imposed on, or any activity required from, carriers themselves.
The powers are only available to the AFP and the ACIC. The powers are targeted at devices, that is, at computers. They are not powers enabling the general collection of information over Australia’s telecommunications networks. It is up to law enforcement officers to employ techniques to execute the powers. These techniques can involve the AFP or ACIC using a telecommunications facility operated or provided by a carrier in the course of targeting devices.
In the course of executing any of the warrants, there is a mechanism for law enforcement to gain assistance from others if necessary. The AFP and the ACIC can apply to an issuing authority for an order to compel a person to provide information or assistance that is reasonable and necessary to carry out the warrant. These provisions already exist in relation to computer access warrants. There are also similar existing provisions in the Crimes Act 1914 compelling a person to give law enforcement assistance in the execution of a search warrant – for example, the password to their computer. This mechanism is not intended to allow law enforcement to compel assistance from the technology industry, but rather from a person with knowledge, relevant to the investigation or operation, of a particular computer or computer system, or of an online account in the case of account takeover warrants (such as a person who uses a computer or online account).
How do these powers interact with the pre-existing industry assistance framework?
The industry assistance framework in Part 15 of the Telecommunications Act allows Australia’s law enforcement, security and intelligence agencies to request or compel assistance from communications providers where there is a technological obstacle to investigations and operations. Industry assistance can be sought by the AFP or the ACIC for the relevant objective of enforcing the criminal law, so far as it relates to serious offences, that is, offences punishable by a maximum term of imprisonment of three years or more.
The framework provides a structure for industry assisting agencies to carry out their lawful functions and protect the community. This is in addition to agencies’ ability to seek assistance from carriers and carriage service providers where reasonably necessary under section 313 of the Telecommunications Act.
It is intended that the industry assistance framework in Part 15 of the Telecommunications Act may, in appropriate circumstances, be used to support these new powers, just as it can be used to support other law enforcement powers, such as those in the Telecommunications (Interception and Access) Act 1979. For example, the AFP or the ACIC could engage the assistance of a communications provider to deactivate the authentication mechanisms to an online account to enable the officer to take control of the account under an account takeover warrant. The AFP or the ACIC may also, for example, request a communications provider to delete an activity log in customers’ devices relating to the execution of a network activity warrant to conceal access to those devices under warrant.
The industry assistance framework will not replace the need to meet the thresholds for obtaining one of the new warrants. Instead, the industry assistance framework can be used, in appropriate circumstances, to seek technical assistance to facilitate agencies’ exercise of these new warrants. This supports the intent of the industry assistance framework in ensuring that the powers granted to the agencies charged with enforcing the criminal law should not be nullified by advances in technology.
What protections are in place in the industry assistance framework?
The industry assistance framework is supported by strong safeguards and limitations to protect the commercial interests of providers, and the privacy of individuals. These protections will continue to apply if the industry assistance framework is used to support these new powers. Importantly, the industry assistance framework expressly prohibits any request that would, at a systemic level, undermine cyber security or make data less secure.
Specifically, assistance under the framework cannot, at a systemic level, amount to:
- activities creating a material risk of unauthorised access to a service or product
- jeopardising a form of electronic protection
- refraining from patching a weakness
- building decryption capabilities.
These protections would rule out, for example, requesting a provider to give assistance in support of a data disruption warrant that would involve implementing systemic weaknesses into electronic services to frustrate criminal offending.