System administrators could be forced to help police hack into computers and user accounts or face 10 years in jail, under new legislation that passed this week.

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 provides the Australian Federal Police (AFP) and the Australian Crime Commission (ACC) with unprecedented powers to hack into the accounts of suspected criminals.

Officers at the AFP and ACC will be able to apply to a judge for each of the data disruption, network activity, and account takeover warrants – which can be granted retroactively under “emergency authorisations” – and then conduct now-legal hacking activities.

Those hacking activities include: looking at data to determine if it is covered by the warrants; altering, copying and deleting data; intercepting and modifying communications; surveilling networks; changing account credentials; and removing two-factor authentication requirements.

Designed with the stated intention of countering terrorism and child exploitation, the hacking powers can be granted to investigate, gather evidence of, or even disrupt a “serious Commonwealth offence” or “serious State offence that has a federal aspect”.

This covers a broad range of offences which are punishable by imprisonment of at least three years and includes acts of violence, terrorism, and dealing in child abuse material – but also affects offences like piracy, bankruptcy and company violations, and tax evasion.

The legislation provides law enforcement to do “anything reasonably necessary” to conceal their hacking activities, including “adding, copying, deleting or altering other data” so they remain undetected on a target's system or account.

Police can also apply for an “assistance order” which will require a targeted person – such as a system administrator, owner, lessee, contractor, or any person who has “relevant knowledge” of the computer or network – to assist with the hacking activities.

Anyone required to assist with government hacking will be protected from civil liability and refusing to help can carry a penalty of 10 years in prison.

Can’t trust technology

For lawyer Angus Murray, Chair of Electronic Frontiers Australia’s Policy Team, the hacking powers poses a serious risk to our civil liberties.

“This is now a regime in Australia where we have conferred power on law enforcement agencies to hack Australians’, and potentially overseas persons’, computers and to take over accounts and modify and delete data on those accounts,” he told Information Age.

“Australia doesn’t have constitutionally enshrined rights to political speech and other human rights, but if we’re going to give law enforcement these powers, that should be checked and balanced against a human rights instrument at Federal level.”

Having the ability to secretly hack into people’s computers and spy on them fundamentally undermines our right to privacy and has severe impacts for how we treat – and are treated by – technology, Murray said.

“Say I’m communicating with you by email but I don’t know that behind the scenes I’m communicating with someone from law enforcement who has taken over your account and is responding to my email on your behalf – in that instance my ability to trust technology is significant eroded,” Murray said.

“If my telephone or your telephone has some form of network activity monitoring warrant attached, I can have no confidence this phone call is private.

“In both cases my ability to communicate and act with dignity and autonomy has deteriorated.”

Targeting electronic communication

It’s not just the surveillance bill that is cause for concern.

There are years’ worth of Coalition-introduced laws targeting electronic communications such as the mandatory metadata retention regime and the encryption act which have been routinely criticised by the technology community and digital rights activists.

At every step of the way, the government has used the threat of terrorism and proliferating trade of child exploitation material as obvious reasons why these laws should pass.

In his second reading speech late last year, then Home Affairs Minister, Peter Dutton, invoked the usual threats, saying anonymising technology that hides “identities, IP addresses, jurisdictions” is “increasingly hampering investigation into serious crimes” like “child sexual abuse, terrorism and the trafficking of firearms and illicit drugs”.

“These key new powers are critical in enabling law enforcement to tackle the fundamental shift in how serious criminality is occurring online,” Dutton said.

But while any reasonable person can agree that terrorism and child exploitation are terrible, Murray warns against simply handing the stronger powers over to government without significant counter measures.

“There could come a point where this is used against society,” he told Information Age.

“They could put something like child exploitation images onto your computer – that is a disruption of the data on your device.

“I’m not saying the government would do that now, or that it is the intention of the bill, but we don’t have a significant safeguard against it.

“At what point do we draw the line and say we’ve gone too far?”