Privacy Pinpoint: Australian Surveillance skyrockets with new bill
December 2018
In December 2018, reports that Australia had passed new legislation began to make waves. The legislation would allow law enforcement to coerce companies to:
- Remove one or more forms of electronic protections
- Provide technical information
- Facilitate access to services and equipment
- Install software
- Modify technology
- Conceal that the company has done any of the above
With these capabilities afforded under law, Australian police would be entitled to install software onto people's devices, ranging from key loggers to screenshot tools (which wouldn't break encryption, just side-step it), to record audio, to modify people's personal devices to record audio continuously, to run website/email phishing, and to collect geolocation data. All of these, according to the law, can be used against anyone suspected of (or being investigated for) any offense punishable by a term of three years or more in prison. Many of these offenses have little to nothing to do with national security or CSAM, and they have a disproportionate impact on human rights with regard to privacy and security. If any company creating communication software were compelled to comply with this law, it would effectively be weakening its communication platform, which can have a sweeping effect on the privacy of innocent citizens using that software. Compromising any secure system not only opens it up for abuse by "law abiding" actors (who have historically abused such access in 100% of cases); it also introduces extra security flaws and vulnerabilities for hackers and other entities who may wish to do harm by gaining control of such systems. The clearest case is WannaCry: "...the biggest ransomware attack the world has ever seen originated with code written by the National Security Agency" (as of 2018). "If the NSA – one of the world's most capable agencies – can lose something that causes damage like that, who's to say that Australian state police agencies are going to be any less likely to unleash unintended consequences?"
August 2021
Fast forward to this year: the Australian parliament rushed an unprecedented surveillance bill through in 24 hours, which gives the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new powers for dealing with online crime:
- Data disruption warrant: this gives law enforcement the ability to disrupt data by modifying it, copying it, adding to it, or deleting it
- Network activity warrant: this allows law enforcement to collect intelligence from devices/networks that are used (or likely to be used) by those subject to the warrant
- Account takeover warrant: this allows law enforcement to take control of an online account for the purposes of gathering information for an investigation
Let's just take all of this in for a second. Anyone suspected of a crime can have their online accounts taken over, their devices/networks infiltrated, and their data modified by a police agency with literally zero judicial oversight. These warrants aren't signed off or viewed by a judicial entity; they are handled internally by the Administrative Appeals Tribunal! Let's be very clear here: having the legal right to modify, add, or delete data during an investigation is a little odd, isn't it? In theory, these agencies can plant evidence for a crime, remove any evidence which would prove them wrong, and copy this data at will – legally. To put this into perspective, in a theoretical and non-digital space – these agencies have the right to come into your house, plant illegal drugs/documents/evidence, remove any evidence which proves your innocence, and then hang you for it (so to speak) – all while being covered under this new law.
Any company that does not comply with these laws could end up in jail for up to 10 years (that's more than three – which makes them subject to these laws). Some of the required actions are: altering, copying, and deleting data; intercepting and modifying communications of any kind; surveilling devices and networks; and changing account credentials.
Can anyone guess what the justifications for this bill are? Ding ding ding ding! Anti-terrorism and CSAM. The same two justifications used for every anti-encryption/anti-privacy bill on the planet – "It's for the children" and "It's to catch all of the terrorists". I hope it goes without saying that anyone engaging in either of those activities should be promptly dealt with, but we don't need to destroy encryption, or remove the privacy and security of every single citizen in an entire country, in order to do it. That's not how this needs to be done. These are the same two arguments that are used for every single law of this type, and they are meant to pull on the heartstrings of people so they will give up their rights in order to have more "security". These governments have stopped little to no crimes even with access to petabytes (read: 1000s of terabytes) of data about citizens all over the world. Stop giving up your rights. The Australian government just removed basic human rights from its citizens and has enacted laws which are similar to those utilized by authoritarian governments like the CCP – these are not laws that belong in a democratic environment – they are for surveillance/police states. Surveillance is power, and it is a direct attack on free and open societies.
Luckily, since the Snowden leaks in 2013, the open source community and security professionals worldwide have been creating tools to help us in these exact types of situations. Nottingham Nerds recommends these tools to everyone, but especially to those who live in countries that have oppressive and sweeping laws which remove basic privacy rights, such as those recently adopted by Australia. We can protect ourselves by using free and open source software (Linux/LUKS disk encryption) as well as true end-to-end encrypted services like Element, ProtonMail, and Signal – as well as tools like ProtonVPN, Tor, and Tails to give us more anonymity online and allow us to bypass censorship.