Australian government pushing to expand surveillance, hacking powers

News & Analysis
Australian government pushing to expand surveillance, hacking powers

In a disturbing move to broaden its mass surveillance powers, the government of Australia is pushing forward a bill that undermines fundamental rights, including the right to privacy. Disappointingly, this comes mere months after civil society and citizens alike expressed outrage over the Australian intelligence service’s offer to share deeply personal information about ordinary citizens with its Five Eyes partners.

The Bill, which amends the Australian Security Intelligence Organisation (ASIO) Act 1979, is rife with provisions that threaten privacy, including one that would allow ASIO to use any computer, network or Internet communication to remotely gain access to a targeted computer. The Bill expands even further the legal bases for ASIO to hack into computers when they see it as useful to an investigation.

While the Bill provides some clarity on investigation procedures, the proposed powers are entirely disproportionate to the privacy interests of innocent individuals collaterally implicated. Further, given the lack of a constitutional right to privacy or any legal expectation of privacy in Australia, these powers have a significant potential for abuse.

Expanded definitions

The ASIO Minister can issue a warrant for remote computer access if the sought-after data is “important in relation to security” and is thought to exist in a computer. The Bill broadens the definition a “computer” to one or more computers, networks and systems, allowing for a seemingly unlimited number of devices to be included in a single warrant. This definition alone gives ASIO the power to infiltrate multiple networks, jeopardize the integrity of network routers, servers, storage systems and computers and violate the privacy of unrestricted numbers of people. The expansive category of “security” is not defined, nor does it have any limitations.

Further, the Bill defines “target computer” to include any “computer” (computers, networks and systems) likely to be used by a person whose identity may not be known. A network that is likely to be used by a person with an unknown identity could be any network in proximity to the target’s assumed location. All that is required is specifying the person by name or otherwise: an all-encompassing term for anyone ASIO wants to target.

This could permit ASIO to pre-emptively compromise entire networks to catch the target. It is unclear how ASIO determines whether the target is using the network. There is nothing, however, preventing ASIO from inspecting the emails sent, websites visited and intimate files of every single network user to this aim; no personal activities escape the scope of the Act. This gross potential to intrude in the private lives of ordinary citizens that happen to be using the same network contravenes the very rights that ASIO purports to defend.

The broad definitions of the Bill exceed any sensible understanding of targeted surveillance. They threaten democratic principles of accountability to citizens in the form of clear laws and meaningful restrains to the scope of government power. This allows for unrestrained indiscriminate surveillance.

Invasive capabilities

ASIO can add, delete and alter any data on the computer for the duration of the warrant, a maximum of six months. These capabilities existed before, but crucially, only for a single computer in the logical sense of the word. Under the new definition, the warrant allows ASIO to add, alter, delete and copy– an added power– any data on any device on the network. These capabilities raise many concerns:

  • The copying of information: passwords, encryption keys and personal files can be collected and copied to a remote computer to further other intelligence aims.
  • Integrity of evidence: covert modifications and planting of data and network logs can lead to misrepresentations of activity and perversions of justice.
  • The integrity of the network: unfettered access can incur significant economic losses to network administrators and users and create backdoors for outside access to all personal information contained within the network.
  • Impossibility of remedy and notification: ASIO would likely supress any knowledge of the intrusion on national security grounds.

The Bill goes beyond even these alarming concerns. Under provision 25A(4)(ab) ASIO can add, copy, delete or alter any data in any computer or “communication in transit” to access the desired data. A communication in transit in simply defined as any interpersonal communication that travels over a telecommunications network or communications between “things and things”. This can include emails sent in confidence, website pages loaded on the user’s screen or updates sent to the computer.

ASIO can manipulate communications and data if they think the use is reasonable and merely consider all other methods that are “likely to be as effective”. This language obfuscates the intention of the provision, and does little to constrain the actions of ASIO. Other methods will seldom be as effective. Modified communications– a trusted interpersonal communication or a website requested by the user– are the least suspicious means to hack into a computer.

The amended capabilities strongly suggest that ASIO will infiltrate networks using intrusion technology. Intrusion technology, in recent years coming into the spotlight as the preferred tool of repressive regimes to target their citizens, can come in many forms, one of which is called FinFisher whose command and control centre has been found in Australia. The Australian government issued a blanket rejection of Privacy International’s Freedom of Information Act request for clarifications on its use.

Intrusion technology allows the remote injection of malware into a normal file sent as an attachment or downloaded online. Alternatively an application update appearing to come from a legitimate source can be sent to the computer. Recently published information from these tools is a reminder that the use of intrusion technology does not further security; in addition to violating privacy rights of the targets of intrusion tools, their deployment endangers the security and privacy of every single network user.

Intrusion technology can make use of 0-day vulnerabilities, which are unknown and unpatched vulnerabilities in computer applications, to hack into the computer. ASIO would have to research, hoard and buy these vulnerabilities and withhold information about them for continued exploitation. Instead of protecting its citizens, ASIO would open the possibility for other governments and entities with malicious intent to exploit the same vulnerabilities, jeopardizing the privacy and security of all users.

Low threshold for harm

All the above activities cannot “materially interfere with” the computers and communications involved. Material interference is ambiguous. Are damages to software considered material? Is irreparable damage to computer files considered material? Or does material only include damage to hardware components? Whatever the damage is, it can occur if it’s “necessary” to satisfy the warrant.

The potential damage is not balanced by accounting for its impact or the collateral rights violated. There is nothing to suggest that a clearly specified process overseen by a judicial authority governs the act of hacking. It seems that an  ASIO officer can inflict damage at will. The Bill also includes a provision that allows the Director General to make an agreement with a foreign power to designate a member of their staff as an “ASIO affiliate”. By doing so, ASIO allows foreign intelligence agents – likely drawn from the intelligence agencies of its Five Eyes partners – to conduct the hacking, increases intelligence sharing and insulates the foreign agent from any liability.

The Australian government has failed to provide a substantive justification for this imprudent escalation of power. The government has not only ignored evaluating the effectiveness of the hacking in achieving security, but has given virtually no considerations to the privacy rights of the unlimited number of people affected by the Bill. It is this disregard for the rights of citizens in the face of miscalculated security concerns that undermines the confidence of Australians in their government. Lawmakers must now take the opportunity regain the lost trust and strike down these provisions.