New surveillance laws give authorities the power to change social media posts
Legal hacking by law enforcement may make it easier for criminal hackers to illegally access computer systems
What’s in the law?
The bill introducesthree new powersfor law-enforcement agencies:
There is also an “emergency authorization” procedure that allows these activities without a warrant under certain circumstances.
How is this different from previous laws?
Previous legislation, such as theTelecommunications (Interception and Access) Act 1979and theTelecommunications Act 1997, containedgreater privacy protections. Those laws, and others such as theSurveillances Devices Act 2004, do permit law-enforcement agencies to intercept or access communications and data under certain circumstances.
However, the new bill gives agencies unprecedented interception or “hacking” powers. It also allows “assistance orders”, which could require selected individuals toassist government hackingor face up to ten years in prison.
Why do police argue this bill is required?
According to the Department of Home Affairs,more and more criminal activitymakes use of the “dark web” and “anonymizing technologies”. Previous powers are not enough to keep up with these new technologies.
In our view, specific and targeted access to users’ information and activities may be needed to identify possible criminals or terrorists. In some cases, law enforcement agencies may need to modify, delete, copy or add content of users to prevent things like the distribution of child exploitation material. Lawful interception is key to protecting public and national security in the fight of the global community against cybercrimes.
How does lawful data interception work?
“Lawful interception” is a network technology that allows electronic surveillance of communications, as authorized by judicial or administrative orders. There are standards (which means regulations and rules) for telecommunication and internet service providers to achieve this, such as those recommended by theEuropean Telecommunications Standards Institute.
Law-enforcement agencies mayrequireservice providers to hand over copies of communications data, decrypted data, or intercepted data without notifying users. Service providers may also have to make available analytical tools such as graphs or charts of target behaviors.
What are the privacy concerns?
The Office of the Australian Information Commissioner and others have alsoraised privacy concerns. The bill may impact third parties who are not suspected in the investigation of criminal activities. In particular, the bill can authorize access to third party computers, communication, and data.
The Human Rights Law Centre argues the proposed broad powers canpotentially compelany individual with relevant knowledge of the targeted computer or network to conduct hacking activities. In some cases, this may clash with an individual’s right to freedom from self-incrimination.
Enabling law enforcement agencies to modify potential evidence in a criminal proceeding is also a major issue of concern. The detection and prevention of inappropriate data disruption will be a key issue.
The implementation of the new warrants needs to be in line with thePrivacy Act 1988which was introduced to promote and protect the privacy of individuals and to regulate Australian government agencies and organizations. Where some agencies may have exemptions against the Privacy Act, it is important tobalancebetween public safety andprivacy impacts.
What are the security issues and impacts?
The Identify and Disrupt Bill is a part of an extensive set of Australian digital surveillance laws, including the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA), and the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (the Mandatory Metadata Retention Scheme).
Under the Identify and Disrupt Bill, access can be gained to encrypted data which could be copied, deleted, modified, and analyzed even before its relevance can be determined. This significantly compromises users’ privacy and digital rights.
Modern encryption can be very hard to crack, so hackers often exploit other vulnerabilities in a system to gain access to unencrypted data. Governments too are reportedlyusing these vulnerabilitiesfor their own lawful hacking.
Specifically, they depend on “zero-day exploits”, which use software vulnerabilities that are unknown to software vendors or developers, to hack into a system. These vulnerabilities could be exploited for months or even years before they are patched.
A conflict of interest may arise if law enforcement agencies are using zero-day exploits for lawful hacking. To protect citizens, we would expect these agencies to report or disclose any software vulnerabilities they discover to the software manufacturers so the weakness can be patched.
However, they may instead choose not to report them and use the vulnerabilities for their own hacking. This puts users at risk, as any third party, including criminal organizations, could exploit these so-called zero day vulnerabilities.
It’s not an abstract concern. In 2016, the CIA’ssecret stash of hacking toolsitself was stolen and published, highlighting the risk of these activities. The Chinese government has claimed the CIA washacking targets in Chinafor more than a decade using these and similar tools.
Government use of hacking tools may result in worse cyber security overall. The warrant powers given to Australian law enforcement agencies may protect public safety and national interests, but they may also provide powerful means for adversaries to access government data.
This includes the data and online accounts of targeted individuals like state officials, which may significantly impact national security. This possibility needs to be considered in light of the passing of the new bill.
Whilst the justification of the bill for public safety over personal privacy can be debatable, there is no doubt that the security aspects should not be undermined.
Article byJames Jin Kang, Lecturer, Computing and Security,Edith Cowan UniversityandJumana Abu-Khalaf, Research Fellow in Computing and Security,Edith Cowan University
This article is republished fromThe Conversationunder a Creative Commons license. Read theoriginal article.
Story byThe Conversation
An independent news and commentary website produced by academics and journalists.An independent news and commentary website produced by academics and journalists.
Get the TNW newsletter
Get the most important tech news in your inbox each week.
