No Warrant? No Problem. Surveillance down under
How recent legislative changes in Australia are eroding civil liberties, turning the country into a surveillance state
Australia's the only western nation without a bill of rights[1]. As such we're the guinea pigs of groundbreaking legislation that's turning us into a surveillance state to aid our Five Eyes allies in surveillance they otherwise wouldn't be allowed to undertake. Australia has seen many suggested laws that could "force [telcos] ... to do whatever the government of the day wants"[2] or mean prison for "refusing to provide [police] passwords ... [even] people who are not suspected of a crime"[3]. Laughable as these are, similarly unprecedented laws have been enacted lately, pushed quickly through parliament as the public were distracted by a global pandemic.
You'd be hard pressed to find someone that doesn't support Australia's intelligence agencies investigating the likes of terrorism and child abuse through proper and balanced judicial process. However, when laws are introduced under the guise of addressing these issues, but then extend far beyond their original scope, allowing for warrantless surveillance and judicial bypass, they quietly erode civil liberties, evade scrutiny, and open the door to abuse without accountability.
So terrified are they of the public grasping the extent of the erosion of their rights, they have taken to raiding journalists who dare to report on such matters[4], ostensibly to intimidate and silence. To shed light on these developments, here are straightforward summaries of recently enacted laws and a twist on an old one, aiming to raise awareness and understanding.
Disclaimer: I'm not a lawyer, nor do I guarantee 100% accuracy; these are just compiled notes from many a late-night read.
Warrantless Tracking of Individuals
Australian Security Intelligence Organisation Amendment Act 2020
The debut of a distracting international pandemic had Dutton cleverly introduce a bill[5] "to introduce legislation giving ASIO the power to question 14-year-old children, interfere with the rights of legal advisers, and enable the tracking of individuals without the need for a warrant"[6]. Paperwork? Oversight? Nah... "ASIO officers will have the power to track individuals and will only have to get the OK to do so from another ASIO officer"[6]. What kind of tracking? Well... any technology ASIO "has access to"[6].
Warrantless Access to Metadata
Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
Since 2015, telcos have been required to retain metadata on telecommunications such as phone calls/SMS, emails and their attachments, device location histories[7] (full URLs seem to also be captured[8] - despite being exempted in the act[9]) - which is plenty to indict or build a dossier on someone even if actual content is not being stored. Originally, 22 law enforcement and security agencies were intended to have warrantless access to this metadata[10]; however, Home Affairs conceded they don't "even know how many agencies have been authorised to access telecommunications metadata without a warrant, let alone what for", allowing the likes of local councils and the RSPCA to snarf the data[11]. This was enacted under the guise of preventing terrorism and child abuse, and yet of the roughly half a million requests a year[12] the single highest access reason is for drug offences[13]. There were promises of harsh penalties for those who abuse data retention powers, only for the AFP to illegally access data within two weeks of commencement[14] - with hundreds of documented instances of abuse left unpunished[15]. Despite the goodwill of the act to force encryption of this data[16], exemptions have been granted[16].
Warrantless Hacking, Account Takeover and Forced Assistance
Surveillance Legislation Amendment (Identify and Disrupt) Act 2021
This "warrantless surveillance regime"[17] empowers the AFP to hack your computers, phones and accounts without a warrant[18]. The bill flew through both houses in a single day[19] - leaving MPs no time to review it[20] - and it didn't pop up on the public's radar because this was in the midst of a COVID breakout[21]. The legislation goes against the government's own review into hacking powers[22] and no meaningful recommendations from a bipartisan parliamentary committee's review were implemented[23], including the suggestion to have a public interest advocate on behalf of the hacked person[17] - who at no point is notified, mind you, not even retroactively. Powers include data manipulation which may allow for the doctoring of evidence, which is a valid fear given police have "such an appalling record throughout Australia of planting evidence and wrongly locking up people for years and decades"[24]. It also allows for "assistance orders" to require a person "to provide any information or assistance that is reasonable and necessary" to help hack. So if you work at a telco, ISP or otherwise, or work in IT/cybersecurity - watch out - but don't be a hero and speak out or refuse because that's 10 years in prison and/or $100,000+ fines[25]. Despite Dutton's promise that only "terrorists, paedophiles and drug traffickers" would be targeted[26], the act's scope is so broad that theft and the illegal import of fauna are fair game[27].
Warrantless Device Seizing and Cloning
The Australian Border Force has the power to require you to surrender electronic devices[28] and take a copy of them[29] without a warrant. Whilst you're not legally required to hand over your password[30], they'll happily claim "you are required to provide the passcodes for your mobile phones"[31] knowing no one knows their rights. Even if you put your foot down, a) they can take your device indefinitely[32], which is not something you want after an international trip when you just want to get home, and b) Home Affairs has contracts with Grayshift[33] and Cellebrite[34], which sell software to bypass smartphone passwords[35]. Once the copy's made, they can share it around[36], store it for however long they like, and have their way with it as they like[37] - there's also no guarantee they haven't added a backdoor or malware to it. In five years, 40,000 devices were searched[38].
Forced Communication Decryption with Little Judicial Oversight
Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018
The Australian government legislated an amendment to "assist law enforcement or intelligence to decrypt a communication"[39] as end-to-end encrypted messages bypass their traditional means of collecting evidence[40] (i.e. backdoors). The act allows intelligence agencies to compel "communication providers" (which once defined includes almost everyone under the sun[41]) to let them use pre-existing decryption capability or to develop it[42]. Apple slammed the act, calling it "extraordinarily broad" and "dangerously ambitious"[43], and Atlassian criticised it for "significantly [degrading] the global reputation of the Australian tech sector"[44]. These orders require little judicial oversight provided the request is "reasonable and proportionate"[45]. This is the same government that suggests the following is "reasonable and proportionate":
- Doxing a single mother welfare recipient for criticism of the program[46]
- Prosecuting a whistleblower for exposing government misconduct[47]
- Prosecuting a journalist for the crime of... reporting on kids thrown in concentration camps for seeking asylum[48]
- Having the whistleblower of Australia's misconduct in Afghanistan be the only soldier sent to prison despite the allegations of war crimes and extrajudicial murders[49]
Too bad we won't hear of anything unreasonable or disproportionate because whistleblowing or refusal could see you with $10 million fines and prison time[50]. This isn't some dusty law sitting on a shelf either; it's been used dozens of times[51].
Conclusion
With the culmination of these loopholes, if you're a person of interest, your life can be made very difficult.
All this collected data sits somewhere "securely", and would never be compromised like:
- Service NSW's collection of "driving licences, birth certificates, passports, police checks"[52]
- The passport and visa numbers of Obama, Putin + 29 more[53]
- Australian health records / data[54]
But what do you expect from a government that considered selling citizen biometric data to private companies?[55]