Australian govt makes play for sweeping online account takeover powers

Federal law enforcement agencies are set to receive sweeping online account takeover powers under new legislation designed to cripple serious criminal activity on the dark web.

The new laws will also give the Australian Federal Police and the Australian Criminal Intelligence Commission the ability to disrupt criminal activity and collect intelligence.

Home Affairs Minister Peter Dutton introduced the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 in Parliament this morning after months of speculation.

It follows $90 million in funding in the government's cyber enhanced situational awareness and response (CESAR) package to strengthen the AFP's cyber crime investigative capabilites.

“As technology has changed so too has the tradecraft of criminals,” Dutton said introducing the bill on Thursday.

“Multiple layers of technologies that conceal the identities, IP addresses, jurisdiction, location and activities of criminals are increasingly hampering investigations into serious crimes.

“This includes child sexual abuse, terrorism and the trafficking of firearms and illicit drugs.”

Dutton said the new laws will give the AFP and the ACIC three new powers to “shine a light into the darkest recesses of the online world and hold those hiding there to account”.

He noted existing computer access warrants available to the agencies were “not designed to address the new threats perpetrated by the increased use of anonymising technologies”.

Network intelligence

The first power will allow for the collection of intelligence from online networks using a new “network activity warrant”, allowing investigators to identify offenders on the dark web.

“Network activity warrants will allow officers to access networks being used by criminal gangs, whose members are suspected of being involved in serious online offenses,” Dutton said.

“This warrant will be available when the member’s identities are unknown to authorities, allowing the suspects' online identifying information to be collected as the first step in an investigation.”

Dutton explained the warrant could be issued by a judge or Administrative Appeals Tribunal (AAT) member where there was “reasonable grounds to suspect a group is a criminal network”.

However, the intelligence must be “relevant to the prevention, detection or frustration of an offense with a maximum penalty of at least three years imprisonment”, and will not be admissible in court.

Criminal offenses will apply to “any unlawful disclosure of information collected using a network activity warrants, while “additional safeguards” will be introduced to protect “legitimate users”.

Data disruption

Agencies will also be able to remotely “disrupt criminal activity that is being facilitated or conducted online by using computer access techniques” under a “data disruption warrant”.

The “covert power” will allow the AFP and the ACIC to “add, copy, delete or alter data to allow access to and disruption of relveant data in the course of an investigation”.

“For example, investigators who become aware of child abuse images being shared online will be able to modify or delete that material to prevent its further spread,” Dutton explained.

“This will halt the further victimisation of children in the images, while police work to bring their abusers to justice."

For a warrant to be issued, the judge or AAT member will need to be satisfied there are “reasonable grounds for suspecting that a criminal offence is being committed and disruption is necessary”.

Account takeover

A third “account takeover power” will allow officers to take control of a person’s online account to gather evidence about serious offences, as well as that of their associates.

It is expected to help law enforcement “uncover identities of individuals operating online and identify potential victims”.

Any takeover will be “covert” and “forced”, according to the bill's explanatory memorandum, whereas at present agencies can only take over a person's account with their consent.

“The account takeover power will enable an officer to obtain exclusive control of an online account and prevent the person's continued access to a forum, and the further dissemination of child abuse material,” Dutton said.

“A magistrate will need to be satisfied that there are reasonable grounds for suspicion and account takeover is necessary for the purpose of gathering evidence for a serious offense.

“The nature and extent of the suspected criminal activity must justify the account takeover.

“When issuing a warrant the magistrate must consider the existence of alternative means of obtaining the evidence that is being sought and the extent to which privacy of any person is likely to be affected.”

Agencies will need to report on the use of the data disruption warrants and network activity warrants in the Surveillance Devices Act annual report, while account takeover warrants will be reported in the Crime Act annual report.

The Commonwealth Ombudsman will supervise the use of data disruption warrants and account takeover warrants, and the Inspector-General of Intelligence and Security the network activity warrants.

More to come