Electronic surveillance laws, including those around interception, are set to be overhauled following a comprehensive review into the country's national intelligence community.
Australia’s cyber spy agency will also continue to be limited to offshore operations, with only assistance to be provided to the Australian Federal Police for onshore operations.
A 1300-page declassified report, released along with the government’s response on Friday, contains 203 recommendations to reform the country’s intelligence and security laws.
All but four of the 190 unclassified recommendations have been agreed to by the government in full, part or principle, while a further 13 recommendations are classified.
A key recommendation in the review is that legislation “governing the use of computer access and surveillance devices powers… be repealed and replaced” with a single electronic surveillance Act.
Authorities are granted such powers under Surveillance Devices Act, Telecommunications (Interception and Access) Act and the Australian Security Intelligence Organisation Act.
“In short, we conclude that the legislative framework governing electronic surveillance is Australia is no longer fit-for-purpose,” the report states.
“Successive governments and parliaments have taken care to update the framework.
“However, after 40 years of continued amendments, problems with the framework have accumulated.
“The foundations of the framework, set in a different era, have come under significant pressure.”
The review found the powers were regulated in a “highly inconsistent fashion” and that “outdated technological assumptions” were now hampering agencies.
The TIA Act was found particularly outdated, having been “formulated around the concept of landline telecommunications” some 40 years ago.
“The legislation predates the complexity and scale of internet communications and creates challenges in this environment,” the review said.
It also labelled the TIA Act’s oversight framework for law enforcement agencies “a dog’s breakfast”, and “complex to the point of being opaque”.
But the review also pointed out that “reform of this nature will not be a simple or quick undertaking”, with a new Act likely to take between two and three years to draft.
A further two-year implementation period will be required to “update IT systems, adjust procedures and retain staff”.
“All of this will need to be resources and funded over and above existing budgets, at a cost of more than $100 million over five years.”
As part of the new Act, the review has recommended granting the Attorney-General new powers to “require a company to develop and maintain a specified attribute-based interception capability” for authorities.
In circumstances where such a capability has already been developed, the review suggested that law enforcement and national security agencies “be able to obtain attribute-base interception warrants”, to which the government has agreed.
“There are some circumstances where the benefits to law enforcement or security would justify the cost of requiring selected members of the telecommunications industry to develop and maintain a specified attribute-based interception capability,” the government said in its response.
“In those cases, attribute-based interception would be an effective tool that allows for more targeted interception and reduces the interception of irrelevant communications, when compared with intercepting communications based on specified services and devices.”
Financial transaction watchdog AUSTRAC and corrective services agencies (if state and territory government deem it necessary) are also expected to receive new powers to access telecommunications data under the new Act.
Attorney-General Christian Porter labelled the proposed overhaul “one of the biggest national security legislative projects in recent history – requiring the repeal and rewriting of nearly 1000 pages of laws."
"The TIA Act was developed in 1979. It has lasted remarkably well, but is no longer fit for purpose in the digital world of the internet, smartphones and end-to-end encryption," the Attorney-General said.
ASD remit to remain offshore only
The review also recommended the Australian Signals Directorate’s cyber crime function continue to apply to only people or organisations outside of Australia and “not be extended to apply onshore”.
“Expanding ASD’s functions so it can use its offensive cyber capabilities onshore to combat online child sexual abuse would be a profound change,” the report states.
“It would change the essential character of ASD and give it a domestic enforcement role.”
The report notes it would also be “exceedingly difficult” to limit any domestic law enforcement role to a single crime type, and that the role would eventually “eat into” signals collection from overseas.
“There is only one ASD and its focus should not be diluted,” the report states.
Govt presses ahead with dark web laws, ignoring review
While the review called for the Australian Federal Police's (AFP's) “existing power to disrupt online offending” to continue, the government has already revealed plans to introduce new powers around anonymising technology.
The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, introduced to parliament this week, is slated to give the AFP three new powers.
This includes the ability to take over a person’s online account, collect intelligence from online networks and add, copy, delete or alter data during the course of an investigation.
“The government disagrees with the review’s position that the AFP does not need new powers to disrupt online offending,” the government said in its response to the review.
“New powers should enable agencies to identify and collect intelligence on dark web targets, and to take action against those targets, whether that be through traditional investigation and prosecution, or through further disruption of criminal activities.
“To implement such reforms, [authorities] would likely require the technical assistance of ASD.
“Any technical assistance provided by ASD in support of the proposed new powers should be provided from within ASD’s existing statutory powers and resourcing for counter cyber crime activities.”