Perhaps I can partly answer my own question? Section 64A of the in-force Act[1] already has similar provisions for assistance to be provided by a third party in accessing a computer, copying and converting data into a format accessible by law enforcement. However there does not appear to be current provisions for cost recovery if that assistance requires the company/person involved to dedicate significant time and expense.
Table 8 (PDF page 14) of the Surveillance Devices Act 2004 Annual Report 2019-2020[2] states that only 20 such warrants were issued in that year and 11 extensions issued, and none of them were issued as a result of international requests (PDF page 25). The report doesn't indicate how many of these 20 requests resulted in assistance needing to be provided and who needed to provide that assistance.
Given the low count (20) of computer access warrants issued and likely nature that anyone providing assistance would be well aware of whether the request related to e.g. CSAM, I'd guess that most businesses involved may be happy to help out for free even if their business wears a small cost of complying with the order. I suspect though if this Act or new types of warrants generated significant workload for Australian private sector companies, and warrants were difficult and expensive to comply with, there would suddenly be a lot of backlash.
ACMA states[3] that the private sector self-reported costs during 2019-2020 of AUD$24m related to telecommunications interception legislation and AUD$21m related to metadata retention for at least 2 years. It also reported only 8 requests to block websites (7 being ACMA wanting to block foreign gambling websites) and 17 requests for Internet/communications services being switched off.
Aside from the metadata retention laws which the private sector has reported costing $237m to implement to date (with only ~21% cost recovery from the government), the other costs of complying with law enforcement warrants appear to be fairly minimal in the grand scheme of things and are just a small consideration towards the cost of doing business in Australia.
These "data disruption warrants" are the most interesting to me:
> Data disruption means adding, copying, deleting or altering data held in a computer. This can only be done in order to frustrate the commission of offences or determine relevance of data. To assist disruption, a warrant can also authorise other facilitative activities, such as entering specified premises, using electronic equipment to obtain access to data, removing a computer from premises, copying data that has been obtained, and intercepting if necessary to carry out the things authorised in the warrant. A data disruption warrant also allows the officer to take actions to conceal the access and the activities, allowing the warrant to be conducted covertly.
> Data disruption warrants can be used to affect data offshore with the consent of an appropriate consenting foreign official (if the location of data is known or can be reasonably determined). They can also be issued internally in an emergency situation, and subsequently authorised by a Judge or AAT member. They can also permit the officer to seek assistance from a person with knowledge of a computer or a computer system to help in carrying out the warrant.
So they can get a warrant to come into your house while you're not home and put a keylogger in your keyboard USB cable, or put a bug on the UART of your router, etc. Or just hacking your cheap Netgear router with one of the hundreds of vulnerabilities that exist.
Scary shit. Sounds like they're pretty drunk with power. Does Australia really have a capable offensive security group like the NSA to pull these sorts of things off, though?
EDIT: note that I'm probably wrong, see reply below by @brongondwana!
---
One problem not being addressed is that via #AABill data access requests can now be submitting without warrants issued by a judge, so it removes the judicial oversight.
Also this law says that all such requests need to be "reasonable", but it doesn't define what that means. For example is blanket surveillance reasonable? AFAIK this law doesn't say. And companies like FastMail cannot report abuse publicly, or the people responsible risk 10 years in jail.
Couple this with the fact that Australia is part of the "Five Eyes", being the only country without a "Bill of Rights", it means that agencies like the NSA could use Australia for their dirty work.
Please correct me if I'm wrong, I haven't read the actual bill, just random commentary on the net.
I'm a FastMail customer, but reading this blog article is leaving me worried, because FastMail keeps mentioning "lawful warrants", but from what I've read warrants aren't needed anymore.
It's pretty sad. I've seen many Australian software companies doing a good job, like FastMail here and their reputation is now tarnished due to incompetent politicians. The wave of populism and stupidity has been spreading.
This seems quite similar to the Australian Assistance and Access Bill [0], which also compels companies to implement new solutions that enable decryption services. This bill also makes it illegal for a compelled person to communicate this order, even to their own company.
Seems like the old trope of Australia being the squishy testbed for shitty US laws is true after all.
I believe section 317ZK, subsection (3) of the act [0] prohibits a provider from bearing the costs of compliance. If I read correctly, the cost is negotiated between the provider and the government and the government bears the cost.
And section 317ZGA [1] explicitly puts compliance with interception warrants (which I believe are the warrants in the new bill) out of scope.
I _think_ the effort a provider has to put in to comply with the new act is primarily limited by 27KP(2)e's "reasonable" wording.
The grandparent comment is likely referring to the TOLA Act, which allows Australian police and intelligence agencies to issue for example technical assistance requests to decrypt or otherwise get access to whatever data they want.
>tech firms and businesses may be penalized up to $7.2 million USD if they don’t respond to the government's requests [1]
>The legislation ... creates a new framework for law enforcement agencies to request or compel technical assistance from tech companies, even to create new capabilities such as backdoors to get around the encryption in some of their products. [2]
They request a backdoor in the encryption and if the cooperator does not cooperate, then fine the company / Australian citizen and if they enter the country again, they can go to jail.
> Under the proposals, people who are not even suspected of a crime would face a fine of up to $50,000 and up to five years’ imprisonment for declining to provide a password to their smartphone, computer or other electronic devices.
> Furthermore, anyone (an IT professional, for example) who refuses to help the authorities crack a computer system when ordered will face up to five years in prison. If the crime being investigated is terrorism-related then the penalty for non-compliance increases to 10 years in prison and/or a $126,000 fine.
> Tech companies who refuse to assist authorities to crack encryption when asked to do so, will face up to $10 million in fines. What’s more, if any employee of the company tells anyone else they have been told to do this, they will face up to five years in gaol.
My understanding of the law is that the Australian government can demand assistance from Microsoft as long as Microsoft provides services to Australians. The location of the data is actually irrelevant.
> One problem not being addressed is that via #AABill data access requests can now be submitting without warrants issued by a judge, so it removes the judicial oversight.
TANs require a warrant (or rather, a TAN is unenforceable if it would require the agency to get a warrant -- but a TAN instead is a method to give force to a warrant). The restrictions on notices are in s317ZH (which is a while after the definitions of the notices so people might be forgiven for misunderstanding the limitations).
> And companies like FastMail cannot report abuse publicly, or the people responsible risk 10 years in jail.
5 years in gaol is the limit. There are also processes for them to provide statistical information about how many notices they've received, as well as provisions for courts and the Commonwealth Ombudsman to make public notice information.
> Couple this with the fact that Australia is part of the "Five Eyes", being the only country without a "Bill of Rights", it means that agencies like the NSA could use Australia for their dirty work.
This is definitely true, and GCHQ has already started requesting similar powers in the UK (not that they need to, since they can just use the Australian powers). There are several provisions in the act which specify that it can be used for investigations into "serious foreign crimes".
> Please correct me if I'm wrong, I haven't read the actual bill, just random commentary on the net.
I would recommend reading it, a lot of people haven't.
Australia is pushing for client-side scanning too:
"We know there are a number of solutions that would ensure illegal activity online can be addressed, without weakening encryption and still allowing lawful access to information needed in serious criminal investigations. Solutions include: using certain types of encryption that allow proactive tools to function, implementing proactive detection tools at transmission, rather than on receipt, moving AI and proactive technical tools to the device level."[1]
The main problem with client-side scanning is that to have any effectiveness it requires a situation where "Trusted Computing" becomes a legal requirement for sale and use of computing or communications devices, where only registered operating systems can be installed and software can only be installed from registered application stores. And in terms of the Internet, registered operating systems would have to only permit access to registered web services, and registered web services would find themselves quickly unregistered if they allowed end users to execute their own scripts within a browser session. It'd require the end of "General Purpose Computing"[2] e.g. along the lines of regulations such as [3].
Criminals are being pushed increasingly down the Phantom Secure [4] path (developing their own technology that doesn't implement backdoors, client-side scanning, etc), and in response, public policy is increasingly seeking to outlaw[5] "General Purpose Computing" and the current decentralised model of communications. It'll take a long time, but perhaps over the course of the next 20 years we'll see the end of "General Purpose Computing"?
Councils already access metadata in accordance with the Telecommunications Act.[1]
I provided the links to the amended Telecommunications ( Interception ) Act 2006 as it describes the warrant system required for stored data or content. Not data in transit.
Those agencies that have a more direct linkage to federal funding, for example, the ATO on the input side, and Social Security, for example, Jobcentres on the output side, are those bodies that probe metadata the most it would appear, under the provisions in the Act regarding defrauding the public finances without suspicion of criminality or otherwise, though such a suspicion is in itself also a justification.
While the funding provided to local councils via the states is also public funding, direct funding by the Commonwealth has as its aim efficiency of course, but also control and competitive negotiation between councils. The single representative present at the COAG meetings can only be partly effective at representation given the competition between the states. One size doesn't fit all, and there is a case to be made for greater efficiencies by having direct negotiation with the Commonwealth, and for greater formalisation over things like standards of delivery and varieties of services.
With these advantages also comes responsibility, in things like reporting and budget control. Just as happens with the states that have an interest in maximising funding, and where effectively punitive financial penalties are extracted in future COGM rounds because of either malperformance or political difference, I contend that the pressure upon councils to protect their funding will only increase, as it has with the states, which face competitive constraints. Some will win and some will lose, but maintaining maximum levels is something that we expect in any case.
This is a significant constitutional change I think. Local councils, when directly accountable to the Commonwealth, and as providers of services financed from general Commonwealth revenue, will I think behave more broadly alike in their attitude to income and expenditure, and use the methods already allowed them, and already employed by certain other councils. The linkage between council revenues and the revenues considered exactly in the Telecommunications Act are more direct perceptually.
I think Australians should be cautious about this, and so do some of Australia's politicians as well. [2]
That legislation also has Technical Assistance Requests (TAR) where company isn't compelled but can choose to comply. As not trying to compel they have few safeguards in being issued and less limitations on what can be requested.
Not a user and not an Australian but that sounds like a bad deal for customers. Especially since warrants will probably not be thoroughly checked in the future. So the invasion of privacy seems to be seen as a trifle.
Protection of the public revenue is the clause in the telecommunications act 1997 that the Australian Tax Office and Job Centre investigators often rely on. Access to metadata does not require a warrant. In some cases, telcos can provide information to allowed agencies even without certification.
I'm fairly convinced that local governments will be motivated to protect their own revenue with methods that are specifically designed to protect the public revenue. Already we are seeing some councils using these methods. The number of accesses must be reported, and these reports form the basis of recent news stories on this subject. It remains to be seen whether there are any real constraints on the volume of queries when and if local governments are directly funded by the federal government.
By federal taxing powers I mean what is generally described in [1]
There is history in the relationship between the Federal and local governments. Reference the Whitlam governments attempt at bringing local government under federal control, which failed, and the Fraser government etc [2]
The COAG meetings provide the mechanism for state funding, through which local councils currently are funded. There is one local government representative present at COAG meetings [3][4]
Part 13 of the Telecommunications Act and access to metadata.[5].
The amendments relevant to warrants for access to content of stored electronic communications and the Telecommunications (Interception) Amendment Act 2006 are in [6]
(I'm also in NSW)-- The list of "support requests" on the customers page suggests that the tools are used only in accordance with duly-issued warrants. Access would need to be removed once the purpose of the warrant had been fulfilled, but we may never know whether they get that right in practice. Ben Grubb has collated some background information on the operation of those laws.[1]
There are two major pieces of legislation [1][2] that have been enacted in the last few years that have eliminated any expectation of privacy and security in Australia.
The AABill introduced warrants that can be handed down without judicial oversight that compel the recipient (individual or institution) to grant (or, critically, develop the means to grant) read access to any system to the government; while simultaneously acting as a gag order preventing disclosure of the warrant's existence. Violating this gag order would incur jail time.
The IDBill introduced warrants that allow the government to "disrupt data by modifying, adding, copying or deleting data in order to frustrate the commission of serious offences online" and further allows them to impersonate the online profiles of a person deemed significant to a criminal investigation.
Both of these bills were rushed through parliament with minimal opportunity for public comment. Where public comment (from the legal, tech, and human rights arenas) was made, it was universally negative. We have just ousted the government that drove these bills, but the new government (supposedly considerably more left leaning) supported both these bills with minimal opposition and has made no public plans to repeal or amend this legislation.
A previous Prime Minister once said (not in regards to these particular laws): “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
I was also under the impression this can be served to individuals without the knowledge of their employer, leaving the individual in a position where they can consult a single lawyer about the legality of the request and face jail time for discussing the request with anyone else (including employers).
I would need to re-read the act, but the gov website[1] indicates you are correct that these requests are served to organisations and not individuals excepting sole traders.
Not that this is any good, but at least in the US the state pays for the surveillance. Here the businesses have to foot the bill for who knows hoe many unending requests. If you thought it was hard to make a viable tech business in Australia before, well you can forget all about that now.
It's more like if Microsoft and FB were in bed with the NSA. And then they sent you the bill for your own surveillance. And if you didn't pay, then sent you to jail.
Last year the Australian government even went so far as to pass a law allowing them to force companies to sabotage their own products/services in cases where a government agency wants to get access to someone's communications.
Table 8 (PDF page 14) of the Surveillance Devices Act 2004 Annual Report 2019-2020[2] states that only 20 such warrants were issued in that year and 11 extensions issued, and none of them were issued as a result of international requests (PDF page 25). The report doesn't indicate how many of these 20 requests resulted in assistance needing to be provided and who needed to provide that assistance.
Given the low count (20) of computer access warrants issued and likely nature that anyone providing assistance would be well aware of whether the request related to e.g. CSAM, I'd guess that most businesses involved may be happy to help out for free even if their business wears a small cost of complying with the order. I suspect though if this Act or new types of warrants generated significant workload for Australian private sector companies, and warrants were difficult and expensive to comply with, there would suddenly be a lot of backlash.
ACMA states[3] that the private sector self-reported costs during 2019-2020 of AUD$24m related to telecommunications interception legislation and AUD$21m related to metadata retention for at least 2 years. It also reported only 8 requests to block websites (7 being ACMA wanting to block foreign gambling websites) and 17 requests for Internet/communications services being switched off.
Aside from the metadata retention laws which the private sector has reported costing $237m to implement to date (with only ~21% cost recovery from the government), the other costs of complying with law enforcement warrants appear to be fairly minimal in the grand scheme of things and are just a small consideration towards the cost of doing business in Australia.
[1] https://www.legislation.gov.au/Details/C2019C00296
[2] https://www.homeaffairs.gov.au/nat-security/files/surveillan...
[3] https://www.acma.gov.au/sites/default/files/2020-12/Telecomm...
reply