New surveillance laws give authorities the power to change social media posts
A new law gives Australia’s police unprecedented powers for online surveillance, data interception and data modification. These powers, outlined in the Surveillance Law Amendment (Identify and Disrupt) Bill, raise concerns about potential abuse, privacy and security.
The bill updates the Surveillance Devices Act 2004 and the Telecommunications (Interception and Access) Act 1979. In essence, it allows law enforcement agencies or authorities (such as the Australian Federal Police and the Australian Criminal Intelligence Commission) to modify, add, copy or delete data during the investigation of serious online crimes.
The Human Rights Law Center says the bill does not contain enough guarantees for freedom of speech and press freedom. Digital Rights Watch calls it a “warrantless surveillance regime” and notes that the government ignored recommendations from a bipartisan parliamentary committee to limit the powers granted by the new law.
Additionally, legal hacking by law enforcement can make it easier for criminal hackers to gain access to computer systems through the same vulnerabilities used by the government.
What is in the law?
The bill introduces three new powers for the police:
- “data disruption warrants” allow authorities to “disrupt data” by copying, deleting or modifying data as they see fit
- “network activity warrants” allow the collection of intelligence from devices or networks that are used, or likely to be used, by the subject of the warrant
- “account takeover warrants” allow agencies to take control of an online account (such as a social media account) to gather information for an investigation.
There is also an “emergency clearance” procedure that allows these activities without a warrant under certain circumstances.
How is this different from previous laws?
Previous legislation, such as the Telecommunications (Interception and Access) Act of 1979 and the Telecommunications Act of 1997, contained more stringent privacy protections. These laws, and others such as the Surveillance Devices Act 2004, authorize law enforcement agencies to intercept or access communications and data under certain circumstances.
However, the new bill gives agencies unprecedented interception or “hacking” powers. It also allows “assistance orders,” which could require selected individuals to help the government hack or face up to ten years in prison.
Why are the police saying this bill is necessary?
According to the Interior Ministry, more and more criminal activities are using the “dark web” and “anonymization technologies”. Prior powers are not enough to keep up with these new technologies.
In our opinion, specific and targeted access to user information and activities may be necessary to identify possible criminals or terrorists. In some cases, law enforcement agencies may need to edit, delete, copy, or add user content to prevent things like the distribution of child exploitation material. Lawful interception is essential to protect public and national security in the global community’s fight against cybercrime.
How does lawful data interception work?
“Lawful interception” is network technology that enables electronic surveillance of communications, as authorized by court or administrative orders. There are standards (i.e. regulations and rules) for telecommunication and internet service providers to achieve this goal, such as those recommended by the European Telecommunications Standards Institute.
Law enforcement agencies may require service providers to hand over copies of communications data, decrypted data, or intercepted data without notifying users. Service providers may also need to provide analytical tools such as charts or tables of target behaviors.
What are the privacy concerns?
The Australian Information Commissioner’s office and others have also raised privacy concerns. The bill could affect third parties who are not suspected in the course of criminal activity investigations. In particular, the bill may allow access to the computers, communications and data of third parties.
The Human Rights Law Center argues that the proposed extended powers have the potential to force anyone with relevant knowledge of the targeted computer or network to engage in hacking activity. In some cases, this may conflict with an individual’s right not to incriminate himself.
Allowing law enforcement agencies to modify potential evidence in criminal proceedings is also a major concern. Detecting and preventing inappropriate data disruption will be a key issue.
The implementation of the new mandates must be in accordance with the Privacy Act 1988, which was introduced to promote and protect the privacy of individuals and to regulate Australian government agencies and organizations. When certain organizations can benefit from exceptions to the Privacy Act, it is important to find a balance between the impacts on public safety and privacy.
What are the security issues and impacts?
The Identification and Disruption Bill is part of a larger body of Australian digital surveillance laws, including the Telecommunications and Other Law Amendments (Assistance and Access) Act 2018 (TOLA) and the Telecommunications (Interception and Access) Act (Data Retention) 2015 (the mandatory metadata retention program).
Under the Identification and Disruption Bill, it is possible to access encrypted data that could be copied, deleted, modified and analyzed before its relevance can even be determined. This greatly compromises the privacy and digital rights of users.
Modern encryption can be very difficult to crack, so hackers often exploit other vulnerabilities in a system to gain access to unencrypted data. Governments would also use these vulnerabilities for their own lawful hacking.
Specifically, they depend on “zero-day exploits,” which use software vulnerabilities unknown to vendors or software developers, to hack into a system. These vulnerabilities could be exploited for months or even years before being patched.
A conflict of interest can arise if law enforcement uses zero-day exploits for lawful hacking. To protect citizens, we expect these agencies to report or disclose any software vulnerabilities they discover to software makers so that the weakness can be fixed.
However, they can instead choose not to report them and use the vulnerabilities for their own hacking. This puts users at risk, as any third party, including criminal organizations, could exploit these so-called “zero-day” vulnerabilities.
It is not an abstract concern. In 2016, the CIA’s own secret stash of hacking tools was stolen and released, underscoring the risk of these activities. The Chinese government has claimed that the CIA has been hacking targets in China for more than a decade using these and similar tools.
The government’s use of hacking tools can lead to an overall degradation of cybersecurity. The warrant powers given to Australian law enforcement agencies can protect public safety and national interests, but they can also provide adversaries with powerful means to access government data.
This includes the data and online accounts of targeted individuals such as state officials, which can have a significant impact on national security. This possibility should be considered in the light of the adoption of the new bill.
While the bill’s rationale for public safety over privacy may be questionable, there is no doubt that the security aspects should not be compromised.
Article by James Jin Kang, Senior Lecturer, Computer Science and Security, Edith Cowan University and Jumana Abu-Khalaf, Computer Science and Security Researcher, Edith Cowan University
This article is republished from The Conversation under a Creative Commons license.