The anti-encryption laws passed by the federal parliament last year have been used to bypass journalist protections in other national security laws, a cybersecurity researcher has said.
The parliamentary joint committee on intelligence and security has launched a review into the Telecommunications (Assistance and Access) Act, which passed into law at the end of 2018.
The legislation made a number of changes to existing laws governing law enforcement access to data, and in what situations tech companies are required to help law enforcement to be able to view that data, even if that data is encrypted.
One part of the law updated the powers law enforcement have in executing a warrant. Added into the Crimes Act was the power for agencies to “add, copy, delete or alter” data on computers as part of the execution of warrants.
It was this new power the Australian federal police relied on, in the now-infamous photos of AFP officers clicking through and reviewing files for hours on end at the ABC headquarters.
The Department of Home Affairs admitted to using the new power in a submission to the review, stating the AFP relied on the power in raiding the ABC and the Canberra home of News Corp journalist Annika Smethurst in June.
“In June 2019, the Australian federal police executed two search warrants in relation to secrecy offences in part 6 (offences by and against public officers) and part 7 (official secrets and unlawful soundings) of the Crimes Act,” the Department of Home Affairs stated.
“In executing these search warrants, the AFP used section 3F of the Crimes Act, which was amended by schedule 3 of the Assistance and Access Act.”
This undermined protections granted to journalists under other national security legislation, said cybersecurity researcher Riana Pfefferkorn, an associate director of surveillance and cybersecurity at the Stanford Centre for Internet and Society.
Data retention legislation passed in 2015 had a carve-out for journalists that required law enforcement to obtain a special journalist information warrant, but Pfefferkorn said in a personal submission to the review that the combination of the new powers meant the information warrant need not be obtained.
“Law enforcement’s powers granted under the Data Retention Act in 2015 were augmented by the new powers the Assistance and Access Act provided at the end of 2018, creating the framework that authorised the federal police in mid-2019 to raid the homes and offices of journalists over articles published in July 2017 and April 2018, in defiance of international norms,” she said.
“Because parliament passed these laws, the federal police had the power to strike a chilling blow against press freedom in Australia, and call it lawful.”
Tech companies remain concerned at the implementation of the encryption law overall.
The Australian Information Industry Association, which represents a wide range of tech companies including Apple, Adobe, Cisco, Deloitte, Google and IBM, said that some multinational members of the association had already considered pulling out of Australia due to the legislative compliance obligations.
“There is broad consensus across the ICT industry on the adverse effects this legislation will have for Australian business and economic interests, the group said.
The commonwealth ombudsman, too, repeated concerns about the scope of the new laws.
In a submission, the ombudsman said that the law still gives the home affairs minister the power to delete content from reports by the commonwealth ombudsman if the information could prejudice an investigation or compromise an interception agency’s operational activities.
This is a power no other minister has, the ombudsman said, and should be reconsidered.