PJCIS asks for Australia's 'hacking' Bill to gain judicial oversight and sunset clauses
The committee probing the Surveillance Legislation Amendment (Identify and Disrupt) Bill has asked for a few amendments, such as protections around privacy, the requirement for the authorising authority to be a superior court judge, and that other law enforcement options are considered before a warrant is requested, before the Bill is passed.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has recommended the passage of the so-called "hacking" Bill that will afford three new computer warrants to two Australian law enforcement bodies, providing its 33 other recommendations are met.
The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) the new warrants for dealing with online crime.
The first of the warrants is a data disruption one, which according to the Bill's explanatory memorandum, is intended to be used to prevent "continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities".
The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.
The last warrant is an account takeover warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account.
The Bill has been criticised for its "wide-ranging" and "coercive" powers by the Office of the Australian Information Commissioner (OAIC), human rights lawyers have asked the Bill be re-drafted, and the likes of Twitter have labelled parts of the proposed Bill as "antithetical to democratic law".
After considering all the submissions made and testimonies provided on the Bill, the PJCIS in its report [PDF] has called for some tweaks, such as amending the Bill to provide additional requirements on the considerations of the issuing authority to ensure the offences are reasonably serious and proportionality is maintained.
"The effect of any changes should be to strengthen the issuing criteria and ensure the powers are being used for the most serious of offending," it added.
The committee wants the issuing authority for all of the new powers introduced by the Bill, including emergency authorisations, to be a superior court judge, either of the Federal Court or a state or territory Supreme Court, except for account takeover warrants which may be granted by an eligible Judge as law according to the Surveillance Devices Act 2004.
The issuing authority, PJCIS asked, must give consideration to third parties, specifically their privacy, and to privileged and journalistic information.
It wants the Bill amended so that, in order to provide an emergency authorisation for disruption of data held in a computer, an authorising officer must be satisfied that that there are no alternative means available to prevent or minimise the imminent risk of serious violence to a person or substantial damage to property and that they consider the likely impacts of the proposed data disruption activity on third parties.
In addition, the committee said the Bill should be amended so that, where an issuing authority declines to retrospectively approve an emergency data disruption authorisation, the issuing authority may require the AFP or ACIC to take remedial action, including financial compensation.
The OAIC previously testified the definition of a "criminal network of individuals" has the potential to include a significant number of individuals, including third parties not the subject or subjects of the warrant who are only incidentally connected to the subject or subjects of the warrant.
To remedy that, the PJCIS has asked the definition under the network activity warrant require there to be a reasonable suspicion of a connection between the suspected conduct of the individual group member in committing an offence or facilitating the commission of an offence and the actions or intentions of the group as a whole.
Where applying for authorisation is concerned, the committee wants changes made to reflect that only an AFP or ACIC law enforcement officer can apply for a data disruption warrant or an account takeover warrant. The person must also be approved, in writing, by either the AFP Commissioner or ACIC CEO to apply for data disruption warrants, and the relevant agency head must also be satisfied that person possesses the requisite skills, knowledge, and experience to make warrant applications.
Further amendments requested include that the individual must make a sworn affidavit setting out the grounds of an application for an account takeover warrant.
The PJCIS has asked the issuing criteria for each of the warrants require satisfaction that the order for assistance, and not just the disruption of data, is "reasonably necessary to frustrate the commission of the offences that are covered by the disruption warrant; and justifiable and proportionate, having regard to the seriousness of the offences that are covered by the disruption warrant and the likely impacts of the data disruption activity on the person who is subject to the assistance order and any related parties".
It wants it made clear that decisions under the Bill are not excluded from judicial review.
The PJCIS wants the Bill to impose a maximum period for a non-emergency mandatory assistance order to be served and executed, and asked that if the order is not served and executed within that period, the order will lapse and a new order must be sought.
It also wants all applications for a non-emergency mandatory assistance order to be made in writing and for the AFP and the ACIC, unless absolutely necessary, to be prohibited from seeking a non-emergency mandatory assistance order in respect of an individual employee of a company.
Further amendments include the Bill making it clear that no mandatory assistance order can ever be executed in a manner that amounts to the detention of a person, and that the Bill introduce immunity provisions for both assisting entities and those employees or officers of assisting entities who are acting in good faith with an assistance order.
The AFP and ACIC, the committee said, should also be required to notify the Commonwealth Ombudsman or the Inspector-General of Intelligence and Security (IGIS) as soon as reasonably practicable if they cause any loss or damage to other persons lawfully using a computer. Similarly, the PJCIS wants any computers that have been removed from premises under a data disruption warrant or a network activity warrant required to be returned to as soon as reasonably practicable.
Elsewhere, PJCIS has requested an amendment to allow it to conduct a review of the three warrants no less than four years from when the Bill receives Royal Assent. It also wants each of the new powers to sunset five years from the date on which the Bill receives Royal Assent.
The final recommendation, recommendation 34, simply states: The committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be passed, subject to the amendments outlined above.