The APF would also like to issue a corrective to what appears to be a misleading understanding in media reports. While reports have correctly noted that the ASD presently has legal authority to monitor Australian citizens to assist domestic intelligence and law enforcement through agreement between the Director of the ASD and the Attorney-General, the reports incorrectly assert this is a form of “judicial authorisation”. An agreement between two heads of agency is a form of executive agreement that is non-compliant with the principles of rule of law. To erroneously suggest that this is a form of judicial authorisation is misleading, and ignores the present state of duress that rule of law is under in Australia.

In response to these issues, the APF calls for:

1. An immediate public denunciation by all Australian political parties of the proposal to decouple ASD activities from prior authorization by the AG.
2. A change in the existing status quo that authorises ASD assistance to domestic agencies based on executive authority between the heads of the agencies in favour of actual judicial authorisation that would uphold rule of law and provide meaningful democratic accountability.
3. That all political parties work together to introduce a comprehensive constitutional rights regime, especially given present day capacities for collection and analysis of digital information.
4. Enhanced resourcing and legal reform that ensures both the Independent National Security Legislation Monitor and Office of the Australian Information Commissioner are fit for purpose.

Contacts:

Good morning. We would like to thank the committee secretary and the panel members for inviting us to provide evidence on the challenges of information communication technologies on law enforcement, on behalf of the Australian Privacy Foundation, Digital Rights Watch Australia, Electronic Frontiers Australia and FutureWise.

Innovations in technology are an important public policy issue that affect all aspects of society, and we are pleased that the panel is devoting attention to this issue.

In our opening statement we would like to reiterate some of the main points from our written submission and provide a brief response to points raised in the written submissions by other government and law enforcement agencies.

We note that almost every party that made a written submission raised the issue of encryption – highlighting that it is crucial for innovation and cyber security, and yet presenting some challenges for law enforcement.

Encryption is an important public policy issue that demands careful and nuanced consideration. Encryption tools, technologies, and services are essential to protect against harm and to shield our digital infrastructure and personal communications from unauthorized access. The ability to freely develop and use encryption provides the cornerstone for today’s global economy. Economic growth in the digital age is powered by the ability to trust and authenticate our interactions and communicate and conduct business securely, both within and across borders. Any attempt to weaken or undermine strong encryption poses serious risks to cyber security. While we recognise law enforcement’s legitimate interest in accessing communications, we are fundamentally opposed to any attempt to weaken encryption given the additional risks this would entail for a range of groups and sectors including banking and finance, government, and the general public.

Encryption does not pose a fatal investigatory hurdle, and by contrast, it is an essential component of cyber security. It protects against cybercrime which is estimated to cost between 1 billion and 17 billion annually. According to the Department of Home Affairs we already see reports of ransomware attacks doubling each year. Weakening encryption will undermine the security of information communication technologies for everyone and will exacerbate these issues. The absence of encryption facilitates easy access to sensitive personal data, including financial and identity information, by criminals and other malicious actors. Once obtained, sensitive data can be sold, publicly posted, or used to blackmail or embarrass an individual. Additionally, insufficiently encrypted devices or hardware are prime targets for criminals.

Given the collective economic and social good that encryption provides we urge the committee to pay attention to existing legal and technical capabilities that enable access to evidence on physical devices in ways that will not unnecessarily inflict the unintended consequences of weakening the security of all digital devices. We outline issues associated with undermining encryption at length on pages 11 to 15 of our written submission, and set forth the existing legal and technical capabilities to access evidence on page 14.

In addition to encryption, and as per our written submission, we also wish to comment on other areas that fall within the inquiry’s Terms of Reference including darkweb policing, Mutual Legal Assistance arrangements for accessing extraterritorial digital evidence and the importance of independent criminological research in these areas. We welcome the committee’s questions on these topics. In summary, law enforcement play an important role in public safety and security, though we contend that law enforcement use of new ICTs should be supported with evidence, consistent with international human rights standards, subject to robust oversight and proper checks and balances – including judicial – and uphold the rule of law.

This article is part of a series originally published on The Conversation on how law enforcement is fighting crime across digital borders.

Australian police are using “poisoned watering holes” to investigate crime on the dark web. By taking over illegal marketplaces that traffic in child pornography or drugs, law enforcement are collecting information about criminals all over the world.

Of course, crimes that occur on the internet often cross international borders, but this situation is creating troubling new standards in transnational policing.

Research, including our own, indicates that as police operations move into online environments, new rules for digital evidence collection and exchange must be developed to assist prosecutions while preserving due process and human rights.

Investigations on the dark web readily transcend geographic demarcations fundamental to the use of search warrants and the admissibility of evidence.

Some enforcement agencies have conducted online investigations and attempted to access or transfer information outside existing domestic and transnational legal frameworks. This is common in cases involving dark web sites that distribute child exploitation material (CEM).

Without proper checks, police could have significantly expanded scope to search homes and computers around the world, even in cases not involving CEM.

Watering holes and network investigative techniques

The techniques used in online investigations can have potentially problematic legal standing.

Playpen was a dark web site used to distribute CEM. The FBI seized the site in 2015, and obtained a warrant to continue its operation on a government server.

The FBI used a Network Investigative Technique (NIT), also known as Computer Network Exploitation, to identify Playpen users. This distributed malware onto any computer used to log into the site.

The NIT enabled the FBI to identify the IP addresses, log-in times, and operating systems of around 150 computers located in the United States and more than 8,000 computers located in 120 countries. Up to 215,000 registered Playpen users globally could be affected.

According to the Electronic Frontier Foundation, Playpen is the largest known US government hacking operation. But it was authorised by a single warrant issued in Eastern Virginia.

Specialist online units in Australia, such as Task Force Argos in the Queensland Police Service, have also used “poisoned watering hole” tactics.

Australian convicted child sex offender Shannon Grant McCoole, who administered “The Love Zone” site, was apprehended after a tip from Danish police. Task Force Argos investigators then effectively ran the site “while feeding information to international law enforcement colleagues”.

The investigation identified many users located in other countries, including several who were prosecuted in the United States.

Details of the warrant used in this investigation are unclear, which is common in cases involving CEM that result in guilty pleas.

Darkweb investigations and the law

There are some established methods for law enforcement sharing information across borders.

Mutual Legal Assistance Treaties (MLATs) are similar to extradition treaties. States seeking access to digital evidence located offshore must first issue a formal request.

MLATs aim to protect the legal rights of people suspected of transnational or offshore offending. However, available US cases involving The Love Zone do not appear to mention MLAT procedures.

This has troubling implications for the right to a fair trial.

It’s possible Task Force Argos informally communicated the IP addresses of US-based site users directly to US authorities. Queensland Police declined to comment on the warrant.

The geographic scope of the Playpen NIT warrant, on the other hand, is extremely unclear. Some US courts have declared the NIT warrant to be valid only within Eastern Virginia.

At least one US court has ruled that warrants to search homes and seize computers outside of this district produced evidence viewed as the “fruit of the poisonous tree”.

In other words, because the dark web’s infrastructure could only enable law enforcement to uncover the locations and identities of suspects through the defective NIT warrant, any physical evidence seized from a subsequent warrant to search a home was inadmissible.

However, some US courts seem willing to admit evidence from the Playpen NIT because the FBI is regarded by the courts as acting in good faith in both seeking and executing it.

Legal geographies of online investigations

Law enforcement agencies are keen to maintain secrecy of dark web CEM investigations. But there is concern from legal experts that informal police networks routinely operate outside of established MLAT procedures.

The MLAT process is slow, technical and cumbersome. This may fuel the acceptance of questionable NITs and exchange of data between police to streamline transnational dark web investigations. But it could also undermine complex cyber-prosecutions and the fairness of criminal trials that rely on electronic evidence.

The informal exchange of criminal intelligence and use of malware is understandable where child welfare is at stake. But these investigative methods undercut current attempts to preserve due process and digital security standards.

Success in these types of investigations cannot solely be measured by prosecution and conviction rates. It should also be measured by the legality, ethics and transparency of transnational investigative procedures and the rules that underpin them.

Ian Warren, Senior Lecturer, Criminology, Deakin University; Adam Molnar, Lecturer, Criminology, Deakin University, and Monique Mann, Lecturer, School of Justice, Researcher at the Crime and Justice Research Centre and Intellectual Property and Innovation Law Research Group, Faculty of Law, Queensland University of Technology

This article was originally published on The Conversation. Read the original article.

Monique Mann, Queensland University of Technology; Adam Molnar, Deakin University, and Ian Warren, Deakin University

An Australian Tax Office (ATO) staffer recently leaked on LinkedIn a step-by-step guide to hacking a smartphone.

The documents, which have since been removed, indicate that the ATO has access to Universal Forensic Extraction software made by the Israeli company Cellebrite. This technology is part of a commercial industry that profits from bypassing the security features of devices to gain access to private data.

The ATO later stated that while it does use these methods to aid criminal investigations, it “does not monitor taxpayers’ mobile phones or remotely access their mobile devices”.

Nevertheless, the distribution of commercial spyware to government agencies appears to be common practice in Australia.

This is generally considered to be lawful surveillance. But without proper oversight, there are serious risks to the proliferation of these tools, here and around the world.

The dangers of the spyware market

The spyware market is estimated to be worth millions of dollars globally. And as Canadian privacy research group Citizen Lab has noted, spyware vendors have been willing to sell their wares to autocratic governments.

There are numerous examples of spyware being used by states with dubious human-rights records. These include the surveillance of journalists, political opponents and human rights advocates, including more recently by the Mexican government and in the United Arab Emirates. In Bahrain, the tools have reportedly been used to silence political dissent.

Commercial spyware often steps in when mainstream technology companies resist cooperating with law enforcement because of security concerns.

In 2016, for example, Apple refused to assist the FBI in circumventing the security features of an iPhone. Apple claimed that being forced to redesign their products could undermine the security and privacy of all iPhone users.

The FBI eventually dropped its case against Apple, and it was later reported the FBI paid almost US$1.3 million to a spyware company, reportedly Cellebrite, for technology to hack the device instead. This has never been officially confirmed.

For its part, Cellebrite claims on its website to provide technologies allowing “investigators to quickly extract, decode, analyse and share evidence from mobile devices”.

Its services are “widely used by federal government customers”, it adds.

Spyware merchants and the Australian Government

The Australian government has shown considerable appetite for spyware.

Tender records show Cellebrite currently holds Australian government contracts worth hundreds of thousands of dollars. But the specific details of these contracts remain unclear.

Fairfax Media has reported that the ATO, Australian Securities and Investment Commission, Department of Employment , Australian Federal Police (AFP) and Department of Defence all have contracts with Cellebrite.

The Department of Human Services has had a contract with Cellebrite, and Centrelink apparently uses spyware to hack the phones of suspected welfare frauds.

In 2015 WikiLeaks released emails from Hacking Team, an Italian spyware company. These documents revealed negotiations with the Australian Security and Intelligence Organisation (ASIO), the AFP and other law enforcement agencies.

Laws and licensing

In Australia, the legality of spyware use varies according to government agency.

Digital forensics tools are used with a warrant by the ATO to conduct federal criminal investigations. A warrant is typically required before Australian police agencies can use spyware.

ASIO, on the other hand, has its own powers, and those under the Telecommunications (Interception and Access) Act 1979, that enable spyware use when authorised by the attorney-general.

ASIO also has expanded powers to hack phones and computer networks. These powers raise concerns about the adequacy of independent oversight.

International control of these tools is also being considered.

The Wassenaar Arrangement, of which Australia is participant, is an international export control regime that aims to limit the movement of goods and technologies that can be used for both military and civilian purposes.

But there are questions about whether this agreement can be enforced. Security experts also question whether it could criminalise some forms of cybersecurity research and limit the exchange of important encryption technology.

Australia has export control laws that apply to intrusion software, but the process lacks transparency about the domestic export of spyware technologies to overseas governments. Currently, there are few import controls.

There are also moves to regulate spyware through licensing schemes. For example, Singapore is considering a license for ethical hackers. This could potentially improve transparency and control of the sale of intrusion software.

It’s also concerning that “off-the-shelf” spyware is readily accessible to the public.

‘War on math’ and government hacking

The use of spyware in Australia should be viewed alongside the recent announcement of Prime Minister Malcolm Turnbull’s so-called war on maths.

The prime minister has announced laws will be introduced obliging technology companies to intercept encrypted communications to fight terrorism and other crimes.

This is part of a general appetite to undermine security features that are designed to provide the public at large with privacy and safety when using smartphones and other devices.

Despite the prime minister’s statements to the contrary, these policies can’t help but force technology companies to build backdoors into, or otherwise weaken or undermine, encrypted messaging services and the security of the hardware itself.

While the government tries to bypass encryption, spyware technologies already rely on the inherent weaknesses of our digital ecosystem. This is a secretive, lucrative and unregulated industry with serious potential for abuse.

There needs to be more transparency, oversight and strong steps toward developing a robust framework of accountability for both the government and private spyware companies.

Monique Mann, Lecturer, School of Justice, Researcher at the Crime and Justice Research Centre and Intellectual Property and Innovation Law Research Group, Faculty of Law, Queensland University of Technology; Adam Molnar, Lecturer in Criminology, Deakin University, and Ian Warren, Senior Lecturer, Criminology, Deakin University

This article was originally published on The Conversation. Read the original article.

The “Five Eyes” is a surveillance partnership of intelligence agencies consisting of Australia, Canada, New Zealand, the United Kingdom, and the United States. According to a joint communique issued after the meeting encryption and access to data was discussed. The communique stated that “encryption can severely undermine public safety efforts by impeding lawful access to the content of communications during investigations into serious crimes, including terrorism.”

In the letter organised by Access Now, CIPPIC, and researchers from Citizen Lab, 83 groups and individuals from the so-called “Five Eyes” countries wrote “we call on you to respect the right to use and develop strong encryption.” Signatories also urged the members of the ministerial meeting to commit to allowing public participating in any future discussions.

Read the letter in full – (web) – (PDF)