New Australian laws could force CISOs to decrypt data, let police access accounts

SLAID’s “novel, extraordinary, and intrusive” warrants threaten 10 years’ jail for noncompliance, while FILAB allows for government spying on Australians’ communications.

Australian CISOs and system administrators could face jail time unless they help authorities surreptitiously hack the accounts of their network users. That possibility has suddenly emerged with the rapid passage of new surveillance legislation that the Law Council of Australia’s president Jacoba Brasch called “novel, extraordinary, and intrusive” and that Australian senator Lidia Thorpe, a member of the minority Green party, has flagged as “contempt of democracy”.

Passed into law at the end of August 2021 after the government agreed to a series of amendments, the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 (SLAID) gives the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) a host of powers, including the ability to “disrupt data by modifying, adding, copying, or deleting data in order to frustrate the commission of serious offences online”.

The bill also gives authorities powers to access “the devices and networks used to facilitate criminal activity” and provides for new ‘account takeover warrants’ that allow investigators to take over a person’s online accounts — including social media or internet banking accounts — “for the purposes of gathering evidence to further a criminal investigation”.

Authorities will be able to use the powers to “gather evidence about a person’s criminality and their associates’ activity” — including on the dark web — then-Minister for Home Affairs Peter Dutton said when the bill was introduced in late 2020.

Also new are ‘network activity warrants’, which will enable AFP and ACIC officers “to build a picture of how criminal networks are operating online and inform future investigations,” Dutton said, noting that any information collected “must be relevant to the prevention, detection, or frustration of an offence with a maximum penalty of at least three years imprisonment”.
