Lucie Krahulcova and
The growth of digital surveillance
When Prime Minister Scott Morrison fronted up to the press conference to announce the outcome of Operation Ironside last month, he seemed even more pleased with himself than usual. Hundreds of alleged offenders had been charged and millions of dollars’ worth of drugs had been seized. It was almost as though it was an election year, and Morrison knew that fear mongering and surveillance powers play well with certain voters.
Morrison could not resist using the opportunity to push an agenda for even greater powers. “There is a series of pieces of legislation that we’ve been seeking to move through the parliament,” he reminded everyone, “not just in this term, but in some cases over three terms.”
Since the Coalition took office, Australia has become world renowned for its ever-expanding ability to surveil citizens. The country made international headlines in 2018 when the government passed encryption-busting laws, and it’s making headlines again as the government demands an expanded mandate to intercept and monitor communications. But while these laws are often sold as being about safety, that’s not really true. They are about government control and a show of power, both domestic and international.
On balance, they do more for over-reach and the erosion of our rights and political freedoms than they do for our safety.
Let’s start at the beginning. Encryption is critical in protecting the security and integrity of our digital infrastructure. These days, everything from banking to government services to communications apps is end-to-end encrypted, meaning that the information remains a secret as it travels over the internet. Encryption works by hiding information in ciphers – complex strings of letters and numbers – thereby protecting us from identity fraud, banking theft, espionage and corporate spying. We use it every day to do basic things online, and government infrastructure relies on it to deliver services.
Strong encryption is also critical to protecting human rights. Journalists, lawyers, and human rights defenders rely on privacy tools built with encryption to protect their sources and communications. In a similar way that we may expect a letter sent through the post office to remain unopened until its final destination, we should expect our online communications to remain unmolested until they reach the intended recipient.
But encryption is a more complex issue than this metaphor suggests. First, because we would never send thousands of letters every day containing our every thought, complete with our location data and time stamps. Second, because widespread encryption is a relatively recent phenomenon. For about two decades our online communications were virtually unprotected. It wasn’t until the Snowden revelations in 2013, when the importance of securing data was made plain, that many technology companies began to roll out end-to-end encryption more widely.
The latter is important because law enforcement claims its job is made more difficult with the rise of encryption across communications platforms. They complain they have lost access to private communications that they were previously able to intercept in bulk – although in reality they should never have had such access. In response to law enforcement concerns, the then prime minister, Malcolm Turnbull, proposed legislative powers to break encryption in 2017. This is how we ended up with the Telecommunications and Other Legislation Amendment (TOLA). It is the basis of our digital surveillance system.
TOLA gives law enforcement powers to contact digital platforms directly to obtain information and access, without the need for a warrant. Law enforcement can ask technology companies to build the capability to listen in to private conversations or send copies of data to third-party servers. Either way, we – as the end users – have to rely on the companies to ensure the request by the law enforcement agency is legal and correct, because we will likely never know if the product or service we use is subject to such surveillance.
In a disgraceful circumvention of democratic scrutiny, TOLA was written and passed into law in a matter of months, under immense political pressure and in spite of spirited protest from civil society and the local tech community. Software company Atlassian estimates the law is costing Australia billions every year in trust lost with international partners.
Worryingly, TOLA removes the ability for companies to say if they have or have not been issued with a notice or request under any of these powers. This removes a key mechanism known as a “warrant canary” which would enable a digital service provider to place a statement on their website confirming they haven’t been served a notice, and remove it if they have. Such a measure could allow companies to provide reassurances to their customers. Buyers of technology products, such as customers of Atlassian, could use the presence of a warrant canary to trust that the technology they are purchasing has not been interfered with by the government. This is prohibited under TOLA and the government is under no obligation to let us know we were ever compromised.
TOLA facilitates the deliberate weakening of encrypted systems. Once a weakness is created, knowledge about it becomes a very valuable asset. There is a real risk of such assets falling into the wrong hands. Indeed, this is exactly what happened with the WannaCry ransomware attack, which was traced back to a vulnerability in Microsoft systems used by America’s National Security Agency. Weak encryption is a threat to public safety, but we are now forced to live with it because it serves the interests of law enforcement and intelligence agencies.
Operation Ironside has given the Morrison government the opportunity to justify laws like TOLA, and to ask for more. Some technical details of how the operation was executed are unclear, but Australian authorities played a key role in acting where the FBI was constrained by US legislation. The compromised phone system that underpinned the police operation relied on TOLA. A key reason is that Australia, unlike other jurisdictions, lacks checks and balances around privacy and other human rights.
If TOLA was a world-leading attack on the integrity and privacy of communications, the Surveillance Legislation Amendment (Identify and Disrupt) Bill is probably worse. Introduced in late 2020, the bill provides additional powers to conduct online investigations, establishing a series of specialised powers and warrants with broad, undefined scope.
There are three new powers the bill would introduce: an account takeover warrant; a network activity warrant; and a data disruption warrant. The latter is not a warrant at all and requires no judicial approval in order to be served to the digital service provider. The other powers are drafted so broadly that if someone is using a service, anyone in the world using that service would fall under the scope. This is an unprecedented reach into communications infrastructure, and an over-reach by a government known for abusing its vast investigatory powers, greedy for surveillance and control.
Two weeks ago, the parliament rubberstamped one of the new investigatory powers that Morrison was pushing for after Operation Ironside. This was the Telecommunications Legislation Amendment (International Production Orders) Bill, which gives the Australian government the power to enter into a data-sharing agreement with the US. Such an agreement falls under something known as the Clarifying Lawful Overseas Use of Data (CLOUD) Act and will have to be reviewed by the US congress. This may mean the international production orders regime is unworkable, as congress in the past has expressed concerns that Australian privacy standards are not satisfactory. That’s right, the Americans are worried by how badly we protect privacy.
When the government advocates to expand our surveillance regime, we need to be very clear: we are compromising our collective digital security in the name of increasing powers for law enforcement and intelligence agencies. When everyday people suffer as a result of relying on compromised technical systems, don’t expect the Morrison government to hold a press conference about it, but it doesn’t mean the harm is not significant.
It’s easy to view surveillance laws as a necessary evil – a way to deal with the worst of humanity. But it should worry us that we are losing rights as surveillance systems grow all around us. We are becoming victims of a networked world that is increasingly being designed not to service us securely but to police and criminalise a small minority.
As a jurisdiction with few protections for human rights, Australia is in fact becoming the bargain basement of digital rights. For this reason, a bill of rights is more urgent than ever.
And when you next hear about a tech proposal designed to keep us safe by expanding invasive powers, remember that the interests of the surveillance state are not synonymous with the public interest. They are increasingly operating in a parallel world.
This article was first published in the print edition of The Saturday Paper on July 10, 2021 as "Surveillance states".
A free press is one you pay for. Now is the time to subscribe.