Australian Privacy Charter Council
Version of July 2001
© Australian Privacy Charter Council, 2001
This document is at http://www.privacy.org.au/apcc/Submns/SenCybercrime0107.html
The Australian Privacy Charter Council welcomes the opportunity to comment on this Bill. The Committee will be familiar with the Council and its role from past Inquiries. Background can be found at www.apcc.org.au.
The Privacy Charter Council welcomes in principle the attempt to update the criminal law to apply to computer related crime. Soundly drafted computer offence provisions would complement privacy laws - in particular providing support for the use and disclosure limitation and security principles of the Commonwealth Privacy Act 1988 and equivalent state laws in NSW and Victoria.
However, the provisions in Schedule 1 of the Bill do not appear to have been adequately drafted to ensure that they do not inadvertently criminalise legitimate behaviour. In this respect we support the criticisms of the Australian Computer Society and others who have highlighted specific weaknesses.
We are particularly concerned about the provisions in Schedule 2 relating to warrants for access to computer equipment and data, for which all investigatory agencies operating under the Crimes Act 1914 and the Customs Act 1901 are able to apply.
The first concern is the lack of any adequate justification for the new powers. We understand that the Australian Federal Police received 320 electronic crime referrals between 1 July 2000 and 30 May 2001 (more than a third from the Australian Broadcasting Authority). In what proportion of these referrals were investigations inhibited by the absence of the powers now sought? No extension of police powers should be granted without a more sophisticated analysis of the scale and nature of the risk or problem they are designed to address.
Our second major set of concerns centres on the potential for misuse of powers to manipulate computer data. The concept of a computer data warrant first came to our attention in the context of ASIO operations. We raised concerns in relation to the ASIO computer warrants in our submission in 1999 to the ASIO Joint Committee on the Australian Security Intelligence Organization Legislation Amendment Bill 1999, in the following extract:
"The Council is concerned that the implications of the proposed new s.25 in relation to access to computer data have not been fully thought through. As the government is well aware, the importance of trust in electronic transactions cannot be overestimated. Confidence in the integrity of electronic transactions is essential for the take up of new forms of commerce and service delivery and for Australia's future in the global information economy. However well intentioned, empowering ASIO to add, delete or alter data, and to modify access control and encryption systems (even if technically feasible) fatally undermines this trust and confidence. It is difficult to see how the supposed limitations on this power - not obstructing lawful use or causing loss or damage - would work in practice, and in any case they would not restore the confidence which, once lost, is gone forever. The Council does not claim detailed expertise in the area of electronic commerce or cryptography applications, but understands enough to know that this proposal is fraught with dangers and needs much more discussion in the relevant technical communities as well as in the general public arena."
These concerns were never in our view satisfactorily addressed, and are equally relevant to the proposed amendments to the Crimes Act and Customs Act contained in Schedule 2. We understand that some of these concerns may in fact go back to 1994 amendments concerning electronic data, but as far as we know there was not an adequate debate at that time, and the proposed extended powers have to be seen in that wider context.
Of particular concern are the provisions for remote access; for removal of computer equipment off-site; for copying of `all data' even if only a small proportion of it is suspected; and for requiring individuals to provide assistance in accessing computer data. All of these powers, in our view, are open to abuse, and the requirement to obtain a warrant does little to prevent abuse once the power has been authorised. As with the ASIO Act amendments, much more public debate is required, informed by independent technical experts, about the potential for abuse and the necessary safeguards to prevent and detect such abuse. It is not clear that even the limited safeguards written into the ASIO Act amendments (e.g. not obstructing lawful use or causing loss or damage) will apply to these wider powers.
We note that the New Zealand Privacy Commissioner has recently commented on the equivalent Crimes Amendment Bill No 6 2001 (NZ)[1]. Amongst a range of concerns he expressed is the view that allowing remote hacking into computer systems by government agencies for ordinary law enforcement is unacceptable, even if it is subject to a warrant process.
We hope that the Committee is able to obtain independent technical advice to allow it to evaluate the risk to privacy and to underlying confidence in e-commerce and e-government posed by these provisions.
To the extent that any extension of powers does go ahead, it is in our view essential that this is accompanied by additional safeguards such as strict requirements to return and destroy copies of any computer data that is not relevant to an investigation, within prescribed time periods, and to place strict controls over access and use of such data. If the entire contents of a computer hard disk are imaged as part of an investigation, law enforcement agencies will inevitably come into possession of enormous amounts of personal and other confidential material, most of which is likely to be irrelevant to any suspected unlawful activity.
Another important safeguard, which we fear may be (inadvertently?) removed from the Crimes Act by the proposed amendments, is the right of the owner of seized equipment to be present during `off-site' inspection and analysis. Given the potential for damage or disruption, owners should also have a statutory right to be fully informed of all `operations' carried out on their equipment.
We understand that several other submissions to the Committee will highlight the potential for abuse of these new powers, and the consequential erosion of confidence in the integrity and reliability of computer systems. Given that defending this integrity appears to be one of the main justifications for the Bill, it is bizarre that the provisions could have exactly the reverse effect. If law enforcement agencies are given the power to alter data without adequate oversight, the evidentiary value of the data must in any case be called into question.
We thank the Committee for the opportunity to put this submission and stand ready to explain or amplify our concerns at the Committee's request.
Created: 30 July 2001
Last Amended: 30 July 2001