ACS has recommended the Australian Government change the way electronic surveillance is performed by the nation’s law enforcement agencies.
In a written response to the Department of Home Affairs’ Reform of Australia’s electronic surveillance framework Discussion Paper last week, ACS called on the government to stop ‘deputising’ IT professionals and technology companies.
This follows ACS’ objection to the 2018 Assistance and Access Bill requiring Australian IT companies and professionals to secretly assist in cracking electronic protections when called upon to do so by agencies.
“Australian ICT companies need to be able to compete fairly on the world stage and we can’t do that when government legislation requires IT professionals to break their own products in order to comply with government assistance requests,” said ACS President Nick Tate.
“We don’t object to the government performing surveillance activities. That is a requirement of any modern society. We are also glad the Department of Home Affairs is undertaking this much needed review of the current frameworks. But fundamentally surveillance activities should be driven from within government agencies, not outsourced through mandatory compliance laws to unaffiliated IT companies and professionals.”
“If government currently lacks the skills and capabilities to do that, then it should be making investing in those skills and capabilities more of a priority.”
The response, developed by expert members of ACS’ Cyber Security Advisory Committee, highlighted current shortcomings of the current surveillance framework. It noted:
Australian anti-corruption agencies should be able to directly make access requests. “The current circumstances require anti-corruption agencies to request access through an authorised agency and ACS members have seen first-hand examples where requests have been denied, frustrated and delayed so that the information is no longer useful,” the response noted.
The government should consider the compliance demands on smaller businesses. “A service provider should not be seen to be in breach of assistance orders where they lack the technical or financial resources to implement such requests. ACS members also don’t want innovation to be limited due to the threat of compliance.”
Government agencies should be responsible for identifying individuals. “ACS members are concerned about any proposal that creates an onus on technology suppliers to identify the third parties. The onus to identify suspects, including third parties, must be with an agency, with technology suppliers merely acting on an agency’s request to provide records relation to specific persons and specific things.”
Agencies should not be allowed to obtain a warrant to access data for all users of a specific application. “The ACS has concerns about collective surveillance of groups merely because they use a specific technology, including hardware or software.”
Technology suppliers should not be required to identify what information is privileged or sensitive. “While ACS agrees with the need to protect privileged and other particularly sensitive information, the onus for identifying that information should be with an agency.”
Surveillance orders should be authorised by independent authorities, supported by public interest advocates. “The ACS supports requiring independent authorities such as Courts or Tribunals to authorise surveillance. The ACS also strongly supports the proposal that judges, magistrates, and tribunal members will need support from suitably qualified experts (ie. public interest advocates) to assist in their deliberations regarding the need for some orders, specifically those requiring technology suppliers to modify commercial and retail software or devices.”
The full ACS response can be found here.