An inquiry has recommended parliament passes national security legislation that would expand ASIO's ability to hack into third party computers in order to access target systems.
A report on the National Security Legislation Amendment Bill (No. 1) 2014 issued today by the Parliamentary Joint Committee on Intelligence and Security recommended the bill be passed, albeit suggesting a number of alterations.
The bill, introduced into parliament in July by Attorney-General George Brandis, is largely based on the recommendations of an earlier Joint Committee report.
The legislation includes provisions to allow ASIO to access third party computers or communications in order to gain access to a target computer.
Appearing before a public hearing of the inquiry, representatives of the Attorney-General's department said that the amendments were necessary because targets of ASIO surveillance are becoming increasingly security conscious.
"The amendment would enable ASIO to use a third party computer or ‘communication in transit’ in order to access data held on a target computer. If necessary to achieve the purpose, ASIO would also be able to add, copy, delete or alter data on the third party computer or communication in transit," the committee's report notes.
Content on a third party system would not be accessed without a telecommunications interception warrant, according to the department.
The bill also modernises the definition of "computer" in the ASIO Act, changing it to "one or more computers", "one or more computer systems", "one or more computer networks", or "any combination of the above".
The broadening of the definition drew ire from civil libertarians and others, who argued that the new definition could arguably apply to the entire Internet.
The committee's report recommends that clarification be included in the bill's explanatory memorandum or guidelines issued by the attorney-general under section 8A of the ASIO Act that "a computer access warrant may only authorise access to a computer (which would include a network) to the extent that is necessary for the collection of intelligence in respect of a specified security matter."
The report endorses the view of the Attorney-General's Department and ASIO that "existing safeguards in the legislation are sufficient to limit ASIO's access to networks to specific security matters".
"[F]or a warrant to be issued there needs to be ‘reasonable grounds’ for believing that access by ASIO to data in the specified computer will ‘substantially assist the collection of intelligence … in respect of a matter (the security matter) that is important in relation to security’," the report states.
"Any use of a computer that may be authorised in such a warrant is further limited in the ASIO Act to activities that are ‘for the purpose of obtaining access to data that is relevant to the security matter and is held in the target computer at any time while the warrant is in force’."
'Disruption'
The bill will allow the "disruption" of computers by ASIO. "The current limitations in subsection 25(6) and 25A(5) [of the ASIO Act] that prevent any interference, interruption or obstruction or any loss or damage, can prevent ASIO from effectively executing a search warrant or a computer access warrant as they prevent a warrant from authorising even minor interferences or disruptions," the Attorney-General's submission to the inquiry stated.
The report recommends that ASIO's chief "include details of any instances of material disruption of a computer, or non-routine access to third party computers or premises, in the reports on the execution of each warrant provided to the Attorney General under section 34 of the Australian Security Intelligence Organisation Act 1979":
The Committee supports the [intelligence agency watchdog Inspector-General of Intelligence and Security's] suggestion for reports on the execution of warrants provided to the Attorney-General to include details of computer interference, as well as any third party access.
In order to avoid these reports becoming an unnecessary administrative burden on ASIO, the Committee agrees with the Department’s proposal for such reporting to be limited to exceptional activities. The Committee suggests that the category of ‘exceptional’ would constitute any material disruption of a computer (noting that the Committee has been assured this power is intended to be used only rarely), as well as any non-routine access to third party computers or premises.
"Material interference would be extremely rare and only occur when necessary. So it's not just a matter of convenience but would have to be necessary for the execution of the warrant. Immaterial interference could include, for example, using a minor amount of storage space or bandwidth as a result," a spokesperson for the Attorney-General's Department told a committee hearing in August.
Other measures included in the legislation have also proved controversial. They include creating a category of 'Special Intelligence Operations', the disclosure of which could risk prosecution. Media organisations have expressed concerns that the provisions could be used to prosecute journalists for reporting on ASIO activities.
The committee recommended a number of changes in this regard including the Commonwealth Director of Public Prosecution taking into account "the public interest, including the public interest in publication, before initiating a prosecution for the disclosure of a special intelligence operation."
'Safeguards' in the legislation mean that the committee "does not consider it appropriate to provide an explicit exemption for journalists from the proposed offence provisions. Part of the reason for this is that the term ‘journalism’ is increasingly difficult to define as digital technologies have made the publication of material easier.
"The Committee considers that it would be all too easy for an individual, calling themselves a ‘journalist’, to publish material on a social media page or website that had serious consequences for a sensitive intelligence operation. It is important for the individual who made such a disclosure to be subject to the same laws as any other individual."
Data retention
National Security Legislation Amendment Bill (No. 1) 2014 does not include provisions for a mandatory data retention, and the inquiry didn't examine Brandis' data retention proposals. The attorney-general has confirmed that the government will introduce separate legislation that contains provisions to force telcos to retain metadata relating to customers' use of their services.
Follow Rohan on Twitter: @rohan_p