Just over a week ago, the government did some quiet tidying up. Having made structural changes to a few federal portfolios — most notably shifting the Australian Federal Police and ASIO out of the Attorney-General’s Department and back to Home Affairs where they resided under Coalition governments — Anthony Albanese undertook some further sweeping in the corners.
Part of it related to highly sensitive police powers to covertly take over online accounts while investigating serious crime, especially child sexual abuse. It may well be a coincidence, but given the shocking abuse allegations involving Melbourne childcare centres this week, the timing of the tidy-up is interesting.
At the start of a new term, the PM signs an administrative arrangements order outlining each department’s responsibilities and listing all legislation falling under each portfolio. These machinery-of-government changes and associated authorisations have gained more attention since the infamous Scott Morrison multiple-ministries revelations. The Albanese government increased administrative transparency in response.
Having finalised the ministry and the distribution of responsibilities, a newly elected PM relies on relevant departments’ advice as to which laws need to go on which list. On first pass with the new broom in mid-May — as sometimes happens — they missed a bit.
On 26 June Albanese signed an updated order to take effect on Tuesday 1 July. Among the raft of mostly uncontroversial fixes to several departmental lists, part IAAC of the Crimes Act 1914 was added to minister Tony Burke’s responsibilities in Home Affairs.
It’s not uncommon for a single piece of legislation to be divided between multiple portfolios, especially when it’s a hefty, complex umbrella package of laws about the law itself.
A dozen other parts of the Crimes Act were allocated to Home Affairs in the May order but part IAAC was left out, meaning it stayed with the Attorney-General’s portfolio by default. What’s interesting in the context of the Melbourne childcare allegations — which are the purview of state police but which the federal government was notified about last week before they were made public on Tuesday — is that when the part IAAC power was created for the AFP and the Australian Criminal Intelligence Commission, or ACIC, to obtain takeover warrants, it was described as being aimed at serious federal offences including terrorism and drug trafficking, but child pornography was top of the list.
Even curiouser, given the whole transparency thing, last week’s administrative update was done in an oddly oblique way. Instead of just adding part IAAC to Home Affairs as its own line item, the document signed by Albanese and governor-general Sam Mostyn orders that the dozen other alphabet-soupy bits of the Crimes Act already transferred to that department be omitted from its tasks and then added again, with IAAC tucked innocuously into the middle of an otherwise identical list. Surrounded by a forest of unnecessary out-then-in-again letter groupings, it almost looks like it wasn’t meant to be noticed.
Some in the security community believe the power to oversee warrants of all kinds should always be with the first law officer, the Attorney-General, and not with Home Affairs. The account-takeover warrants can only be issued by a magistrate and there’s no direct role for the minister, unlike ASIO warrants which remain in the Attorney-General’s portfolio even though the agency itself is back with Home Affairs.
Nevertheless, part IAAC involves what’s seen as a highly intrusive power and is subject to a range of checks as a result.
There has long been tension between the two departments. The AFP and ASIO and their legislation have ping-ponged between the portfolios since the Coalition created Home Affairs in 2017. They were moved there at that time, then back to A-Gs initially under Labor in 2022, then back to Home Affairs at the start of its second term. The latest move coincides with former attorney-general Mark Dreyfus being dumped from the ministry and replaced by Michelle Rowland. Between Rowland and Tony Burke, Burke is the more politically powerful.
The timing of last week’s administrative tidy-up may simply further reflect that and appears to have no practical impact on the work of the AFP. It may be completely unrelated to the Melbourne charges, though something clearly alerted the government to the fact that those powers were left behind when the AFP was moved.
At the very least it’s a reminder that successive governments have been supposedly working for six years on overhauling the entire federal legal framework for electronic surveillance and consolidating an overly complicated web of laws into a single, streamlined piece of legislation. And it hasn’t been done.
The charges against two Melbourne men accused of engaging in, and possessing images of, sexual abuse have unsurprisingly reignited public debate about how to make children safer when left with paid carers, and the important role surveillance can play in both prevention and prosecution.
At the very least, talk of more widely adopting a protocol known as the “four eyes principle,” enshrined in Dutch law after an horrific child-abuse case there, would seem eminently sensible. The principle ensures that every adult interaction with a child in childcare must be witnessed by at least one other adult. In the Netherlands, that can be achieved by having another adult physically present or watching through glass, or by using closed-circuit TV cameras.
Whichever way it’s implemented, the measure is ideally preventative. But relying on cameras is only effective if someone is monitoring everything they capture — which is neither practical nor cheap. It would certainly see the cost of care go up.
High-profile criminal cases involving the creation and transmission of abuse material inevitably lead to pressure for more to be done, both to stop it and to track and punish perpetrators. Real-time public debate on these issues is understandably steeped in emotion and leaves little room for conversations about privacy or individual rights and freedoms. It has little truck with where the line should be drawn in protecting those rights versus keeping predators away from vulnerable little people. In this environment, those wanting to err on the side of privacy safeguards aren’t likely to get much of a hearing. Electronic surveillance powers — especially the covert kind, which police say are crucial when so much crime now involves encrypted tech — are right in the middle of that ugly intersection.
In 2019, former ASIO boss Dennis Richardson undertook a comprehensive review of Australia’s intelligence laws and devoted multiple chapters in the four-volume, 1400-page unclassified version of his report to electronic surveillance. Richardson recommended an overhaul of surveillance laws, declaring them far too complicated and open to being incorrectly wielded by those empowered to use them and poorly understood by those against whom they could be used.
Richardson supported the Australian Signals Directorate providing technical support to domestic law enforcers in tackling serious and organised crime, but opposed a Home Affairs proposal to give ASD its own crime-fighting role, which would extend its offshore-only remit to spying on Australians for the first time.
He also explicitly advised against giving police extra cyber-disruption powers. He thought their existing powers were adequate and he pulled no punches in outlining the complexity of offensive cyber operations. It’s worth revisiting in some detail what he said.
“A poorly planned or executed operation could impact negatively on innocent people and, in extreme cases, compromise computers that support the provision of essential services,” Richardson warned. “All agencies, including the AFP, can and do make mistakes and this would be no exception. A more specific disruption mandate for the AFP also risks compromising essential democratic rights.”
Richardson was particularly concerned about “empowering police officers to pass conclusive judgement and act in accordance with that judgement to destroy property.” Any “disruption” activity that could damage or destroy property should involve judicial authorisation because there “appears to be a tendency for some officials to consider that ‘zapping’ computers being used in child exploitation is a reasonable response.”
“Police making conclusive assessments of criminality would raise serious questions about the separation of powers, given that the courts, not police, are responsible for adjudicating criminal guilt in Australia,” he counselled. “Such a move should not be taken lightly — it is the equivalent of making the police the judge, jury and executioner.”
The Morrison government received Richardson’s report in December 2019 and sat on it for a year. Three days before making the unclassified version and its own formal response public in December 2020, the government introduced legislation to parliament that expressly contradicted Richardson’s recommendation against extra police powers, although it didn’t go as far as allowing the destruction of property.
What became the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021, known as SLAID, bestowed three new intrusive cyber powers on the AFP and ACIC that allowed them to disrupt data to prevent crime, monitor criminal activity online and, in extremis, lock people out of their online accounts while executing a search warrant and take them over, to stop evidence being destroyed or others being tipped off. Those powers were established by amending the Crimes Act.
The original bill was also amended after the parliamentary intelligence and security committee echoed Richardson’s concerns and emphasised the extreme nature of the powers being granted. In the end, the law obliged the agencies to report annually to their minister on the use of the warrants and gave permanent operational oversight to the Commonwealth ombudsman, who also reports to parliament. Those reports show the AFP only obtained six account-takeover warrants last financial year and the ACIC didn’t use the power at all.
The ombudsman’s 2023–24 report noted that the AFP undertook two years ago to update its written guidelines on how to use the “covert and intrusive” account-takeover powers after the 2023 inspection raised concerns. By mid-2024, it still hadn’t been done.
Before the powers became law in 2021, the parliamentary joint committee recommended that the Independent National Security Legislation Monitor, or INSLM, begin a review of the cyber powers within four years. It also had a sunset clause inserted, ensuring parliament must re-examine them within five years and either re-endorse or scrap them.
That deadline arrives in September next year. Last November, the INSLM, Jake Blight, published an issues paper on the operation of the laws. He held public hearings early this year and his report is due to go to Attorney-General Rowland any day.
Oh, and responsibility for the electronic surveillance reform that’s been in the works for six years has now bounced back to Home Affairs. On when the promised streamlining might finally occur, the minister’s spokesperson says only that “comprehensive intelligence reform can’t be rushed” and they are “committed to getting it right.”
What has all this to do with last week’s administrative tidy-up? Or the charges laid in Melbourne? Possibly nothing at all. But it does mean crunch time is coming on these cyber powers.
Given the publicity surrounding the Melbourne allegations, and with electronic surveillance reform still incomplete and that legislative review due next year, it would be amazing if the AFP and other security agencies didn’t press for even greater powers.
Timing, as they say, is everything. •
