Powers ‘needed’ despite never being used
ASIO and police say controversial powers to compel tech companies to hand over potential terrorists and criminals' encrypted data are needed, despite never once being used.
Tech companies have handed over encrypted data of potential terrorists and criminals to law enforcement 40 times, without once using the compulsory powers introduced by the federal government two years ago.
ASIO, the Australian Federal Police and NSW police bosses gave evidence on Friday before the Parliamentary Joint Committee on Intelligence and Security examining the scope of the powers, which can compel companies to help them access encrypted data of suspected criminals and terrorists.
The controversial legislation gives law enforcement and security agencies powers to request or compel tech companies under warrant to remove encryption on users' messaging services, such as WhatsApp.
The inquiry heard security agencies hadn't had to use the compulsory provision in the past two years because telcos had co-operated and handed over the information.
The committee is examining the scope and proportionality of the powers under the Assistance and Access Act, its interaction with foreign laws, the impact on the telecommunications industry and the reporting obligations and oversight on law enforcement using the powers.
The AFP revealed it had asked for data eight times since the laws were passed in December 2018, NSW police had used it 13 times and ASIO had used it fewer than 20 times.
None had to issue a compulsory notice in any of these instances.
The AFP said it had also used the new computer access warrants, which allow authorities to conceal the fact a device had been accessed, 23 times.
ASIO said it had used the legislation for counter terrorism and espionage investigations, the AFP for counter terrorism, corruption, cyber crime and drug trafficking probes and NSW police for investigations into murder, armed robbery and commercial drug supply and importation.
ASIO director-general Mike Burgess said the intelligence agency took advantage of the act within 10 days of it coming into effect.
He said ASIO had "come close" to issuing a compulsory notice but had reached a point of agreement with the corporation holding the data.
"ASIO's preference to use voluntary powers first does not mean the compulsory powers are not needed," he said.
"Almost all communications of investigative value would be difficult or impossible to access in an intelligible form without lawful access tools such as those available under this Act," he told the committee.
"Encrypted communication damages intelligence collection coverage in nine out of 10 priority counter terrorism cases."
AFP investigations deputy commissioner Ian McCartney said his organisation had used the laws proactively and it had been "extremely beneficial". He added the co-operation of the tech companies had made it unnecessary to compel them to assist investigations.
Shadow attorney-general Mark Dreyfus questioned why the compulsory powers were needed if they hadn't once been used.
"The AFP told this committee in 2018 and the Australian people … that it urgently needed these new coercive powers and now the AFP has the powers it's not using them," Mr Dreyfus said.
"But you're now telling the committee the fact the powers haven't been used is evidence that the powers are both needed and they've been effective."
Superintendent of Digital Surveillance Robert Nelson said: "We do leave it up to industry in terms of whether they want to voluntarily provide that assistance or compulsorily."
The inquiry heard that between 2017-19 the Act helped the AFP crack a major malware operation that was purchased by many domestic violence offenders to remotely gain control over a victim's computer or other devices to access documents, record key strokes and activate their webcam, all without their knowledge.
The investigation yielded 85 warrants across the globe, resulting in 13 arrests and the seizure of 434 devices, as well as the website selling the malware being taken down.