New ASIO powers risk security of third party systems: EFA

Civil liberties group criticises short length of public consultation on new national security legislation

Civil liberties organisation Electronic Frontiers Australia has warned that new ASIO powers proposed by the federal government could compromise the security of third party computer systems.

Appearing today before a parliamentary inquiry into the National Security Legislation Amendment Bill (No. 1) 2014, EFA executive officer Jon Lawrence said that new powers, which would allow ASIO to compromise a third party computer in order to get access to a target's system, lack safeguards.

Use of the powers could create "potential significant insecurity for third parties in terms of technical backdoors and security vulnerabilities that may remain in place well beyond any operation," Lawrence told the Parliamentary Joint Committee on Intelligence and Security.

At a hearing held Friday of the same inquiry, a representative of the Attorney-General's Department said the power to access third party systems was important because targets of ASIO surveillance are becoming increasingly security conscious.

Lawrence told today's hearing that "there's ... the potential for organisations to incur financial liability under the Privacy Act or other acts for actions that have been taken as part of an intelligence operation that has essentially created a vulnerability in their network".

Organisations could be unable to defend themselves from further security breaches because they may be unaware of a backdoor into their systems.

The EFA has also raised concerns over the power contained within the legislation for intelligence agencies to "disrupt" computer systems. Lawrence describe the "power to disrupt" as "potentially quite disproportionate".

The proposed reforms "will allow ASIO to undertake acts authorised by computer access warrants that [are] likely to cause an 'immaterial' interference, interruption or obstruction to a communication in transit or the lawful use of a computer or is likely to cause any other immaterial loss or damage," Jamie Lowe, first assistant secretary for the national security law and policy division of the Attorney-General's Department, told last week's hearing.

Under certain circumstances, "material" interference would also be permitted.

"Material interference would be extremely rare and only occur when necessary," Lowe said. "So it's not just a matter of convenience but would have to be necessary for the execution of the warrant. Immaterial interference could include, for example, using a minor amount of storage space or bandwidth as a result."

"We ... believe that there are some significant potential issues with this power in terms of the credibility of evidence in any court proceeding that may eventuate," Lawrence told the inquiry.

"We think that it potentially provides, essentially, a blanket area of reasonable doubt for a defence to use in any such criminal proceedings and particularly combine d with the very broad definition of computer that's proposed we are concerned that this could allow some very serious and widespread disruption of innocent computers and innocent citizens."

The bill also changes the definition of 'computer' in the ASIO Act to "one or more computers", "one or more computer systems", "one or more computer networks", or "any combination of the above". The definition is "far too wide and too expansive", Lawrence said.

"Under the current definition it would be quite arguable that [it] would apply to the entire Internet given the way the legislation is currently worded."

Both the EFA and the Law Council of Australia, which appeared before the committee earlier today, expressed concerns over the length of time available for public scrutiny of the legislation.

The committee intends to issue a report by 8 September, in time for parliament to consider the legislation in its spring sittings.

Although the government has made clear that data retention is on its agenda, it was not included in this bill and will be part of a third tranche of national security-related legislation.

Follow Rohan on Twitter: @rohan_p

Read More:

Tags Electronic Frontiers Australia (EFA)civil libertiessurveillancesecurityASIOprivacy

More about ASIOAttorney-GeneralBillEFAElectronic Frontiers Australia

Comments

Comments are now closed

Usage alert compliance a priority as TCP code enforcement heads into year three

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]