Protecting Australia beyond its traditional borders: apps and policing in the internet age
17 Jun 2021|

The success of Operation Ironside, led by the Australian Federal Police with a host of international partner agencies, hinged on the use of a messaging app thought by criminals to be encrypted. The numerous arrests and seizures announced last week show how globalised the business model of transnational and serious organised crime groups has become.

Digital sovereignty requires a democratic state to take a forward-looking approach to mitigating the various intersecting, compounding and increasing threats presented to it and its people by advances in digitisation and technological innovation.

Operation Ironside is a reminder that strategic policing sits at the forefront of this effort. Old threats like violent extremism, organised crime, child exploitation and adult sex crimes have exploded in new ways online. Terrorist attacks have been livestreamed, inspiring other extremist actors; criminal networks have become globalised; and online child abuse and revenge pornography have proliferated. This has happened through the incredible ease of connecting with likeminded individuals and amassing a real-time audience on social media platforms and websites, and the agility of business communications enabled by the internet of things that benefit illegal as much as legal enterprises.

Keeping up with the unprecedented volume and diversity of data-enabled criminal activity has stretched the resources and capabilities of policing and intelligence agencies. In Australia, the push to respond more effectively to digitally exacerbated threats has led to calls for the parliament to provide policing and intelligence agencies with greater powers. Creating a legislative framework to police the new spaces created by the digital age is part of a proactive, strategic response to these threats.

This is not to say, however, that police powers should be increased without due process and debate.

There are two parts to this move. The first is increasing police tools to respond to online threats, both reactively to prosecute and proactively to frustrate and prevent criminal activities; the aim is to remove the conditions in which these threats flourish online. The second part is balancing the legislative powers given to intelligence and policing agencies with the protection of the civil liberties that are core to the democratic state.

This is not a mutually exclusive tussle. It is the same process democracies have always followed in the physical, offline world. And just because the parliament or the public can’t easily decide which argument is more important doesn’t mean there’s a problem. Democracy is about enduring the ongoing debate and tension between different points of view; the alternative is the Chinese government’s ‘Skynet’.

To this end, four new bills have put to parliament since 2018 that seek to increase the powers of the AFP, the Australian Criminal Intelligence Commission and eSafety Commissioner to police and regulate online criminal activity. Only one, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (TOLA), has been enacted so far. The other three, which are still before the parliament, are the Identify and Disrupt Bill 2020, the International Production Orders Bill 2020 and the Online Safety Bill 2021.

The spectacular success of Operation Ironside has prompted questions about whether Australia’s policing and intelligence agencies really need greater powers to police the internet—especially given that the one bill that has passed (TOLA, which makes it mandatory for industry to decrypt and hand over encrypted data in some cases) doesn’t appear to have been necessary because the app used in the operation was developed and cleverly dropped into criminals’ hands by the AFP and the FBI.

The AFP has confirmed that TOLA was used in Operation Ironside, but declined to clarify how, or if it was the basis for the court order that enabled the beta test of the AN0M app in Australia. In response to  a media enquiry from ASPI, the AFP said that Commonwealth legislation required it to withhold such details ‘until these matters are lawfully disclosed in open court’.

The success of this operation is evidence of the AFP’s capacity to engage in multilateral efforts to great effect. It has also demonstrated the AFP’s ability to study and adapt to a threat that has grown into a resilient, globalised network of criminals and ‘trusted insiders’ (corrupt lawyers, accountants, airport and freight logistics staff).

But it all hinged on access to an app that criminals thought was encrypted. And organised crime groups will surely not fall for that twice.

If there’s one thing we’ve learned from this bust, it’s that these groups are not a bunch of unsophisticated thugs (though they definitely employ some). They are an innovative network of often ordinary people with a globalised business model and strategy that makes their profits and operations resilient to busts even this big. The profit margins for methamphetamine and heroin trafficked from Southeast Asia into Australia in 2019 were 82% and 83%, respectively, despite border seizures of 31% and 23%. These margins are so high that international businesses would be insulated from border seizures even if they doubled or tripled.

So, could the AFP have played such a key role in this multinational operation if Australia hadn’t had the extra powers provided by TOLA? It won’t be possible to definitively answer that question until we know how the act was used.

Australia actually has fewer policing powers on the international stage than some of our allies and partners. We are yet to legislate Magnitsky-style sanctions like our Five Eyes partners have, despite compelling evidence of their effectiveness as a targeted policing tool against transnational organised crime. And suggestions that the AFP’s involvement was sought purely because it has a legal power to access encrypted data ignores the AFP’s proven record in bilateral and multilateral operations to counter organised crime and child exploitation.

There is much room for debate on the intended positive and possible unintended negative effects of the remaining three bills to be passed. Those discussions need to be informed by sufficient parliamentary and public scrutiny, and industry consultation, to ensure maintenance of civil liberties and guard against unintended consequences. The legislation should not be rushed through parliament despite significant concerns, like TOLA was in late 2018.

The key for Australia is to take on this challenge without debating it as a zero-sum game between democracy and policing. There must also be full transparency in the upcoming Parliamentary Joint Committee on Intelligence and Security’s review of how TOLA has been used so far (pending court cases permitting) and how it would be used in a future instance like Operation Ironside with an industry app.

If AFP Commissioner Reece Kershaw and Prime Minister Scott Morison are hoping to convince the parliament and the public that TOLA is justified and more bills are necessary, doing so by citing Operation Ironside as an example but not explaining how the bill was used in the operation won’t be fair or effective.

Surely explaining that the next time the AFP wants to snoop on criminals’ encrypted messages it won’t have AN0M in play, and therefore would rely on the bill, would be a more effective strategy to gain public trust and encourage the debate required to get the remaining bills passed in a format that still protects our privacy.

In order for these efforts to be successful, the Australian people need to be brought along on the journey through transparent processes that ensure they understand how both sides of this debate are honoured. That’s especially true in the post-Covid landscape where Australians have rediscovered how much we value our democratic freedoms.