Computer network operations and ‘rule-with-law’ in Australia

Computer Network Operations (CNOs) refer to government intrusion and/or interference with networked information communication infrastructures for the purposes of law enforcement and security intelligence. The following article explores how CNOs are lawfully authorised in Australia, and considers the extent to which the current use of CNOs is subject to ‘counter-law’ developments. More specifically, the article finds that the scope and application of CNOs in Australia are subject to weak legislative controls, and that while such operations might be ‘lawful’, they undermine rule of law and disturb core democratic freedoms.


BACKGROUND ON CNOS
'Going Dark' is the popular notion that changes in information technology are obstructing intelligence gathering and criminal investigation. In particular, proponents of the Going Dark position are concerned that the interception of data in transit and at rest, such as emails, VoIP, chat messages, and texts, is increasingly ineffective due to encryption and the dispersed nature of online communications (FBI, 2016; Government of Canada, 2016; Comey, 2014, 2016; Hess, 2015; Yates, 2015; United Kingdom Government, 2016). To counteract 'Going Dark', intelligence and investigatory authorities are adopting CNO measures into their operational policies.
CNOs represent a significant shift in how governments exercise power as it transitions from compelled collection by intermediaries, to forcibly acting upon, and collecting from intermediaries and affecting their networks, often without their assistance or knowledge. In the United States, recent changes to powers of criminal procedure under Rule 41 widen the scope of existing warrant powers to allow federal authorities to conduct CNE across a range of devices and legal jurisdictions, both domestic and international (Wyden et al., 2016). Similarly, the UK Investigatory Powers Act, adopted in late 2016, provides police and security intelligence agencies with powers to surveil and disrupt communications in bulk, which according to the UK Home Office is necessary "in a digital age to disrupt terrorist attacks" (Murdock, 2016).
In this article, we conceptually divide CNOs into three categories of activity: Computer Network Exploitation (CNE), Computer Network Attack (CNA), and Computer Network Disruption (CND). CNE refers to the intrusion, through implantation of foreign code into equipment associated with information infrastructures, as a means to monitor and/or exfiltrate data for intelligence or criminal investigations. CND refers to intrusion and/or interference with equipment associated with network infrastructures to add, modify, delete, or disrupt the integrity of data at rest or in transit. CNA refers to the use of malware to physically degrade or destroy equipment, physical infrastructure, as well as goods and services that depend on the integrity of that infrastructure.
CNOs might be lawfully authorised under domestic legislation and be subject to a legally prescribed degree of oversight (Hardy & Williams, 2016). Such activities may, however, be deliberately obfuscated from authorising judges (2016 FC 1105) or from the oversight bodies (Security Intelligence Review Committee, 2014). They might also be conducted unlawfully, insofar as either government agencies or other parties may intrude upon intermediaries' networks or systems and affect the data the organisations are transiting without clear legislative or judicial authorisation. It is also possible for CNO-related measures to be lawful whilst simultaneously evading the fulsome transparency and accountability that is required for it to be recognised as a democratically legitimised activity, violating laws of foreign states, or infringing upon international human rights.

CNO THROUGH "COUNTER-LAW"
Developments in CNOs can be analysed through the frame of 'counter-law'. This concept emerged out of criminologist Richard Ericson's analysis of the relationship between law and socio-technical practices of surveillance and security (Ericson, 2007, 2008). There are two main forms of counter-law. The first, counter-law I, refers to the proliferation of criminal procedure and counter-terrorism statutes that erode or even eliminate constitutional standards of rule of
The concept of counter-law is focused through Robert Reiner's (2010) analytical dualism of "the black letter of the law" (i.e. law doctrine) and the "blue letter of the law" (operational discretion and activities). Legal permissiveness of "black letter law", particularly through counter-law I, creates a "blue letter law" or "law in action", which refers to actual practices of policing. Bowling and Sheptycki (2015) discuss how the limits of black letter law in cross-border law enforcement operations establish a space wherein blue letter law exists as a kind of 'post-legal' space. Just one example of a 'post-legal' space involves a case where the US Federal Bureau of Investigation (FBI) previously obtained a warrant to 'hack' computers around the world, after which it shared collected evidence with foreign law enforcement agencies. This showcases how legal permissiveness - the capability to engage in such CNE activities - combined with the legal permissiveness of data sharing regimes between international police forces can enable activity, such as hacking of foreign devices, which might have normally required heightened judicial approval as part of international warranting practices (Cox, 2016). In this context, law is used 'against law', where legal instruments are used to manipulate, undermine, or nullify the 'spirit' and effects, if not the letter, of other legal instruments (Bowling & Sheptycki, 2015, p. 169).
Consequently, global policing as a form of "law in action under transnational conditions" does not exemplify rule of law but instead exemplifies a form of rule with law. Bowling and Sheptycki (2015) conclude that the emergence of a permissive black letter frame unbounds blue letter law, thereby redrawing the boundaries of discretionary authority and proportionality.
Commission (IBAC) also consulted Hacking Team to learn about their CNO products (Sveen & Ockenden, 2015). These events showcase significant domestic interest in adopting CNO technology for law enforcement and national security operations. As discussed in the following section, some Australian legal frameworks already existed, whereas others have been recently amended to further expand the use of CNO measures that lawfully target telecommunications and internet intermediary points.
CNOs for security and law enforcement purposes. Given space constraints, we briefly discuss Commonwealth (federal) policy and legislation premised on relevant agencies and functions.

TELECOMMUNICATIONS INTERCEPTION (AND ACCESS) ACT 1979, CNOS, AND COUNTER-LAW
The Telecommunications (Interception and Access) Act 1979 (the TIA) is the primary legal framework for security intelligence and police access to communications that transit telecommunications infrastructure in Australia. It has been incrementally amended since its inception (Bronitt & Stellios, 2005, 2006). Originally, the TIA existed as an instrument for the investigation of serious drug offences through "real-time" interception of communications (voice, data, text, images, and signals) "passing over a telecommunications system" (s.5F) but has subsequently been amended to apply more broadly, including access to stored communications for any criminal offence without judicial authorisation, and can also be used to authorise CNE.
Specifically, the TIA legalises exfiltration of intelligence from systems pursuant to Part 2.2 and 2.5 warrants. Part 2.2 warrants are issued to the Australian Security Intelligence Organisation (ASIO) under executive ministerial authorisation by the federal Attorney-General for both domestic (s.9, s.9a) and foreign intelligence (s.11a-c). Part 2.5 warrants are issued to federal and state law enforcement agencies by judges and members of the Administrative Appeals Tribunal (AAT) pursuant to investigating federal and state level offences (s.39). Each type of warrant may be issued with respect to either a 'telecommunications service' or 'a person' (s.39(1); see also Bronitt & Stellios, 2006, p. 415).
Exfiltration under the TIA is not based on reasonable suspicion that an individual has, or will, commit a serious offence, but:
1. upon "reasonable grounds for suspecting that a particular person is using, or is likely to use" (s.46 c) a telecommunications service; or
2. if information collected under the interception "would be likely to assist in connection with the investigation" (s.46 d) in which the particular person is "involved" (s.46 dIi).
The the content of the intercepted communication, or on the identity of innocent third parties to the intercepted communication (Bronitt and Stellios, 2006, p. 417). In principle, the black-letter of CNEs authorised through B-Party warrants could apply, in the blue-letter operational space, to a broad category of persons, including judges, politicians, lawyers, journalists, medical professionals, and civil rights defenders.
Furthermore, the black-letter of the B-Party warrant authority means that significant segments of a "telecommunications service" could be intercepted to target even a single subject. Even if the B-Party amendment was initially intended to authorise collection on another 'single' party on a one-to-one wireline conversation, as counter-law II developments in information infrastructures evolve, the black-letter of the TIA might now authorise the collection of bulk traffic in and out of a mobile tower.

THE SURVEILLANCE DEVICES ACT 2004, CNOS, AND COUNTER-LAW
The Surveillance Devices Act (Cth) 2004 (SDA) also authorises the use of CNE-related CNO activities. The Australian Federal Police, the Australian Crime Commission (ACC), the police force of each State or Territory, the New South Wales Crime Commission, amongst others (SDA s6(1)), are authorised to conduct CNE when investigating serious offences.
A range of warranting powers were included in the SDA. One of them, for a "data surveillance device" (s.6(1)), can be used to compromise mobile phones, laptops, or other digital devices operated by Australian citizens. A data surveillance device is defined in the Act as "a device or program used to record or monitor the input into or out of a computer" (s.6(1)). By extension, a "computer" is defined under the Act as "any electronic device for storing or processing information" (s.6 SD Act).
In practice, the aforementioned black-letter definitions could include the use of any type of technical device or programme in blue-letter CNE activities to gain access to data inside, or flowing into or out of, any electronic, smart or connective technology, such as computers, iPads, tablets, smartphones, GPS systems, and vehicular control systems. The black-letter ambiguity in the SDA regarding data surveillance device warrants might also authorise targeting upstream of the end-point device, such as a router or other networks many devices use, to the effect of a single warrant affecting thousands of devices and users. While clearly being one device or possibly one system, a router for instance relays information regarding multiple devices relying on that router.
In addition to the ambiguity of "device" in black-letter terms, the SDA consistently uses terminology suggesting warrants will be used to target specific computing devices - a "computer", a "device", an "instrument", an "apparatus" - and thus implies a degree of targeted specificity in the warrant scheme. S.18 of the SDA expands this definition to include multiple devices. Per Section 18(3)(b) and (f), surveillance devices and "enhancement equipment in relation to the surveillance device" can be connected to any "system" to perform the operation.
Furthermore, s.19(5) authorises interference with third parties' property that is not the subject of the investigation. In effect, this means that, similar to counter-law I developments concerning B-Party warrants in the TIA, third parties can be affected by CNEs by authorities for domestic investigative purposes.

THE ASIO ACT, CNOS, AND COUNTER-LAW
"computer access warrant" following a request from the Director-General of ASIO. Such warrants authorise ASIO to intrude on "a target computer", a "telecommunications facility operated by a Commonwealth or a carrier", or "any other electronic storage equipment" or a "data storage device" (ASIO Act, s.25(a)). These warrants are granted when the Attorney-General is satisfied that there are reasonable grounds for believing that access to data held in a computer would "substantially assist the collection of intelligence" in relation to a "security matter" (ASIO Act, s.25(a)).
ASIO's CNO-related powers were expanded in late 2014 under the ASIO Act. The definition of a "computer" was broadened to include "one or more computers", "one or more computer systems", "one or more computer networks", or "any combination of the above" (ASIO Act, s.4).
The warrants also let ASIO use "any other computer or communication in transit to add, copy, delete or alter data...for the purpose of obtaining access to data relevant to the security matter and held on the target computer" (National Security Legislation Amendment Bill (No. 1) 2014, Explanatory Memorandum). As a result, a single computer access warrant can allow CNE-facilitated surveillance of entire businesses, university networks, telecommunications companies, or core internet infrastructure for gathering intelligence or disrupting activities (Hardy, 2015). The only explicit limitation on ASIO's use of CNO measures is if the operation would "cause any other material loss or damage to other persons lawfully using a computer" (s.25A(5)(b)). What constitutes "material loss" is not defined or set out in the Act or Explanatory Memorandum that accompanied the amendment.

THE AUSTRALIAN SIGNALS DIRECTORATE AND DOMESTIC ASSISTANCE IN CNOS
The ASD has a mandate to assist domestic agencies to carry out their functions under the Intelligence Services Act 2001 (ISA) (s.13 and s.13(a)). In particular, they can provide practical assistance when domestic agencies are addressing activities that are, or "are likely to be", a threat to security (ISA 2001, s.9; s.13, s.13a) with ministerial authorisation. This assistance draws on the ASD's "cryptography", "communication" and "computer technologies" capabilities (s.7).
Under existing law and practice it is unclear how often ASD provides technical assistance. In a similar jurisdiction, such as Canada, approximately 300 requests were made for domestic assistance in a four-year period between 2009 and 2012 (Freeze, 2014).
CNOs are also subject to a limited degree of oversight and accountability mechanisms even though they can be deeply intrusive investigative and intelligence tools. Such mechanisms tend to be structurally deficient, however, because many of the agencies responsible for oversight and review are restricted to performing a legal compliance function. And as we note in the following section, in an era where CNOs are characterised by counter-law developments it can be challenging for intelligence and policing agencies to exceed such extraordinarily broad black-letter statutes when it comes to actual blue-letter practice.

DEMOCRATIC SAFEGUARDS, SECRECY, AND COUNTER-LAW
Many CNO measures in Australia are performed with executive oversight. Such oversight is meant to ensure compliance with the law as well as to propose non-binding recommendations to influence government policy and strategy on counter-terrorism matters. First, while the Parliamentary Joint Committee on Intelligence and Security (PJCIS) can review the ASIO's administration and expenditure, it lacks a mandate to review intelligence-gathering matters or operations (Lynch et al., 2014, p. 156). ASIO can also redact information in committee reports provided to the PJCIS (Lynch et al., 2014, p. 156)
seemingly grants an exception regarding impacts upon innocent third parties during the lawful use of CNOs, so long as the operation is "in accordance with procedures, established by law" (s.21(3)). Broadly, the lack of a federal bill of rights in tandem with exemptions mean that a commonplace method of evaluating the proportionality of CNO measures is lacking.
And lastly, the Privacy Act 1988 places few limits on the sharing, retention, integrity, and accuracy of personal information acquired through CNOs amongst Australian security intelligence and law enforcement organisations (Molnar & Parsons, 2016; Privacy Act 1988).
ASIO and the ASD are exempt from the Act in its entirety (Privacy Act 1988, s.7). And while law enforcement agencies are broadly covered by the Act they enjoy considerable exemption under the Act. Generally speaking, disclosing personal information is permitted for law enforcement if it is "reasonably necessary for the enforcement of the criminal law, or of a law imposing a pecuniary penalty, or for the protection of the public revenue" (ALRC, 2008, s.37).
These privacy concerns are exacerbated by the security risks linked to CNO measures. Where malware code is used to target an individual, and designed to affect the type of device or application they are using, then the code is simultaneously capable of running against the same devices and applications of non-targeted persons. By concealing the weaknesses of the device or exploit code used to perform the CNO, not only is the security of a specific target compromised, but so is the security of all other persons who happen to use the same device or rely on the same codes. Exploits are reproducible, and so the failure to disclose vulnerabilities can mean that other parties (e.g., nation-state actors, cyber mercenary firms, independent hackers, or academics) can also identify and exploit the same vulnerabilities. Furthermore, in failing to notify companies of weaknesses in their defenses or flaws in their software code those companies can suddenly fall victim to the state's exploit code when it is accidentally released to the public. In the US for example, the intelligence development of vulnerabilities is subject to independent review by committee through the so-called vulnerabilities equities program (Daniel, 2014). The black-letter of Australian legislation and policy, as well as the oversight system, fails to account for how the blue-letter operations introduce systemic threats to individual and collective privacy and security.
The relative weakness of the structure of oversight, accountability, official oversight and review functions is worsened by counter-law I legislation that cloaks most CNO measures in secrecy.
When CNOs are pursued through ASIO Act computer access warrants, they can be designated as a "special intelligence operation" (SIO) by the Attorney-General (ASIO Act, s.35(b)), a measure that provides civil and criminal immunity for ASIO officers and affiliates involved in the operation (Hardy & Williams, 2016; ASIO Act, s.35(k)) and that also imposes a five year penalty for "disclosing information" related to the operation. This term can be extended to ten years if the disclosure "will endanger the health or safety of any person or prejudice the effective conduct of a special intelligence operation" (ASIO Act 35(p)). There are no exceptions for journalists or whistleblowers, and the statute has been understood by the Attorney-General to apply "generally to all citizens" (Williams, 2014). While SIOs represent the harshest secrecy provisions in Australia, two others are worth mentioning. Section 70 of the Crimes Act would make any disclosure of a CNO (including those not designated as a SIO) by any current or former Commonwealth officer punishable by imprisonment of up to two years for sharing if the disclosure "would be prejudicial to the effective working of government" (Hardy and Williams, 2014, p. 802; Crimes Act 1914, s.70). Another secrecy offence in the Crimes Act, Section 79, is also generally applicable to both citizens and non-citizens and carries an increased maximum penalty of seven years' imprisonment. Unlike s.70 and 35P, the disclosure, however, must be accompanied with an intention to cause harm (Hardy & Williams, 2014, p. 803-807; Crimes Act 1914, s.79). Aggressive secrecy provisions surrounding information that may pertain to an ongoing SIO could also undermine any responsible vulnerability reporting processes that help to maintain the security and integrity of internet communication infrastructures as a broader public good.

DISCUSSION
Counter-law is exemplified by CNOs through the collision of technological advancements and legal powers. This occurs in two main ways. First, outdated definitions of technology in legislation are surpassed by an interconnected technological environment that works to decouple the use of CNOs from clearly defined boundaries. The disconnect between ambiguous black-letter definitions in primary legislation and technological environments results in the relatively unrestrained application of CNOs. While the use of CNOs can remain 'lawful' in a narrow sense, their application in blue-letter space, including the range of privacy, civil liberties, and security risks they introduce, is disproportionately broad.
Second, even more recent counter-law I developments have involved a purposeful counter-law trend towards black-letter 'catch-all' terminology. For instance, the 2014 amendment of the black-letter definition of "a computer" under the ASIO Act as "a network" or "any combination" of computers and networks presents an unrestrained limit to perform CNOs in the current technological environment. Furthermore, more recent counter-law I developments allow CNOs in domestic contexts to reach remotely beyond mere interception of information that is transiting networks and to actually annul and/or modify information and processes existing on systems, sometimes even potentially to include physical effects on the infrastructure. The introduction of disruption measures places strain on rule of law principles of procedural fairness and due process rights.
Moreover, the mechanisms that democratically elected representatives created - namely oversight and review bodies - in combination with judicial authorities are not necessarily able to assure the public that basic democratic freedoms are not inappropriately trodden upon. Laws, as they are currently written, provide authority to identify and evaluate instances where security and policing agencies act illegally; this means, however, that oversight and review bodies are similarly ensnared in counter-law developments because they may be deeply challenged to find 2015). While the general trend of counter-law developments and CNOs is likely to be felt across many liberal democratic jurisdictions, Australia is in a novel position in comparison to its Five Eyes partners. Unlike Canada, the United States, New Zealand, and the United Kingdom, Australia does not have a formal bill of rights or a regional judicial body to adjudicate on human rights. Given that government agencies possess lawful authority to conduct unbounded CNO operations and can seek relatively unbounded warrants instead of those with strongly circumscribed limits, the rule of law has become distorted and replaced with rule with law (Bowling & Sheptycki, 2015). The combined force of the technical environment outpacing laws on the books, along with new laws which are passed to provide wide legal remit for blue-letter CNO operations, has considerably threatened the rule of law itself. As a result, the 'lawful' use of CNOs in Australia can disturb the preservation of democratic freedoms and procedural justice.

CONCLUSION
While this article focused on the reach and implications of CNOs in Australia, our discussion carries broader implications concerning debates surrounding meaningful regulation of CNOs in national security and policing operations. Future work might consider the extent to which a space of 'post-legal' exceptionality is emerging for the use of CNOs via counter-law developments. In pursuing this line of analysis it would be useful to juxtapose the Australian case with others, where similar counter-law manifestations are taking place but which possess a formal bill of rights. Specifically, is it the case that such a bill would effectively moderate counter-law infringements on civil liberties as they pertain to CNOs? Though the state 'drives' CNO operations they are resisted by private companies and NGOs that attempt to make such operations more transparent, more clearly accountable to lawmakers or the public, and more demonstrably targeted. Additional lines of research might also investigate the effectiveness, and tactics used, to reinforce the rule of law. Are such efforts broadly successful, or are they dependent on specific popular media or other kinds of social capital?
A number of ethical questions concerning procedural fairness and due process also emerge. For instance, while forensics standards exist for analysing computers there are no equivalent standards for using malware that transmits evidence across the internet. The result is that there is a very low standard required to use the tools without an equivalent balancing to ensure that their operation does not render collected information inadmissible in court as a result of mistakes in how exploit code is crafted, deployed, or potentially tampered with by a third-party while in transit. Furthermore, the use of CNOs might be in excess of the threat posed, or also run contrary to the intended effect. Mistakes in how exploit code is crafted or deployed can have unexpected consequences when deployed in production environments and disruptions could inhibit the communications of targets and non-targets alike.
CNOs represent a significant transformation of state authority to intrude and affect digital information. Such measures often occur under a veil of exceptional secrecy and jeopardise the universal security of information communication systems. Thus, in addition to such activities raising questions about the appropriate degree of power invested in state authorities, the proliferation of CNOs by governments around the world for domestic investigations that have global reach (Cox, 2016), for intelligence operations targeting individuals and millions of persons alike (Gallagher, 2014; Schneier, 2013), and for damaging critical infrastructure and computer records (Zetter, 2014; Zetter, 2016; Greenwald & Fishman, 2015), it should also raise
Computer network operations and 'rule-with-law' in Australia Internet Policy Review | http://policyreview.info 3 March 2017 | Volume 6 | Issue 1
CNO measures are authorised by Section 25(a) of the Australian Security Intelligence Organisation Act 1979 (ASIO Act). The statute empowers the Attorney-General to issue a
Secondly the Office of the Inspector-General of Intelligence and Security (IGIS) serves as an independent executive oversight body for the intelligence community. The IGIS is mandated to ensure legal compliance of security intelligence activities, such as guaranteeing that all ministerial guidelines and directives are appropriately followed (Inspector-General of Intelligence and Security Act 1986 (Cth)). It relies on classified submissions from security intelligence and law enforcement agencies to assess adherence with laws, directions, and guidelines, and 'group-specific' human rights codes (e.g., Age Discrimination Act 2004, Disability Discrimination Act 1992, Racial Discrimination Act 1975, or the Sex Discrimination Act 1984). However, whereas proportionality tests might normally include balancing against a formal Bill of Rights, Australia lacks this aspect of basic law (barring that which exists in the State of Victoria and ACT). As a result, balancing is generally less robust in Australia than in other jurisdictions such as Canada and Europe. Moreover, even the Victoria bill of rights contains black-letter exceptions. S.21(3)
illegal what is overtly made legal by these agencies' lawful authority (as example, see Robinson,