Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022

2019-2020-2021-2022

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

CRIMES LEGISLATION AMENDMENT (RANSOMWARE ACTION PLAN) BILL 2022

EXPLANATORY MEMORANDUM

(Circulated by authority of the Minister for Home Affairs,

the Honourable Karen Andrews MP)

CRIMES LEGISLATION AMENDMENT (RANSOMWARE ACTION PLAN) BILL 2022

GENERAL OUTLINE

1.      The Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (the Bill) amends the Criminal Code Act 1995, the Crimes Act 1914 and the Proceeds of Crime Act 2002 to modernise criminal offences and procedures to respond to the threat of ransomware.

2.      This Bill implements key aspects of the Ransomware Action Plan, announced on 13 October 2021, which sets out the policy, operational, and legislative response to this growing threat. It introduces the Government’s plan to protect Australia and Australians against ransomware, build strengthened response and recovery mechanisms for ransomware victims, and disrupt and deter the perpetrators of ransomware attacks.

3.      The Bill targets the increasing trend of data theft and encryption, cyber extortion, and Ransomware-as-a-Service (RaaS). Individuals and crime syndicates, including transnational syndicates, have modernised their cybercrime tradecraft by ‘locking’ or encrypting computers through ransomware or by stealing and threatening to release sensitive information contained on a computer publicly. Once files are stolen or encrypted, criminals demand a ransom (often in the form of hard-to-trace cryptocurrencies) from the system owner in return for the decryption keys. Malware developers also provide ransomware for payment (i.e. RaaS), which represents the increasing commercialisation and sophistication of the ransomware business model.

4.      Australia’s relative wealth, high levels of online connectivity and increasing delivery of services through online channels make it attractive and profitable for cybercriminals to engage in these tactics. As new entrants to the criminal marketplace gain access to ransomware, the threat to Australia will only grow.

5.      Detailed notes on the clauses of the Bill are included at Attachment A.

FINANCIAL IMPACT

6.      There is no financial impact.

STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

7.      A Statement of Compatibility with Human Rights has been completed in relation to the Bill. It has been assessed that the amendments are compatible with Australia’s human rights obligations. A copy of the Statement of Compatibility with Human Rights is at Attachment B.

Attachment A

Crimes Legislation Amendment (Ransomware Action Plan) Act 2022

NOTES ON CLAUSES

Section 1              Short title

1.      Section 1 of the Bill provides that the short title of the Act is the Crimes Legislation Amendment (Ransomware Action Plan) Act 2022.

Section 2              Commencement

2.      Section 2 of the Bill sets out the times at which the Act commences once passed by the Parliament.

3.      Subsection (1) provides that each provision of the Bill specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

·          The whole of this Bill commences the day after this Bill receives the Royal Assent (Item 1).

4.      Subsection (2) provides that any information in column 3 of the table is not part of this Bill. Information may be inserted in this column, or information in it may be edited, in any published version of this Bill.

Section 3              Schedules

5.      Section 3 of the Bill provides that legislation that is specified in a Schedule of the Bill is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.

6.      There are three schedules to the Bill. Schedule 1 to the Bill will make amendments to the Criminal Code Act 1995 (Criminal Code) to:

·          Amend the geographical jurisdiction provision under s 476.3;

·          Insert an extortion offence into Division 477;

·          Amend penalties under Division 478;

·          Insert an offence for Dealing with data obtained by unauthorised access or modification under Division 478;

·          Insert new Division 479 dealing with aggravated offences;

·          Insert an aggravated offence for persons who target critical infrastructure into Division 479;

·          Insert an aggravated offence for persons who produce, supply or obtain data for payment into Division 479.

7.      Schedule 2 to the Bill will make amendments to the Proceeds of Crime Act 2002 (POCA) to:

·          Ensure that law enforcement can continue to monitor and freeze criminals’ ill-gotten gains by extending current investigative and freezing powers that cover financial institutions to certain digital currency exchanges.

8.      Schedule 3 to the Bill will make amendments to the Crimes Act 1914 and the POCA to:

·          Ensure that the powers available to law enforcement to seize digital assets (including cryptocurrency) under warrant reflect the operational environment and are suitably adapted, and extended to prevent the dissipation of proceeds of crime so that it is available for subsequent restraint and forfeiture action under the POCA.

Schedule 1—Amendments of the Criminal Code

Criminal Code Act 1995

Item 1    Section 476.3 of the Criminal Code

9.      Item 1 repeals section 476.3 of the Criminal Code and substitutes it with an amended specialised geographical jurisdiction provision for computer offences under Part 10.7 of the Criminal Code.

10.    Amending the geographical jurisdiction provision in this section is necessary to ensure law enforcement agencies and prosecutorial bodies have the legal authority to investigate and prosecute offences under Part 10.7 of the Criminal Code where the conduct occurs outside of Australia but impacts persons in Australia.

11.    The amended geographical jurisdiction provision reflects the borderless nature of cybercrime, changes in criminal methodology, and the evolving landscape of electronic communication and data storage. In particular, the data of individuals and bodies corporate based in Australia is often hosted or held within computers (e.g. data storage centres) outside of Australia. For example, this provision will capture conduct involving individuals who set up personal email accounts or Australian companies who engage with offshore companies for the purpose of managing their data needs. Often the location of specific data is indeterminate due to the globalisation of information technology infrastructure and data storage practices.

12.    Cybercriminal activity now effortlessly targets victims across the globe. Often criminals targeting Australians are not located within Australia. Given the remote means of storing data, cybercriminals can now identify and target vulnerabilities in foreign data processing centres and networks, thereby causing harm to Australians through illicit use, possession and control of their data.

13.    New paragraphs 476.3(1)(a), (b), (c) and (e) insert provisions designed to replicate the Category A extended jurisdictional provisions under s 15.1 of the Criminal Code.

14.    New paragraph 476.3(1)(d) provides an additional basis for jurisdiction. This provision allows conduct that occurs wholly offshore which may comprise an offence against Part 10.7 to be investigated by law enforcement and prosecuted. It has the effect that a person can commit an offence against Part 10.7 if the conduct occurs wholly outside of Australia and at the time of the alleged offence, the condition in new subsection 476.3(2) is satisfied.

15.    New subsection 476.3(2) establishes a condition which will be satisfied where paragraphs (a), (b) and (c) are satisfied.

16.    New paragraph 476.3(2)(a) identifies relevant conduct and will allow law enforcement and prosecutorial agencies to investigate and prosecute alleged Part 10.7 Criminal Code offences provided jurisdictional thresholds are satisfied, and the conduct constituting the alleged offence relates to:

·          unauthorised access to data held in a computer outside Australia

·          unauthorised modification of data held in a computer outside Australia

·          unauthorised impairment of electronic communication of data to or from a computer outside Australia, or

·          unauthorised impairment of the reliability, security or operation of any data held outside Australia on a computer disk, credit card or other device used to store data by electronic means.

17.    New paragraph 476.3(2)(b) provides that at the time of the unauthorised access, modification or impairment mentioned in paragraph 476.3(2)(a), that data is under the control of, or owned by, a person, regardless of whether the computer or device is in the person’s possession, and the person is:

·          an individual who is resident of Australia and is physically present in Australia; or

·          a body corporate incorporated by or under a law of the Commonwealth, or of a State or Territory.

18.    Under new paragraph 476.3(2)(b), control adopts its ordinary meaning. Control of data includes circumstances where a person exercises authority over data, including under an arrangement (for example, an agreement, contract or licence, however described) with an entity that holds that data on behalf of the person or provides services in relation to that data.

19.    Under new paragraph 476.3(2)(b), data that is owned by a person includes data for which a person has assignable legal rights including copyright or intellectual property rights.

20.    Under new subparagraph 476.3(2)(b)(i) the data must be under the control of, or owned by, a resident of Australia who is physically present in Australia. An individual who is a resident of Australia is an individual who lives in Australia for a sufficient period of time with some degree of permanence. For example, this:

·          includes individuals who live in Australia and have organised their affairs (economic, professional or personal) in relation to being in Australia. This is intended to include Australian citizens, permanent residents, visa holders and unlawful non-citizens residing in Australia.

·          does not include individuals who are transiting temporarily through Australia (such as persons who travel from another country to an Australian international airport for purposes of travelling to another country). 

21.    Under new paragraph 476.3(2)(b), a computer or device mentioned under paragraph 476.3(2)(a) does not need to be in the person’s possession. This provision recognises the nature of data and its relationship with computers or devices. For example:

·          a body corporate uses a data processing centre in a foreign country to manage that body corporate’s data needs. The body corporate does not possess the computer or device on which the body corporate’s data is stored; however, the data can be characterised as being in the control of the body corporate.

·          an individual uses a data storage device to store their data, over which they exercise legal rights, in an account which is hosted on a computer located outside of Australia. The individual owns their data within this account regardless of whether the person knows the data will be stored outside of Australia.

22.    New paragraph 476.3(2)(c) provides that the data must be reasonably capable of being accessed within Australia. This establishes a link to Australia and limits the application of the extended jurisdiction provision.

23.    New subsection 476.3(3) provides that for the purposes of paragraphs (2)(b) and (c), any effect on the control or accessibility of data caused by the unauthorised access, modification or impairment is to be disregarded. This provision ensures the condition may be satisfied where a person no longer exercises control or is unable to access their data as a result of the alleged offending. For example, where data is stored on a computer located outside of Australia and is subject to a ransomware attack resulting in the data’s encryption, which prevents the person’s access.

24.    New subsection 476.3(8) provides that section 16.1 of the Criminal Code applies, with the exception of paragraph 16.1(1)(a), therefore requiring the Attorney-General’s consent for prosecution of an offence if the alleged conduct occurred wholly in a foreign country and at the time of the offence, the person alleged to have committed the offence is neither an Australian citizen nor a body corporate incorporated by or under a law of the Commonwealth, a State or Territory. Paragraph 16.1(1)(a) does not apply because it refers to consent only being required where certain geographical jurisdiction provisions apply, and these provisions do not apply to Part 10.7 offences.

25.    This provision provides for a further level of safeguard and oversight where a prosecution is sought against a person. This provision does not require the Attorney-General’s consent for the commencement of an investigation by law enforcement.

Item 2    At the end of Division 477

26.    New section 477.4 adds an offence for a person who engages in extortion in relation to unauthorised access or modification of data held in a computer, or unauthorised impairment of electronic communication to or from a computer, or unauthorised impairment of the reliability, security or operation of any data held on a computer disk, credit card, or other device used to store data by electronic means.

27.    This new offence criminalises all forms of extortion in relation to a victim of a computer offence. The offence captures conduct which involves the computer or data in the possession or control of, or owned by another person (the victim), and at or after the time of the unauthorised access, modification or impairment, the person makes a threat to the victim with the intention of compelling the victim to do or omit to do an act.

28.    New paragraph 477.4(1)(a) provides that a person is guilty of this offence whether or not the person has caused the unauthorised access, modification or impairment of data. This ensures that groups of individuals or criminal syndicates face criminal liability where individuals comprising the group perform specific roles.

·          For example, a perpetrator may commit an underlying offence that compromises a computer system, which allows them to install malware (including ransomware) on the victim’s computer. Another perpetrator, as part of the same criminal syndicate group, may then seek to encrypt the victim’s data contained in the computer and threaten to permanently deprive the victim of their data contained in that computer.

29.    Paragraph 477.4(1)(b) identifies that the unauthorised access, modification or impairment involves a computer in the possession of, or data under the control of, or owned by, a victim.

30.    Paragraph 477.4(1)(c) provides that the person must make a threat to the victim in relation to the victim’s computer or data. A threat is taken to be any threat which is unreasonable. For example, this includes a demand for payment that is related to the unauthorised access, modification or impairment of data. The offence is not intended to criminalise conduct which would comprise a reasonable threat, such as a threat to take legal action or exercise legal rights.

31.    Paragraph 477.4(1)(d) provides that the threat must be made using a carriage service.

32.    Subparagraph 477.4(1)(e) provides that the person makes the threat with the intention of compelling the victim to do or omit to do an act. This provision reflects the circumstances and conduct comprising extortion.

33.    This offence is punishable by a maximum penalty of 10 years’ imprisonment. This conduct carries significant risk to the wellbeing of Australians and the viability of Australian businesses. A single ransomware attack can have devastating long-term personal and financial impacts. This punishment therefore reflects the severity of the conduct and the impact it has on victims, and will punish and deter cybercriminals who engage in extortion.

34.    The penalty also reflects that this conduct is as serious as the conduct comprising the offences under sections 477.1, 477.2 and 477.3. The combination of unauthorised access or modification of data, or unauthorised impairment, in conjunction with threatening or extorting payment (or some other gain) represents egregious criminal conduct.

35.    Subsection 477.4(2) provides that for the purposes of paragraph (1)(b), any effect on the control of data caused by conduct constituting unauthorised access, modification or impairment, is to be disregarded. This provision ensures the element of the offence may be satisfied where a person no longer exercises control of data as a result of the conduct.

36.    Subsection 477.4(4) provides that it is not necessary for a prosecution agency to prove that a victim was actually compelled to do or omit to do the act identified in paragraph 477.4(1)(e). 

37.    Subsection 477.4(5) provides that for this offence provision, a reference to data under the control of a person, includes a reference to data under the control of the person that is held in a computer in the possession of another person.

38.    For the purposes of this offence, a victim means a person, which is taken to be either a body corporate or natural person consistent with Part 2.5 of the Criminal Code.

Item 3    Subsection 478.1 of the Criminal Code (penalty)

39.    Item 3 repeals the penalty of 2 years’ imprisonment under subsection 478.1(1) of the Criminal Code, substituting it with a penalty of imprisonment for 5 years.

40.    Increasing penalties within Part 10.7 of the Criminal Code appropriately reflects the criticality of data and the need to maintain its availability, integrity, reliability and confidentiality. These penalties have not been amended since the introduction of the Cybercrime Bill 2001. The conduct captured by these offences is increasingly prevalent and serious in nature. The increased penalty is intended to appropriately punish and deter persons engaging in conduct that results in unauthorised access to, or modification of, restricted data.

41.    This amendment also aligns with existing offences under the Criminal Code, such as section 471.3 - Taking or concealing mail-receptacles, articles or postal messages, which carries a penalty of 5 years’ imprisonment. Given how data is used by Australians and Australian businesses, including in relation to communicating by email, this penalty should align with s 471.3 as it criminalises like conduct.

42.    Courts will ultimately have discretion to determine appropriate sentences, up to the maximum penalty, based on the seriousness of the offending.

Item 4    Section 478.2 of the Criminal Code (penalty)

43.    Item 4 repeals the penalty of 2 years’ imprisonment under subsection 478.2 of the Criminal Code, substituting it with a penalty of imprisonment for 5 years.

44.    Increasing penalties within Part 10.7 of the Criminal Code appropriately reflects the criticality of data and the need to maintain its availability, integrity, reliability and confidentiality. These penalties have not been amended since the introduction of the Cybercrime Bill 2001. The conduct captured by these offences is increasingly prevalent and serious in nature. The increased penalty is intended to appropriately punish and deter persons engaging in conduct that results in unauthorised impairment of data held in a computer disk.

45.    This amendment also aligns with existing offences under the Criminal Code, including section 471.3 - Taking or concealing mail-receptacles, articles or postal messages, which carries a penalty of 5 years’ imprisonment. Given how data is used by Australians and Australian businesses, including in relation to communicating by email, this penalty should align with s 471.3 as it criminalises like conduct.

46.    Courts will ultimately have discretion to determine appropriate sentences, up to the maximum penalty, based on the seriousness of the offending in question.

Item 5    Subparagraph 478.3(1)(b)(i) of the Criminal Code

47.    Item 5 inserts “or section 478.1 or 478.2” after “Division 477” in subparagraph 478.3(1)(b)(i) of the Criminal Code.

48.    Currently, s 478.3 criminalises the conduct of possessing or controlling data with intent to commit a serious computer offence under Division 477 of the Criminal Code. Division 477 offences target conduct that impairs the security, integrity and reliability of computer data and electronic communications. Sections 478.1 and 478.2 are also related to the security, integrity and reliability of data, as they concern unauthorised access or modification of restricted data, and the unauthorised impairment of data. This amendment expands the range of computer offences that a person may intend to commit when they possess or control data to include sections 478.1 and 478.2.

49.    This amendment will criminalise conduct where a person is in possession of a program designed to allow unauthorised access to a victim’s computer (without modifying the data to cause an impairment or impairing the electronic communication of that computer) and that person intends to use the software to access and observe the victim’s restricted information.

Item 6    Subsection 478.3(1) of the Criminal Code (penalty)

50.    Item 6 repeals the penalty of 3 years’ imprisonment under subsection 478.3(1) of the Criminal Code, substituting it with a penalty of imprisonment for 5 years.

51.    Increasing penalties within Part 10.7 of the Criminal Code appropriately reflects the seriousness of persons who possess or control programs or technology (including ransomware) that enable them to engage in other computer offences. This penalty has not been amended since the introduction of the Cybercrime Bill 2001. The conduct captured by these offences is increasingly prevalent and serious in nature as technology has evolved.

Item 7    Subsection 478.3(2) of the Criminal Code

52.    Item 7 omits “against Division 477,” from subsection 478.3(2) of the Criminal Code and substitutes “mentioned in subparagraph (1)(b)(i),”, in line with the amendments in Item 5.

53.    This is a technical amendment to ensure consistency with the amendment under Item 5.

Item 8    Paragraph 478.4(1)(a) of the Criminal Code

54.    Item 8 inserts “or solicits the production, supply or obtaining of data.” after “obtains data” in paragraph 478.4(1)(a) of the Criminal Code.

55.    Current section 478.4 criminalises the conduct of producing, supplying or obtaining data (including malware) with intent to commit a computer offence. This amendment criminalises the conduct of malware developers where they endeavour to produce, supply or obtain malware.

56.    The term ‘solicits’ takes its ordinary meaning and is intended to capture conduct that involves endeavouring to obtain, provide or produce data, whether or not the person is successful. For example:

·          a person may be found to have solicited the obtaining of data where they have made enquiries to obtain data by contacting a ransomware developer, but has failed to successfully obtain the data due to interception by law enforcement.

·          a person may be found to have solicited the production and supply of data where they have agreed to produce and supply data after being contacted by a prospective buyer of that data, however, the person fails to successfully supply that data due to the failure of a payment method by the prospective buyer.

·          a person may be found to have solicited the obtaining of data where they have made enquiries to obtain data by contacting a ransomware developer, but has failed to successfully obtain the data as the transaction failed due to technical issues with the banking service or digital currency exchange.

Item 9    Subparagraph 478.4(1)(b)(i) of the Criminal Code

57.    Item 9 inserts “or section 478.1 or 478.2,” after “Division 477,” in subparagraph 478.4(1)(b)(i) of the Criminal Code.

58.    Currently, section 478.4 only applies to conduct where a person produces, supplies or obtains data, with the intent to commit a serious computer offence under Division 477. Division 477 offences target conduct that impairs the security, integrity and reliability of computer data and electronic communications. Sections 478.1 and 478.2 are also related to the security, integrity and reliability of data, as they concern unauthorised access or modification of restricted data, and the unauthorised impairment of data.

59.    This amendment expands the range of computer offences that a person may intend to commit when they produce, supply or obtain data to include sections 478.1 and 478.2. 

Item 10  Subsection 478.4(1) of the Criminal Code (penalty)

60.    Item 10 repeals the penalty of 2 years’ imprisonment under subsection 478.4(1) of the Criminal Code, substituting it with a penalty of imprisonment for 5 years.

61.    Increasing penalties within Part 10.7 of the Criminal Code reflects the seriousness of persons who produce, supply or obtain data (including malware such as ransomware) which is intended for use in the commission of an offence. This penalty has not been amended since the introduction of the Cybercrime Bill 2001. The conduct captured by these offences is increasingly prevalent and serious in nature.

62.    For example, this offence captures increasingly common conduct such as developing ransomware software and uploading it online for access by any individual, who may go on to commit an offence using that ransomware software. The increased penalty is intended to appropriately punish and deter this conduct.

63.    Courts will ultimately have discretion to determine appropriate sentences, up to the maximum penalty, based on the seriousness of the offending in question.

Item 11  At the end of Division 478

64.    Item 11 adds new section 478.5 which creates a new offence of dealing with data obtained by unauthorised access or modification.

65.    The offence criminalises conduct that involves obtaining, releasing or modifying (for example, deleting) data of a victim that has been obtained by unauthorised access or modification. For example, a cybercriminal may combine the encryption of a person’s computer, or the act of exfiltrating the victim’s data, with threats to release or on-sell stolen sensitive data for the purpose of damaging the victim’s reputation or for financial gain. This tactic is effective even if victims have adopted robust digital backups because it leverages the value of the private information rather than the tactic of encrypting a computer system alone.

66.    Additionally, this offence criminalises the conduct of third parties who obtain, release or modify stolen data. For example, a person may dishonestly gain access to a large volume of stolen emails and release that information online to publicly reveal commercial-in-confidence information contained in those emails. Ensuring this aspect of the cybercriminal business model is criminalised is critical to deterring third parties from recklessly obtaining data to either gain an advantage over, or cause further harm to, a victim.

67.    New paragraph 478.5(1)(a) provides that the person must dishonestly obtain, cause any access, cause any modification, or cause any release of data held in a computer.

68.    New paragraph 478.5(1)(b) provides that the person commits this offence by using a carriage service.  

69.    New paragraph 478.5(1)(c) provides that the data mentioned in paragraph 478.5(1)(a) must be data that has been obtained through unauthorised access or unauthorised modification, whether or not by the person. This provision is structured such that it applies to persons who directly and dishonestly obtain data held in a computer as well as persons who dishonestly obtain data by virtue of another person.

70.    This offence imposes a maximum penalty of imprisonment for 5 years. This penalty appropriately reflects the criticality of data and the need to maintain its confidentiality within Australia’s modern digital economy. This penalty is also consistent with other amended penalty provisions as part of this Bill.

71.    New subsection 478.5(3) defines dishonest as dishonest according to the standards of ordinary people and known by the defendant to be dishonest according to the standards of ordinary people. This requires the prosecution to prove that a person has knowledge that they, or through another person, have recklessly obtained data and they have released or modified that data and the conduct was dishonest according to the standards of ordinary people.

72.    The element of dishonesty recognises the need for certain persons or entities to obtain, release or modify data for legitimate purposes in limited circumstances, and distinguishes innocent third parties from persons who have nefarious reasons for dealing with the data.

73.    Conduct that is not intended to result in criminal liability under this offence includes the following:

·          a cyber security firm is engaged and authorised to conduct incident response on behalf of a client in relation to a ransomware or cyber security incident and, in the course of doing so, obtains data online relating to their victim client or other persons or entities;

·          a cyber security firm obtains stolen data for the purposes of advising clients or the public on incident response or on cyber security controls;

·          a person obtains information in the public interest, such as a journalist conducting research in a professional capacity. As community expectations in relation to public interest may change over time, the element of dishonesty will ensure that the application of this offence is able to adapt with community expectations in relation to this offence and determine whether the data that is obtained or released is on legitimate public interest grounds;

·          a company that engages in open source intelligence gathering on breached or stolen data and provides reports to industry or law enforcement either voluntarily or as part of a paid service. 

74.    Conduct that is intended to result in criminal liability under this offence includes the following:

·          a person gains unauthorised access to a victim’s computer using malware and that person conducts a ransomware attack or engages in cyber extortion comprising unauthorised access or modification of data. The person obtains the victim’s data, releases it to others via an online forum and deletes the victim’s data on the victim’s computer. The person is criminally liable under this offence as they have recklessly obtained stolen data, and dishonestly released and modified the victim’s data, and the release or modification was dishonest according to the standards of ordinary people, as the person did not have authority from the victim to engage in that conduct.

·          A body corporate became aware through news reports that a competitor was subject to a cyber incident in which information was released in an online forum. A representative of the body corporate conducts online web searches of the incident before identifying a website that purports to have the commercial-in-confidence information. The representative of the body corporate downloads the purported competitor’s commercial-in-confidence information. The representative uses that commercial-in-confidence information for the benefit of the body corporate. The representative and the body corporate may be criminally liable under this offence as they have recklessly obtained the competitor’s data and that conduct was dishonest according to the standards of ordinary people, as the representative and the body corporate did not have authority from the victim competitor to obtain that data. 

 

75.    New subsection 478.5(4) provides that in a prosecution for this offence, the trier of fact determines whether the conduct of obtaining, releasing or modifying the relevant data was dishonest.

 

Item 12  At the end of Part 10.7 of the Criminal Code

76.    Item 12 adds a new “Division 479—Aggravated offences” at the end of Part 10.7 of the Criminal Code. Division 479 contains new offences that will apply to persons who commit a Part 10.7 computer offence in relation to a critical infrastructure asset, and to persons who engage in an arrangement for the purpose of propagating malware, including ransomware.

Division 479—Aggravated offences

Division 479.1     Aggravated offence—critical infrastructure

77.    New section 479.1 creates an aggravated offence for a person who commits an offence against sections 477.2, 477.3, 478.1 or 478.2 (the underlying offences) and that offence relates to a critical infrastructure asset.

 

78.    This new aggravated offence ensures that any computer offence against Australia’s critical infrastructure carries an appropriate penalty and deters would-be offenders. A significant disruption or attack on Australia’s critical infrastructure could have significant consequences for Australia’s economy, security and sovereignty. The offence captures conduct where a person commits an underlying offence and intends to cause an impact, whether direct or indirect, on the availability, integrity or reliability of a critical infrastructure asset, or on the confidentiality of information about or stored in the critical infrastructure asset, or on the confidentiality of the asset itself.

 

79.    Subparagraph 479.1(1)(a) identifies underlying offences which must be committed together with the conduct in relation to a critical infrastructure asset. These underlying offences are:

 

·          Section 477.2 - Unauthorised modification of data to cause impairment

 

·          Section 477.3 - Unauthorised impairment of electronic communication

 

·          Section 478.1 - Unauthorised access to, or modification of, restricted data

 

·          Section 478.2 - Unauthorised impairment of data held on a computer disk etc

 

80.    For example, a perpetrator may commit an underlying offence that compromises a critical infrastructure asset’s computer system, allowing them to install malware on the computer. They may then use ransomware to encrypt the data held on the computer and threaten to disrupt the availability of the critical infrastructure asset unless a ransom is paid.

 

81.    Specific examples of conduct may include:

·          A person gains unauthorised access to a telecommunications provider’s computer system, which allows them to install malware (including ransomware) on the computer. They then use that ransomware to encrypt the data contained in the computer, such as the personal details of the telecommunications provider’s clients, and threaten to disrupt the availability of the telecommunications provider unless a ransom is paid to decrypt that data.

 

·          A person uses malware and gains unauthorised access to a bank’s data. The person modifies that data to cause an impairment to the bank’s ability to communicate with customers. This disrupts the essential services provided by the bank such that customers are unable to gain access to or use their banking accounts.

 

·          A person uses malware and gains unauthorised access to an electricity asset’s computer network and modifies confidential information and other data contained within that network. This disrupts the supply of electricity to the general public and compromises the confidentiality of customer data sets.

 

82.    Subparagraph 479.1(1)(b) provides that the person must have intended to cause a direct or indirect impact on the availability, integrity or reliability of the critical infrastructure asset. An impact also relates to the confidentiality of information about or stored in, or of, the critical infrastructure asset. This definition is intended to align with the definition of relevant impact in section 8G of the Security of Critical Infrastructure Act 2018.

 

83.    In accordance with this definition, a relevant impact may be direct or indirect to ensure the focus of the conduct is on the result of the cyber security incident rather than its source.

 

84.    A relevant impact includes an impact to a critical infrastructure asset’s availability. For example, a cyber attack on a critical infrastructure asset which results in that asset being unable to provide essential services, such that a significant population does not have access to those essential services, or the supply is unreliable, is a relevant impact in relation to availability.

 

85.    A relevant impact includes an impact to a critical infrastructure asset’s integrity. For example, unauthorised access to a critical infrastructure asset may result in an impact on businesses’ ability to trust the integrity of the data held by that asset, and is a relevant impact in relation to integrity.

 

86.    A relevant impact includes an impact to a critical infrastructure asset’s reliability. For example, a cyber attack on a critical infrastructure asset which results in that asset being able to provide its essential services intermittently to a significant population, is a relevant impact.

 

87.    A relevant impact includes an impact to the confidentiality of information about or stored in, or the confidentiality of, a critical infrastructure asset. For example, a cyber attack on a critical infrastructure asset in which a person gains unauthorised access to the critical infrastructure asset’s computer system, could result in a compromise to the confidentiality of that information. This is a relevant impact.

 

88.    However, a relevant impact must be more serious than a reduction in the quality of the essential services being provided.

 

89.    This offence is punishable by a maximum penalty of 25 years’ imprisonment. This will ensure that perpetrators face punishment commensurate with the severity of their conduct and the risk of harm it has to critical infrastructure, Australia’s national security and economy, and the Australian community.

 

90.    This penalty is consistent with other serious offences under the Criminal Code, including section 82.3 - Offence of sabotage involving foreign principal with intention as to national security - which carries a term of imprisonment of 25 years. This offence involves a person engaging in conduct that results in damage to public infrastructure (infrastructure owned by the Commonwealth) with the intention that the conduct prejudices Australia’s national security.

 

91.    This penalty appropriately reflects the catastrophic risk posed by cyber attacks that utilise ransomware or malware to cause harm to critical infrastructure, and therefore to Australia’s national security, economic interests, and the Australian community. It also appropriately punishes and deters perpetrators in relation to that conduct.

 

92.    New subsection 479.1(7) clarifies that a reference to critical infrastructure in this section, is a reference to a critical infrastructure asset within the meaning of the Security of Critical Infrastructure Act 2018.

Division 479.2     Aggravated offence—producing, supplying or obtaining data under arrangement for payment

93.    New section 479.2 creates an aggravated offence for a person who produces, supplies or obtains data for payment and commits an offence against section 478.4(1) (the underlying offence).

 

94.    Section 478.4(1) makes it an offence to produce, supply or obtain data with intent to commit a computer offence.

 

95.    This offence seeks to criminalise the ransomware business model, including sale, purchase, lease or commission arrangements in relation to data that is used in the commission of an offence against section 478.4(1). It captures conduct such as ransomware-as-a-service, whereby a person produces data with the intent that the data be used in the commission of an offence against Division 477 or sections 478.1 or 478.2, and that person supplies the data to another person for payment.

 

96.    For example, it criminalises the conduct of a crime syndicate that develops ransomware and solicits to supply it to other, less sophisticated criminals for payment (whether or not they are successful in supplying the ransomware). It also criminalises the conduct of individuals who obtain ransomware under an arrangement for payment with the intent that it be used to modify data to cause impairment.


97.    Subparagraph 479.2(1)(a) identifies section 478.4(1) - producing, supplying or obtaining data with intent to commit a computer offence - as the underlying offence.

 

98.    Subparagraph 479.2(1)(b) identifies the circumstances in which a person produces, supplies or obtains data (malware, including ransomware) involving an arrangement to receive or make a payment. This includes circumstances where a person produces, supplies or obtains, or solicits the production, supply or obtaining of, data under an arrangement for the person to receive or make a payment.

 

99.    This offence is punishable by a maximum penalty of 10 years’ imprisonment. This will ensure that the developers, sellers and buyers of malware face punishment commensurate with the severity of their conduct in supporting the cybercriminal business model.

 

100. This penalty is consistent with penalties for existing offences in the Criminal Code, including:

 

·          Section 131.1 - Theft. This offence criminalises conduct where a person dishonestly appropriates property belonging to another with the intention of permanently depriving the other of that property. This offence is punishable by a maximum of 10 years’ imprisonment. It is analogous to the conduct that malware, including ransomware, facilitates in relation to computers.

 

·          Division 477 - Serious computer offences. This aggravated offence aligns with the penalties already contained in Division 477 of the Criminal Code for serious computer offences. Given that the commercialisation and propagation of malware, including ransomware, enables those offences and is similarly serious, alignment with the penalty provisions under Division 477 is appropriate and required.

 

101. Subparagraph 479.2(6) defines payment as including a reference to giving or being given property. Reference to property includes all types of property, including fiat currency and cryptocurrency, provided as consideration as part of the transaction for the data.


Schedule 2—Cryptocurrency exchanges

Proceeds of Crime Act 2002

Overview

102. The Proceeds of Crime Act 2002 (POCA) provides law enforcement agencies with wide-reaching powers to monitor, freeze, restrain and confiscate proceeds and instruments of crime.

 

103. The POCA currently enables certain orders and notices to be given or made in relation to ‘financial institutions’:

·          Freezing orders (section 15B POCA)

·          Notices to financial institutions (section 213 POCA), and

·          Monitoring orders (section 219 POCA).

 

104. This measure will ensure that the current regime applies to digital currency exchanges and the accounts they administer, at a time of rapid adoption of digital currencies. In October 2021, the Select Committee on Australia as a Technology and Financial Centre released its Final Report, which commented that:

·          the total cryptocurrency and digital assets market now totals in the trillions of dollars, and

·          around 25 per cent of Australians either currently have, or have previously held cryptocurrencies, making Australia one of the biggest adopters of cryptocurrencies on a per capita basis.

 

105. The amendments will ensure that existing information gathering powers and freezing orders available in relation to financial institutions can also be exercised in relation to digital currency exchanges.

 

106. These reforms will enhance law enforcement agencies’ investigative powers to ensure they can identify where digital currencies may be associated with criminal offending and then freeze the relevant accounts to prevent that digital currency from being dissipated (and potentially reinvested in further criminal activity) before restraint action can be taken under the POCA. This measure is part of a suite of measures the Government intends to introduce to modernise law enforcement powers and legal frameworks, ensuring that law enforcement agencies can continue to deprive criminals of the benefits of their crime.

Item 1    Paragraph 7(aa)

107. Item 1 is a consequential change to the outline of the POCA to reflect the amendments made by this Schedule.

Item 2    Subsection 15B(1)

108. Item 2 expands the scope of the existing freezing order provisions to ensure a freezing order limits withdrawals and other transactions involving accounts with digital currency exchanges (which will fall within the definition of ‘financial institution’). The use of the word ‘transaction’ is intended to capture the broader range of dealings that can occur in relation to digital currencies when compared to fiat currency, so that law enforcement agencies have the capabilities required to prevent account holders taking actions that could result in a reduction in the account’s balance. For example, some digital currency exchanges include the ability to swap or trade one type of cryptocurrency held for another, which could result in a change of the value of the cryptocurrency connected with the account. For the avoidance of doubt, ‘transaction’ should be interpreted broadly to include any dealings with digital currencies held in an account, including dealing with it as a gift, exchanging digital currency for fiat currency, or transferring digital currency from the digital currency exchange to a private wallet.

 

109. The rationale for making freezing orders is to prevent the risk of account balances being reduced, and the criteria in existing section 15B(1) ensure that freezing orders will only be made in situations where it is necessary to ensure funds (including digital currency) are not moved or dissipated. It follows that the freezing order provisions do not operate in a manner that precludes additional deposits to frozen accounts, and the amendments do not change this.


Items 3 and 4       Section 15K

110. Current section 15K ensures that withdrawals mandated by law are not affected by the making of a freezing order. Item 4 reflects that digital currency exchanges will be able to undertake relevant transactions from an account holding digital currencies where those transactions are required by law.

Items 5 and 6       Section 15L(a) and (c)

111. Current section 15L supports the enforcement of freezing orders by making it an offence for a financial institution to allow a withdrawal from an account, which is subject to a freezing order, where the withdrawal contravenes the terms of the orders.

 

112. Items 5 and 6 align the offence provisions with the amendments inserted through Item 2 by making it clear a financial institution will also commit an offence if it allows a withdrawal from or transaction involving an account, which is subject to a freezing order, where the withdrawal or transaction contravenes the order.

Items 7 and 8        Section 15Q(1)

113. Current section 15Q(1) confers on a magistrate the power to vary a freezing order to enable a financial institution to allow a withdrawal from the account to meet one or more of the circumstances in subsections (a) - (d). Allowing a freezing order to be varied recognises that in certain situations it will be necessary to allow withdrawals from a frozen account, such as to allow a person to provide food and other necessities for their family.

 

114. Item 8 is intended to ensure that these provisions apply to accounts held with digital currency exchanges. There is no change to the statutory criteria a magistrate should consider when determining whether to vary a freezing order.

Items 9 - 11           Definition of ‘account’

115. Items 9, 10 and 11 collectively:

 

·          amend the existing definition of ‘account’ to specifically capture accounts provided by digital currency exchanges, and

·          clarify that the balance of an account that relates to digital currency can be expressed as either an amount of digital currency, Australian currency, or any other currency.

 

116. Digital currency exchanges adopt a variety of different operational structures and processes through which they provide a registrable digital currency exchange service. For example, a user may deposit $10,000 to an account held with a digital currency exchange, and use those funds to interact with (or ‘purchase’) digital currencies controlled by the exchange. A user could invest half of those funds to acquire 0.5 Ether and 0.25 Bitcoin (examples of digital currencies offered by a digital currency exchange). Their account balance would then show that they have $5,000 in fiat currency, 0.5 Ether and 0.25 Bitcoin.

 

117. Item 10 inserts subsection (ea)(i) and (ii), which provides that the definition of ‘account’ extends to an account relating to digital currency that includes:

 

·          an account representing the holding of an amount of digital currency, and

·          an account provided as part of a digital currency exchange.

 

118. These new definitions of ‘account’ are intended to capture an account holding fiat currency and any sub-accounts or related accounts that contain different digital currency balances a user holds. The ‘account’ ‘provided as part of a digital currency exchange’ definition is intended to operate as a catch-all to ensure that different operating structures to the one described above do not circumvent the Government’s clear policy intention to capture any fiat currency and digital currency balances e.g., the $5,000, 0.5 Ether and 0.25 Bitcoin in the above example.

 

119. However, the accounts described in (ea)(i) and (ea)(ii) are not intended to be an exhaustive list of the types of accounts that might be held with digital currency exchanges and subject to a freezing order, as denoted by the phrase ‘and includes’ in the introductory component of that definition.

Item 12   Definition of ‘digital currency’ and ‘digital currency exchange’

120. Item 12 inserts a new definition of ‘digital currency’ and ‘digital currency exchange’ in section 338 of the POCA. The definition of ‘digital currency’ adopts the same definition as in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Under the AML/CTF Act, digital currency means either a representation of value that:

·          functions as a medium of exchange, a store of economic value, or a unit of account and

·          is not issued by or under the authority of a government body and

·          is interchangeable with money (including through the crediting of an account) and may be used as consideration for the supply of goods or services and

·          is generally available to members of the public without any restriction on its use as consideration.

OR

·          a means of exchange or digital process or crediting declared to be digital currency by the AML/CTF Rules.

121. However, ‘digital currency’, as per the definition in the AML/CTF Act does not include any right or thing that, under the AML/CTF Rules, is taken not to be digital currency for the purposes of that Act.

 

122. The definition of ‘digital currency exchange’ means a ‘registrable digital currency exchange service’ within the meaning of the AML/CTF Act. Under the AML/CTF Act, registrable digital currency exchange service means designated services covered by item 50A of table 1 in section 6 of the AML/CTF Act but not those that are of a kind specified in the AML/CTF Rules.

 

123. This definition does not require a digital currency exchange to be registered under the AML/CTF Act before a freezing order can be made. This is to ensure that a digital currency exchange cannot circumvent the scope of the new regime by failing to enrol with the Australian Transaction Reports and Analysis Centre in breach of its obligations under the AML/CTF Act.

Item 13           Definition of ‘financial institution’

124. Item 13 expands the definition of ‘financial institution’ to include a corporation to which paragraph 51(xx) of the Constitution applies that provides a digital currency exchange. This definition expands the scope of the proceeds of crime regime so that orders that can currently be sought against financial institutions, or notices that can be given to them, can also be sought or given against a digital currency exchange.

 

125. Expanding this definition will also amend the scope of the following provisions by reference:

 

·          Schedule 1 of the POCA as it relates to Schedule 1 - Information gathering by participating States and self-governing territories, and

·          other Acts that rely on the concept of ‘financial institution’ and related concepts from the POCA: see for example the International Criminal Court Act 2002, the International War Crimes Tribunals Act 1995 and the Mutual Assistance in Criminal Matters Act 1987.

Item 14 - Amendments to Schedule 2

126. Item 14 clarifies that the amendments made by this Schedule apply in relation to a notice given under clause 12 of Schedule 1 to this Act on or after the commencement of this clause:

·          whether currency, property or a thing to which the notice relates was acquired before, on or after that commencement; and

·          whether conduct or a crime to which the notice relates happened before, on or after that commencement.

127. The reason for this application is the same as that set out in paragraph 130 below.

 

Item 15          Application of amendments

128. Item 15 clarifies that the amendments made by this Schedule, to the extent that they relate to an order under Part 2-1A or 3-4 of the POCA, or a notice given under section 213 of the POCA, apply in relation to an application or notice made under the abovementioned provisions made on or after the commencement of this item:

 

·          whether currency, property or a thing to which the application or notice relates was acquired before, on or after that commencement, and

·          whether conduct or a crime to which the application or notice relates happened before, on or after that commencement.

 

129. In effect, this provision is intended to ensure that a freezing order, monitoring order, or notice to financial institution can be made in relation to currency, property, conduct or crime to which the order or notice relates, but which occurred before, on or after commencement. These amendments do not have the effect of permitting orders to be made retrospectively.

 

130. The application of these amendments is consistent with previous amendments to the POCA. It is also necessary to ensure all relevant criminal conduct is captured, as the offending leading to POCA action may be historic or occur over a period of time. Further, at the time of requesting information, such as through a notice to a financial institution, there will often be limited information as to which accounts exist and when they were opened. Accounts may also be opened significantly prior to the suspected offending. As such, by providing express provisions in relation to the application of these amendments, these issues are put beyond doubt and the potential frustration of POCA investigations and proceedings through arguments about when criminal conduct occurred or when specific accounts were opened is prevented.


Schedule 3—Seizing digital assets

Crimes Act 1914 and Proceeds of Crime Act 2002

Overview

131. The ability for law enforcement agencies to seize evidential material and tainted property represents a vital capability in their ability to effectively disrupt the criminal business model by depriving criminals of the benefits of their crime and prosecuting those who engage in activities that threaten the interests of all Australians.

 

132. The Crimes Act 1914 (Crimes Act) and the Proceeds of Crime Act 2002 (POCA) establish the legal basis upon which law enforcement agencies can seize:

 

·          in relation to the Crimes Act, evidential material in relation to an offence to which the warrant relates or another offence that is an indictable offence, evidential material (within the meaning of the POCA), or tainted property (within the meaning of the POCA), and

 

·          in relation to the POCA, tainted property to which the warrant relates, evidential material in relation to property to which the warrant relates, or evidential material (within the meaning of the Crimes Act) relating to an indictable offence (as defined in the POCA).

 

133. Law enforcement agencies are seeing an increase in criminals’ use of digital assets to facilitate their offending and as a means to hold and distribute the benefits derived from their offending, including in the context of ransomware, money laundering and other predicate offending. The provisions will complement existing search and seizure powers by including provisions that specifically address some of the unique issues and complexities that arise in the search for and seizure of digital assets. This will ensure that the powers available to law enforcement reflect the operational environment and are suitably adapted and extended to prevent the dissipation of proceeds of crime, so that they remain available for subsequent restraint and forfeiture action under the POCA.

 

134. This measure is part of a suite of measures the Government intends to introduce to modernise law enforcement powers and legal frameworks, ensuring that law enforcement agencies can continue to deprive criminals of the benefit of their offending.

Item 1    Definition of ‘digital asset’

135. Item 1 inserts a new definition of ‘digital asset’ and ‘seize’ into subsection 3C(1).

 

136. A ‘digital asset’ means:

 

·          a digital representation of value or rights (including rights to property), the ownership of which is evidenced cryptographically and that is held and transferred electronically by a type of distributed ledger technology or another distributed cryptographically verifiable data structure, or

·          a right or thing prescribed by the regulations, but does not include any right or thing that, under the regulations, is taken not to be a digital asset for the purposes of this Part.

 

137. The first limb of the definition is cast broadly to capture a range of digital assets that could hold value and be capable of restraint or forfeiture action under the POCA. Without limitation, it is intended to capture a broad range of assets such as ‘coins’, ‘stablecoins’ and ‘tokens’ as those terms are used by the crypto-asset industry. However, recognising the evolving nature of digital assets, the second limb of the definition is designed to provide flexibility to tailor the definition as technology changes and as the use of digital assets in criminal offending changes.


138. This definition is broader than that in relation to the measure in Schedule 2. This difference is intentional, recognising that:

 

·          for the definition of ‘digital currency’ in relation to the measure in Schedule 2, the intention is to capture digital currencies in accounts administered by financial institutions (now defined to include digital currency exchanges), noting that the institutional arrangements that support the administration and facilitation of these accounts are capable of supporting the freezing order and notice to financial institution regimes under the POCA, and

·          for the definition of ‘digital assets’ in relation to this measure, the intention is not to limit the search and seizure powers to digital currency which is administered or facilitated by a digital currency exchange, but to confirm the ability of law enforcement agencies to seize digital assets that are capable of having a value and could be subject to restraint and confiscation under the POCA.

 

139. In that way, ‘digital currency’ as will be defined in the POCA, can be viewed as a subset of ‘digital assets’ as will be defined in the Crimes Act and the POCA (see paragraphs 135, 136 and 173).

 

140. The new definition of ‘seize’ clarifies that, in relation to a digital asset, the meaning is affected by subsection 3FA(3).

Items 2 - 5    When search warrants can be issued

141. Items 2 - 5 collectively ensure that the warrant, when issued, expressly includes reference to law enforcement’s ability to seize digital assets under the terms of that warrant.

 

142. The intention is for this provision to include the broadest range of things that may relate to a digital asset, recognising that this is an emerging and evolving area of property. For example, this could include (amongst other things) anything from a digital wallet, digital asset account or app, information on a computer hard drive or even the digital asset itself.

Items 6 and 7 Things authorised by a search warrant - additional things for digital assets

143. Item 6 repeals and substitutes the heading of section 3F to ‘The things authorised by a search warrant - general’. This amendment is consequential to the amendments made by item 7.

 

144. Item 7 inserts new provisions into the Crimes Act that:

·          establish the circumstances in which digital assets can be seized, both under warrants over premises and under warrants over persons,

·          establish the thresholds required for the seizure of digital assets and the matters the executing officer or constable assisting must be satisfied of before effecting the seizure,

·          set out a non-exhaustive list of ways digital assets can be seized,

·          clarify the time limit for seizing digital assets, and

·          clarify that a digital asset can be seized at the premises to which the warrant relates, in the presence of a person to whom the warrant relates, or at any other place.

 

145. These new provisions are intended to complement existing search and seizure powers by specifically addressing some of the unique issues and complexities that arise in the search for and seizure of digital assets. This includes only requiring that the executing officer or constable assisting finds one or more things that ‘suggest the existence of the digital asset’ before seizure of that digital asset can be effected.

 

146. New subsections 3FA(1)(a) to (c) collectively authorise the executing officer or a constable assisting to seize a digital asset (including as described in subsection (3)) under a warrant in force in relation to premises if the following three requirements are met:

 

·          the existence of a digital asset: an executing officer or constable assisting is able to seize a digital asset if, in the course of exercising powers under this Part, the executing officer or constable assisting finds one or more things that suggest the existence of the digital asset.

                              i.         For example, law enforcement agencies may locate evidence on a person of interest’s (POI) electronic device that they control cryptocurrency (such as via a digital wallet application), may locate seed phrases written down or stored electronically, or may locate a cold storage wallet at the premises.

                             ii.         Other examples of where a thing suggesting the existence of a digital asset may be found other than at the premises include where it is located during examination of items that have been moved under subsection 3K(2) or during the examination of items that have been seized under the search warrant.

 

·          nature of the digital asset: the executing officer or constable assisting must suspect on reasonable grounds that the digital asset is ‘evidential material’ in relation to an offence to which the warrant relates or another offence that is an indictable offence, or ‘evidential material’ or ‘tainted property’ within the meaning of the POCA. These three conditions replicate the existing three bases upon which things (other than the evidential material specified in the warrant) can be seized under paragraph 3F(1)(d), subject to a change to the threshold required from ‘believes on reasonable grounds’ to ‘reasonably suspects’. This change:

                               i.         reflects the fact that the existing threshold is often difficult to meet in relation to digital assets, because it is not always as clear whether digital assets are linked to a crime as it may be for other forms of property. For example, the existence of large sums of cash at a premises is quite unusual in the broader community. Where large sums of cash are found during a search warrant, the ‘believes on reasonable grounds’ threshold may be satisfied, because this is so uncommon. The holding of digital assets is becoming more ubiquitous within the community, so the mere fact that a person holds a digital asset may not necessarily, on its own, be sufficient to meet a reasonable belief threshold. To seize a digital asset under the reasonable suspicion threshold, any suspicion that the digital asset is evidential material or tainted property must be reasonably held. This means there will need to be other information available to the relevant officer which objectively indicates a connection between the digital asset and criminal activity before seizure is able to occur, and

                              ii.         is not intended to apply to the existing search warrant provisions in subsections 3F(1) or (2) - the lower threshold applies only to the seizure of digital assets, and

 

·          reasons for seizure: the executing officer or the constable assisting reasonably suspects that seizing the digital asset is necessary to prevent the digital asset’s concealment, loss or destruction or its use in committing an offence.

 

147. For the avoidance of doubt, the phrase ‘concealment, loss or destruction’ includes ‘dissipation’ of the digital asset, including by transferring it in whole or in part to another entity, digital wallet etc. This covers situations where there is a reduction in the value or balance of the digital asset, such as in circumstances where a person moves or sells most (but not all) of the digital asset.

 

148. The note following subsection 3FA(1) is intended to clarify that:

·          the digital asset need not be found at the premises, and

·          the new powers to seize digital assets are not intended to limit existing powers in relation to accessing data. Those existing powers are also exercisable in relation to digital assets, as set out in the example in the note.

 

149. New paragraphs 3FA(2)(a) to (c) collectively authorise the executing officer or a constable assisting to seize a digital asset (including as described in subsection (3)) under a warrant in force in relation to a person if the same requirements described in paragraph 146 are met. Importantly, the inclusion of the note after paragraph 3FA(2)(c) is intended to clarify that the digital asset need not be found in the person’s possession.

 

150. Subsection 3FA(3) is intended to clarify some of the ways in which digital assets can be seized under subsection 3FA(1) or (2). This includes:

 

·          transferring the digital asset from an existing digital wallet (or some other thing) to a digital wallet (or other thing) controlled by the Australian Federal Police or a police force or police service of a State or Territory

·          transferring the digital asset from a digital wallet (or some other thing) recreated or recovered by a police force or police service using things found in the course of the search authorised by the warrant, to a digital wallet (or other thing) controlled by the Australian Federal Police or a police force or police service of a State or Territory, and

                               i.         The recreation or recovery of a digital wallet would involve the use of information including, but not limited to, private keys and seed phrases located during the execution of the warrant to obtain access to the digital asset. Access to an individual digital asset is secured using a private key, and these keys are often held in digital wallets that allow a user to manage the digital asset. These wallets generally provide a recovery mechanism through the use of a seed phrase which is generated during the wallet creation process. Seed phrases are typically a list of words that contain all the information required to recover the digital assets held in a deterministic digital wallet. Possession of the seed phrase therefore allows access to the digital assets controlled by the digital wallet even when the PIN, password or other access method has not been provided.

·          transferring the digital asset in circumstances prescribed by regulations made for the purposes of this paragraph.
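The explanation above of why a seed phrase is sufficient to recreate a deterministic wallet can be made concrete. The following Python is an added example and is not part of the memorandum or of any agency’s tooling. It implements the two public standards that most deterministic wallets follow, BIP39 (mnemonic words to a 512-bit seed via PBKDF2-HMAC-SHA512) and BIP32 (seed to a master private key and chain code via HMAC-SHA512 keyed with the string ‘Bitcoin seed’), using only the standard library. The function names, the `SAMPLE_MNEMONIC` constant and the `recover_wallet` helper are this example’s own; the sample mnemonic is the publicly documented all-‘abandon’ reference phrase from the BIP39 specification, used here as constructed input, and ‘TREZOR’ is the passphrase used by that specification’s test vectors. Word-list checksum validation is omitted because it requires the 2048-word BIP39 list.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order: BIP32 requires the master private key to lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample input: the all-"abandon" reference mnemonic from the BIP39
# specification (12 words encoding 128 bits of zero entropy). It is public and
# controls nothing of value; a seed phrase located during a search would replace it.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def normalise_mnemonic(mnemonic):
    """Collapse whitespace and apply NFKD, as BIP39 requires before hashing."""
    return unicodedata.normalize("NFKD", " ".join(mnemonic.split()))


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds, 64 bytes).

    Note what is NOT an input: the wallet application's PIN or login password.
    That secret only protects the stored copy of the phrase; the phrase itself
    (plus the optional BIP39 passphrase, if the user set one) determines the wallet.
    """
    words = normalise_mnemonic(mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_to_master_key(seed):
    """BIP32: I = HMAC-SHA512(key=b"Bitcoin seed", msg=seed).

    The left 32 bytes are the master private key, the right 32 bytes the chain
    code; every address in the wallet is derived from this pair.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(key, "big")
    if not 0 < k < SECP256K1_N:
        # Astronomically unlikely, but BIP32 declares such a seed invalid.
        raise ValueError("invalid master key derived from seed")
    return key, chain_code


def recover_wallet(mnemonic, passphrase=""):
    """Reconstruct the root secrets of a deterministic wallet from its seed phrase."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    key, chain_code = seed_to_master_key(seed)
    return {
        "seed": seed.hex(),
        "master_private_key": key.hex(),
        "chain_code": chain_code.hex(),
    }


if __name__ == "__main__":
    plain = recover_wallet(SAMPLE_MNEMONIC)
    with_pass = recover_wallet(SAMPLE_MNEMONIC, passphrase="TREZOR")
    print("seed, no passphrase:      ", plain["seed"])
    print("seed, passphrase 'TREZOR':", with_pass["seed"])
    # Same twelve words, different optional passphrase: an entirely different wallet.
```

Two points matter for an officer relying on the provision above. First, the derivation is fully deterministic and needs no cooperation from the device owner, which is why a written-down seed phrase is a ‘thing that suggests the existence of a digital asset’ and also the means of seizing it. Second, BIP39 allows an optional passphrase (sometimes called a ‘25th word’) that is mixed into the PBKDF2 salt; the same twelve words with and without it produce unrelated wallets, so a recreated wallet that appears empty may simply be missing that passphrase rather than indicating that the asset has been dissipated.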

 

151. Paragraph 3FA(3)(c) is designed to provide flexibility to expressly prescribe other ways in which digital assets can be seized, such as to correspond to changes to the definition of ‘digital asset’.

 

152. Subsection 3FA(4) provides that the power to seize a digital asset under the warrant may only be exercised, to the extent that the exercise of the power relates to a thing referred to in paragraph 3FA(1)(a) or 3FA(2)(a) for the warrant, during the period starting when the warrant is issued and ending when a particular event occurs.

 

153. Subsection 3FA(4) is intended to clarify that law enforcement agencies are able to exercise their powers under subsections 3FA(1) and (2) at different times, depending on the circumstances in which they became aware that there was a thing that suggests the existence of a digital asset. The period ends:

·          for a thing moved to another place under subsection 3K(2)— the time applicable under subsection 3K(3A) or that time as previously extended as described in subsection 3K(3B)

·          for a thing seized under this Division—any time that the thing must be returned as described in Subdivision B of Division 4C of this Part,

·          if the thing is data that is copied under subsection 3L(1A) or 3LAA(2)—the time the Commissioner is satisfied the data is not required (or is no longer required) as described in paragraph 3L(1B)(b) or subsection 3LAA(3), or

·          otherwise, at the end of the period of 30 days starting on the day the warrant is issued.

154. Notes 1 and 2 clarify that:

·          the power to seize the digital asset may be exercised at different times if there is more than one thing referred to in paragraph (1)(a) or (2)(a) that suggests the existence of the digital asset, and

·          if 2 or more things referred to in paragraph (1)(a) or (2)(a) suggest the existence of the digital asset, seizure of the digital asset may occur during the longest period that applies to the digital asset as a result of the application of this subsection in relation to each of those things.

 

155. This is intended to capture that these powers may need to be exercised at different times:

·          things suggesting the existence of digital assets may be located during searches for evidential material under subsection 3FA(1) (premises warrant), during searches for evidential material under subsection 3FA(2) (person warrant), or, in the case of a premises warrant, during examination of electronic equipment at the premises for data that is evidential material (section 3L)

·          things suggesting the existence of digital assets may be located during examination of items that have been moved under subsection 3K(2) (note that section 3LAA allows examination of electronic equipment moved under subsection 3K(2) to find data that is evidential material). For example, law enforcement officers may locate evidence of digital assets, such as seed phrases to recreate a digital wallet, when examining a laptop under section 3LAA after it has been moved under subsection 3K(2), and

·          things suggesting the existence of digital assets may be located during examination of items that have been seized under the search warrant. Section 3ZQU allows use of seized items in investigations, and section 3ZQV covers examination of seized electronic equipment to access data that may be evidential material.

 

156. To illustrate the application of the above section, assume that:

·          a laptop computer is moved under section 3K, and a mobile phone is seized under section 3F. The laptop that is moved contains a text file containing a seed phrase for a digital wallet, and the mobile phone contains the wallet password. Both of these things are capable of suggesting the existence of cryptocurrency and, provided that the requirements in paragraphs 3FA(1)(a) to (c) are satisfied, can trigger the exercise of the powers in subsection 3FA(1), and

·          the exercise of these powers can take place within the period that a law enforcement agency is permitted to retain possession of the mobile phone. This is despite the fact that the laptop computer may need to be returned after 30 days if not extended.

 

157. Paragraphs 3FA(4)(a) and (b) are subject to the existing safeguards in subsection 3K(3A) and Subdivision B of Division 4C of this Part. That is, the intent of these provisions is that the powers in subsections 3FA(1) and (2) are exercisable:

·          for a thing moved to another place under subsection 3K(2)— a period of 30 days if the thing is a computer or data storage device, unless otherwise extended. For the avoidance of doubt, any extension granted in relation to a thing under subsections 3K(3B) - (3D) will automatically extend the time in which the powers in subsection 3FA(3) can be exercised, and

·          for a thing seized under this Division, until such time as the Commissioner is satisfied that the thing is no longer required.

 

158. However, in all of the above circumstances, the powers in subsections 3FA(1) and (2) can only be exercised if the thresholds in paragraphs 3FA(1)(a) to (c) or 3FA(2)(a) to (c) are satisfied.

 

159. Although not expressly addressed through this Bill, the expectation is that a law enforcement agency, after having seized a digital asset, will provide a receipt under section 3Q.

 

160. Subsections 3FA(5) and (6) are intended to clarify that the new powers in subsections 3FA(1) and (2) should be exercisable from any location (which, for the avoidance of doubt, includes the remote exercise of these powers), and should not have to occur in the presence of the occupant (for a premises warrant) or the person (for a person warrant). These provisions would also extend to:

·          providing remote assistance to an officer who is at the premises during the execution of the warrant, and

·          seizure by an officer located at law enforcement agencies’ offices or elsewhere following the moving or seizure of items under the search warrant.

 

161. Items 8 - 13 are intended to make similar amendments to the POCA to ensure that the legal frameworks in both Acts remain broadly consistent.

Items 8 - 9  Contents of warrants

162. Items 8 - 9 collectively:

·          amend the matters that a search warrant must state to include that the warrant authorises the seizure of a digital asset if, in the course of exercising powers under this Part, the executing officer or constable assisting finds one or more things that suggest the existence of the digital asset, and

·          require that the warrant reproduce the content of paragraphs 228A(1)(a) to (c).

163. These provisions are intended to ensure that the warrant, when issued, expressly includes reference to the ability of law enforcement to seize digital assets under the terms of that warrant.

Items 10-11  Things authorised by a search warrant - additional things for digital assets

164. Item 10 repeals and substitutes the heading of section 228 to ‘The things authorised by a search warrant - general’.  This amendment is consequential to the amendments made by item 12.

 

165. Item 11 inserts new provisions into the POCA that:

·          establish the circumstances in which digital assets can be seized

·          establish the threshold required for the seizure of digital assets and the matters the executing officer or constable assisting must be satisfied of prior to effecting the seizure

·          set out a non-exhaustive list of ways digital assets can be seized

·          clarify the time limit for seizing digital assets, and

·          clarify that a digital asset can be seized at the premises to which the warrant relates, in the presence of a person to which the warrant relates, or at any other place.

 

166. As these provisions are intended to operate broadly in the same manner as those in the Crimes Act, an explanation of these provisions is set out in paragraphs 143 to 161. The key differences reflect the slightly different structure of the POCA compared to the Crimes Act, and include:

·          paragraph 228A(1)(b) requires that the executing officer or a person assisting must reasonably suspect the digital asset to be tainted property to which the warrant relates, evidential material in relation to property to which the warrant relates, or evidential material (within the meaning of the Crimes Act) relating to an indictable offence (as that term is defined in the POCA)

·          the ways of seizing a digital asset include transferring the digital asset from a digital wallet (or some other thing) recreated or recovered by an enforcement agency using things found in the course of the search authorised by the warrant, to a digital wallet (or other thing) controlled by an enforcement agency, and

·          transferring the digital asset in circumstances prescribed by regulations made for the purposes of this paragraph.

 

167. Paragraphs 228A(3)(a) to (c) are intended to capture that these powers may need to be actioned at different times (see paragraph 153 above), and that paragraphs 228A(3)(a) and (b) are subject to the existing safeguards in subsections 244(2) and (3) and Subdivision B or C of Division 3 of this Part.

 

168. The intent of these provisions is that the powers in subsection 228A(1) are exercisable during the period starting when the warrant is issued and ending:

·          for a thing moved to another place under subsections 244(2) and (3), at the end of a period of 72 hours unless otherwise extended. For the avoidance of doubt, any extension granted in relation to a thing under subsection 244(3) will automatically extend the time in which the powers in subsection 228A(1) can be exercised

·          for a thing seized under this Division, at such time as the Court orders that the thing be returned to the person, or

·          otherwise, at the end of the period of 30 days starting when the warrant is issued.

 

169. However, in all of the above circumstances, the powers in subsection 228A(1) can only be exercised if the thresholds in paragraphs 228A(1)(a) to (c) are satisfied.

 

170. The amendments to the POCA do not include a provision similar to that in paragraph 3FA(4)(c) of the Crimes Act. This is because section 256 sets out the process and time limits for returning things seized. While section 245 does not expressly use the word ‘seized’ in relation to data, paragraph 249(3)(a) clarifies that actions taken under subsection 245(2) or paragraph 245(3)(b) constitute a ‘seizure’ for the purposes of the POCA.

 

 

171. Although not expressly addressed through this Bill, the expectation is that a law enforcement agency, after having seized a digital asset, will provide a receipt under section 253.

Item 12  Definition of ‘digital asset’

172. Item 13 inserts a new definition of ‘digital asset’ into section 338. The scope of this definition is the same as set out in paragraphs 135 and 136.

Item 13  Application of amendments

173. Item 14 clarifies that the amendments made by this Schedule, to the extent that they apply in relation to an application for a search warrant under Division 2 of Part IAA of the Crimes Act or Part 3-5 of the POCA made on or after the commencement of this item, apply regardless of:

·          whether property or a thing to which the application relates was acquired before, on or after that commencement, and

·          whether conduct or a crime to which the application relates occurred before, on or after that commencement.

 

174. These amendments only apply to search warrant applications made on or after commencement, in recognition that the threshold for seizing cryptocurrency has been reduced from reasonable belief to reasonable suspicion and to reflect the introduction of specific powers relating to digital assets.

 

175. In effect, this provision is intended to ensure that a search warrant can be issued regardless of whether the criminal conduct to which it relates occurred before, on or after commencement, or whether the property or thing to which the application relates was acquired before, on or after commencement. These amendments do not have the effect of permitting warrants to be made retrospectively.

 

176. The application of these amendments is consistent with previous amendments to the POCA. It is also necessary to ensure all relevant criminal conduct is captured, as the offending leading to POCA action may be historic or occur over a period of time. Further, at the time of executing a warrant there may be limited information as to the full extent and duration of offending or when tainted property may have been acquired. As such, by providing express provisions in relation to the application of these amendments, these issues are put beyond doubt, preventing the potential frustration of POCA investigations and proceedings through arguments about when criminal conduct occurred or things were acquired. Applying the amendments to criminal conduct that occurred, or things that were acquired, before the amendments commence is also more broadly justified on the grounds that the seizure of digital assets is already available under warrants, and these provisions merely seek to provide a more specific set of powers in relation to this category of asset.

 

 

 

 



Attachment B

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

 

Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022

 

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

 

Overview of the Bill

This Bill proposes amendments to the Criminal Code Act 1995 (Criminal Code Act), the Crimes Act 1914 (Crimes Act) and the Proceeds of Crime Act 2002 (POCA) to modernise criminal offences and procedures to ensure Australian law enforcement agencies can investigate and prosecute cybercriminals, as well as modernise law enforcement powers to ensure that law enforcement agencies can continue to take the profit out of crime.

Geographical Jurisdiction

The Bill amends the extraterritoriality provisions under s 476.3 of the Criminal Code Act to provide Australian law enforcement with clear legal authority to investigate and prosecute ransomware crimes and offences as they apply under Part 10.7 of the Criminal Code Act.

The amendments will ensure Part 10.7 of the Criminal Code Act sufficiently criminalises conduct which occurs in foreign countries to allow law enforcement agencies to effectively investigate and prosecute offshore cybercriminals, where the crime impacts on a person in Australia.

Existing Category A extended jurisdiction thresholds (under section 15.1 of the Criminal Code Act) may not be sufficient to meet the above objectives. Consequently, the Bill will amend paragraphs 476.3(1)(a), (b), and (c) of the Criminal Code Act, to replicate Category A extended jurisdictional provisions under s 15.1 of the Criminal Code Act, for offences that occur in foreign countries.

New paragraphs 476.3(1)(d) and (e) and new subsection 476.3(2) provide extended geographical jurisdiction to enable law enforcement authorities to investigate and prosecute where:

  • an alleged Part 10.7 offence occurs wholly outside Australia and the condition in subsection (2) is satisfied, or
  • the alleged offence is an ancillary offence of which the conduct constituting the alleged offence occurs wholly outside Australia, and the conduct constituting the primary offence to which the ancillary offence relates, or a result of that conduct, occurs, or is intended by the person to occur, wholly or partly in Australia or wholly or partly on board an Australian ship.

The condition under subsection (2) is satisfied if:

  • the conduct constituting the alleged offence relates to unauthorised access to data held in a computer; or unauthorised modification of data held in a computer; or unauthorised impairment of electronic communication of data to or from a computer; or unauthorised impairment of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means
  • at the time of the unauthorised access, modification or impairment, that data is under the control of, or owned by, a person who is a resident of Australia and who is physically in Australia or a body corporate incorporated by or under a law of the Commonwealth or of a State or Territory regardless of whether the computer or device is in the person’s possession, and
  • at the time of the unauthorised access, modification or impairment, that data is reasonably capable of being accessed within Australia.

Individuals and bodies corporate based in Australia often engage in arrangements in which their data is being hosted or held within computers (for example data processing centres) outside of Australia. These arrangements include individuals who set up personal email accounts through Australian companies entering into contractual arrangements with foreign companies for the purposes of managing their data needs.

In step with this modern approach to managing data, cybercriminals are identifying and targeting vulnerabilities in these foreign data processing centres and networks for the purpose of gaining unauthorised access to, or engaging in unauthorised modification of, data.

The application of extended geographical jurisdiction reflects the increasingly transnational and borderless nature of cybercrime, which often involves multiple participants in multiple countries. 

For example, where:

  • an Australian company has a contractual arrangement with an offshore data processing centre to host that Australian company’s data
  • the data processing centre’s servers are infiltrated by a person or body corporate not authorised to access that Australian company’s data, and the Australian company’s data is accessed, modified or stolen by that person or body corporate, and
  • Australian law enforcement agencies suspect that the person or body corporate who has gained unauthorised access to the data processing centre is also based offshore.

The amendments will allow law enforcement agencies to consider this conduct as potentially constituting an offence under Part 10.7 of the Criminal Code Act and to investigate accordingly. 

The object of the new provisions is to provide law enforcement agencies with the legal authority to investigate and prosecute crimes that take place in a foreign country but which impact on persons who are a resident of Australia. This may include Australian citizens, permanent residents, visa holders and unlawful non-citizens residing in Australia. The provisions are not intended to cover persons who are only temporarily in Australia, such as those transiting through.  Residents of Australia who are the victims of a ransomware attack should be able to expect that Australian law enforcement agencies can take action on their behalf to investigate and prosecute these crimes.

Standalone offence of cyber extortion

The Bill introduces a standalone cyber extortion offence which will criminalise the extortive conduct associated with ransomware: specifically, the conduct of a person making a threat with the intention of compelling another person to do or omit to do an act.

Cyber extortion, through ransomware, is an increasingly prevalent crime which impacts all Australians. Cyber extortion is rising in prevalence because it is an effective means of exercising power over a victim, which may result in a financial gain or some other outcome such as causing a disruption.

Cybercriminals extort victims (including through ransomware) because it is an effective means to exercise power over a victim. Through ransomware, cybercriminals are able to extort victims by ‘locking’ a computer by removing the victim’s access to their data through encryption. This empowers cybercriminals to seek a ransom from victims. Cybercriminals also engage in extortive conduct where they successfully gain unauthorised access to a victim’s data without locking a computer through ransomware. In this case, the cybercriminals then ransom the victim by threatening to release the victim’s data in an online forum. Through these methods, cybercriminals are empowered to either coerce money from a victim, permanently deprive the victim of their data, or release the victim’s data publicly.

New section 477.4 creates an offence for a person (the first person) if:

  • any of the following (whether or not caused by the first person) is occurring or has occurred:
    • any unauthorised access to data held in a computer
    • any unauthorised modification of data held in a computer
    • any unauthorised impairment of electronic communication of data to or from a computer
    • any unauthorised impairment of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means
  • that unauthorised access, modification or impairment involves a computer in the possession of, or data under the control of, another person (the victim)
  • the first person makes a threat to the victim in relation to that computer or data, and
  • the first person makes the threat with the intention of compelling the victim to do or omit to do an act.

The prosecution will need to prove, beyond reasonable doubt, all physical and fault elements of the underlying unauthorised access, modification or impairment in addition to all physical elements of the offence. The new offence does not remove the requirement for the prosecution to prove intent (which is the fault element for Part 10.7 offences). Further, the penalty for this offence carries a maximum term of 10 years’ imprisonment.

This new offence is designed to ensure that all forms of cyber extortion are criminalised. The offence is designed to take into account the fact that cyber extortion takes place after a computer system is compromised by a cybercriminal - that is, unauthorised access or impairment of data takes place which allows the cybercriminal to install malware (including ransomware) on the victim’s computer or, steal that victim’s data. This first step empowers the cybercriminal to subsequently activate the malware (including ransomware) on the victim’s computer or, make threats to release the victim’s data - both of these tactics are criminalised by this offence. This offence will enable law enforcement agencies to conduct investigations and prosecutorial agencies to prosecute under a dedicated offence provision criminalising cyber extortion.

Aggravated offence relating to cyber attacks on critical infrastructure

The Bill introduces an aggravated offence relating to cyber attacks on critical infrastructure assets as defined under the Security of Critical Infrastructure Act 2018.

New section 479.1 creates an aggravated offence for a person who commits an offence against sections 477.2, 477.3, 478.1 or 478.2 (the underlying offences) and the conduct relates to a person intending to cause a direct or indirect impact on the availability, integrity or reliability of a critical infrastructure asset or on the confidentiality of information about or stored in, or the confidentiality of, a critical infrastructure asset.

There is no fault element for the physical elements in this offence, other than the fault elements (however described) for the underlying offence, which is consistent with other aggravated offences in the Criminal Code Act.

The prosecution will need to prove beyond reasonable doubt all physical and fault elements as part of the underlying offence in addition to all physical elements of the aggravated offence. The new offence does not remove the requirement for the prosecution to prove intent (which is the fault element for Part 10.7 offences). The penalty for this offence carries a maximum term of 25 years’ imprisonment.

This aggravated offence recognises the severe disruption that would be caused by the deployment of malware (including ransomware) on critical infrastructure assets’ computer systems. In some cases, these cyber security incidents have resulted in sensitive personal and medical information being encrypted so that it could no longer be used. This conduct directly threatens the operation of essential facilities and significantly risks the safety of the community. These incidents demonstrate the importance of deterring cybercriminals from targeting critical infrastructure with ransomware.

A high priority is placed on protecting Australia’s critical infrastructure to secure the essential goods and services all Australians rely on - everything from electricity and water, to healthcare and banking. A significant disruption or attack on Australia’s critical infrastructure could have catastrophic consequences for Australia’s economy, security and sovereignty. Australia’s threat environment has evolved rapidly, including through the proliferation of low-cost, high-impact malware (particularly ransomware). This is supported by the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report 2020-21, which reports that actors who attack critical infrastructure are engaging in tactics to hunt ‘big game’ - that is, those entities in society which cybercriminals perceive as high profile, high value and/or those that provide critical services. Through ransomware, disruptions to critical infrastructure may have rapid and serious consequences for the Australian community.

International cyber incidents, such as the ransomware attack on US company Colonial Pipeline, which affected the distribution of fuel to customers on the east coast of the United States, demonstrate the potential for attacks to cause devastating harm. Australia is facing increasing cyber security threats to essential services, businesses and all levels of government, and in the past two years there have been cyber attacks on federal Parliamentary networks, logistics, the medical sector and universities. Internationally, there have been disruptive cyber attacks on critical infrastructure including water services and airports. On 19 June 2020, the Prime Minister advised the Australian Government was aware that Australia’s critical infrastructure was being targeted by a sophisticated state-based actor.

Accordingly, the Government will hold cybercriminals to account if they target Australia’s critical infrastructure. While existing offences under the Criminal Code Act may criminalise certain cyber attacks (such as attacks on public infrastructure under Division 82 or those attacks which prejudice Australia’s national security), other types of attacks involving privately owned infrastructure may not be covered.

Therefore, cybercriminals who engage in conduct with the intention of disrupting or impacting critical infrastructure must face harsh penalties which appropriately reflect the severity of harm or potential harm they cause to the community. A single attack may cause a cascading disruption to interdependent critical infrastructure assets which provide several other essential services. The risk of harm arising from these attacks is nationally significant as they may impact a much wider number of entities or individuals and/or may disrupt or destroy the targeted critical infrastructure asset’s ability to provide essential services. Through ransomware and big game tactics, cybercriminals attack a single critical infrastructure asset knowing that this is a critical choke point and dependency for other critical infrastructure assets.

Dealing with Stolen Data

The Bill introduces a stand-alone offence of dealing with data obtained by unauthorised access or modification at section 478.5.

This offence criminalises the conduct of a person dealing with data obtained by unauthorised access or modification if:

  • a person dishonestly obtains data, or causes any access to data, or causes any modification to data, or causes any release of data to one or more persons,
  • the person does so using a carriage service, and
  • the data has been obtained (whether or not by the person) by any unauthorised access to data or modification of data held in a computer.

The offence will only apply to persons whose conduct is deemed to be dishonest according to a trier of fact applying the standards of ordinary people. The trier of fact (or jury) is empowered to make a determination on whether the conduct was dishonest, and defendants are afforded a fair hearing and fair trial rights.

As community expectations in relation to public interest may change over time, the element of dishonesty will ensure that the application of this offence is able to adapt with community expectations in relation to this offence and determine whether the data that is obtained or released is on legitimate public interest grounds.

Criminal liability for this offence is strictly determined within the parameters of new section 478.5. This offence imposes a maximum penalty of imprisonment for 5 years. This penalty appropriately reflects the criticality of protecting personal information or information that is commercial-in-confidence and the need to maintain its confidentiality within Australia’s modern digital economy.

This new offence addresses a key aspect of the tradecraft used by cybercriminals. Cybercriminals combine the encryption of the victim’s network, or the act of exfiltrating the victim’s data, with threats to release or on-sell stolen sensitive data for the purpose of damaging the victim’s reputation or for financial gain. This tactic is effective even if victims have adopted robust digital backups because it leverages the value of the private information rather than the tactic of locking a computer system alone.

Additionally, this offence criminalises the conduct of certain third parties who obtain stolen data. Ensuring this aspect of the cybercriminal business model is criminalised is critical to deterring third parties from knowingly accessing stolen data to either gain an advantage over, or cause further harm to, a victim. This will also help reduce the effectiveness of online cyber extortion on victims. Persons who knowingly access data taken from a victim’s system through cybercrime may have different motivations. Accordingly, the offence criminalises the conduct of knowingly accessing a company’s stolen data to undermine that business, or accessing a victim’s personal information to further extort or harm that person.

The offence is not intended to apply to innocent third parties, including, for example, where:

  • a cyber security firm is engaged and authorised to conduct incident response on behalf of a client in relation to a ransomware or cyber security incident and, in the course of doing so, obtains data online relating to their victim client or other persons or entities
  • a cyber security firm obtains stolen data for the purposes of advising clients or the public on incident response or on cyber security controls
  • a person obtains information in the public interest, such as a journalist conducting research in a professional capacity, or
  • a company engages in open source intelligence gathering on breached or stolen data and provides reports to industry or law enforcement either voluntarily or as part of a paid service.

Aggravated offence of producing, supplying or obtaining data under arrangement for payment

The Bill introduces an aggravated offence criminalising producing, supplying or obtaining data under arrangement for payment under section 479.2.

This new section creates an aggravated offence for a person who produces, supplies or obtains data (malware) for payment and commits an offence against section 478.4(1) (the underlying offence).

There is no fault element for the physical elements in this offence, other than the fault elements (however described) for the underlying offence, which is consistent with other aggravated offences in the Criminal Code Act.

The prosecution will need to prove, beyond reasonable doubt, all physical and fault elements of the underlying offence in addition to all physical elements of the aggravated offence. The new offence does not remove the requirement for the prosecution to prove intent (which is the fault element for Part 10.7 offences). Further, the penalty for this offence carries a maximum term of 10 years’ imprisonment.

This offence targets the commercialisation of ransomware, including the increasing use of Ransomware-as-a-Service (RaaS), which has enabled less-sophisticated actors to gain access to highly disruptive and readily deployable ransomware.

RaaS is conduct whereby ransomware is developed by one person or entity and sold to other, less sophisticated criminals. This empowers less sophisticated criminals who would otherwise be unable to engage in cybercrime. RaaS suppliers often require a percentage of the profits made after a successful ransomware attack. In some cases, the developers and suppliers of RaaS will operate hotlines and call centres to assist their cybercriminal ‘clients’ with technical issues they may have in deploying the package.

Accordingly, this offence targets the conduct of developers, sellers and buyers engaging in commercial transactions as part of the ransomware business model. This offence will ensure that the ransomware business model (through conduct comprising either a sale, purchase, lease or commission-based arrangement) is appropriately criminalised and punished.

Amendments to s 478.4

The Bill amends the offence in section 478.4 of producing, supplying or obtaining data with the intention to commit a computer offence under the Criminal Code Act by criminalising the conduct of persons who engage in conduct in soliciting, but ultimately failing, to produce, supply or obtain data (malware).

This amendment ensures that conduct in seeking to produce, supply or obtain malware, which ultimately fails, still carries criminal culpability. Existing subsection 478.4(3) removes attempt as an extension of criminal liability to this offence given its intended application to preparatory conduct.

Penalties

The Bill amends the relevant penalty provisions for all Division 478 offences under the Criminal Code Act so that each offence carries a maximum term of at least 5 years’ imprisonment - increasing the maximum term of imprisonment for offences which currently carry a maximum term of 2 or 3 years’ imprisonment.

These increases appropriately reflect the severity of harm or potential harm that these offences cause to the community.

Digital currency

The Bill amends the POCA to ensure that existing information gathering powers and freezing orders available in relation to financial institutions can also be exercised in relation to digital currency exchanges. These reforms will enhance law enforcement agencies’ investigative powers to ensure they can identify where digital currencies may be associated with criminal offending and then freeze relevant accounts to prevent that digital currency from being dissipated (and potentially reinvested in further criminal activity) before restraint action can be taken under the POCA.

In October 2021, the Select Committee on Australia as a Technology and Financial Centre handed down its final report, which considered, among other things, the emergence of cryptocurrency (a type of digital currency) and other digital assets. That report found that:

[t]he scale and speed with which cryptocurrencies and other digital assets have progressed in recent years has surprised governments, regulators and policy makers. With a global market now totalling in the trillions of dollars, the tremendous potential of blockchain technology and decentralised finance is becoming recognised by mainstream institutions and investors. Recent survey data shows that 25 per cent of Australians either currently or have previously held cryptocurrencies, making Australia one of the biggest adopters of cryptocurrencies on a per capita basis.

Anecdotally, as the mainstream adoption of digital currency increases, so does its criminal use. Investigations involving digital assets (including digital currency) have been associated with a variety of crime types including purchase of drugs, child exploitation material and firearm purchasing through dark-web markets; ransomware and cyber related offences; money laundering; scams and financing terrorist organisations.

It is therefore imperative that law enforcement agencies have the appropriate capabilities to investigate the use of digital assets to facilitate criminal activities, including where they become the proceeds of crime, and, where necessary, to be able to track, monitor, freeze and seize those digital assets as a precursor to other restraint actions that can be taken.

The Bill introduces measures to address these challenges in order to:

  • ensure that criminals are deprived of the benefits of their crimes and are deterred from further criminal activity
  • disrupt and combat serious and organised crime, and
  • ensure that freezing orders, notices to financial institutions, and monitoring orders can be made in relation to digital currency exchanges.

The definition of ‘digital currency’ adopts the same definition as in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), but does not capture any right or thing that, under the Anti-Money Laundering/Counter-Terrorism Financing Rules (AML/CTF Rules), is taken not to be digital currency for the purposes of that Act.

The definition of ‘digital currency exchange’ means a registrable digital currency exchange service within the meaning of the AML/CTF Act, but does not include designated services covered by item 50A of table 1 in section 6 of the AML/CTF Act that are of a kind specified in the AML/CTF Rules.

Search and seizure

The Bill amends the Crimes Act and POCA to ensure the powers available to law enforcement to seize digital assets (including cryptocurrency) under warrant reflect the operational environment, and are suitably adapted and extended to prevent the dissipation of proceeds of crime so that it is available for subsequent restraint and forfeiture action under the POCA.

The objectives sought to be achieved by this measure include to:

  • ensure that criminals are deprived of the benefits of their crimes and are deterred from further criminal activity, and
  • disrupt and combat serious and organised crime.

A ‘digital asset’ means:

  • a digital representation of value or rights (including rights to property), the ownership of which is evidenced cryptographically and that is held and transferred electronically by a type of distributed ledger technology or another distributed cryptographically verifiable data structure, or
  • a right or thing prescribed by the regulations, but does not include any right or thing that, under the regulations, is taken not to be a digital asset for the purposes of Part 1AA of the Crimes Act.

Human rights implications

The Bill engages the following human rights:

  • The right to freedom from discrimination in Article 26 of the International Covenant on Civil and Political Rights (ICCPR).
  • The right to freedom from arbitrary detention in Article 9 of the ICCPR.
  • The right to a fair trial and fair hearing in Article 14 of the ICCPR.
  • The right to privacy in Article 17 of the ICCPR.
  • The right to an adequate standard of living, including the right to adequate food in Article 11 of the International Covenant on Economic, Social and Cultural Rights (ICESCR).
  • The right to the enjoyment of the highest attainable standard of physical and mental health, including medical service and attention in the event of sickness in Article 12 of the ICESCR.

The right of freedom from discrimination

Article 26 of the ICCPR provides that:

All persons are equal before the law and are entitled without any discrimination to the equal protection of the law. In this respect, the law shall prohibit any discrimination and guarantee to all persons equal and effective protection against discrimination on any ground such as race, colour, sex, language, religion, political or other opinions, national or social origin, property, birth or other status.

This means that laws, policies and programs should not be discriminatory, and also that public authorities should not apply or enforce laws, policies and programs in a discriminatory or arbitrary manner.

Discrimination is impermissible differential treatment among persons or groups that results in a person or a group being treated less favourably than others, based on one of the prohibited grounds for discrimination.

Amendments to the geographical jurisdiction provisions captured under proposed section 476.3(2)(b) apply to ‘a person who is a resident of Australia.’ This could have the effect of excluding certain cohorts of persons subject to a ransomware attack, for example those merely transiting through Australia.

The phrase ‘resident of Australia’ includes all those who reside in Australia, requiring a certain degree of permanence.

The object of this provision is to provide law enforcement with the legal authority to investigate and prosecute crimes that take place in a foreign country but which impact on persons who reside in Australia. This may include Australian citizens, permanent residents, visa holders and unlawful non-citizens residing in Australia.

Although the measure limits the right to non-discrimination, as it does not extend to persons who do not reside in Australia, the limitation is reasonable, necessary and proportionate, as it enables law enforcement authorities to investigate and prosecute offences under Part 10.7 of the Criminal Code Act, to deal with criminal conduct that occurs outside of Australia but ultimately impacts victims in Australia.

The right to freedom from arbitrary detention

Article 9(1) of the ICCPR provides that:

Everyone has the right to liberty and security of person. No one shall be subjected to arbitrary arrest or detention. No one shall be deprived of liberty except on such grounds and in accordance with such procedure as are established by law.

This right applies to all forms of detention where people are deprived of their liberty.

Increasing penalties in the Criminal Code Act

Certain existing computer offences in Part 10.7 of the Criminal Code Act provide adequate maximum penalties for offences relating to unauthorised access to restricted data. For example, unauthorised modification of data to cause impairment under section 477.2 and unauthorised impairment of electronic communication under section 477.3 both carry a maximum sentence of 10 years’ imprisonment.

However, some existing computer offences only carry a maximum sentence of 2 years’ imprisonment, such as the unauthorised access to, or modification of, restricted data under section 478.1 or unauthorised impairment of data under section 478.2. Other existing computer offences only carry a maximum sentence of 3 years’ imprisonment, such as possession or control of data with intent to commit a computer offence under section 478.3 or producing, supplying or obtaining data with intent to commit a computer offence under section 478.4.

These lower maximum penalties do not reflect the seriousness of the offence with reference to the criticality of data to Australian businesses and individuals or the harm that could be caused by ransomware or cybercrime on the thousands of individuals whose data could be impacted through unauthorised access or modification of restricted data or through unauthorised impairment of data held on a computer disk.

The Bill will amend sections 478.1, 478.2, 478.3 and 478.4 of the Criminal Code Act by increasing the maximum penalty for these offences to 5 years. Such increases reflect the increasing seriousness of harm that may be caused by cybercrime and ransomware attacks. The increased penalties do not amount to arbitrary detention, as they are reasonable and necessary to reflect the seriousness of these crimes. While five years will be the maximum penalty available for these offences, the penalty is reasonable given that the penalties will only be applied by a court if a person is convicted of an offence following a fair trial in accordance with the criminal procedures as established by law. Maximum penalties are set to adequately deter and punish a worst case offender, while supporting judicial discretion and independence. The measures are also proportionate to the seriousness of the offence. The amended penalties are consistent with other like offences. For example, postal offences under Division 471 of the Criminal Code which similarly address unauthorised access to, disruption of, or interference with postal items, carry a maximum penalty of 10 years’ imprisonment.

As such, existing penalties in the Criminal Code Act do not adequately reflect the severity of cybercrime offences.

The Online Safety (Transitional Provisions and Consequential Amendments) Act 2021 increased penalties for offences under section 474.17 of the Criminal Code Act (using a carriage service in a way that is menacing, harassing or offensive). The maximum penalty was increased from 3 years to 5 years imprisonment to ensure that the seriousness of the offence is matched by a proportionate punishment. Increasing 2 year penalties to 5 years for section 478 computer offences aligns these penalties with similar offences.

Aggravated offence for targeting critical infrastructure assets

For the aggravated offence of targeting critical infrastructure assets, the Australian Government considers that penalties should reflect the seriousness of introducing a vulnerability into, or disrupting the availability, integrity, reliability or confidentiality of, a critical infrastructure asset.

Like offences, such as sabotage of a public infrastructure asset under section 82.3 of the Criminal Code Act, carry maximum penalties of 25 years’ imprisonment. That offence imposes a significant penalty as the conduct is serious and may seriously prejudice national security, cause loss of life or cause significant economic damage. The new aggravated offence introduced in section 479.1 and the corresponding maximum penalty of 25 years’ imprisonment reflect the potential for serious disruption to the availability, integrity, reliability and confidentiality of critical infrastructure assets of vital importance to Australia and Australian communities. A disruption to a critical infrastructure asset also carries a significant risk to human life and of economic damage, which is reflected by the significant penalty available under section 479.1. The penalty does not amount to arbitrary detention, as it is reasonable and necessary to reflect the seriousness of this offence. While 25 years’ imprisonment will be the maximum penalty for these offences, the penalty is reasonable given that the penalties will only be applied by a court if a person is convicted of an offence following a fair trial in accordance with the criminal procedures as established by law. Maximum penalties are set to adequately deter and punish a worst case offender, while supporting judicial discretion and independence.

Cyber extortion

New section 477.4 creates a stand-alone cyber extortion offence which will criminalise the extortive conduct associated with ransomware: specifically, the conduct of a person making a threat with the intention of compelling another person to do or omit to do an act. This new offence criminalises all forms of extortion in relation to a victim of a computer offence. The offence captures conduct which involves the computer or data in the possession or control of, or owned by, another person (the victim), and at or after the time of the unauthorised access, modification or impairment, the person makes a threat to the victim with the intention of compelling the victim to do or omit to do an act. The new offence carries a maximum penalty of 10 years imprisonment. The penalty does not amount to arbitrary detention, as it is reasonable and necessary to reflect the seriousness of this offence. While 10 years imprisonment will be the maximum penalty for these offences, the penalty is reasonable given that the penalties will only be applied by a court if a person is convicted of an offence following a fair trial in accordance with the criminal procedures as established by law. Maximum penalties are set to adequately deter and punish a worst case offender, while supporting judicial discretion and independence.

Dealing with stolen data

New section 478.5 creates a stand-alone offence of dealing with data obtained by unauthorised access or modification. The offence criminalises conduct that involves obtaining, releasing or modifying (for example, deleting) data of a victim that has been obtained by unauthorised access or modification. For example, a cybercriminal may combine the encryption of a person’s computer, or the act of exfiltrating the victim’s data, with threats to release or on-sell stolen sensitive data for the purpose of damaging the victim’s reputation or for financial gain. This tactic is effective even if victims have adopted robust digital backups because it leverages the value of the private information rather than the tactic of encrypting a computer system alone.

Additionally, this offence criminalises the conduct of third parties who obtain, release or modify stolen data. For example, a person may dishonestly gain access to a large volume of stolen emails and release that information online to publicly reveal commercial-in-confidence information contained in those emails. Ensuring this aspect of the cybercriminal business model is criminalised is critical to deterring third parties from recklessly obtaining data to either gain an advantage over, or cause further harm to, a victim.

This offence imposes a maximum penalty of imprisonment for 5 years. This penalty appropriately reflects the criticality of data and the need to maintain its confidentiality within Australia’s modern digital economy. This penalty is also consistent with other amended penalty provisions as part of this Bill.

The penalty does not amount to arbitrary detention, as it is reasonable and necessary to reflect the seriousness of this offence. While 5 years imprisonment will be the maximum penalty for these offences, the penalty is reasonable given that the penalties will only be applied by a court if a person is convicted of an offence following a fair trial in accordance with the criminal procedures as established by law. Maximum penalties are set to adequately deter and punish a worst case offender, while supporting judicial discretion and independence.

The measure is also proportionate. It is not intended to apply to innocent third parties such as cyber security firms which obtain information in the course of their duties in acting for a client, or persons who obtain information in the public interest, such as a journalist conducting research in a professional capacity. However, as community expectations in relation to the public interest may change over time, the requirement that the person dishonestly obtain the information will ensure that the application of this offence is able to adapt with community expectations in relation to this offence and determine whether the data that is obtained or released is on legitimate public interest grounds. It is also not intended to apply to companies that engage in open source intelligence gathering on breached or stolen data and provide reports to industry or law enforcement either voluntarily or as part of a paid service. These measures help to ensure that criminalisation of this conduct does not amount to arbitrary detention.

Aggravated offence of producing, supplying, or obtaining data under arrangement for payment

New section 479.2 introduces an aggravated offence criminalising producing, supplying or obtaining data under arrangement for payment. This new section creates an aggravated offence for a person who produces, supplies or obtains data (malware) for payment and commits an offence against section 478.4(1) (the underlying offence).

This offence seeks to criminalise the ransomware business model, including sale, purchase, lease or commission arrangements in relation to data that is used in the commission of an offence against section 478.4(1). It captures conduct such as RaaS, whereby a person produces data with the intent that the data be used in the commission of an offence against Division 477 or sections 478.1 or 478.2, and that person supplies the data to another person for payment.

For example, it criminalises the conduct of a crime syndicate that develops ransomware and solicits to supply it to other less sophisticated criminals for payment (whether or not they are successful in supplying the ransomware). It also criminalises conduct by individuals who obtain ransomware with the intent that it be used to modify data to cause impairment, and who obtain that ransomware under an arrangement for payment.

This offence is punishable by a maximum penalty of 10 years’ imprisonment. This will ensure that the developers, sellers and buyers of malware face punishment commensurate with the severity of their conduct in supporting the cybercriminal business model. The penalty does not amount to arbitrary detention, as it is reasonable and necessary to reflect the seriousness of this offence. While 10 years imprisonment will be the maximum penalty for these offences, the penalty is reasonable given that the penalties will only be applied by a court if a person is convicted of an offence following a fair trial in accordance with the criminal procedures as established by law. Maximum penalties are set to adequately deter and punish a worst case offender, while supporting judicial discretion and independence.

Amendments to section 478.4

The Bill amends the section 478.4 offence by criminalising the conduct of persons who engage in conduct in soliciting but ultimately failing to produce, supply or obtain data (malware). Currently, section 478.4 only applies to conduct where a person produces, supplies or obtains data, with the intent to commit a serious computer offence under Division 477. Division 477 offences target conduct that impairs the security, integrity and reliability of computer data and electronic communications.

This amendment ensures that conduct in seeking to produce, supply or obtain malware, which ultimately fails, still carries criminal culpability. Existing subsection 478.4(3) removes attempt as an extension of criminal liability to this offence given its intended application to preparatory conduct.

The offence is punishable by a maximum of 5 years imprisonment. The amendments will ensure that, even where someone fails in an attempt to produce, supply or maintain malware, they still face criminal liability. While 5 years imprisonment will be the maximum penalty for these offences, the penalty is reasonable given that the penalties will only be applied by a court if a person is convicted of an offence following a fair trial in accordance with the criminal procedures as established by law. Maximum penalties are set to adequately deter and punish a worst case offender, while supporting judicial discretion and independence.

The ACSC’s Annual Cyber Threat Report contains an overview of cyber threats affecting Australia, how the ACSC is responding, and vital advice on how all Australians and Australian organisations can protect themselves against those threats. In the 2020-21 financial year, the ACSC received over 67,500 cybercrime reports, an average of one every eight minutes, representing an increase of nearly 13 per cent from the previous financial year. Cybercrime reports submitted via ReportCyber (through cyber.gov.au) recorded total self-reported financial losses of more than $33 billion (AUD). To increase the likelihood of ransoms being paid, cybercriminals are encrypting networks and also exfiltrating data, then threatening to publish stolen information on the internet. These shifts in targeting and tactics have intensified the ransomware threat to Australian organisations across all sectors, including critical infrastructure. The threat posed by cybercriminals has real personal, financial, and disruptive impacts on Australians and Australian businesses.

Increasing penalties and imposing offences for cyber extortion, dealing with stolen data, and soliciting but ultimately failing to produce, supply or maintain malware, and new aggravated offences for targeting critical infrastructure assets and for producing, supplying or obtaining data under arrangement for payment, is required to reflect the severity of harm caused by ransomware and Australia’s reliance on internet-enabled devices to communicate data. The measures which increase the penalties are not arbitrary, as they are reasonable, necessary and proportionate in achieving the legitimate objective of protecting Australia and Australians from the increasingly disruptive nature of cyber threats.

The right to privacy

Article 17(1) of the ICCPR provides that:

No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

The use of the term ‘arbitrary’ means that any interference with privacy must be in accordance with the provisions, aims and objectives of the ICCPR and should be reasonable in the particular circumstances. The United Nations Human Rights Committee has interpreted ‘reasonableness’ to imply that any limitation must be proportionate and necessary in the circumstances.

A limitation on the right to privacy will be permissible under international human rights law where it addresses a legitimate objective, is rationally connected to that objective and is a reasonable and proportionate means of achieving that objective.

The POCA and Crimes Act measures in the Bill may engage the right to privacy because they may:

  • require a financial institution to disclose to law enforcement agencies a person’s personal information related to an account held with a Digital Currency Exchange (DCE), such as details of what accounts a person holds, details of transactions made from particular accounts for up to six months, and the current balance of the account, and
  • require a financial institution to disclose to law enforcement agencies details of transactions a person makes over a period set out in a monitoring order.

The measures confer on law enforcement agencies the ability to obtain further information on accounts held with digital currency exchanges (as they will be brought within the definition of financial institutions), monitor transactions from particular accounts, and if necessary, undertake additional law enforcement action such as freezing accounts to prevent withdrawals or transactions from them. These capabilities will enhance law enforcement investigations by providing credible actionable intelligence and prevent the dissipation of digital currency in circumstances where it could be used to facilitate criminal activity or where it could be considered the proceeds of crime.

To the extent that these measures limit the rights protected under Article 17 of the ICCPR, these limitations are not arbitrary, and are reasonable, necessary and proportionate to achieve legitimate objectives.

The expansion of the regime to include digital currency exchanges retains existing safeguards, including that:

·          these measures are subject to appropriate oversight which takes into account the need to preserve an individual’s rights and interests:

           ·          freezing orders and monitoring orders are subject to independent oversight, such that the relevant orders must be made by a magistrate after considering whether the legislative requirements for making the order have been met, and

           ·          notices to financial institutions can only be issued by those officers prescribed in the legislation, and

·          the orders only operate for a set period of time and need to be reviewed by a magistrate if they are to be extended. The types of orders that will be able to be sought under these measures initially operate for the following periods:

           ·          freezing orders, a period of three working days

           ·          notices to financial institutions, six months in relation to the requirement to provide ongoing details about transactions on an account, and

           ·          monitoring orders, three months in relation to the requirement to provide notice of transactions from a particular account.

As a result of the above, these measures do not operate in a blanket manner and there is sufficient flexibility to consider individual circumstances and treat different cases differently when deciding whether particular orders should be made.

Although the amendments will result in the collection and storage of personal information, Australian Public Service agencies (including law enforcement agencies) are required to comply with the Australian Privacy Principles, which protect against the unauthorised disclosure of personal information.

While the measures extend the POCA freezing and monitoring orders to digital currencies held by financial institutions, limiting the right to privacy, the measures are reasonable, proportionate and necessary to support the functioning of Australia’s proceeds of crime regime and help prevent the use of digital currency in criminal activity.

The introduction of the search and seizure measure is intended to ensure the powers available to law enforcement to seize digital assets (including cryptocurrency) under warrant reflect the operational environment, and are suitably adapted and extended to prevent the dissipation of proceeds of crime so that it is available for subsequent restraint and forfeiture action under the POCA. This measure reflects changes in the way criminals are using digital assets as part of their criminal activities. As Australia has evolved into a modern digital economy, law enforcement agencies are seeing an increase in criminals’ use of digital assets to facilitate their offending and as a means to hold and distribute the benefits derived from their offending, including in the context of ransomware, money-laundering and predicate offences. This measure ensures that law enforcement agencies are able to effectively disrupt and combat serious and organised crime, and that criminals are to be deprived of the benefits of their crimes and are deterred from further criminal activity.

The search and seizure measures will engage the right to privacy by enabling law enforcement agencies to conduct a search of a person, or to conduct a search at or in relation to a person’s premises or conveyance, and seize a digital asset identified in the course of those searches. The measures allow the executing officer to access the person’s digital wallet to transfer the contents to a law enforcement digital wallet as a means of seizing the digital asset. The executing officer needs to reasonably suspect that the seizure of the digital asset is necessary to prevent the digital asset’s concealment, loss or destruction or its use in committing an offence.

To the extent that these measures limit the right to privacy under Article 17 of the ICCPR, these limitations are not arbitrary, and are reasonable, necessary and proportionate to meet the increase in criminals’ use of digital assets to facilitate serious offending and ensure law enforcement agencies are able to continue to effectively detect, disrupt and deter activities harmful to Australians.

The safeguards that currently exist in the legislation, including timeframes which govern how long law enforcement can retain things moved or seized under warrant, will apply to the amendment. For example, in relation to the amendments to the Crimes Act:

  • for a thing moved to another place under subsection 3K(2), the thing can only be retained for a period of 30 days if the thing is a computer or data storage device, unless the period is extended by the issuing officer, and
  • for a thing seized under Division 2, the thing can be retained until such time as the Commissioner is satisfied that it is no longer required.

The Bill provides that these safeguards will apply to the seizure measures.

This demonstrates that the existing provisions are intended to balance criminal justice outcomes with the effects that depriving a person of their property may have. For that reason, the limitation on privacy is reasonable, proportionate and necessary to support the functioning of Australia’s proceeds of crime regime and help prevent the use of digital assets in criminal activity.

The right to an adequate standard of living, and highest attainable standard of health

Article 11 of the ICESCR provides that:

(1)     The States Parties to the present Covenant recognize the right of everyone to an adequate standard of living for himself and his family, including adequate food, clothing and housing, and to the continuous improvement of living conditions…

It commits States Parties to improve methods of production, conservation and distribution of food.

Article 12 of the ICESCR provides that:

(1)     The States Parties to the present Covenant recognize the right of everyone to the enjoyment of the highest attainable standard of physical and mental health…

including the creation of conditions which would assure to all medical service and medical attention in the event of sickness.

The Bill’s introduction of an aggravated offence for targeting critical infrastructure assets supports these rights by recognising the role critical infrastructure plays, in particular critical food and grocery assets, in ensuring Australia’s food security which maintains and sustains life. The introduction of an aggravated offence is designed to deter cybercriminals from conducting malicious cyber activity which can disrupt distribution networks and other key operations of Australia’s major supermarkets, which could impact the availability of food and groceries.

Similarly, health care and medical facilities are crucial to Australia’s ability to fulfil this obligation, as they provide critical care to patients with a variety of medical, surgical and trauma conditions. A successful ransomware attack against health care and medical facilities significantly risks the standard of physical and mental health available to Australians. An aggravated offence will help reduce this risk by deterring would-be offenders from targeting Australian health care and medical facilities.

The Bill’s POCA and Crimes Act measures may also limit these rights to the extent that the operation of the freezing order or the seizure of digital assets impacts a person’s ability to use their assets to access relevant goods or services. To the extent that these measures limit the rights protected under Articles 11 and 12 of the ICESCR, these limitations are not arbitrary, and are reasonable, necessary and proportionate to achieve legitimate objectives for the same reasons outlined above.

Current section 15Q(1) of the POCA confers on a magistrate the power to vary a freezing order to enable a financial institution to allow a withdrawal from the account to meet the reasonable living expenses of the person or their dependents, the business expenses of the person, or a specified debt incurred in good faith by the person. Allowing a freezing order to be varied recognises that in certain situations, such as where all of a person’s property is frozen or restrained, it may be appropriate to allow withdrawals from a frozen account, particularly noting that a freezing order can be extended until a restraining order application is determined. Amendments in the Bill ensure that these provisions apply to accounts held with digital currency exchanges, so that freezing orders can be varied in relation to digital currency subject to a freezing order.

Consistent with existing search warrant provisions in the POCA and the Crimes Act, a person is not able to seek a variation when digital assets are seized during the execution of a search warrant under the POCA or Crimes Act amendments in the Bill. While this may limit a person’s ability to use their digital assets to access relevant goods or services consistent with their rights under Articles 11 and 12 of the ICESCR, these limitations are proportionate as digital assets subject to a seizure warrant are:

•           unlikely to form the entirety of a person’s income, and

•           not commonly exchangeable for goods and services in the same way standard currency currently is.

This means that a person would ordinarily be expected to retain some level of standard currency to meet day-to-day expenses.

Therefore, any limitation on the rights under Articles 11 and 12 of the ICESCR by the POCA measures is reasonable, necessary and proportionate to support the functioning of Australia’s proceeds of crime and search and seizure regimes and to help prevent the use of digital currency and digital assets in criminal activity.

The right to a fair trial and fair hearing

Article 14 of the ICCPR provides in part that:

All persons shall be equal before the courts and tribunals. In the determination of any criminal charge against him, or of his rights and obligations in a suit at law, everyone shall be entitled to a fair and public hearing by a competent, independent and impartial tribunal established by law.

Section 478.5 criminalises unlawfully dealing with (that is, obtaining, deleting or releasing) data. This offence includes an element of dishonesty.

New subsection 478.5(2) defines dishonest as being dishonest according to the standards of ordinary people and known by the defendant to be dishonest according to the standards of ordinary people. This requires the prosecution to prove that a person has knowingly, or through another person has recklessly, obtained data, that they have released or modified that data, and that the conduct was dishonest according to the standards of ordinary people and known by the defendant to be dishonest. The element of dishonesty recognises the need for certain persons or entities to obtain, release or modify data for legitimate purposes in limited circumstances, and distinguishes between innocent third parties and persons who have nefarious reasons for dealing with the data.

In the determination of this criminal charge, a person will have the right to a public hearing that is conducted by an independent and impartial body. Penalties will only be applied by a court if a person is convicted of an offence following a fair trial in accordance with the criminal procedures as established by law. This ensures that the measures do not limit the rights under Article 14 of the ICCPR.     

Conclusion

The Bill is compatible with human rights because it promotes the protection of human rights and, to the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate.

The Hon Karen Andrews, MP

Minister for Home Affairs