A controversial Australian anti-encryption law was a key factor in a combined AFP and FBI sting operation that took down hundreds of criminals, but Prime Minister Scott Morrison and federal authorities are tight-lipped about how it was used.
The encryption-busting telecommunications laws – rushed through Parliament in 2018 – have been used “for the first time” by police, prompting concerns from tech experts.
It’s further raised questions about whether Australian police have snooping powers that even the American FBI doesn’t.
Law enforcement agencies worldwide began detailing a startling investigation on Tuesday, unravelling a complex three-year global sting that started with the Australian Federal Police and FBI operating a messaging app used by criminals.
The service, known as ANoM, allowed crooks to send and receive texts, photos and voice messages.
It was hidden on specially designed phones, distributed by police informants to criminals, who shared plans for violence, drug deals and other illegal activity.
In Australia, the investigation was titled Operation Ironside. It was described as the biggest operation in AFP history, with the FBI running the app, and Australian police receiving and decrypting the encoded messages.
The AFP said on Tuesday the three-year operation had, in Australia alone, seized nearly four tonnes of drugs and $4.5 million cash, and prevented 21 murders.
“Ironside has arrested and charged, who we allege, are some of the most dangerous criminals to Australia,” AFP Commissioner Reece Kershaw said.
He said a key component of Australia’s involvement was the Telecommunications and Other Legislation Amendment of 2018, known as TOLA.
That law, passed in the dying moments of the last sitting day of Parliament in December 2018, was controversial as it gave Australian authorities the power to force encrypted messaging companies to install secret ‘back doors’ in their apps, to give police power to access and unscramble encrypted messages.
Such encryption technology is the basis for many online services used by millions of people daily, including messaging platforms like WhatsApp and Signal, as well as banking apps.
Privacy and tech experts were aghast when the laws were proposed in 2018, but the legislation was rushed through Parliament after then-home affairs minister Peter Dutton warned there was an “urgent” need.
Commissioner Kershaw said the laws were used in the ANoM sting.
“It’s legal. And we did use the TOLA passed in 2018 for the first time,” he said.
“The FBI had the lead on this. We provided a technical capability to be able to decrypt those messages.”
When asked at Tuesday’s press conference whether Australia had powers to “analyse” the messages that the FBI didn’t, Commissioner Kershaw answered “yeah”.
Mr Morrison, also at the press conference, was asked if the AFP was “able to do things that other countries were not legally able to do”.
He didn’t respond directly, but said the government made “no apologies for ensuring that our law enforcement authorities have the powers and authorities they need to stop criminal thugs and gangs”.
Commissioner Kershaw, responding to the same question, said “we’ve used the laws … successfully”.
But with neither man commenting on exactly how the TOLA laws were used, questions have abounded.
A recently unsealed court filing lodged by the FBI in the United States District Court in May states that law enforcement came into possession of the ANoM app after a criminal informant in San Diego offered it to them, at some point in mid-2018.
The ANoM-equipped phones began being distributed to criminals in October 2018. TOLA would be rushed through Parliament just two months later.
ANoM had a “beta test” in Australia, the court filing says, where “the AFP obtained a court order to legally monitor” about 50 ANoM devices operating on our shores.
The court filing was posted on the U.S. government records site PACER, and shared with The New Daily by Seamus Hughes, a researcher at Washington D.C.’s George Washington University who monitors court documents.
Belinda Barnet, a senior lecturer in media and communications at Swinburne University, said it was unclear how or why TOLA’s powers around back doors would be needed, considering police already owned and ran the app.
Indeed, the US court filing specifically notes ANoM attached a “master key” to each message on the app, allowing “law enforcement to decrypt and store the message” sent by criminals.
“There would be no reason for the FBI or the AFP to ask the manufacturer of the app to create a back door, because it seems like the entire device and the app was a back door,” Dr Barnet told The New Daily.
“If they built an app specifically to spy on, and obtain messages of those criminals, it’s not like they’d send it out all locked up.”
She described the innovation as “brilliant, right out of a high-tech movie”, but was curious in how TOLA was involved.
Justin Warren, a technology expert and chief analyst at tech company PivotNine, was also interested in the legislation, and questioned if it was used to allow the harvested data to be extracted and then shared internationally.
“What I’d be most interested in is the cross-jurisdictional part of this. We need to know which powers were granted which allowed this, and how they were used,” Mr Warren told TND.
“That could be what TOLA was used for, essentially ‘jurisdiction shopping’. Does it enable the AFP to do certain things that other places wouldn’t be able to do?”
Mr Warren said it was important for police to “collaborate across borders”, but said it was important for citizens to be able to scrutinise how police used their powers.
“If they’re uncomfortable sharing that with us, that indicates a problem. They should be very proud of what they’ve done,” he said.
“If they’re proud, they should be able to share that detail with us.”