Twitter worried by 'secret' account takeover, data access powers

By

Urges govt to amend proposed laws.

Twitter has criticised laws that would give federal authorities the power to take control of a person's online accounts in secret, accusing the government of failing to properly consider the obligations of service providers.

Twitter worried by 'secret' account takeover, data access powers

The social media giant made the remarks in its submission to the parliamentary joint committee on intelligence and security review of the Surveillance Legislation Amendment (Identity and Disrupt) Bill.

If passed, the bill would allow the Australian Federal Police to take control of a person’s online account to gather evidence about serious offences, as well as to add, copy, delete or alter material.

The submission [pdf], published on Tuesday, calls on the government to “amend the bill to reflect practices that are consistent with established norms of privacy, free expression and [the] rule of law”.

“We believe it will take sustained research, discussion and effort from government, industry and relevant expert civil society to appropriately reform this draft legislation and its relevant processes,” the microblogging service said

Twitter said it was troubled there was “no consideration or reference in the bill of the implications of law enforcement agencies accessing a service without the knowledge of the service provider”.

“We are very concerned about the implications for Twitter’s own obligations as a company, as well as the rights and privacy implications for the users of Twitter and other online services,” it said.

The company said this is made worse by the lack of clarity regarding “standards of review and the means of appeal available”, as well as the lack of consideration of third-parties, it said.

“This is especially [sic] in the context where notice is not provided to the company that these account takeover warrants are being applied,” the submission states.

“Also, it does not appear that the bill has contemplated any processes to consider and protect the rights of any third-party users who may interact with the account… subject to a [warrant].

“This again raises a number of inherent privacy concerns and potential violations of substantive rights, as well as potential conflict of laws if these third-party users are outside Australia.”

The submission recommends that “necessary protections and procedures” be introduced to “to preserve democratic processes, extend privacy protections, and enshrine procedural fairness”.

This includes “requir[ing] agencies to disclose when warrants may be effectuated under this legislation”.

Online account takeover powers that allow authorities to access data “regardless of the location of the server, [and] without requiring knowledge of such access” have drawn particular ire.

“If the account takeover warrant is to be used to access an online account regardless of the location of the server, and executed without the knowledge of a service provider, or foreign official, then all due process requirement and safeguards that typically surround warrant processes have essentially been removed,” Twitter said.

Assistance orders

Another area of concern is the application of assistance orders that would require a ‘specified person’ to provide information or assistance to law enforcement for an account takeover.

Twitter said not only was the bill “unclear” on whether this applies to service providers and their employees, but also that there is a limit to what assistance can be provided.

“Twitter does not store user credentials, including passwords, in plaintext form,” the submission states

“Thus, depending on the content of the assistance order, service providers like Twitter could be in a position where our capacity to comply with these orders would be correspondingly limited or not technically feasible.”

An assistance order could also be in direct “conflict with obligations under laws of other countries where [service providers] operate”, Twitter added.

“This paradox places service providers in an impossible situation with regard to conflict of laws or technical feasibility and could potentially place Australian national security agencies in direct conflict with relevant international obligations or legal regimes operating in other jurisdictions,” it said.

Twitter also raised issues with “what activities are ultimately authorities under an account takeover warrant remains unclear”, with the explanatory memorandum pointing to the need of a separate warrant to access data or gather evidence.

The company is similarly concerned about the decision to allow “lower-level magistrates rather than a judge or Administrative Appeals Tribunal member to issue account takeover warrants”.

It said this was “inconsistent with other electronic surveillance warrants”, highlighting recent changes to press freedoms that it recommended around the issue of warrants by senior judges.

“As recommended by this committee, the power to issue such serious search warrants should be solely held by senior judges, such as those on state and territory supreme courts,” it said.

“However, that was not the approach taken in this bill.”

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Macquarie Uni to spend up to $700m on 10-year digital transformation

Macquarie Uni to spend up to $700m on 10-year digital transformation

Nissan A/NZ's outsourced cyber incident call centre breached

Nissan A/NZ's outsourced cyber incident call centre breached

Digital ID bill passes parliament

Digital ID bill passes parliament

Macquarie's banking CISO headed to Endeavour Group

Macquarie's banking CISO headed to Endeavour Group

Log In

  |  Forgot your password?