The recent US government banning of Pegasus spyware from Israeli tech company NGO Group has had a significant impact on Australian efforts to regulate digital technologies in the face of new national security threats on the Internet.
Putting human rights and democratic freedoms at the heart of US foreign policy was one of Joe Biden’s key campaign promises. His government kept that promise by blacklisting the NSO Group for selling its Pegasus software to governments who abuse these principles. This move presents the increasing challenge for states to regulate cyber and digital technologies right at the center of US political decisions and strategies.
This is a powerful statement to the international community, especially given the historic US support for Israel. For Australia, this is particularly important given Canberra and Washington’s renewed commitment to work together under the AUKUS Agreement to maintain security in the Indo-Pacific region and their longstanding collaboration as members of the Five Eyes Agreement to exchange information. Australia’s new Cross-Border Communications Act, or Cloud Act, which enables data sharing with partners such as the US on the basis of shared values, underscores the importance of Australia and the US on an equal footing when it comes to the ethical regulation of digital technologies.
Israel is already lobbying the US to lift the ban, arguing that Pegasus is vital to its foreign policy. The NSO Group claims that Pegasus is a national security tool for governments to prevent transnational organized crime and violent extremist groups from using the “dark” parts of the internet for business.
The Australian government is not an existing or potential customer of Pegasus. But it used the same justification as the NSO Group to pass a number of laws that significantly expanded the powers of police and intelligence agencies to spy on Australians. In addition to the cloud law, a law was passed that enables authorities to access encrypted data and to change data. The speed with which these bills passed through Parliament, the uncertain safeguards against scale intrusion, and the hasty consultations with industry raised serious concerns. The application of the encryption law by the Australian Federal Police to Operation Ironside also raised concerns that Australia could become a police partner of choice given its expanded powers and the undemocratic government that has allowed the legislation. AFP’s refusal to tell how the law’s powers have been used has further damaged public confidence.
In order for Australian authorities to apply these laws, certain conditions and warranties are required; there is no authoritarian arbitrariness in the way Viktor Orban’s government used Pegasus to “wage war” against the media in Hungary. But by overriding Australian civil liberties on the basis of arguments to ward off unprecedented threats to national security, the government is creating a legal framework to allow internet surveillance that is disturbingly similar to Pegasus’s spying through possibility to access, decrypt and even manipulate data in online accounts and apps on devices.
Australian law does not allow devices to be remotely activated for audio recording. But given the justifications for the powers granted – that new, extraordinary threats warrant new, extraordinary measures – this may yet come.
The problem isn’t finding new strategies and tools to monitor cyberspace; they are needed. But when we legalize new security powers based on the argument that a threat landscape is “unprecedented” and “exceptional”, it is difficult to define which other threats are similar to “exceptional” and what is justified by “exceptional circumstances”. We have seen this through the pseudo-legal framework created by the George W. Bush administration to allow the widespread use of torture during the “war on terror”. These policies have been widely condemned on the basis of ethics, US international and national law, and even the provision of actionable information.
If the Morrison government is as serious as the Biden government about protecting civil liberties in the digital age, it should invest as much effort in building the legal framework to regulate and govern the fourth industrial revolution on democratic principles as they do it does monitor them. Where is Australia’s equivalent to the European Union’s data protection and privacy rules for digital technologies, given how quickly we got these police laws in place?
And why is the new Artificial Intelligence Ethics Framework completely voluntary for governments and businesses when the Queensland Police Department is already using AI products to create a risk profile for possible domestic violence perpetrators? This is in spite of the known limitations of the algorithms available for scrutinizing police data without exacerbating human bias and discrimination. Given the threat this poses to already over-controlled communities, where are the hastily passed laws protecting democratic rights at a time when new technologies represent flashy “solutions” to their own ethical problems in implementation?
It’s easy to welcome Washington’s decision to ban Pegasus. But aren’t we racing down a similar path, to the same place, fueled by the same argument of “extraordinary threat”?