Can the police access data stored on the Cloud? Short answer - Yes.

The following is an article not intended to be relied upon as legal advice, or considered as such.

Last week I wrote a case summary article on my pertaining to the decision of Barbaro v Queensland Police Service [2020] QDC 39. The essence of that summary was that legal professional privilege was considered a “reasonable excuse”, in those particular circumstances, not to provide a phone’s PIN code to access the information stored within that phone.

However, one of my readers drew my attention to a recent article and amendments to the Police Powers and Responsibilities Act 2000 (“PPRA”), which has provided extraordinary powers to the Queensland Police Service (“QPS”) to access not only data stored on the device itself, but in ‘clouds’.

This article considers those recent amendments, providing some practical examples of why the Queensland Law Society and the author consider them troubling, and some proposed checks that business operators can put into place to protect their company information.

I should preface all of the information, below, in saying that I am not a data protection expert by any means of the imagination.

Storage on a device vs. storage on the ‘cloud’

Those in the know understand that much of the information we readily access in our daily lives is not contained on a particular device, but in a cloud.

For those in the second or third carriages of the relentless information technology train – to save the memory from being overburdened on a phone or laptop (i.e. having thousands of songs, photos, files, etc.) many users opt to store information on ‘clouds’, so the physical document is held outside of the device, and downloaded when requested for viewing/listening, before returning back once the user has finished with it.

This makes life pretty simple, assuming everyone’s playing by the rules.

Where this becomes complicated is that cloud services can become somewhat of a spider’s web of information themselves. For example, many users of Apple’s iPhone would be well aware that their entire collection of passwords and user authentication is also usually held in the cloud to make purchases or access easier.

This can include user access information (i.e. usernames, passwords and log on credentials) to, for example, MyGov, containing health records, tax returns, military service records; company servers, containing client files, privileged information 

What is further troubling, and the major focal point of this article, is how often personal devices will contain access information for business or other confidential information that may be very unrelated to any alleged wrong-doing. The intersection between personal, private and privileged information, can, if appropriate control measures aren’t enacted, become extraordinarily blurry.

And your point is?

According to ITNews, an Australian IT online news service, in an article dated 21 February 2020, the Queensland Police Service were granted further powers in the early part of this year through the Police Powers and Responsibilities and other Legislation Amendment Bill 2019.

I did some digging. And discovered this bill was passed with amendment on 20 February 2020. In the second reading speech on 18 September 2019, the Honourable Minister for Police and Corrective Services, Mark Ryan, said:

“Amendments in this bill to powers which permit access to password protected devices ensure that the suite of legislation I have referred to keeps pace with advancing technology. The bill ensures that terminology used in the provisions of the act is sufficiently broad to ensure that, no matter how incriminating evidence is contained on or through a device, it can be lawfully accessed. Whether evidence of crimes is stored physically on a device, in the cloud, in email accounts or in social media applications, police and commission officers will have access to the evidence upon meeting existing criteria.”

In short, the storage of information on cloud services was not clearly defined within the existing legislative provisions. For example, while the PPRA implied access to stored information, the scope of whether that extended to information on a cloud service was unclear.

As readers of my previous article, and those versed in criminal practice, are no doubt aware, Chapter 7, Part 1 of the PPRA, allows Police to search places with warrants. Relevantly (and the provision being referred to), is s 154, which provides the powers through which a warrant may order a person to give a police officer access to a device, among other matters.

So, in summary, Police may seek a search warrant, part of which requires a person to provide access information (i.e. a password, encryption code, swipe pattern or fingerprint) to gain access to an electronic device, such as a laptop or mobile phone. This allows the QPS to access information within that device, so-called ‘device information’.

Importantly (and we’re going to come back to this!) s. 154(3) provides that the order must state any conditions to which the provision of the information or assistance is subject (s. 154(3)(c)) and that a failure to comply with the order may be dealt with under s. 205A of the Criminal Code (s. 154(3)(d)).

Now, hopefully if you’ve come this far, you have read the previous article, in which the Supreme Court of Queensland considered s 205A, and what a “reasonable excuse” might mean. In Barbaro, a reasonable excuse included well founded grounds of legal professional privilege.

This article is now going to examine the practical wide-ranging scope of this power, and some possible control measures for your consideration.

Meet “Frank”:

So, for example, a person, let’s say: “Frank”. Frank may have conducted criminal activity to which Police attention is directed. Frank lives an otherwise lawful life. The company that Frank works for utilises a cloud-based platform to ensure staff can work effectively from home. The company has thousands of files in the cloud, including all manner of clientele information, commercially sensitive material and correspondence between other company employees and lawyers. Under this new provision, access to anything Frank had access to, will now be accessible by the QPS.

I say accessible, not accessed, for a reason. Assuming the warrant order is specifically worded to allow Police to obtain only that information necessary and incidental to the criminal activity, then the powers that be should only access that specific material.

Any sceptics in the audience starting to feel uncomfortable?

For the more trusting, this assumption relies upon two premises: first, that the warrant is specific in identifying the alleged criminal actions; and second, that anyone executing powers under that warrant confines themselves to the first premise.

Commence the catastrophising!

So where does this leave companies, law firms, or lawyers, who rely on cloud-based storage? As many of you are aware, this is a common practice for solicitors and barristers alike, to use cloud-based storage as we move toward a paperless world.

What if an employee of a law firm has a warrant executed upon them – do Police now have access, through a back door, to the entirety of what would otherwise constitute legally sensitive and privileged information?

It would seem, yes.

What about if that person is an employee of the Commonwealth, or a politician, who is able to access, as part of their role, classified documents? Do the Police now have potential access to ministerial or national security documents through this backdoor?

It would appear to be so.

I accept I’m beginning to look like a conspiracy theorist, and, in fairness, I should identify that the bill contained the qualification:

“The Bill makes amendments to resolve this ambiguity and to make it clear that any information can be accessed (within the terms of the judicial order) on or through an electronic device.”

I should also identify that the objectives are to combat online child sex offending and serious organised crime. Rightfully crimes that deserve the community’s moral condemnation. So, the old statement of, “those who have nothing to hide, will have nothing to fear”, probably rings true – if that’s a disposition you’re comfortable with.

But what these amendments are essentially asking, is that we must trust when these powers are exercised by the State, that operatives will look no further than within the remit of the judicial order.

Do we trust that premise? And the question remains, how will we ever know if such orders were flouted?

The Queensland Law Society, in a letter authored by the then-president, Mr Bill Potts, was clearly (and in my humble view, appropriately) of the disposition that:

“Such a broad power, unfettered by any checks and balances, has enormous implications for privacy and commercial confidentiality in the modern world. There is also the potential for abuse of this broad power.”

So… what now?

Let’s return to “Frank”. Frank has committed despicable acts of criminal behaviour online. Police successfully execute a search warrant onto Frank’s phone, and with their powers Frank provides his access information, they find what they’re looking for, and Frank is duly charged and prosecuted.

However, Frank’s company director, “Sally”, was smart in introducing a privacy policy that passwords must never be saved in a device or cloud, and that any passwords associated with his employment must be distinct from anything Frank uses in his private capacity.

In short, the company information has a separate password which, unless Frank divulges it, secures that information.

Now, Frank might be asked to provide these details, but he may also identify a reasonable excuse not to provide the further access information, and thus not be liable for criminal prosecution under s. 205A of the Criminal Code.

This prevents an overzealous person accessing information not strictly according to the provisions of the warrant. If they have grounds for believing access to Sally’s company was required and within the ambit of the warrant, that could be grounds for a further warrant – but an appropriate check to unfettered access is in place.

In an age where users don’t tend to read the terms and conditions of the many applications we install onto our devices (admit it, have you?), and companies are increasingly using cloud-based technology (especially during the health epidemic) to allow staff to work remotely and effectively, multilayering access information should become a priority for everyone. Companies, law firms and sole traders should inform themselves, or engage professionals to inform them, about information privacy and data protection.