Australian news.com.au reported Sunday that “The Attorney-General's Department is pushing for new powers for the Australian Security Intelligence Organization (ASIO) to hijack the computers of suspected terrorists.” The report seems to be based on a response, in the form of Q&A, by the Attorney General’s Department to questions raised in the inquiry into potential reforms of National Security Legislation. According to ITWire, this was lodged in August or September 2012.
Key to the news.com report is the response to the question: “Why should ASIO be empowered to hack third party computers that may belong to people who are not threats to national security?” The AG response states that the requirement is not to gain access to the computer’s content or the content of its communications, but “is essentially like using a third party premises to gain access to the premises to be searched where direct access is not possible.” This may be necessary, it says, “where a person of interest is security conscious and may use mechanisms that make it difficult to obtain access to the computer.”
In effect, the Australian spy agency is seeking legal authority to do what criminals are already doing. “Australians' personal computers might be used to send a malicious email with a virus attached, or to load ‘malware’ onto a website frequently visited by the target,” says news.com.au. This is the same as a criminal using Facebook ‘friends’ to gain the trust of the real target, or compromising a website of interest to the target in a water hole drive-by ‘attack.’
This would be a powerful weapon for the authorities if used in conjunction with something like the UK’s Communications Bill (the so-called snooper’s charter). For example, the traffic disclosure might note that a journalist is in contact with a known hacker. The journalist would need to develop rapport and trust with the hacker. But the authorities would be able to surreptitiously compromise first the hacker (likely to be less security conscious) and then exploit the trust and communications channel to compromise the true target, the hacker (who is likely to be more security conscious). The only difference in behavior between the spy agency and a cybercriminal is that the spy agency would be able to do it legally.