When Can Police and other Law Enforcement Agencies Access Your Private Data?
Private browsing mode, also known as incognito mode, is a way to surf the web without your activity being recorded in your browsing history.
However, private browsing isn’t as “private” as you may think it is. Here’s why.
How does private browsing work?
When you open a private browsing window, the browser will only retain information whilst the window is open.
Key bits of information stored by browsers include the websites you’ve visited, usernames, passwords and information from forms, all of which are stored as “cookies” or small pockets of data.
Once your browsing window is closed, these cookies are cleared and if someone else uses your computer they won’t see what you were viewing.
However, private browsing doesn’t provide you with complete anonymity online.
Various parties can still monitor your internet traffic depending on your network. This could include your employer (or school), your internet service provider, government agencies or even random members of the public if you’re on public WiFi.
Digital forensic experts can also often find “artifacts” on a person’s computer that indicate recent web history, even in private browsing mode. These can include file downloads, bookmarks and other tiny bits of information indicating web use.
There is also the potential that software designed to snoop on your activities exists on your computer. This could include key loggers (which record what you type on your keyboard) or other spyware applications.
The “privacy” obtained through a private browser is simply that someone who uses the computer after you isn’t necessarily going to see recent history. It’s not, nor is it necessarily advertised to be, a complete solution to privacy online.
When can law enforcement access your private data?
Both Federal and NSW law enforcement have extensive powers to access data, search premises and seize computers as part of a criminal investigation, if they obtain a search warrant.
Depending on the type of warrant, law enforcement can access data from internet service providers, personal computers and other entities that may have relevant online activity data.
In NSW, a search warrant will be issued if a court is satisfied there are reasonable grounds to believe the search is necessary to obtain evidence of a “searchable offence”.
Section 46A of Law Enforcement (Powers and Responsibilities) Act 2002 (NSW) (the LEPRA) states that a “searchable offence” includes:
- an indictable offence,
- a firearms or prohibited weapons offence,
- a narcotics offence,
- a child abuse material offence,
- an offence involving a thing being stolen or otherwise unlawfully obtained,
- a computer offence.
For a general search warrant, NSW police will usually have to inform you that your property or data is being searched. However, if police apply for and obtain a covert search warrant or obtain a (recently created) digital evidence access order, you can be searched, have your data accessed or have spyware planted on your computer, all without your knowledge.
Section 47(3) of the LEPRA states that NSW Police can apply for a covert warrant if they:
- suspect on reasonable grounds that there is, or within 10 days will be, in or on the premises a thing of a kind connected with a searchable offence in relation to the warrant, and
- consider that it is necessary for the entry and search of those premises to be conducted without the knowledge of any occupier of the premises.
A “searchable offence” for a covert warrant includes a “serious offence” encompassing child exploitation material (“child pornography”) offences, hacking offences, illicit drug supply and manufacture offences and other indictable offences punishable by imprisonment for a period of 7 years or more.
A digital evidence access order allows police to undertake an array of spying and hacking activities without having to notify you. Section 76AA of the LEPRA states that a digital evidence access order may be issued in relation to any search or crime scene warrant, as well as several other pieces of legislation. Similar search powers also exist for the Australian Federal Police.
A range of laws make it easy for law enforcement and other agencies to access your private data
A number of recent law reforms have increased the extensiveness of data capable of being discovered following the execution of a search warrant. These include:
- Metadata retention laws requiring telecommunications companies and internet service providers to retain “metadata” on consumers for a minimum of two years, and release that information to a range of law enforcement and other agencies without them even having to obtain a warrant. These laws were marketed by the government as necessary to catch terrorists. However, as we foreshadowed even before they came into effect, the laws have been used for a range of other purposes – including by local councils in an attempt to catch those who unlawfully dump rubbish, by police to identify cadets who were sleeping with one another or faking sick days, by the taxation office to identify alleged tax avoiders, and even to identify and persecute whistleblowers and journalists.
- Data access orders compelling individuals to give access to computer networks and other devices.
- Data disruption warrants which allow police to add, copy or delete data to stop or inhibit crimes.
- Network activity warrants and account takeover warrants which give police access to devices and networks belonging to suspected criminals, as well as the capacity to take over online accounts to gather evidence.
- International data sharing arrangements allowing access to data found through searches conducted overseas.
Given extensive police powers to surveil, hack and monitor computer networks, it’s fair to say that there isn’t a definitive way to ensure complete anonymity whilst online.
What about VPNs?
Virtual Private Network (VPN) technology is often sold as a means to conceal one’s internet activity and location, by establishing a secure, encrypted connection to a private network.
When you use a VPN, your online traffic is routed through a VPN server before it reaches the Internet. This means that your online activities are shielded from your Internet Service Provider and other third-party entities, such as websites and advertisers, which makes it more difficult for them to track your online activities or intercept your data.
However, VPNs are not a foolproof mechanism to evade the eyes of law enforcement. Depending on the VPN, there may still be logs of user activity retained by the company or data sharing arrangements with third parties, including government agencies.
Police can obtain a warrant to search or access data stored on VPN servers just like any other private company. Depending on the location of the VPN, they may be compelled to comply with any data sharing requests issued.
Even if communications on a VPN are fully encrypted, there may still be data logged by VPN companies or Internet Service Providers that can ultimately indicate recent internet activity.
Ultimately, there is no bulletproof way to “privately browse” the internet.
New updates: Mandatory Scheme for NSW agencies
Since 2023, when this article was first published, there have been significant updates to the regulatory requirements for NSW public sector agencies under the Privacy and Personal Information Protection Act 1998 (NSW). Since attacks are more frequent in every sector of the state, it comes as no surprise that data regulations have been heightened – but that also means that the police and organisations are easily accessing the public’s data with fewer rules for personal freedoms.
The Australian Cyber Security Centre reported that the cost of reported cyber crime increased between 2022-2023, highlighting how the current schemes were not sufficient. In November 2023, the Mandatory Notification of Data Breach scheme replaced the previous programs, which included the following amendments:
- New Mandatory Notification of Data Breach that requires agencies to notify the Privacy Commissioner of data breaches that can harm the affected individual or entity,
- Exemptions from mandatory notifications,
- Providing the Information and Privacy Commission with the power to monitor and report on agencies regarding data breaches, and
- Mandatory requirements for agencies to publish their data breach policy.
Not only does this reduce public freedoms and agencies’ privacy, but it also gives the IPC more power to monitor every single organisation and person with data—which is every person in Australia.
The new obligations for agencies in Australia now include:
- Contain a data breach within 30 days,
- Make reasonable attempts to mitigate the harm caused by the breach within the assessment period,
- Determine whether a breach is an eligible data breach,
- Notify the Information and Privacy Commission, and
- Comply with the additional data management requirements.
The additional mandatory data requirements include maintaining an internal incident register and publishing a data breach policy.
Although there are not currently any financial penalties for non-compliance with the updated scheme, businesses need to consider the damage to their reputations if they fail to disclose data policies to the public. Furthermore, noncompliance can lead to the NSW Civil and Administrative Tribunal conducting an administrative review that could result in upwards of $40,000 for the loss.
New Requirements for Businesses: Stay Compliant
For businesses to remain compliant under the new scheme, they should do the following:
- Define roles for management in charge of data breaches,
- Ensure the Privacy Management Plan is compliant with Part 6A of the PPIP Act,
- Publish a data breach policy in accordance with section 59ZD,
- Update policies and procedures according to the new scheme,
- Maintain a register of data breaches (who was involved, when the breach was recognised, the type of breach, details of actions to mitigate breach, and the cost of the breach), and
- Maintain a public register of notifications made under section 59N(2) that is available for 12 months after the incident.