You could break espionage laws on social media without realising it

Did you know you could be charged with spying if you connect with someone who turns out to be a foreign spy on LinkedIn?

Apparently, not enough of us do. Australia’s domestic spy agency ASIO recently launched its first public awareness campaign, warning foreign spies are using social media and professional networking sites to recruit Australians as unwitting agents.

So, how easy is it to commit espionage by simply making connections on social media? How do we know when a line has been crossed between innocent social networking and a national security offence?

Who is at risk?

ASIO warns foreign spies are targeting Australians who have access to sensitive or valuable information, such as national security, government, intellectual property and commercial information.

This could potentially involve public servants, or others with a government security clearance, academics and researchers, and those in sectors like banking and commerce.

If you have access to this kind of information and/or work in one of these professions, then you are at greater risk of committing an espionage offence. But ASIO warns it is not just these professions at risk — everyone must be cautious about what they share online.

Australia’s espionage laws

The United Kingdom’s domestic spy agency, MI5, provides a good explanation of espionage as,

the process of obtaining information that is not normally publicly available, using human sources (agents) or technical means (like hacking into computer systems). It may also involve seeking to influence decision-makers and opinion-formers to benefit the interests of a foreign power.

In 2018, following revelations by ASIO about an “unprecedented” threat of espionage and foreign interference, the federal government introduced a complex scheme of 27 espionage offences. Penalties for these range from 15 years to life in jail.

Read more: Government needs to slow down on changes to spying and foreign interference laws

Australia’s laws include an offence of “preparing for espionage” which makes it a crime to do something which could later result in espionage, such as buying a laptop that could be used for cyber hacking. So this offence could capture conduct with an innocent explanation, provided it could be shown from surrounding circumstances the person intends to later engage in espionage.

Attorney-General Christian Porter described the regime as

strong new laws against those who seek to undermine our national security and our democratic institutions and processes.

But they have been criticised by academics for their complexity and over-reach. For example, they can criminalise the legitimate conduct of journalists and whistleblowers, and rely on a definition of “national security” that not only includes traditional defence matters, but Australia’s diplomatic relations too.

How could you commit an espionage offence?

Unsurprisingly, you would commit espionage if you work for the government and knowingly revealed classified information to a foreign agent via a site such as LinkedIn.

You would also be committing espionage if you shared your employer’s trade secrets with a foreign spy via Facebook or WeChat — even if you didn’t think the recipient was a foreign agent.

This is the kind of conduct former CIA officer Kevin Mallory was convicted for in the United States in 2019. He was sentenced to 20 years in prison after selling classified US defence information to someone who messaged him on LinkedIn claiming to be a think tank representative. The representative was actually a Chinese intelligence officer.

Less obvious acts are also a problem

“Preparing for espionage” criminalises a much wider range of conduct. Its purpose is to give law enforcement the power to stop espionage before it occurs. This is the offence you are most likely to break unwittingly on social media.

Connecting with a foreign spy on any social media site opens the door for you to potentially reveal sensitive information to the spy in the future. This could be seen as doing an act in preparation for espionage.

This is especially the case if you:

• engage in conversation with the spy

• have access to valuable information of any kind

• think the person seems even remotely suspicious

• hand over any sort of information, even if you don’t think it is sensitive.

If charged with this offence, you could face up to 15 years in prison.

How to spot a spy

It is important to recognise the kinds of profiles that may be malicious.

Foreign agents use social media to pose as fake employers or recruitment consultants who offer you “unique” business or career opportunities.

Read more: ASIO chief Mike Burgess says there are more spies in Australia 'than at the height of the cold war'

These offers usually seem too good to be true, lack detail, and are emphasised as time sensitive or one-off opportunities. The “recruiter” may also be excessively flattering and focus on the role instead of scrutinising you as a candidate. This may involve emphasising perks of the job rather than asking for referees to check your background.

Meanwhile, their real purpose is to gain as much information from you as possible.

They do this by requesting further information about you and your experience, and asking seemingly benign questions. Then they escalate to requests for more sensitive information. They will usually attempt to move you to a different communication platform or set up face-to-face meetings.

As ASIO head Mike Burgess warns,

If a stranger reaches out online, ask yourself if you really know who you are talking to.

How can you protect yourself?

To protect yourself from becoming a target in the first place, there are some simple steps you can follow:

• include only the lowest level of detail necessary on your online profile

• only share your CV or details of specific projects with trusted and verified contacts

• use website settings to control who can view your profile

• if you have access to sensitive information, don’t make details of your sensitive job roles or employers public.

And if you are contacted by an online profile you suspect may be trying to get sensitive information from you, do not respond. Instead, report the contact to your company’s security adviser or ASIO, then remove them from your network. You cannot “prepare for espionage” if you are not connected to the spy and have not communicated with them.

Ultimately, the message is one of caution. Because the consequences of brief recklessness could include prosecution for a serious national security offence.