← Guides

Australia Built the Surveillance Stack First

SurveillanceOPSECOperational security is the practice of minimizing information leaks across behavior, devices, accounts, payments, and routines that can expose identity or intent.Glossary →ExplainerMarch 2026~10 min read

Australia ranks near the top of the surveillance list among liberal democracies. It is a Five Eyes member. It passed the Assistance and Access Act 2018, the first democracy law that forced encryption access capability. It moved early on age checks, built an AUSTRAC surveillance framework for crypto, and is wiring national digital identity into banking and government services.

Key points

2018
AA BILL PASSED
First democracy to legislate encryption backdoor
5 Eyes
INTELLIGENCE ALLIANCE
AU/US/UK/CA/NZ intelligence sharing
A$1,000
TRAVEL RULEA compliance rule that requires financial institutions and many crypto platforms to transmit identifying information about senders and recipients.Glossary → THRESHOLD
AUSTRAC, from March 2026
0
MAJOR AU EXCHANGES LISTING XMR
All delisted under AUSTRAC pressure

This is not theory. It is law, regulation, and public record. The open question is how far it spreads.

The Surveillance Stack: What Australia Has Built

1. The Assistance and Access Act 2018 (AA Bill)

The AA Bill passed with bipartisan support in December 2018. It remains one of the hardest anti-encryption laws passed by a democracy. It created three forms of compelled assistance:

  • Technical Assistance Requests (TARs): voluntary requests for lawful access help
  • Technical Assistance Notices (TANs): mandatory notices that force companies to use capabilities they already have
  • Technical Capability Notices (TCNs): the hard one. These can force companies to build new capabilities for lawful access, including software changes

The Act says TCNs cannot create "systemic weaknesses." Critics, including the Greens, the Australian Privacy Foundation, and cryptographers abroad, call that empty language. If a company builds lawful access for one target, the weakness exists. Law does not change that.

Signal has said it would leave Australia before weakening encryption. WhatsApp has taken much the same line. Australians who rely on encrypted messaging face more legal pressure than users in countries outside Five Eyes.

2. The Digital ID Act 2024

The Digital ID Act 2024 created the Australian Government Digital ID System (AGDIS), a federated identity framework meant to provide one digital identity across government and approved private providers.

Right now the main implementation is myGovID, which can link your identity to:

  • Tax File Number (TFN)
  • Medicare card
  • Driver's licence
  • Passport
  • Centrelink (welfare) records

Officials sell this as convenience. One login. Less friction. The privacy problem is consolidation. One identity layer tying together your government life creates a single profile and a single failure point. The Services Australia breach in 2023, which exposed myGov credentials for thousands of users, showed that risk.

The Act also created an accreditation framework for private identity providers, including banks, telcos, and large retailers. Once that becomes normal, digital ID stops being a government login and becomes a daily checkpoint.

3. Online Safety Act: Age Verification

The Online Safety Act 2021 (amended 2024) gives the eSafety Commissioner power to force age verification on "high-risk" services. It starts with pornography. The power can stretch further.

The age verification methods pushed under Australian frameworks include:

  • Facial age estimation: services like Yoti estimate age from a selfie. The selfie and face geometry still get processed, even when providers say they do not store them long term.
  • Government document verification: you upload a driver's licence or passport to a third-party verifier.
  • Digital ID linkage: you prove age with myGovID, which ties the age check to your government identity record.

The problem does not end at the site you wanted to visit. A facial scan used for age checks creates biometric data tied to identity. The Privacy Act 1988 calls biometric data sensitive information. Enforcement has not kept pace with collection.

4. AUSTRAC Crypto Surveillance

AUSTRAC (Australian Transaction Reports and Analysis Centre) oversees Digital Currency Exchanges. For crypto users, the picture is blunt:

  • All DCEs must register with AUSTRAC. Unregistered exchanges cannot legally operate in Australia.
  • Mandatory KYC applies across Australian-regulated exchanges. No exception.
  • Travel Rule from March 2026: transfers above A$1,000 between registered DCEs must carry sender and receiver identity data, including name, account number, and address.
  • Suspicious Matter Reports (SMRs): the Australian version of SARs. Exchanges file them to AUSTRAC without telling the customer. AUSTRAC can share them with AFP, ASIO, and ATO.
  • Privacy coins flagged as high-risk: AUSTRAC treats Monero, Zcash, and similar assets as elevated ML/TF risk. Major Australian exchanges have dropped them.

5. The Surveillance Legislation Amendment (Identify and Disrupt) Act 2021

Less famous, still ugly: this Act gave the AFP and ACIC power to take over accounts tied to suspects, alter data in those accounts, and use network activity warrants to watch networks. Few democracies hand out powers this broad.

What This Means for Australians in Practice

Australia is a Five Eyes member. Data gathered in Australia can move to the US, UK, Canada, and New Zealand. Communications surveillance and financial surveillance do not stay local.

Practical Protections: What Works in Australia

1
Use a non-Australian VPN. Australian VPN companies sit under AUSTRAC reporting and the AA Bill. The safest picks here are Mullvad (Sweden) and IVPN (Gibraltar). Both take Monero, both passed independent no-logs audits, and both sit outside Five Eyes. Do not trust VPNs based in Australia, the US, the UK, Canada, or New Zealand for sensitive traffic.
2
Use Signal with a non-Australian SIM. Signal needs a phone number to register. Use a surveillance-resistant phone number, such as a Silent.link eSIM, a cash-bought prepaid SIM, or a MySudo number, instead of your AUSTRAC-linked Australian mobile number. That breaks one easy identity link in telco records.
3
Use privacy-respecting email hosted outside Five Eyes. Tuta (Germany), Posteo (Germany), or Proton Mail (Switzerland, with caution after the 2021 IP logging case) are stronger choices. Australian email sits under ASIO warrants and the AA Bill. German and Swiss providers face local court process and higher thresholds.
4
Acquire Monero peer-to-peer. AUSTRAC-registered exchanges no longer list XMR. Use Haveno, RetoSwap, or offshore no-KYC swaps like Trocador through a VPN. The Travel Rule hits registered DCEs. It does not currently hit direct trades between private individuals.
5
Use GrapheneOS on a Pixel phone. Standard Android, including Australian carrier builds, leaks telemetry back to Google and sometimes to telcos. GrapheneOS strips Google services, cuts background telemetry, and hardens the device. Pair it with private encrypted DNS and Mullvad VPN for a cleaner mobile stack.
6
Age verification circumvention. For sites that force Australian age checks, TorThe Tor network uses onion routing to obscure IP addresses and browsing paths by relaying traffic through multiple volunteer-run nodes.Glossary → Browser can reach international services that have not added Australian gates. A reputable non-Australian VPN also shifts your visible location. This sits in a legal grey area. Current enforcement targets platforms, not ordinary users.

The Digital ID: Should You Use It?

myGovID is becoming hard to avoid for Australian government services. Full avoidance is not realistic for most people. Compartmentalization is.

  • Use myGovID only for government services that require it, such as ATO, Centrelink, and Medicare. Those interactions already tie to your identity.
  • Decline voluntary myGovID for commercial services. If a bank or retailer offers Digital ID for convenience, ask whether the extra linkage is worth it.
  • Do not link Digital ID to private sector accounts unless you must. Every extra linkage widens the network that can touch your identity data.

Australia in the Global Context

Australia often passes surveillance law first, then other Five Eyes countries study it. The AA Bill landed before similar pushes in the EU, US, and UK. Australia works as a test case: enough rule of law to keep legitimacy, not enough civil-liberties resistance to stop the machine.

The direction is clear. More centralized identity. More age checks. More crypto surveillance. More legal power to force technical access. If you live in Australia, build your privacy stack before the next layer locks in.

Cunicula receives no funding from any Australian government agency, political party, or lobbying organisation. This analysis draws from public legislation, AUSTRAC guidance, and parliamentary record.

Follow the Money

Australia's surveillance stack runs on contracts with US and multinational tech firms. Many of those firms also sit under FISA in their home countries.

$Australia digital ID and surveillance vendor map
Digital ID vendors
Services Australia runs $500M+ in IT contracts. Mastercard Digital Identity and IDEMIA handle biometric layers. Australia Post pushes retail Digital ID rollout.
AUSTRAC compliance
TRM Labs holds ANZ government work. Chainalysis works with AUSTRAC and AFP. Exchanges burn $10M+ each year on compliance.
US cloud exposure
AWS Australia serves Defence and Home Affairs. Microsoft Azure serves ATO and Services Australia. CLOUD Act exposure still hangs over the data.

Frequently Asked Questions

Is Australia's Digital ID mandatory?

As of 2026, Australia's Digital ID system is still framed as voluntary for most services. The catch is obvious. The Digital ID Act 2024 built the legal base for broad expansion, and more services now push people into it. The stated aim is one federated identity across government and approved private providers. Critics, including the Australian Privacy Foundation, argue that "voluntary" stops meaning much once banks, public services, and major platforms all lean on the same system.

What is Australia's AA Bill and why does it matter for encryption?

The Assistance and Access Act 2018 lets Australian agencies force technology companies to give technical help, including building ways to reach encrypted communications. It does not use the word backdoor, but it can force software changes for lawful access. Signal, WhatsApp, and ProtonMail have all said they would rather leave the market than weaken end-to-end encryption for everyone. Privacy-focused users in Australia face more legal pressure than users in countries outside Five Eyes.

Are Monero and privacy coins legal in Australia?

Owning Monero is legal in Australia. AUSTRAC still labels privacy coins high risk for money laundering, and major Australian exchanges have dropped XMR under pressure. You can still get Monero through peer-to-peer markets like Haveno, RetoSwap, and Bisq, or through international no-KYC swap services outside AUSTRAC reach. The Travel Rule starts hitting registered Digital Currency Exchanges from March 2026 for transfers above A$1,000. It does not cover direct P2P trades between individuals.

Does a VPN protect you from Australian surveillance?

A no-logs VPN stops your ISP from logging the sites you use and helps keep your IP out of Australian logging systems. The VPN provider then becomes the weak point. Australian VPN companies sit under local reporting rules, ASIO warrants, and the AA Bill. Pick providers outside Australia and outside Five Eyes. Sweden, Switzerland, and Iceland are the safer bets. Mullvad and IVPN remain the top options because they keep strict no-logs policies, take Monero, and sit outside Five Eyes.

← PreviousArgentina: How Peso Collapse Drove a Nation to CryptoNext →Best Monero Wallets in 2026: Ranked

Related