A British-Australian citizen travelling through Sydney airport has had his devices seized, and believes his laptop password cracked and his digital files inspected by Border Force officers, in what privacy groups say is a worrying development.

Nathan Hague, a 46-year-old software developer, was detained apparently at random for 90 minutes while the officers took his phone and password-protected laptop into a back room.

Hague said the officers refused to tell him what would be done with his devices, why they were being inspected or whether his digital data was being copied and stored.

“I don’t have anything to hide, but I value my privacy,” Hague said. “So I asked them, if you’re OK to do the bomb inspection in front of me, you’re OK to go through my bags in front of me, why do you have to take my devices out of my sight? What are you going to do with them?”

Hague said he asked the officers whether his files would be copied, and if so, what they would be using the files for. He said the officers refused to answer those questions, or explain what the ABF’s data retention policy was, or detail how long the files would be kept.

The ABF acknowledged that Hague’s devices were examined, but declined to comment on whether the files had been copied.

“Officers may question travellers and examine goods if they suspect the person may be of interest for immigration, customs, biosecurity, health, law-enforcement or national security reasons,” said a spokesperson for the ABF.

Tim Norton, chair of Digital Rights Watch, said the use of these powers under the Customs Act effectively circumvents any judicial oversight and was an “alarming trend”.

“People should have the right to know what information is being collected, for what purpose, who it’s being shared with and why. These powers make a mockery of our right to privacy,” he says.

Under the Customs Act, officers have the right to examine travellers’ personal items, including accessing electronic devices and making copies of their files. The Customs Act imposes no legal threshold or requirement that officers need to meet in order to use this power.

Professor Katina Michael, of the University of Wollongong’s school of computing and information technology, said the ABF’s electronic search powers were “highly invasive”.

“If sensitive information is leaked, say in the case of a lawyer or doctor who is travelling across regions, then there are major concerns for privacy.”

In 2016, the ABF was sued after officers seized a passenger’s phone and used it to send text messages.

Greens senator Jordon Steele-John said overreach on data collection is “happening all the time.”

“Australia’s privacy laws are now so drastically out of step with the rest of the world – especially the EU – that they will cause conflicts and infringe on the rights of citizens from other jurisdictions, especially when you add in the new proposed powers under the Assistance and Access bill,” Steele-John said.

Fears over new search powers

Under new legislation, proposed last week, the ABF would be given additional search powers and the penalties for individuals refusing to provide access to the ABF to evidence held in a device – for example, refusing to share their password to unlock a device – would be up to five years’ imprisonment, or 10 for serious offences.

An exposure draft of the bill revealed the obligation to assist police and other agencies in unlocking devices, including by de-encrypting data, would extend to tech giants such as Facebook, Apple and Google.

Steele-John and other privacy advocates have raised concerns over the new legislation.

“The scope and overreach of the new Border Force powers is terrifying, and has much broader consequences and implications than just individual privacy, in the context of this incident which occurred at Sydney airport.”

Keeping data private

Professor Michaels recommended that people who wanted to protect their data should not carry devices across international borders.

“If you are doing sensitive work, keep your files on your computer encrypted, or go one better and do not take your computer with you through Customs. Put it on the cloud where the GDPR [EU’s General Data Protection Regulation] is in force and lease a laptop in your given destination,” she said.

But that advice is of little comfort to Hague, who said the actions of the ABF officers had put his business in breach of Europe’s tough new GDPR data privacy laws and he would now need to give privacy breach notifications to his clients.

“I don’t mind people looking at the files if that’s one of the directives, but you have to give clear definitions and you also can’t leave the international business travellers exposed like this to having fines or breach notices being served by their own clients.”

“I’m getting messages from fellow business owners that they’re re-thinking their choice to come to Australia to do business over here, they’d rather just do it remotely. They expect that in America, but they don’t expect that behaviour here in Australia.”