House debates

Thursday, 6 December 2018

Bills

Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018; Second Reading

9:32 am

Photo of Mark DreyfusMark Dreyfus (Isaacs, Australian Labor Party, Shadow Attorney General) Share this | | Hansard source

The safety of our community and the security of our nation must always be paramount considerations for every member of this parliament. We in Labor have proved, both in government and in opposition, that we always place national security ahead of partisan politics. The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 is the 16th substantive national security bill introduced over the last five years. I will address the specific reasons for Labor's support of this assistance and access bill shortly, and I will also explain a number of our concerns and the solutions we have insisted on to address those concerns.

But, before I turn to those specific matters, I will first say a little about the general approach that I and the Labor opposition have been taking to national security matters. First, we start from the premise that our security agencies and our law enforcement bodies, to the extent that they are involved in national security matters, must be given the powers and resources they need to keep our community safe and our nation secure. Second, we believe that national security laws that encroach on the rights and freedoms of Australians must always be necessary and proportionate to the threats being faced. Third, Labor holds that, with the granting of new powers, we must also establish new oversight and transparency mechanisms designed to ensure these powers are used for the purpose for which they are granted and in a manner that ensures ongoing accountability for their exercise. And the fourth basic principle guiding our approach is that national security laws conferring extraordinary new powers should treat those powers as extraordinary rather than as the new normal.

These principles are often challenging to apply, but we put a great deal of time and energy into rigorously analysing every national security bill that is presented against these principles. We do this because we understand that in conferring new powers to protect our nation's security it's vital that we do not compromise the very freedoms and way of life that we're seeking to protect. This means that in keeping Australians safe we also seek to uphold the rights and freedoms that we as a democratic society hold dear and that generations of Australians have fought to protect. No deranged or hate-filled terrorists can take those freedoms and rights from us. Only an Australian government that has given in to fear—to the terror that is by definition the primary weapon of the terrorist—has the power to do that. We must also always be aware that, while the laws we pass can be part of the solution to national security threats, if they are improperly designed those laws can become part of the problem, because our agencies can do their critical work only if they have a good relationship—a relationship of trust—with the community they are protecting. This has been shown time and time again with terrorism offences in particular when the vital information to stop terrorist events comes to our agencies from within the community.

David Kilcullen is one of Australia's most accomplished counterterrorism experts. I've quoted him before, but I think the warning he provides is worth repeating today. Mr Kilcullen was a senior officer in the Australian defence forces. He went on to advise on counterterrorism at the most senior levels of the United Kingdom and United States governments and military, working as the chief strategist in the office of the coordinator of counterterrorism at the US state department as well as special adviser to US General David Petraeus in Iraq. Writing about the challenge of confronting terrorism in 2015, Mr Kilcullen warned about the impossibility of making a democratic society entirely safe through the imposition of ever-increasing counterterrorism laws. He wrote:

… a truly effective domestic defensive strategy would turn (indeed, has already gone a long way to transforming) our societies into police states.

A purely defensive stance, if it is to prevent terrorist attacks from within and without, would have to include some or all of the following: perimeter defences on all major public (and many private) buildings, restrictions on access to public spaces, intrusive powers of search, arrest and seizure, larger and more heavily armed police forces, with more permissive rules for use of lethal force, intensive investigations of individuals’ thoughts, words and actions, citizen surveillance …

Mr Kilcullen's list goes on at some length, concluding with:

… the need for a raft of limitations to freedom of expression and assembly. It would also, of course, impose limitations on international trade and require increased state spending—essentially a 'terrorism tax'.

Mr Kilcullen then warns:

… accepting these impositions as permanent, and developing them to the level at which they could actually—in their own right, as the centrepiece of a counterterrorism strategy—protect against the atomised, self-radicalised terrorist threat of tomorrow, would amount to destroying society in order to save it.

While the new powers that will be conferred by this bill will be used for both counterterrorism and police work, I believe that the warning Mr Kilcullen sounds remains entirely relevant.

I turn now to the access bill itself. The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 was introduced into the parliament on 20 September 2018. Without specifying a reporting date and without any suggestion that it was urgent for the inquiry to be concluded by the end of the year, the Attorney-General referred the access bill to the committee on the same day. Although the government claimed that it had consulted widely on the access bill before its introduction into the parliament, the public consultation was very short, especially for such a lengthy and complicated bill, running as it does to some 175 pages.

An exposure draft of the bill was published on 14 August and submissions closed on 10 September 2018. Disappointingly, it became apparent over the course of the inquiry conducted by the Parliamentary Joint Committee on Intelligence and Security that many affected organisations were hardly consulted at all before 14 August, including, extraordinarily, the government's own Inspector-General of Intelligence and Security and the Commonwealth Ombudsman. In fact, the inspector-general and the Ombudsman told the committee that they found out about the exposure draft of this bill from media reports. A number of Australian companies also indicated to the committee that either they were not consulted by the Morrison government or, alternatively, if they had been consulted, when they had made submissions they were essentially ignored.

The committee heard compelling evidence that in the form the government introduced this bill to the parliament it could well do more harm than good. Specifically, as presented to this House, the bill could, among other things, pose a significant risk to Australia's national security, jeopardise security cooperation with the United States and create unnecessary risks to Australian businesses and, in particular, local technology exporters.

I will briefly expand now on each of those three key risks. First, there's the risk to national security. Encryption plays an essential role in protecting Australia's digital infrastructure. It protects everything from an individual's iPhone to the electricity and telecommunications grids and banking and mass transit systems. As Cisco put it in one of the committee's public hearings:

… it is hard to overstate the importance of strong encryption, not only to the delivery of e-commerce and message functions but also to the protection of critical systems. These systems include computer controlled systems that deliver food, water, transportation services, health, telecommunications and government services.

Key to the concerns about the risk that the access bill could pose to national security is the uncertainty over whether the use of the new powers in the bill could lead to the creation of a backdoor—a weakness that may be applied to just one device, for example, but which could also weaken the security of other devices that use the same system. In the face of overwhelming evidence from many submitters to the committee's inquiry, the government has remained adamant that the access bill could not lead to the creation of backdoors. The government says that this is because there is a provision in the bill that prevents providers from being forced to implement any kind of systemic weakness into a form of electronic protection. But that term is not defined in the access bill, and this has led to confusion about what it even means. Without an appropriate definition of 'systemic weakness' and improved safeguards, a range of stakeholders have said that there is a real risk that the new powers in the access bill could make Australians less safe—and even threaten national security—by weakening the encryption that protects critical infrastructure. Such weaknesses could be exploited by malicious actors, such as terrorists, serious criminals and state-sponsored hackers. This could mean malicious actors disabling telecommunications networks or the national electricity grid. It could mean hackers stealing money from the bank accounts of innocent Australians or compromising the confidentiality of investigations being conducted by Australian law enforcement agencies. The Director-General of Security has assured the intelligence committee and the Australian people that his agency has no intention of using the new powers in the access bill to require a provider to do anything that could jeopardise the security of innocent Australians.

The issue of inserting an appropriate definition of 'systemic weakness' into the legislation has been a major issue of disagreement between Labor and the government that we are continuing to work to resolve, even now. The concern that the access bill could, in fact, pose a risk to Australia's national security was echoed by representatives of Senetas Corporation during a public hearing on 30 November 2018. Senetas is a leading provider of encryption technology, and, as its chairman explained to the committee, it is responsible for securing the systems of Australian law enforcement agencies; royal commissions, including the Royal Commission into Institutional Responses to Child Sexual Abuse; a number of Australian banks; and our defence forces. The chairman of Senetas told the committee that, in its current form, the access bill:

… compromises the security of citizens, businesses and governments because there will be weaker cybersecurity practices. It will be easier for cybercriminals, terrorists, to target systems and be able to break into those systems …

The fact that the government, and the Liberal members of the committee, were a week ago proposing to just ignore the evidence of Senetas—the entity responsible for protecting many of Australia’s most critical systems from malicious hackers—was of great concern to Labor. Fortunately, after the government declared last week that they would cease working with Labor on a joint report in the intelligence committee addressing these problems, on Monday the government backed down from this reckless course and returned to the negotiating table. Since then, we've been able to agree on a number of significant amendments to this bill to address the most significant concerns that have been raised.

I will turn to the risk to security cooperation with the United States. Another key concern raised by a number of submitters in the public hearings on this bill—and, apparently, not even thought of by the government as they prepared and then tabled this bill—was whether it could prejudice Australia's future security cooperation with the United States. A number of submitters drew the committee's attention to the potential problems the access bill could cause for compliance with the US Clarifying Lawful Overseas Use of Data Act, the CLOUD Act, which was enacted in March of this year. Under the US CLOUD Act, it’s possible for Australia to enter into a bilateral agreement with the United States to allow Australian agencies to request the data of non-US persons—like WhatsApp messages sent by or to a terrorist subject—from Australian technology companies directly. This would enable Australian agencies to bypass the existing requirement of making such requests via the US Department of Justice, which can take many months to process. Just to be clear: at the moment, we have mutual legal assistance treaty arrangements with the United States where our agencies, in a cumbersome system that's been in place for many years, can make a request for telecommunications data via those mutual legal assistance treaty processes, but it can take months, and sometimes more than a year, for the data that has been requested to be produced. That's why the US CLOUD Act, passed by the congress in March of this year, offers a tremendous prospect of much, much quicker access for Australian police forces, and for Australian intelligence agencies, to simply make the request, using the CLOUD Act processes, that would go directly to a telecommunications service provider that is based in the United States. And, provided—and this is the basis of the CLOUD Act processes—that the request did not relate to a US citizen and related to foreign—from the point of view of the United States—law enforcement processes, the request will be able to dealt with in a matter of days, rather than the many months that presently afflict our agencies in terms of this cooperation with the United States. But the significance of this is that, in order to enter into an agreement with United States under the CLOUD Act, the US Attorney-General must certify, with the concurrence of the Secretary of State, that the foreign government affords:

… robust substantive and procedural protections for privacy and civil liberties …

If such a certificate is issued, congress is able to object to any such certification within 90 days.

The vast majority of submitters argued that the access bill in its current form—that is, in the form in which it was presented, unthinkingly apparently, by the government to this parliament—does not afford robust, substantive and procedural protections. As such, Labor members of the intelligence committee were very concerned that unless it is significantly amended the access bill could imperil Australia's chances of entering into a CLOUD Act agreement with the United States. Moreover, even if Australia were already party to a bilateral agreement with the United States under the CLOUD Act, Stanford University cybersecurity and cryptography fellow Riana Pfefferkorn said to the intelligence committee:

Absent some clearer authority and better judicial oversight of technical capability notices and technical assistance notices, I'm not sure that such a notice would be eligible to be served at all through any agreement under the Cloud Act on US providers directly.

This evidence, which until this week appears simply to have been ignored by the government, was presented to the committee during a public hearing on 16 November 2018, just before the Minister for Home Affairs and the Prime Minister were calling on the committee to accelerate its inquiry.

It's important that Australia be able to take advantage of this vital new mechanism provided by the United States. In order to put the Australian government in the best position to do so, the committee requires further evidence from experts on the CLOUD Act. While the committee has addressed in its recommendations some of the matters that could undermine Australia's capacity to cooperate with the United States under the CLOUD Act, further work on this critical matter is one of the reasons for Labor's insistence that the committee should continue its inquiry into this bill. It is absolutely vital that this bill, which will be the domestic legislation of Australia from the point of view of the United States authorities, conforms to what the United States regards as robust, substantive and procedural protections for privacy and civil liberties, and that in turn will need to take account of what is known as Fourth Amendment jurisprudence in the United States, a key feature of which is judicial warrants. What the United States and the United States authorities are always looking for in domestic legislation is judicial oversight and judicial warrants authorising compulsive processes. At present, this bill does not contain that form of judicial oversight or judicial warrants.

I turn to the risk to Australian business. Numerous submitters to the intelligence committee said the access bill in its current form could force Australian technology businesses to move offshore. This could threaten over $3 billion in Australian exports and cost thousands of Australian jobs. Remarkably, it has become painfully clear over the course of the committee's inquiry that the government barely considered these issues before the Minister for Home Affairs introduced the access bill into the parliament on 20 September. By way of example, the Australian Industry Group, the Australian Mobile Telecommunications Association, the Australian Information Industry Association and the Communications Alliance have told the committee:

The proposed legislation, through its mere existence, will make Australian exports of IT and communications products and services, or even every Australian website, subject to the same concerns by overseas governments and organisations that recently moved the Australian government to ban certain vendors from supplying hardware for Australia's future 5G networks. Therefore, the draft bill poses a real risk for the IT communications export industry, which Austrade values at AU$3.2 billion for 2016-17 and this figure does not include the value of other exports enabled by Australian websites, IT and communications products.

Collectively, those organisations who gave that evidence to the intelligence committee represent the interests of tens of thousands of Australian businesses, including small and medium sized companies. The committee also received direct submissions from small and medium sized Australian companies who were concerned that the access bill in its current form would make them less competitive in the global technology market, and the committee has heard from at least two Australian companies that may be forced to move their operations offshore if the government gets its way.

Other companies have said that it could lead to job losses. Senetas, for example, has told the committee that it may no longer be able to manufacture in Australia if the access bill were to pass in its current form and that this could result in the loss of 200 jobs. It's not just established businesses that may be affected. The Victorian government's start-up agency, LaunchVic, told the intelligence committee that the access bill could hamper the ability of local start-ups to develop their products in Australia, attract customers and investment and create jobs. In response to questions by members of the intelligence committee, the Department of Home Affairs confirmed that no report was commissioned on the impact the access bill could have on local industry and there had been no direct engagement with the Department of Industry, Innovation and Science during development of the access bill.

Once again we have fought to improve the bill to deal with the most significant of the many concerns raised in this regard. Labor has been consulting with industry and civil society stakeholders both through the committee's process and outside. We have negotiated with the government to give effect to their core concerns. While there are significant outstanding issues, the compromise that Labor has reached with the government will deliver security and enforcement agencies the powers they say they need over the Christmas period and will ensure adequate oversight and safeguards to prevent unintended consequences while enabling continuing scrutiny of the bill into 2019.

Labor members of the committee were prepared to undertake the course of action that they have taken in reaching agreement on the consensus report that was tabled in the parliament yesterday only because of the government's undertaking that the committee will continue its inquiry into the bill into 2019 and that a separate statutory review will be undertaken by the Independent National Security Legislation Monitor within 18 months of the legislation coming into effect. These separate processes provide an opportunity to resolve our ongoing concerns about the bill with the assistance of industry experts and civil liberties groups while also upholding our responsibility to keep Australians safe.

Labor members of the intelligence committee have sought and obtained recommendations in the PJCIS report. If these recommendations are translated into amendments brought to this House or the Senate by the government then those amendments will address many of the core concerns raised by Labor and stakeholders. It is to be noted that the committee will undertake further inquiry immediately after any legislation is passed and that the Independent National Security Legislation Monitor will do so shortly thereafter.

'Systemic weakness' related concerns are to be addressed by amendments that define and clarify the term 'systemic weakness' and also amendments that clarify that technical capability notices cannot be used to create a systemic weakness. Other concerns which will need to be addressed through amendments include the ability for a provider to disclose details of a technical capability notice except to the extent that doing so would compromise an investigation. That point is one of particular significance to industry and to all users of the internet, which is an open system but would cease to be an open system if particular fixes were required to be kept secret. A further point that will need to be attended to in the amendments is authorisation of a technical capability notice requiring the approval of both the Attorney-General and the Minister for Communications.

Further matters to be dealt with in the amendments include that a designated communications provider which has concerns about a technical capability notice will be able to request a binding assessment of whether or not it would indeed create a systemic weakness, whether the requirements are reasonable and proportionate, whether compliance is practically and technically feasible and whether the notice is the least intrusive measure that would still achieve the objective. Two persons, a technical expert and a non-serving judge, would be jointly appointed to conduct the assessment, and their report would have to be provided to the Inspector-General of Intelligence and Security in the case of ASIO and to the Commonwealth Ombudsman in the case of the Australian Federal Police. This essentially means that any request to a provider that might create a systemic weakness would be subject to a merit review style process.

The inadequacy of the oversight and safeguards arrangements provided in the bill produced to this parliament by the government will also be addressed by amendments that will include strengthening the Inspector-General of Intelligence and Security's oversight of the powers. This would include explicit notification and reporting requirements when issuing varying, extending or revoking a notice or request, and limits on the exercise of the powers, including extending the prohibition on systemic weakness to voluntary notices, ensuring that decision-makers consider necessity and intrusion on innocent third parties when they issue a notice. There will also be provision for defences for IGIS officials and clear information-sharing provisions.

The amendments will include, also in this oversight context, establishing clear authority for the Commonwealth Ombudsman to inspect and gather information on the exercise of these powers by the Australian Federal Police, ACIC, and state and territory interception agencies. The amendments in relation to the Commonwealth Ombudsman will include notification requirements and information-sharing provisions which would complement the inspection activities of state and territory oversight bodies. The Australian Federal Police will also be required to approve any state- and territory-initiated technical assistance notices, and must apply the same criteria and go through the same decision-making processes as would apply if the Australian Federal Police were the original issuing authorities.

As honourable members would have gathered by now, this is a large piece of legislation of considerable complexity. In response to the government's demand that consideration of it through the intelligence committee be accelerated, the Labor members of that committee—and the Labor Party as a whole in this place—have assisted in that process. The government produced draft amendments to Labor early this morning. It's anticipated that those amendments will be moved in the Senate. On that basis, I commend the bill to this House for passage in this House—I say again on the basis that the amendments encompassing the recommendations of the intelligence committee will be moved in the Senate.

12:02 am

Photo of Mike KellyMike Kelly (Eden-Monaro, Australian Labor Party, Shadow Assistant Minister for Defence Industry and Support) Share this | | Hansard source

I'd firstly like to acknowledge the particularly fine contribution of the shadow Attorney-General to this process. This speech lays down a great foundation for the debate that will proceed now. Obviously, I also want to pay tribute to the shadow Attorney-General and his staff, who've effectively done the work of the department in providing the wherewithal by which the Parliamentary Joint Committee on Intelligence and Security has addressed and handled all of the legislation that has been brought before it. With that foundation having been laid by the shadow Attorney-General, I would like to just take a step back and perhaps contextualise some of this debate we're going to have on this particular legislation. Before people speak and, perhaps, comment by Twitter or by email to MPs on this bill, I would urge them to read the shadow Attorney-General's speech to make sure they are properly informed about what it is that will be in the public space and discussed in relation to this legislation.

There is no question that the core of this legislation is a threat that has been growing over the years to this nation and to the world in general. We have faced a unique period of increased threat but also of exponential growth in technology that provides challenges to our agencies—there is no question about that. The work of the committee has been unprecedented over these last few years in dealing with the volume of legislation and measures that seek to address those threats. It has highlighted issues of the resourcing of the committee and how the committee operates.

Firstly, I pay tribute to the fact that this committee works in an exceptionally bipartisan way. It is a serious committee; I would argue that it's probably the most important committee of this House. Both sides usually take care in the selection of members of that committee. We have had great collaboration within that committee, with the members that have been serving on it, through this period. I particularly pay tribute to the chair, with whom we've all had the great experience of working through this period of dealing, effectively, with groundbreaking legislation, internationally, which traverses whole new legal and technical concepts. The chair and the committee have worked through a modus operandi which has been very effective. It does take time, and it needs to take time, to work through those issues. The whole point of this parliament and the whole point of a committee like this is to have contestability of policy. We are able to hold public hearings and private hearings to tease out all of the dimensions of what is at stake.

Having been on the other side of this desk, I have worked through those processes myself. Particularly in the lead-up to the 2000 Olympics, the reforms to part IIIAAA of the Defence Act happened in this space. They were very complicated and difficult, and traversed issues and concerns about civil liberties and the rest. That coordination process that I was involved in then took three years. Coordination across departments and consultation with stakeholders are absolutely essential in these processes. In response to the nature of heightened threats, we have seen, obviously, truncated processes in the legislation, which we have dealt with, and that presents great difficulty in drafting this legislation properly and in consultation, so it has really fallen to the committee, the secretariat and the shadow Attorney-General to repair quite a lot of legislation that has come to us in quite a rough state. It just emphasises the need to give the committee due regard, due process and due time to work through those issues.

In this context, we have accepted the advice that we have had from the agencies, and I want to thank them for their work in informing the committee. I'm particularly grateful for the in-depth technical assistance that was provided to us by ASIO and the briefings that we received over in ASIO's headquarters. There is no question that the issue of encryption is a really serious one for our agencies. We're in a new world now where things and capabilities that used to be the preserve of states are now quite ubiquitous. You've got kids in bedrooms who are able to develop encryption apps following instructions on the internet. There are specific aspects of that about which, obviously, we are constrained. We are not able to go into them in detail in the public space because of the nature of these issues and the briefings that we've received, but I think the public should be reassured that the committee and Labor on that committee have prosecuted the case effectively in relation to the civil liberties issues that are presented by that. We have also taken great cognisance, as the shadow Attorney-General has mentioned, of the issues that have been raised in relation to commercial impacts and security impacts. One of the things that has guided me in my time working in security affairs is that sometimes the road to hell is paved with good intentions. That's why we need to work through these things carefully.

The Attorney-General has been working with us very well through these processes since he became the Attorney-General. I know that he's under the constraints of working within the cabinet framework and that there are sometimes dynamics that happen in cabinet frameworks, but the problem that we have had in this process has been the truncation. Within the committee we came to an agreement, we believed, on how that might be managed. This was not a question of Labor trying to force measures to deal with this issue of cutting short the committee's processes. There were coalition members' suggestions that we adopted on how that might be managed because they had equal concerns about the evidence that we received about the security risks and, of course, the commercial risks posed by the bill.

My focus is really on the safety of Australians and the security risks that were highlighted. The problem there is that we need the ability to test that evidence, to properly get informed about that evidence and then to propose measures that might address it effectively. The areas that we were particularly concerned in, I think, crossed the spectrum of the members of that committee. Was this issue of the systemic weakness problem, because of the evidence that we received about that, opening up and exposing lots of systems that regulate our transport systems, our banking systems—every system, these days, that is dependent on protected networks?

So that was of concern, and it needed to be tested. But mostly we needed to come up with a proper definition of 'systemic weakness', and that's going to be a huge challenge.

This is a broad concept that will be very difficult to nail down effectively in a regulatory mechanism. However, we have greater comfort in how that will be managed from the fact that we now have an additional mechanism, through the committee working through these suggestions and processes, to have an independent assessment done, which a company can refer to where it has issues of concern about being forced to a requirement, under a technical capability notice, to engage in unlocking some of these aspects of what it does. So it can go to that independent mechanism, which is going to be composed of a judge and a technical expert, and, importantly, the decision of that independent mechanism will be binding. So there's a fair degree of comfort in that, but there is more work that needs to be done in relation to this definitional issue.

Of course, the shadow Attorney-General mentioned the challenge of the processes under the CLOUD Act. People need to step back from the legal detail here. The evidence that we received indicated that there would be a real question—a real challenge—to negotiations Australia is currently involved in to come within that CLOUD Act framework, which the UK is also processing through. The challenge with coming under the CLOUD Act—which enables us to truncate processes of getting access to data, which is essential for our agencies—relates to US conditions on probity. The UK are moving through that process well because, for example, they have judicial warrants in place for the systems that they have. So we need to just test that evidence. We need to get to the bottom of that and then work out ways around it if necessary.

What I'm happy about is that the measure that the committee, across coalition and Labor members, suggested—that we have an interim bill—is effectively where we're at. We're going to have a bill that enables our agencies to deal with what was presented to us as a period of heightened alert and to just deal generally with managing the threat challenge they have around this technical barrier. But, at the same time, we are going to see the committee continue its process of refining what will no doubt be a significantly improved piece of legislation when that process is complete.

We have had something like 17 bills presented to this committee, and Labor has worked to offer over 300 recommendations in relation to those items of legislation, which have all been adopted in that process. Through the input of all the members of the committee in those processes, we have seen the end product that comes out of the bottom of the funnel being better. Every single time, it has been a better piece of legislation. So allowing the committee to continue its process of analysis, of testing this evidence and of coming forward with recommendations will no doubt refine and improve this legislation and address any issues that emerge, and we will have the benefit of some experience with it as well.

Additionally, the INSLM, the independent monitor of our security legislation, will conduct a statutory review after the 18-month period is complete. To have that extra independent oversight is critical as well. We have been served well by INSLMs in the past who have done a great job in that space, such as Bret Walker.

So those are important facts to be aware of and that the community can be reassured about. We have continuing concerns about how this will play out and how this bill will operate. Of course, there are the concerns of the community. It's one of those rare situations where you have civil liberty concerns and industry concerns being raised from completely different perspectives—a conflation of concerns wrapped up in this bill. Of course, those commercial issues are very important. The evidence that we received in the committee highlighted some risks of an order of magnitude that cannot be ignored; we cannot simply brush those aside. They relate, in addition to the way those large IT companies operate, to the way that Australian companies participate in that global space. So it's something that we must test as well. We need detailed review of that commercial impact and how that might be managed and dealt with.

Certainly I know that we can't just make a blanket complaint about the way Silicon Valley operates in the way the Minister for Home Affairs did. A lot of those companies actually got their start in life through assistance from DARPA and the CIA, which are providing fantastic contributions in the security space. Companies like Palantir, for example, effectively vectored Osama bin Laden's location. We need to work with these companies and capabilities, not ruin relationships with them or prevent Australia from accessing and dealing with those companies, which is one of the risks that are involved in a process like this.

There is another issue, of course, that I should deal with—and I know that there are other elements that the shadow minister went to in terms of the probity concerns. We were really supported well by and benefited from the evidence presented by the IGIS, Margaret Stone, who is a very, very capable person with a very capable team. Through all of these processes and all this legislation, she has provided incredibly valuable input. The role that she and her team perform in giving the community comfort about the way our security agencies operate—she is completely embedded in that process—is critically important and has been critically beneficial to all the legislation and how these agencies operate. Any recommendations or suggestions she makes must be taken very seriously. We must be reassured about how this legislation operates in the way she does business, and certainly that is so for the Ombudsman as well, and we're reassured that that will be taken seriously by the Attorney-General.

In conclusion, though, I must draw my final comments to unhelpful sideline comments from the member for Hume and from the finance minister, in the Senate. Those sorts of comments were extreme and grossly offensive not only to Labor but to me and the member for Solomon personally. I have spent 30 years of my life deeply immersed in the security affairs of this nation. I've watched friends lost and killed in operations against terrorists. I've washed the blood of friends from my uniform. And I won't be told by a member of this House that I am 'running a protection racket for terrorists'. That was grossly offensive and was not a contribution to this debate. I understand that, in the heat of politics, you sometimes say things off the top of your head. But I would request that the member for Hume come into this House and make an apology to the members of the Labor Party and personally to the two members of that party who have served our nation in uniform against that terrorist threat. We have entered into this space in all goodwill and in full endeavour to get this job done.

10:17 am

Photo of Adam BandtAdam Bandt (Melbourne, Australian Greens) Share this | | Hansard source

The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 will make Australians less secure. It will threaten our tech industry, and it attacks our civil liberties. This now opens up a door into people's private communication with each other. I'm talking not just about messaging services where you want to keep your messaging confidential but about communications that we all have with our banks and with people that we buy things from over the internet. All of this now is going to be required to be able to be unlocked and looked at by government agencies and by others.

The problem is that, once you create a door into what are otherwise encrypted and secure communications, you do not know who's going to be able to access that key. This is why, in other countries, when they've looked at legislation like this, they've said no. They've said that the threat of saying that secure communication is no longer secure outweighs any arguments—any security-related arguments, any arguments about law and order—that there might be to allow people to go and snoop on that kind of communication. It's a very simple proposition: once you introduce a weakness and you require by law the introduction of a weakness into otherwise secure communication, you lose control over who can exploit that weakness. It beggars belief that there is, somehow, some suggestion from the government or from the opposition that: 'It's okay; we're putting in protections about not allowing systemic weaknesses.' And I'll come to that in a moment, and I'll come to these hastily circulated amendments that we're being asked to consider immediately and on the fly—I'll come to all of that in a moment.

But the basic principle is there's no such thing as requiring companies to be able to create a key that unlocks secure communication that doesn't also create a systemic weakness. Of course it does. Once you go down that road and introduce not only a back door but, in some instances, a front door, which the government says can now be opened and can be walked into to look at otherwise secure communication—whether it's between people having secure and confidential messages because you want to keep things private, or whether it's what you buy online, or whether it's between you and your bank, or between financial institutions—and once you say, 'You've got to create that key and allow the door to be opened,' anyone can walk through it. That is a fundamental problem with this bill, and it's why other countries have decided not to go down this road.

This bill says that government and government agencies can, at first instance, go to technology companies, communication companies, Telstra, internet providers and the like, and say, 'We want you to assist by handing over some information about communication between a couple of people.' But it does more than that; it doesn't just say, 'We'd like you to be able to assist us and hand that information over'—that's called a 'technical assistance request'. The bill goes further and creates things called 'technical capability requests', which say, 'We want you to actively change your software—your product—to include a way in.' So, if you as the service provider—for example, the people who run WhatsApp—don't actually know what the information is that's passing between two people, or between a person and a bank, or between two business entities—which is, in many instances, the case; the people who run the app may not know what's being said between two people, because it's encrypted—then the bill says, 'You've got to change it so that there's a way in, so that you can know what it is, and you can find out that information, and you can hand it over to us.'

It's because of that that this bill has managed to raise the ire of people who are concerned about civil liberties. And, for a Liberal government—they should just change their name and junk the word 'liberal', because 'liberal' is completely gone now from anything that they stand for; completely gone. The civil liberties groups are saying, 'Well, hang on; this actually poses a significant threat'—not only because people might want to keep communication confidential but also because, now, even if you never use a confidential messaging app in your life, you presume that the information between you and your bank, or about your online shopping, will be kept confidential. Well, you can no longer presume that, because there is every chance that whoever you're engaging with may have been served with one of these notices and required to include a back door or an open front door into the communication that you're having. Not only are civil liberties groups saying, 'Hang on, there's a reason other countries haven't done this. It's because this is going to mean, in many respects, the end of privacy'—but the tech industry has also said, 'If Australia is now going to be the place where, when you develop software, you've got to include weaknesses in it, then why would people develop their software in Australia? Why wouldn't they go to the other countries where you don't have to have these in-built back doors or front doors that anyone can walk through?'—and not just government agencies but wrongdoers and evildoers as well. You're opening that door. And they're saying, 'If Australia has to go down this road, why would people continue to develop software in Australia?'

These are very, very important questions, and, as we deal with updated technology and what it means to keep Australians safe, they are questions that require the utmost thorough consideration. But what have we got?

We've got a bill where people from across the spectrum are lining up and saying: 'Hang on. There are big red flags here. Go slowly.' Instead what is happening, as is usually the case on the last day of sitting in this place, is all of a sudden there are these urgent things that can't wait. Legislation that could have been dealt with six months ago, and gone through the proper process, is now being pushed through the parliament.

We're told by the opposition: 'It's okay. We fixed it. Trust us. We've had a closed door meeting with the government. We've reached a bunch of agreements. Trust us. We've completely fixed it.' Well, pardon me. Fifty pages of amendments were circulated about 10 minutes ago and we were told: 'It's okay. We've all fixed it.' People say: 'No, hang on. I'm not prepared to take you on face value, because we've seen this before.' We were told, 'Don't worry, if we pass legislation in this place allowing agencies to access metadata there's only going to be a handful of requests. It'll be alright. It's okay. We've got some concessions. We fixed it.'

There has been a significant amount of debate online about this. Dane Pratzky made a good point—remember this promise? 'When the metadata collection laws were passed in 2015 the government said only a limited number of agencies would use them. Now reports suggest that even local councils are using these powers to the tune of 350,000 requests a year.' So pardon us, but we're not prepared to accept on face value this idea that somehow you've fixed it.

They said, 'We fixed it, because we have forced the government to accept a definition of "systemic weakness".' In the time that's available to me I've got to page 5 of these 50 pages. 'Systemic weakness', as defined in these proposed amendments, is:

… a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person.

You could imagine that there's basically a group of people—people under 18 or people in Victoria—all of a sudden now under this proposal. Does that now not count as a systemic weakness, if you say: 'I'm just introducing a backdoor into your app for a particular group of particular people. It's only them that we're going to spy on'? Who knows? Probably.

What does it mean by 'a whole class of technology'? Does that mean a particular app? What if a particular app is operating in a particular state or with a particular group of people, are they exempt? Who knows? It still doesn't deal with the fundamental point that I raised before, which is that, once you open that door, you create a systemic weakness.

Why are we in this situation? We're in this situation because a few days ago the Labor Party showed a bit of spine on this. They were applauded, and rightly so. The Labor Party said: 'We're not going to be bullied into passing something because the government says, "There's a rush before Christmas." If the government want particular laws before Christmas, we'll give them those, but not the broader suite.' Well, that didn't last very long.

What we're seeing here is a repeat of every time that the Liberals bowl up something that threatens people's liberty and security—as long as they put the stamp 'national security' on the front of it, Labor falls into line. It doesn't matter what threat it has to our industry, what threat it has to our security or what threat it has to our safety Labor will do it. Justin Warren put it well on Twitter:

If you want @AustralianLabor to pass a law, just scribble "National Security" on it somewhere in crayon.

That pretty much sums up exactly what we've seen here. Or the way Greg Jericho put it:

In 10 years the LNP will propose everyone having a tracking microchip inserted in their arm, the ALP will protest and then agree to legislation that has it inserted into people's legs instead and they'll say how wonderfully they have improved the bill.

That summarises exactly what has happened here as well.

We've got these amendments that come in and maintain the fundamental problems with the bill. They will now mean that Australia will become a place that people will start avoiding when it comes to developing their tech industry, which is why there are comments online. Adam Chalmers said online:

if the #aabill passes I just won't be able to work in Australia :( I have an ethical obligation to users of my software not to expose their data. Breaking all their crypto/security is just a non-starter.

That is the situation that people are going to find themselves in. I think everyone in the country wants to know that we in this parliament are doing everything we can to keep people safe and that our laws are updated to deal with changes in technology, but they also want to know that the right balance is being struck. One of the ways that you ensure that is by doing this carefully, not rushing it through the week before parliament is due to rise, when you haven't bothered to progress it through the parliament through the usual processes in the last six months, but instead saying, 'We are going to have proper scrutiny and the capacity to deal with this,' which is why Mike Cannon-Brookes said online:

Whatever you feel about the #AABill in Australia, I agree with the @thelawcouncil that rushing such complex legislation through in days is reckless. At the least, these unprecedented laws need far more expert scrutiny & debate.

He is dead right. It may not have dawned upon Liberal and Labor, but no one party has a majority in this House or in the Senate. Why is that? It is because people across the country are saying, 'We do not agree with your having absolute power, cooking up backroom deals and then asking the rest of us to just accept on face value that it's all going to be okay, because we've been down that road before and we've seen what happens.'

We are now in a power-sharing parliament in large part because the Australian people want to shine a bit of daylight and sunlight on the decisions that are being made in this place. They want third voices like the Greens to hold the others to account, especially when it comes to making sure that people are secure online and that people's liberties and privacy are protected online. You don't seem to have got the message, walking in here and saying: 'There are a bunch of amendments. Just trust us. It will all get through. It's alright, we've cooked up this deal. Don't worry.' No, that is not the way you deal with an issue as important as this. This bill should not be proceeding today. This bill should be put to the proper scrutiny and a proper test to ensure that it doesn't affect our industry, our safety and our liberties. If the government seriously needed additional powers to deal with things over the Christmas break, they would have come and asked us six months ago. Instead this is rushed legislation, a bad Liberal-Labor deal that is going to make people less secure online. (Time expired)

10:32 am

Photo of Tim WattsTim Watts (Gellibrand, Australian Labor Party) Share this | | Hansard source

The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 before the House today is one with the most serious of stakes and it is a bill that the Morrison government has abjectly failed to treat with the gravity that it deserves. It involves policy decisions with the gravest of consequences. It concerns the tools available for our law enforcement and security agencies to ensure the safety of Australians in the face of threats like terrorism and child abuse and it also deals with the tools that Australians use in their everyday lives to protect the security and privacy of their data when using the internet.

The Parliamentary Joint Committee on Intelligence and Security had been treating these issues with the seriousness which they deserve. We should pay some attention to the chronology here: 18 months ago, Malcolm Turnbull, in his infamous 'war on maths' speech, told Australia that the threat of terrorist networks going dark was urgent and that the government proposed to introduce legislation of the kind which we see before parliament today. They did nothing. They subsequently said they would introduce a bill to deal with this in the first quarter of 2018. We saw nothing until September of this year. Then the PJCIS gets the referral and starts doing the substantive, serious, sober work of review, in the national interest, that we know the PJCIS provides this chamber, only for the Minister for Home Affairs to lob into the middle of it and say, 'This is now a matter of urgency.'

Those of us in this House who are not members of the committee but who followed the public hearings that they were undertaking saw a very high quality of interrogation of the issues at hand. I put on the record my thanks and regard for the shadow Attorney-General, the shadow minister for foreign affairs, the member for Eden-Monaro, Senator McAllister and in particular the committee deputy chair, my friend the member for Holt.

Labor always tries to work constructively, on a bipartisan basis, with all members of parliament on national security issues. National security ought to be about keeping Australians safe and preserving the freedoms that we enjoy in a democratic society, not doing harm to your political opponents. The PJCIS has been an institution in our democracy that has lived up to this principle—a place where proposals can be rigorously interrogated in the national interest and where members from both sides of politics can work constructively together on improving these proposals. There are plenty of cynics who will roll their eyes at this—I get that—but, as a party of government, Labor members have to confront the reality that the decisions that we make in this place on these issues have very real consequences; they have human consequences.

Regrettably, my own city experienced a terrorist incident during the conduct of this inquiry. As a member of parliament, I attended Sisto Malaspina's state funeral while the committee did its work. Similarly, as someone who spent a not insignificant period of my time before coming to this place working in an Australian telecommunications company, I gained some appreciation of the seriousness and the prevalence of online child exploitation and the important work that law enforcement agencies, and those who assist them in private sector companies, play in identifying and prosecuting paedophiles. These are not imaginary threats. They are not made up, and they are not abstract. They involve real human beings. They involve crimes that destroy people's lives, and the public rightly expects governments to treat them seriously.

Despite the government's transparent politicisation of national security and law enforcement through this process, this desperate politicisation, they have done this. Some repugnant things have been said in this debate. Members opposite should reflect on the repugnant claims and behaviour we've seen during debate on this bill. Australian democracy is not held in high regard by people outside this building. Indeed, it is held in contempt. Despite this, we treat our democracy very poorly in this building. The trashing of the PJCIS as a bipartisan institution, the debased attacks on the motives and integrity on this side of the chamber—they're accusing people of wanting to assist terrorists and paedophiles—merely for exercising our responsibility as parliamentarians to scrutinise complex government proposals in the national interest has hurt the public's regard for our democracy. Those of us who have gone into public service because we believe in the importance of our democratic institutions have the highest obligation to treat these democratic institutions with respect and not to behave in a way that feeds public cynicism towards them. Those opposite ought to spend the Christmas recess reflecting on that in the lead-up to the next federal election.

That said, I am pleased that the government came back to the negotiating table within the PJCIS process. I want to say a little bit about the context for this bill and the way that we approach it on the Labor side. I understand that there are some on the left of politics who philosophically object to any form of online surveillance. I respect that view and I acknowledge it—it is one that citizens are entitled to hold—but I have never agreed with it. I have not agreed with it as a member of parliament and did not agree with it when I was working in a major telco. Telcos assist law enforcement with their work and have done so for decades. That's not a new thing. Phone taps—telecommunications interception—play an important role in shutting down all name of criminal syndicates. But this principle—the idea that the private sector ought to help, when appropriate, in law enforcement—is a starting point for a conversation about what's possible and what is sensible to do. It is not a conclusion on this bill.

And a big problem with the public debate over this bill has been the government, ministers and MPs saying one thing about the effect of this bill while our security agencies and, indeed, even the Home Affairs department have said quite contradictory things in front of the PJCIS and in front of specialist forums dealing with these issues. For example, in a podcast published just this week, Adam Ingle, of Australia's Department of Home Affairs, said to the Crypto 2018 workshop on encryption and surveillance: 'I know some of you may have heard our Prime Minister Malcolm Turnbull'—a little bit out of date; it was from a speech from some time ago—'say that the laws of mathematics don't apply in Australia. They very much do. And this legislation reflects that. We don't want to undermine security. We don't want to undermine the laws of mathematics.'

Lots of talk from government ministers about this bill has implied that it is a way of breaking strong encryption and about accessing messages delivered via encryption. Despite this, security agencies and technical experts from ASD and AFP who appeared in front of the PJCIS insisted that this was not their intent. Indeed, in hearings on this bill, officials said that this bill would preclude them from requesting a technical assistance notice that provided for a key escrow regime, a regime where the encryption keys for communications are held by some third party in being able to be accessed by government. It ruled out an assistance notice that required an entity to weaken the level of encryption, simplifying the mathematical models that underpin encryption between communications. At conferences, it said that this bill would not allow a technical assistance notice that required password rate limits to be lowered. The bill doesn't allow for a decryption capability to be imposed. These are substantive provisions in this bill that do not reflect the public comments of government.

Let me be clear on another point in this respect: because of these constraints, there will be situations in which this bill is not able to facilitate the access to communications that is desired by law enforcement agencies. It just won't be possible. It's not a total solution to this idea of going dark. Anyone who claims that is crazy. That in itself, though, is not a reason to not do what we can. We can do sensible things.

I also want to point out, in the face of some of the online commentary, that this is not a bill about introducing some kind of mass online surveillance regime. As the Inspector-General of Intelligence and Security confirmed in its submission to the PJCIS process, warrant processes are unchanged by the access and assistance provisions:

… 317ZH(1) provides that a technical assistance notice or a technical capability notice has no effect to the extent, if any, that it would require a designated communications provider to do an act or a thing that would require a warrant or an authorisation under certain Acts.

That is, any law of the Commonwealth or of a state or territory. If you are not a subject of law enforcement inquiries, you are not going to have to worry about being a target of this bill. If you are not a security threat, as identified by ASIO, you are not going to have to be worried about being a target of the bill.

Indeed, these provisions can't require Silicon Valley firms to provide data that they have themselves to our law enforcement and security agencies. This bill doesn't resolve, and may even make more difficult, the mutual legal assistance treaties and the CLOUD Act problems in us accessing data from these providers overseas. In this bill, we can only access information from the targets of these warrants. This bill is not about 'Donald Trump reading your emails', as Senator Steele-John has suggested, nor is it about putting spyware into everyone's devices or spying on unions, as some people have suggested to me. This is a targeted regime that gives ministers the power to issue notices. In this context, the role before the PJCIS was to ensure that the decision-making ability from the responsible ministers, in assisting issuing these notices, did the right thing, made the right decision and enabled providers to assist with things that were sensible but didn't enable assistance notices that caused wider harm.

This is where we come to the provisions in the bill around preventing the installation of a so-called back door. A back door doesn't mean anything in a technical sense. This bill provides for a preclusion on the issuance of these notices where it may create a systemic weakness. This is a complex issue. It is a hard thing to judge even in the technical community. People argue about what a systemic weakness is. Unfortunately, the bill, as originally introduced, provided no definition for this at all. I'm pleased that the PJCIS is, importantly, defining this.

Similarly, checks and balances on this decision-making criteria are also important. The upshot of all this is whether a technical assistance notice will be reasonable and whether it will cause harm more broadly outside the context of that specific notice. That is something that will turn on the circumstances. It will turn on the individual facts of a particular security system of a particular IT platform. That's what we've sought to do through the PJCIS. We've sought to bolster the checks and balances. We've sought to bolster the criteria governing the minister's decision-making so that no harm is done through this.

I do want to make one comment. There has been an information vacuum on this bill, which has been partly created by the contradictory statements of the government and partly created by our law enforcement and security agencies. Their unwillingness not to be specific about the methods that they intend to use is perhaps understandable. But this has created a real paranoia online and in the sector about what this bill may do. So, in the limited time left available to me, I want to bust a few myths about what is in this bill. First, I just want to say really clearly: this bill will not break internet banking. If this bill were going to break internet banking in Australia, there would have been a submission to the PJCIS from the CBA, the NAB, Westpac and ANZ. We are dealing with a targeted regime here. There is nothing in this bill that bans strong encryption on passage. There is nothing in this bill that makes strong encryption unworkable in a banking security system. It is just nonsense.

I want to also specifically say that there is nothing in this bill that provides for the serving of individuals within corporations with these notices. This bill won't create a situation where an individual DevOps guy gets a notice from the government that he or she is not allowed to tell their boss or co-coders about in doing their job. There are provisions in this bill about service of these notices on individuals, but that is only when the individual is a separate entity, when someone has created a product off their own bat.

So what is this bill actually about? It is difficult to speculate, because, as I said before, the different circumstances of each security system will govern it, but I do want to point to some examples that we've seen from overseas of things that might be possible under this bill, might be workable, without breaking encryption. Recently in Germany—a country with a very high regard for strong encryption—we've seen its intelligence agencies intervening in the identity management system of apps to add additional end points to group chats. Indeed, their group chat in Telegram is a very high profile app. It was something that we raised through the PJCIS process, to say: 'Would this be a systemic weakness?' It is fair to say that the answer to that was different from the key escrow and the encryption maths answers. That might be possible. We might be looking at end point exploitation instead of breaking end-to-end encryption. We might be dealing with the way that communications are stored and managed on handsets or at end points rather than getting in the middle of it. These are the things which we could productively do, without breaking encryption, and which could assist our law enforcement and security agencies, without breaking the internet. That being said, it would have been nice to spend more time exploring these proposals through a rigorous committee process.

10:47 am

Photo of Ed HusicEd Husic (Chifley, Australian Labor Party, Shadow Minister for the Digital Economy) Share this | | Hansard source

As is often reflected in this place, we are compelled to consider a range of issues that are very important to the people who are affected by them. They may not necessarily garner wide interest, but the people who are touched by the laws that we pass in this place feel very strongly about them. There is a slice of law-making that is in a realm all of its own. In this instance, I believe that, where matters relating to national security combine with one other item, they demand national attention but also deep consideration by every single person in this place.

National security, twinned with economic security, demands that we ensure that we are fully aware of the impact, the potential consequences, of the laws that we will put in place. In terms of the matters before us under the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, it has been flagged for some time in the Australian jurisdiction that we would attempt to do something that had eluded our friends in other parts of the world with more resources, more brains and more capability. This is not disparaging our own strengths and abilities. But, if you look in parts of the world like the United Kingdom, they spent an extraordinary amount of time looking at the matters that are at the heart of this bill. They not only took their time in how they would address this but also recognised the immense challenges in being able to do what the home affairs minister reckons he was able to do with the snap of fingers, which is to deal with, to interfere with, to manipulate, something as complicated as encryption in an easy way. Well, you can pretend that you can do that, but the reality is something completely different. While a former Prime Minister said that the laws of mathematics are one thing but the laws of Australia are something else, the reality is that the laws of mathematics apply across the entire globe, and there's nothing inherently Australian about our ability to defy those laws.

The whole thing about encryption, the big worry that a number of people have expressed about this, is—if I can put it this way—that what has been attempted is like feeling in some way, shape or form that you can make a tiny cut in the mozzie net and you won't get bitten. The reality is that people are deeply concerned that, if you weaken encryption in any particular way, it will, in the longer term, be watched by people who want to cause harm and will do it.

There is absolutely no walking away from the fact—and I think there are a lot of joined views in this place—that we do need to absolutely target those who want to cause harm: terrorists, paedophiles, those who want to undertake at a major scale things that are completely beyond the pale. We need to be able to deal with it, absolutely. But, in tackling the people who want to cause harm, we don't want to inadvertently do harm ourselves, so this process needs to be given thought as to how to best architect an arrangement that will allow us to achieve it.

There are a lot of us in this place—I suspect that there are some on the other side as well—who have recognised the challenge in doing this and have been troubled by what has been proposed. The regimes that have been put forward by the government have been the subject of deep examination by the Parliamentary Joint Committee on Intelligence and Security. A number of my colleagues have singled out, in particular on our side, the people who have been able to make a very meaningful impact in that committee process. I want to recognise especially the work of the shadow Attorney-General and the shadow foreign minister, which we're very grateful for, but also my friend Senator Jenny McAllister; the member for Eden-Monaro, Mike Kelly; and the member for Holt, Anthony Byrne. I especially want to single out the last two, who have been open to members of parliament talking with them about the issues at the heart of this bill and working through our concerns with them. And they have, I have to say, given me a greater degree of comfort about what's being proposed.

But, having said that, some of the interventions by the member for Melbourne—who I do get on with but I deeply disagree with in this—show some belief that, on the opposition side, we think that this entire matter has been resolved to our satisfaction. It hasn't. We do have concerns still with what's being proposed. What we are trying to achieve is giving the tools to the security agencies to allow them to do their work but subjecting the types of proposals the government has put forward to ongoing review.

Now, bear in mind that I was one of the few people in this place to stand at this spot and argue against the arrangements on metadata, because at that point in time I was deeply concerned—and I still maintain the belief—that the powers that were granted through that process would potentially be abused, with little oversight and corrective ability. And what's happened in the meantime? We've discovered 350,000 applications for metadata, including from local councils! Why local councils would want my metadata, I don't know. I don't know if they're checking up on the contents of my recycling bin, but I may have caused some sort of offence triggering a need for metadata. People were told, 'We need this metadata for national security,' but we find out that local councils have access to metadata, in 350,000 requests—when we were told that there would be a narrow group of people, agencies and departments that would have access to it. It is astounding. The concern that a number of us have is that, when the government puts this legislation forward, what are the oversight arrangements?

I acknowledge the nous and capability of the Attorney-General. He has been much more adroit at dealing with this matter than his predecessors, who would have gone on afternoon Sky News and found themselves in all sorts of tangles describing metadata with tortured analogies involving the postal service. You have been a very good Attorney-General. When this Attorney-General was asked about the types of circumstances where the legislation would apply, which a lot of people have interest in, to give people comfort and understanding about what's going on—he is a clever boy—he said, 'I can't possibly go through those examples, because I've been told it's not appropriate for me to do so.' Very handy but not very helpful: with a controversial piece of legislation like this it is important to have examples you can walk the public through to build assurance, Attorney-General. I think people want to know the types of circumstances in which these laws would be used and what protections will be in place.

Longer term, if we want to work with arrangements like the CLOUD Act, the type of judicial oversight offered in this process is tissue-tough. I don't think it cuts the grade of what people would expect. People want a specialist judge backed by a team of people who can assess warrants and applications made to gain access under the TCN arrangement. They want to know that people who are capable of making judgements on applications can do so. I've been told privately that I'm being a bit too tough about the notion that a retired judge is the best person to make those decisions. I personally have deep reservations about it. I think we need to have a much stronger form of judicial oversight. I'm not going to get lectured to by people opposite who don't necessarily take the time to care about technology. In fact, if they had the ability to work a remote control on the TV, that's a great day in tech for them, but on this they want to tell us—

Photo of Andrew WallaceAndrew Wallace (Fisher, Liberal Party) Share this | | Hansard source

That's highly offensive.

Photo of Ed HusicEd Husic (Chifley, Australian Labor Party, Shadow Minister for the Digital Economy) Share this | | Hansard source

It's not offensive; it's a genuine reflection, Member. It's offensive? They can disparage decorated members of parliament who have served this country in Iraq, Somalia, Bosnia, Timor or in other capacities, saying that, in raising legitimate questions about this law, they are trying to help terrorists, but the minute you tease them about their capacity to operate a remote control, they get in a huff. It tells you everything about the way those people have approached this and are absolutely—

Photo of Peter KhalilPeter Khalil (Wills, Australian Labor Party) Share this | | Hansard source

Hypocrites.

Photo of Ed HusicEd Husic (Chifley, Australian Labor Party, Shadow Minister for the Digital Economy) Share this | | Hansard source

as some have interjected. While I won't characterise it that way, I endorse what the interjections have said. As I said, this involves economic security. Encryption is a legitimate pathway used by businesses to securely carry data that involves sensitive material about individuals, be it health records or transactions of financial status and wealth. Commercial operations legitimately use those platforms to conduct their business, and we as consumers and members of the public know that that's done. Anything that is being put forward by those opposite that would have an impact on that, needs to be considered carefully. The warrants process is an important mechanism to ensure that, when people make the applications through agencies, someone capable is making the decision on them. I believe that the arrangements that have been put forward by the government are only interim ones. I say that because, in the longer term, judicial warrants and oversight will be critical.

The second thing that I think will be important is parliamentary oversight. Our committees have done a terrific job in oversighting this legislation, but they should also be empowered to a far greater extent to look at the way in which the laws that are passed by this body are actually implemented and operate. We have very little in the way of future reform of the parliamentary oversight committees to give them the same capabilities as those that exist in our allies, such as the UK and the US, to ensure that the types of things that are being proposed now are dealt with properly. We need to have better arrangements there.

The third thing that I think we need to do is to have clarity about the reporting on this. Through you, Deputy Speaker, I say to the Attorney-General: I would be very grateful if, in your reply to the contributions today, you can outline the kinds of reporting arrangements that will let the public know how many times the orders or the arrangements have been accessed over a defined period of time and also the numbers of people that are affected by those orders. With the greatest respect, Attorney-General, I think there would be people in the public who would want to know what arrangements are in that.

So, as I said, I think the oversight arrangements are important, and there are a lot of people in this place who believe that, in the longer term, we need to have those mechanisms in place to give comfort. Again, there are a lot of us who are deeply concerned about this. There have been some reflections made about the views of people in the tech community who rightly raise—they should not be dismissed as extreme libertarians—what impact this has on the local tech sector if they are trying to ensure that the tech sector is able to flourish in this place and have confidence, because it's in an interconnected community with other parts of the world, that the quality of the work that it does here isn't questioned because of the legal arrangements put in by the government. There have, I note, been quite a few views that have been raised online about whether or not this will put the local digital economy at a great disadvantage relative to others. Others have questioned whether or not simple geoblocking arrangements by a lot of the types of platforms that have been raised will see us not having access to some of the apps that have been mentioned in the course of the debate because people and organisations do not want to be subject to a penalty regime as envisaged by the act, which is important as well.

This is not the end of the debate, and I want to emphasise to people who are listening to this and following this debate outside this place that this is subject to ongoing review, and it is also subject to the commitment of parliamentarians who believe that the oversight arrangements, the judicial warrants and the way this system is accountable to others need to be strengthened. We certainly think, in the longer term, that this is the thing that needs to happen and happen quickly.

11:02 am

Photo of Julian HillJulian Hill (Bruce, Australian Labor Party) Share this | | Hansard source

I endorse the comments that have been made by previous speakers on the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 and seek to build on those. In doing so, I record my strong concerns at the outset at the government's shameful, disgraceful approach to national security, as evidenced by the handling of this bill and the discourse and comment by government ministers, particularly over the last week or so.

Being a serious, responsible party of government is a responsibility which the Labor Party accept. We're not seeking to be populist in relation to national security matters. I don't think anyone could say that, at any point in the last two terms of parliament, we've taken the low road on national security. We've worked sensibly, in a measured fashion and in a bipartisan way, through the Parliamentary Joint Committee on Intelligence and Security, always seeking to listen to the evidence, to take seriously the concerns of our security agencies—and industry in this case—and to reach agreement and compromise with the government. I think that committee has issued more than 300 recommendations in relation to a range of legislation, all of which have been adopted by the government and all of which have improved the initial proposals introduced by the government.

Of course, it's easy being green, as Kermit the Frog used to say, and the Greens political party have chosen the other route: to vote against every single piece of national security legislation, seeking populist headlines and spreading rubbish on social media. They're not serious legislators. Indeed, I think in Gareth Evans's book, he observed that at least back in the day the Democrats were serious legislators. They'd go on serious committees. They'd put in the hours to read the clauses, grapple with the evidence, do the hard yards and actually have evidence behind the claims that they made. But even back then the Greens Party just didn't do the work. It wouldn't surprise me at all if none of them really said much in the Senate after 6 pm because they're not going to get on the telly tonight, so why bother, as we saw with the foreign influence bill when it went through the Senate.

This is yet another badly thought out, badly drafted and rushed bill, just like the Foreign Influence Transparency Scheme Bill 2018 was when it was rushed into parliament and introduced. I was in the chamber then. Everyone else was off having a drink after the marriage bill, but the Leader of the House was waiting to shut the place down, so I had to table an obscure committee report and listen to the Prime Minister's overblown rhetoric coming off the back of their disgraceful politicisation of national security when they were desperate at that point with 'Shanghai Sam' and all this stuff gratuitously insulting China and selling out our national interest at that point. But the pattern is there. When this government is at its most desperate and when even picking on minorities, migrants and the most vulnerable Australians doesn't seem to be working anymore—as we saw in the Victorian election; talking up fear of crime didn't go so well, did it?—its last resort is: 'Break glass. Press "national security"'. That's what we've seen this week in how they've handled this encryption bill.

As I've said, the Labor members have taken the issue seriously. There was a timetable agreed on with the chair of the committee, who's over there. I think he sought to do his best to put a proper, grown-up process in place, to listen to the national security agencies, to listen to technical experts and to listen to other government agencies even when they gave clearly misleading and wrong evidence, like the Department of Home Affairs did. It became apparent that the government's consultation on the bill with the exposure draft was cursory at best, and not genuine. They didn't listen to any of the concerns raised. They just ploughed on ahead, thinking: 'We've ticked the box in consultation. We stuck out an exposure draft—that'll do.'

When the bill was introduced, there was no suggestion from the government that this was urgent. There was no date specified. It was only after the government's shocking week last week—you got smashed in Victoria, you lost Wentworth on Monday and you had a defection and lost the seat of Chisholm on Tuesday—that they then all of a sudden hit the panic button and started heavying the committee and smearing Labor with ridiculous slurs. If we didn't pass the bill immediately, as drafted, with no interrogation and no thought, then somehow we were all friends of paedophiles and friends of terrorists. It was an utterly ridiculous comment by the member for Hume with terrible overreach and hyperbole, and the commentators called him out on it. As if saying we were all friends of paedophiles was somehow going to get the opposition onboard! Indeed, I think it was at that point that the former Independent National Security Legislation Monitor called out the Minister for Home Affairs as being unfit for his office through taking the low road, as the government have done, and politicising national security in the way we've seen in the last week. That is an important point.

I heard the member for Eden-Monaro before remark upon that slur on the opposition and call for an apology. Well, I don't feel I need an apology—that's the normal kind of rubbish we hear when the government is desperate—but I do agree that, if anyone is owed an apology, it is the member for Eden-Monaro. He spent 30 years of his professional life working in the national security establishment of this country, serving in the SAS, serving overseas and fighting terrorists. For a government minister to somehow imply that he, as a member of the intelligence committee, in seeking to fix this flawed bill was somehow a friend of terrorists is disgraceful.

For any of those opposite who wonder why they're held in such low regard by the Australian people now, that's a very good example of the kind of thing that should stop. When it's said in the heat of the moment, perhaps on Sky News, if anyone was watching—I actually was at that moment—then perhaps a withdrawal and an apology would go some way to restoring some trust and decency.

In contrast to this process, the Intelligence Services Amendment Bill 2018 was passed without fuss by the House earlier this week, because that followed a grown-up process where there was early and extensive consultation with the opposition and grown-up behaviour through the committee. The bill had checks and balances in oversight embedded in it, and they were strengthened, but, of course, that was driven by the member for Curtin, when she was the foreign minister. For that, the thanks she got from her party room was 10—or was it 11?—votes to be leader. So, for grown-up behaviour, you're spurned, but for taking the low road and politicising national security, apparently you get rewarded on the other side. In good legislative process, at 6.32 this morning, we got handed the amendments to the bill—100 pages in the report and goodness knows how many amendments. So we're supposed to stand here—like government muppets do—and support a bill, when there's been no chance to properly consider whether the amendments agreed to even reflect the agreements made through the Parliamentary Joint Committee on Intelligence and Security. We've had multiple examples on previous occasions where an agreement is reached, the government runs off, does the drafting, comes back, and it's not right, either through bad intent, in some cases, or just fair, excusable mistakes that may happen when people are working overnight drafting complex legislation.

The shadow Attorney-General has well outlined and summarised Labor's substantive concerns with the bill, but I'd say very clearly the bill is flawed. It was flawed in a serious fashion when it was introduced to the House. The original version was hopeless. Despite the supposed consultation on the exposure draft, as I said, there was no actual listening—we may hear, but we don't listen. There was no credence given to the red alarm bells ringing from industry that the bill, if it proceeded with as drafted, would actually compromise national security, would weaken national security. But we called the government's bluff and said: 'No, there is a line. We've reached the line. We are not going to support legislation that weakens national security, even if the government thinks it's in its short-term political interests to call us all "friends of terrorists". We're not going to do that.'

I'll draw attention to two things that have been remarked upon. Encryption: once it is broken, you can't unbreak it. Encryption plays a critical role in our national modern security, not only in more traditional national security domains of defence and policing and so on but also our economic security—banking, telecommunications and critical infrastructure. And the back doors that have been talked about—that if you require technical providers to build in known flaws—are a serious issue. It's not a trivial issue like the 'big stick' which we hear so much about in question time; it's a serious issue. Industry lined up to point out serious numerous problems, but there was nothing, silence from the government—doesn't matter; we're just going to plough on ahead.

One of the most serious issues, the shadow Attorney-General's identified. When this was raised in committee hearings with officials and government members, there was this kind of stunned silence, like no-one had actually thought of the implications for the security relationship with the United States and the CLOUD Act that was passed in March. In that sense, whilst this bill is less problematic, Labor still have concerns about it. We still believe it's flawed legislation despite the agreements reached. We are going to do the sensible, grown-up thing as a responsible party of government and reach a compromise with the government to pass the bill before Christmas and ensure that the security agencies have the powers that they have said that they need—some of that in public evidence, some of it, of course, in classified evidence, restricted to the committee. It is a fact of life that we have to trust the judgement of those senior members of the House—at least from our side—who are members of that committee.

I do want to draw attention and record my concerns about a couple of aspects of outstanding concern. Firstly, judicial oversight: appallingly, the bill does not provide, even as amended, for judicial oversight of technical assistance notices or technical capability notices. Judicial oversight via warrants does apply to telecommunications interception notices, which is the most obviously reasonable parallel. It's an accepted norm. It has been for decades. An important legislative principle anywhere in public administration but particularly in relation to intelligence and security matters is that, as the legislature grants greater powers to security agencies, there has to be greater accountability and responsibility. It shouldn't be a difficult concept. If you give more powers away to do hidden things then there has to be greater accountability. That's why judicial oversight via warrants is a long-accepted, well-accepted practice. But the government won't agree to that. Point-blank, they will not agree to judicial oversight. There's no sensible, convincing explanation being given as to why the same regime that has applied for decades to telecommunications interception warrants can't apply here. There's just no explanation. It's a basic norm, but it's also a civil liberties and a trust issue. Trust in government is declining. Surely this is one thing that we can agree on to help address some of the concerns floating around the internet or the hyperbole that we've heard from the Greens' political party. This is one issue that we could agree on that would help to moderate some of the legitimate public concerns about trust.

I'm concerned that this legislation allows one government minister—well, the initial proposal was that one government minister could issue the mandatory technical assistance notices or technical capability notices. I'm not remotely comforted by the fact that it's now two government ministers, particularly when one is the very weak Senator Fifield. This double-lock system of two ministers doesn't give much confidence. The best we could get out of this initial compromise was judicial review from a retired judge. A judicial review is a very poor second cousin to judicial oversight. This should be fixed next year, as the committee's inquiry continues. But if it's not fixed by this government, I think it should be fixed by the next federal Labor government.

The other concern, of course, is the definition—or lack of definition—of 'systemic weakness'. Apparently, the protection was that you can issue a technical capability notice—you know, the big stick—to make them build in a back door, but there's no definition of what a systemic weakness, in fact, is. They're ignoring industry on this point. Labor has got the government to finally, after listening to the evidence through the committee, agree to accept that there has to be a definition of systemic weakness. It shouldn't be rocket surgery, even for those opposite, to understand that if you're going to pass a term that is supposed to be the big protection from stuffing up the—

Mr Pyne interjecting

'Rocket surgery' was Warwick Capper's favourite phrase, actually. It's one of my personal favourites. I thought it might help some of those opposite to understand the point I was making. It shouldn't be rocket surgery to understand that you need to define the term 'systemic weakness'—

Photo of Christopher PyneChristopher Pyne (Sturt, Liberal Party, Leader of the House) Share this | | Hansard source

It's 'rocket science'!

Photo of Julian HillJulian Hill (Bruce, Australian Labor Party) Share this | | Hansard source

I know it's 'rocket science'. I think 'rocket surgery' has a nicer ring to it, Leader of the House.

Photo of Clare O'NeilClare O'Neil (Hotham, Australian Labor Party, Shadow Minister for Justice) Share this | | Hansard source

I'm defending you!

Photo of Julian HillJulian Hill (Bruce, Australian Labor Party) Share this | | Hansard source

Thank you. It was deliberate. It was a Warwick Capper term. It's part of my lexicon.

In summary, I do welcome the fact that the PJCIS inquiry will continue. This provides an opportunity to address the serious and outstanding national security concerns—most particularly, but not limited to, the US CLOUD Act and our security cooperation—to address the privacy and civil liberties concerns. I have to say, a lot of what I've seen and received via email is clearly overstated. Warrants remain for the interception of individual communications, as has existed for decades, but we could strengthen it with judicial oversight. Very importantly, as others will talk about, we can take the time to consider the economic impacts and our economic security.

11:18 am

Photo of Andrew WilkieAndrew Wilkie (Denison, Independent) Share this | | Hansard source

It goes without saying that everyone in this House is focused on national security and everyone in this House is doing everything they humanly can to enhance our national security. Yes, we all approach it from different places and look at it through different coloured glasses. But I would just like to say, quite clearly, that the member for Eden-Monaro's comments were justified. The member for Hume's comment was a deeply offensive comment. There have been other deeply offensive comments made over time, when it comes to some people criticising other people in this place when it comes to national security. In fact, although I haven't done the numbers exactly, I think there would be as many, or more, former members of the military and the intelligence and security services serving in the current opposition and on the crossbench than there are in the government. That's not a criticism of the government. It's just to give a sense of balance. We all have our heart in it, and we should keep the discussion about policy issues respectful. Some people see me as a bit of a dud, but I did more than 20 years in the military and intelligence services as well. Even though I am not supportive of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, let's all just respect each other's position and where we're coming from, please.

I share the concern of many people—not so much in this place, but many people in the community—and agree that it is a bad idea to be building a known vulnerability into encryption software. That is not necessarily because we have concerns about that access into encrypted communications for government—although there are legitimate concerns about that to be had. But there is the broader concern that to design a weakness, a vulnerability, a back door—some way to access encrypted communications in all communications—is such an invitation to wrongdoers to find the key to that door and to eavesdrop, effectively, or to see in plain text what people thought was a secure communication.

So I think that's the first point to make: that it's a bad idea to, by law, require all the encrypted communications in this country to have a vulnerability by design that can be exploited by wrongdoers. Of course, having that within our own country might be something we accept. Clearly the government and the opposition accept it, and I suspect they're going to vote together on this bill shortly. But it does raise a question: what will our security partners and our business partners think of that? I think it is a reasonable conclusion to draw that there will be concern in other countries and in multinational businesses that have operations in Australia that they will then be partners with a country that has this vulnerability within our ICT. That's another thing that needs to be considered. So I think this bill is ill considered, and I'll be one of I suspect a small number of people who will oppose it.

There is a broader issue, and that is about the power of the state. I've spoken about this on many occasions, and I have expressed the concern of a great many Australians that the power of the state has now grown and been extended so far in this country that it is unacceptable. In fact, since the 9/11 terrorist attacks in 2001, well over 60 security reforms have gone through this place. I understand that when security reforms at the state level are included there have been literally hundreds, many hundreds, of changes to our security legislation—principally, it is said, to deal with the threat of terrorism. I acknowledge that some of those reforms have been sensible, and we should be always reviewing our security arrangements and always looking to improve them where they need to be improved. But there is a widespread concern in the community that some or many of those reforms have not been well considered and have not been justified. In fact, you could even go back to the very start of those shocking events in 2001, the terrorist attacks in the US. I think the whole response was wrong. At the end of the day, that was a shocking criminal act of mass murder, and really that should have been our response way back then. We shouldn't have been racing around the world invading countries; we should have been treating it as a terrible criminal matter. If we need to enhance our legislation to help the crime busters, then let's do that, but let's not overextend; let's not unnecessarily extend the power of the state.

I'm pleased that some people have reminded us of the issue of mandatory metadata retention. I'll take this opportunity to make the point again: that was a bad idea. That is bad policy—the fact that every piece of metadata collected by an Australian telco must be kept for two years and can be accessed without merit. There's no comfort in that. I personally would probably have had a different response to mandatory metadata retention if I had known at least that it could be accessed only with a warrant—and no, it's not. So, there is that issue that the power of the state has already been extended greatly. In the minds of many people it has been extended way beyond what has been necessary. When I wrap that context around what's going on here today, I think this is another case of an excessive extension of the power of the state, and it's another case of the government and the alternative government being in lock step.

I think one of the characteristics of a healthy democracy is that we have a strong, ethical, confident government and that we have a tough opposition that holds the government to account. It doesn't oppose for opposition's sake, which has been the case far too often in this country in recent years, but holds the government to account when it needs to be held to account. And when it comes to issues of national security—and the response to irregular immigration, I would add—far too often, in fact almost always, whoever's in opposition, whether it be the coalition or the Labor Party, will just say, 'Yes, where's the blank cheque? We'll sign it for you.' Far too often, it's out of a fear of being wedged.

I do wonder, in fact, about bringing the encryption bill on at this point in time, after 18 months of it wallowing around the parliament in the lead-up to a federal election. I do wonder: why the haste? To what degree is bringing it on right now a political move? Was it done in the hope of wedging the Labor Party? Well, you know what? I wish the Labor Party had been wedged on it, because they shouldn't be supporting it. I think the Labor Party are letting down many of their supporters by getting behind this bill.

I'd also make the observation that, yes, when you're in government, you do need to be responsive to the needs of the security services. You should ask them: 'What tools, how much money, what resources and what legislative freedom to manoeuvre do you need? What do you need to do your job?' That's good. We asked them and we listened to them. But we should never just say yes to every request, because it's in the nature of the security services to ask for every possible tool they can get their hands on, to the point where they would have way more than is in the public interest if you gave them everything they wanted. So sometimes, in this place, we've got to be prepared to say no.

If the security services were able to access any and all encrypted communications, I agree that that would help the security services. But at what point do you rein them in and say: 'You're asking for too much. You are asking us to extend the power of the state beyond what is reasonable'? If you were to give the security services everything they want, they'd probably have rockets and missiles and be able to do who knows what. You've got to rein them in. That's our job. Our job is just as much to be a check on the power of our security services as it is to give them the tools they need. And I do worry that, in this country nowadays, governments, supported by oppositions, are too quick to give the security services everything they want.

It's telling that several years ago now I gave a speech in here lamenting that Australia had entered a stage of being almost in a prepolice state, with excessive powers of the state and excessive legislation that had gone too far. For example, mandatory metadata can be accessed without a warrant. I was genuinely alarmed a little bit earlier in this debate to hear that councils—local government—in Australia are now accessing, or at least seeking to access, that metadata. What we were promised, only several years ago now, was that it would be used only to go after terrorists and that the list of agencies that would be allowed to use that information would be very small. In fact, the list of organisations was being reduced in size, because I remember that at the time, years ago, before it was mandatory, we were wondering, 'Why does the RSPCA have access to metadata?' We were having, I think, a healthy debate about who should access this sort of stuff and we were absolutely promised that it would only be used to go after terrorists. Then, after a while, the debate morphed into: 'Oh, yes, but also paedophiles and other things.'

The problem with these sorts of reforms is incrementalism. Things are rolled out with lots of promises and grand speeches, but over time the security services want just a bit more, other agencies want just a bit more and ministers give out a bit more, and you end up in a bad place. I do worry about this access to encrypted material. I think the government's saying it's only to assist in the fight against terrorism and the most serious of crimes, like child exploitation, paedophilia and so on. And, yes, they are heinous crimes. But next year it will also be for this and that, and the year after it will be for that and that and that. And before we know it, family law lawyers will be wanting access to information, whether it be metadata or access to what we thought were secure communications between two parties. Then local governments will be wanting access to it and all these other agencies will be wanting access to it. People in civil law courts will be wanting access to it. The idea of a slippery slope isn't just a cliche; it is real.

As the Attorney-General is leaving I will say through you, Deputy Speaker, to him, and I have said it before and I will say it again, that I think the Attorney-General is a decent man and he is not prone to acting recklessly—except in the problem case of Witness K and Bernard Collaery, and I still don't know why we are going after those two. But what happens when in a future government we have a really nasty piece of work or a real fool in a position like that? We need laws to be really tight to protect us from people in the future. Laws should never be rolled out on the assumption that they will never be misused. Any opportunity to misuse, any hole in it, should be closed before we bring it into law.

Why the rush? These ideas have been, as I said earlier, washing around parliament for about 18 months, and all of a sudden we have to get it through the parliament today. We have to have it in place before Christmas. Why the rush? If nothing else, why can't we just delay this, look at it further, consult more broadly and put in place more safeguards? That would keep some members of the community happy.

I come back to my original concern and that is that it's just fundamentally a bad idea to build a back door into encrypted systems, because it is an inherent vulnerability and, mark my words, people will search for that back door. And some very clever people will find it and they will access it. Then once they've found the key they will sell it to someone else. It will become a very valuable commodity. Before we know it, what is being said for the wrongdoers—perhaps the criminals and perhaps the terrorists—will be no secret and it will be used against us. It will make us less safe. It will be because of a government—this government, this opposition—seeking to extend the power of the state just that bit further, and, frankly, to take us that bit closer to a police state, because in so many ways we have already reached a prepolice state—too many laws, too much power for the state and too much power for the security services. I will be opposing this bill today. Thank you.

11:33 am

Ged Kearney (Batman, Australian Labor Party) Share this | | Hansard source

I rise today to speak on this Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018. I will just say first that later today I will speak on the Treasury laws amendment bill. I only mention this because there is a similarity in how both these bills have been brought to this House, both in a rush of ill preparedness and, may I say, seeming desperation. The bill being discussed this afternoon was moved in this House without anyone actually having time to properly read it, to properly analyse it and to properly work out a proper response—and I believe even the members of the government's own party. Both bills have been prepared in a rush and in desperation, because this government knows that it is in deep trouble. It knows that it has nothing to offer the Australian people that connects them with the people, or that shows that they are in any way in touch with what is happening in what they would call 'real Australia'. The haste and desperation around about this bill is disgraceful and, quite frankly, deeply concerning.

There has always been a bipartisan approach to matters of national security through the Parliamentary Joint Committee on Intelligence and Security. There has always been a deep and real consideration of issues that befits responsible government, a practice that this government has thrown out the window, and all in the name of what? Certainly not in good national security policy—perhaps trying to be populist. As my friend and colleague the member for Bruce just articulated so well, the government have tried picking on minorities, they have tried race hatred and they have tried vilifying vulnerable Australians, and none of this has worked to improve their popularity or their position with the Australian electorate. So, as we have seen time and time again from the Liberal Party, they resort to fearmongering on national security. Their handling of this encryption bill has been abominable.

Labor members of the Parliamentary Joint Committee on Intelligence and Security have done their job with all seriousness. They have been consulting with industry and civil society stakeholders, both through the committee process and outside. Labor have negotiated with the government to address some core concerns of ours. While there are significant outstanding issues—and I will go to those later—the compromise we are debating today will deliver security and enforcement agencies the powers they say they need in the short term and ensure adequate oversight and safeguards to prevent unintended consequences, while enabling continued scrutiny of the bill until 2019. Labor are prepared to take this course of action because of the government's undertaking that the committee will continue its inquiry into the bill into 2019 and a separate statutory review will be undertaken by the Independent National Security Legislation Monitor within 18 months of the legislation coming into effect. These separate processes will provide an opportunity to resolve our ongoing concerns about the bill with the assistance of industry, experts and civil liberty groups. It will also help uphold our responsibility to keep Australians safe.

The Labor members of the committee have taken on board all evidence from our national security agencies. They have listened to the industry and technical experts. This is serious, complicated business, and it's quite clear that the government's consultation and consideration were not deep enough or good enough to produce an original bill that was in any way acceptable. The government, to begin with, did not suggest that there was any need to rush this. They suggested, indeed, that they would give it the consideration that it deserved, and we started that process in good faith. As the member for Isaacs said this morning, we put a great deal of time and energy into rigorously analysing every national security bill that is presented, and we do this because we understand that, in conferring new powers to protect our nation's security, it is vital that we do not compromise the very freedoms and way of life that we are seeking to protect. We must always be aware that, while the laws we pass can be part of the solution to national security threats, those laws, if improperly designed, can become a part of the problem.

When we tried to explain that this was important to us and that we on this side of the House wanted to make sure of the above—that we needed to slow down—the government said, as if there were a sudden urgency, that if we didn't pass this bill immediately, as drafted and without evidence, we were helping and befriending terrorists and paedophiles. This was an outrageous slur on the Labor Party simply because we wanted to follow due process. As other members of the House have mentioned this morning, this was insulting, and there should be an apology and a withdrawal. What we were trying to do was protect the rights of Australian citizens.

The member for Isaacs and others have outlined Labor's concerns with this bill. Yes, it is not perfect, but the original version presented by the government was a mess. It was hopelessly flawed and completely unsafe. It was clearly rushed and ill-written. Some of our concerns have been dealt with in this bill, and they go to a couple of things that have been spoken about already this morning. We have concerns about systemic weakness and its implications for security, technology and Australian economic competitiveness. We are concerned about inadequate oversight and safeguards, including implications for privacy and civil liberties. Labor members of the committee have sought and obtained recommendations in the PJCIS report that, if translated into amendments, will address many of the core concerns raised by Labor and stakeholders, noting that the committee will undertake further inquiry immediately after the legislation is passed.

Systemic weakness related concerns will be addressed through amendments to clarify the meaning of the term. Now, this is incredibly important and the industry has told us this: we need to clarify the meaning of the term 'systemic weakness' and clarify that technical capability notices cannot be used to create a systemic weakness. We need an ability for a provider to disclose details of a technical capability notice, except, of course, where it would compromise an investigation. There needs to be authorisation of a technical capability notice, requiring the approval of both the Attorney-General and the minister for communications, despite the concerns of my colleague who spoke previously about the capability of the current minister. A designated communications provider that has concerns about a technical capability notice may request a binding assessment of whether it would indeed create a systemic weakness, that the requirements are reasonable and proportionate, that compliance is practical and technically feasible and that the notice is the least intrusive measure that would still achieve the objective.

Two persons would be jointly appointed to conduct the assessment, and the report must be provided to the Inspector-General of Intelligence Security and the Commonwealth Ombudsman. This essentially means that any request to a provider that might create a systemic weakness would be subject to a merit review style process. Inadequate oversight and safeguards will be addressed through the strengthening of the Inspector-General of Intelligence and Security oversight powers, including explicit notification and reporting requirements, limits on the exercise of powers, defences for the IGIS officials and clear information-sharing provisions. There will be clear authority for the Commonwealth Ombudsman to inspect and gather information on the exercise of these powers. The AFP Commissioner must approve any state and territory initiated technical assistance notices, and they must apply the same criteria and go through the same decision-making process that would apply as if the AFP were the original issuing authority. These things were taken up by the Labor Party, and I congratulate the member for Isaacs and the other Labor members of the PJCIS for paring back and amending some of the worst aspects of this bill.

We have another concern, and that is that this bill does not provide for judicial oversight of technical assistance notices or technical capability notices that allow for interception notices, or, in less technical wording, for the gateways to be inserted and to bypass the encryptions. The government will not agree to judicial oversight, and I agree with previous speakers who say that this should be fixed. If it is not fixed before the next election and if Labor is elected, I think Labor should fix this part of the bill, which we are concerned about.

Labor will monitor the implementation of this legislation very carefully. We welcome the necessary changes that Labor members of the committee have brought about, and we welcome the fact that the committee inquiry into this legislation will continue with full review. We will continue to listen to stakeholders, including concerned Australians. While there is some misunderstanding, some misinformation, some hyperbole and, as we have heard, there are some insults that have been thrown about the House with respect to this bill, Labor, I am pleased to say, take this very seriously. We will continue to monitor this bill. We will continue to stay in touch with the stakeholders. We will reassure Australian citizens that we will continue to monitor this bill very carefully, as we go into the future.

11:44 am

Photo of Peter KhalilPeter Khalil (Wills, Australian Labor Party) Share this | | Hansard source

I rise to speak on the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018. National security versus individual privacy, individual rights versus collective rights, privacy versus security—these are the traditional conundrums and the traditional challenges that governments have faced since time immemorial. It's about getting that balance right and what that balance should be. Of course, with the advent of modern technologies, particularly over the last couple of decades, we see that there is a further complication of this conundrum with respect to the entanglement of national security concerns with economic concerns. We've heard, as some of the previous speakers have noted, that members of the Parliamentary Joint Committee on Intelligence and Security have heard evidence from security, intelligence and law enforcement agencies about the risks of the surveillance environment going dark because of some of this technology where terrorists, paedophiles, organised crime and drug traffickers all utilise encrypted technologies and applications for their communications and their planning. But we still have the same challenge that we face here in this parliament and that governments face around the world, and that is making sure that we get the balance right between the security of the collective community against those threats which I just enunciated and, in the case of the bill that we are debating, the security of the data and the content that is transmitted through the encryption service. We need to make sure the privacy of that data and those communications is protected from the eyes and ears of government agencies when it's not necessary for them to access that data.

So it is a difficult balancing act, and this challenge has been compounded by the process we've witnessed, where the government has tried to ram this bill through the intelligence committee. I also want to echo the comments of many of the other speakers and commend the work that has been done by the members of the intelligence committee, who, as some previous speakers have noted, have worked extremely well together in a bipartisan way on this bill. On the 15 different national security bills that have passed here in this place during the term of this parliament, they have made something like 300 amendments. They've done excellent work in trying to get that balance right, and they're faced with getting that balance right in most of the work that they do and the consideration of the different laws before them. Unfortunately—and it is not so much the fault of the members of that committee—the government itself has sought to almost weaponise or politicise this process by trying to rush the committee's very important work and to force their hand by asking them to come out with a report much earlier than I think they would have liked to. They would obviously have needed to spend much more time in consideration of the bill.

The Labor members of that committee obviously have heard the evidence given by enforcement, security and intelligence agencies that there is a real need for some of the powers that we're debating within this bill in order to protect Australians from what they've characterised as increased security threats that are very real, particularly over the Christmas and holiday period. Of course, the Labor members and other MPs have consulted not only with the intelligence, security and law enforcement agencies but also with industry and civil society stakeholders—tech companies and other stakeholders that have a real interest in how this bill proceeds. In many respects, there has been enormous effort through the committee to try to negotiate the issues of concern that have been rightly raised by tech companies and many others about the unintended consequences and effects of this bill, particularly given the rushed fashion in which it has been put to the parliament. Those negotiations have led to a series of substantive amendments which Labor has put forward to try to address those concerns.

I just want to note again for the record that, while there has been excellent work done by the committee, it is most unfortunate that the government of Prime Minister Morrison has tried to force their hand with respect to the work that they were doing. There were a number of Australian companies that indicated that they were not consulted by the government and that, even when they made submissions to the inquiry, they were simply ignored. That, as I said, has meant that this process has been far from ideal. We have the Prime Minister and the Minister for Home Affairs conducting what we would say is unacceptable interference in the work of that committee and seeking to politicise these issues.

There has been strong bipartisan support for national security, including on this side of the House, through the term of this government. Of course, as I said, there have been hundreds of amendments that have been worked through as part of that process, but we on this side see the seriousness and the importance of our responsibility to ensure national security and the collective security of all Australians. But we also want to get that balance right.

We've tried in good faith to work with the government, so there's a real disappointment about what we've seen with this process. And I note, too, some of the comments that were made by the opposite side against members on this side who have worked for most of their lives on national security, like the member for Eden-Monaro and me. I have worked in DFAT and Defence, and I actually served in Iraq with the member for Eden-Monaro. We are absolutely committed to national security, but we also want to get the balance right.

11:50 am

Photo of Christian PorterChristian Porter (Pearce, Liberal Party, Attorney-General) Share this | | Hansard source

By way of summarising all of the second reading contributions, I rise to speak on the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, a bill which is urgently required to strengthen the ability of Australia's law enforcement and national security agencies to deal with challenges presented by modern communications technology. Australia's prosperity is fuelled by the technologies of our age—that's self-evident—but everyday Australians rely on digital communications for banking, shopping, education, health, communications and other key services. Australians expect the digital platforms they use to be secure. That is why the government strongly supports the use of ubiquitous encryption to protect personal, commercial and governmental information.

Encryption is a vital part of the internet, computer and data security, supporting Australia's economic growth and national security. However, we would be naive to think that digital technologies which drive our economic prosperity are immune to exploitation. The same technologies that protect us online are being employed by terrorists, by paedophiles, by drug smugglers and by human traffickers to conceal their illicit activities from law enforcement and security agencies. Put simply: encrypted communication is helping criminals and terrorists to remain anonymous and to operate beyond the reach of the law.

Tellingly, 95 per cent of ASIO's most dangerous counterterrorism targets use encrypted communications, with encryption impacting intelligence coverage in nine out of 10 priority cases. Encryption has significantly degraded law enforcement and intelligence agencies' ability to lawfully collect intelligence and conduct investigations. The Australian Federal Police and ASIO suggest that, by 2020, almost all communications amongst terrorists and organised criminal groups will be masked by very strong encryption. As we move towards ubiquitous encryption, the challenge it poses for law enforcement and national security agencies will continue to increase.

The assistance and access bill is a very necessary and proportionate response to these challenges. The legislation introduces new tools that complement existing powers available to law enforcement and national security agencies. The bill establishes a framework for agencies to seek assistance from relevant industry stakeholders in support of law enforcement and national security investigations and operations. The reforms ensure agencies can obtain legitimate and necessary assistance from communications providers when it is reasonable, proportional, practicable and technically feasible to do so. Agencies will also be empowered to seek assistance from offshore providers supplying communications services and devices in Australia. This reflects the modern nature of the communications industry and ensures that agencies are able to seek assistance from those best placed in the communications supply chain.

The bill also ensures that our agencies can access lawfully obtained content and data. This is enabled by the introduction of new computer access warrants for law enforcement, enabling them to covertly obtain evidence directly from a device, and the strengthening of law enforcement and national security agencies' ability to covertly access data through warrants and orders for assistance. Importantly, these measures are supported by strong safeguards and limitations to protect the privacy of Australians, maintain the security of digital systems and ensure that agency powers are only ever used appropriately via lawful processes for national security purposes.

The legislation clearly prohibits the creation of so-called back doors for any reason. Companies cannot be required to create systemic weaknesses in their encrypted products or be required to build a decryption capability. The legislation does not allow for mass surveillance. Rather, the provisions in the bill assist authorities in their investigation of individuals who are reasonably suspected of being involved in committing a serious offence or are of national security concern. Access to personal information must be authorised by existing warrants and authorisations, which are subject to their own safeguards, including judicial oversight.

The need for the powers in this bill has become more urgent in the light of the recent fatal terrorist attack in Melbourne and the subsequent disruption of alleged planning for a mass casualty attack by three individuals last month—also, sadly, in Melbourne. Individuals in both of these cases are known to have used encrypted communications. ASIO's Director-General of Security, Mr Duncan Lewis, informed the Parliamentary Joint Committee on Intelligence and Security last week that there is an operational urgency to this legislation. He advised the committee:

The impact of encryption on our operational effectiveness is real.

He said:

It has degraded our ability to identify terrorist activity.

He also noted that the risk of further attacks is heightened as we head towards Christmas. At the same hearing the Commissioner of the Australian Federal Police, Mr Andrew Colvin, told the committee that he is:

… concerned with the increase in criminal communications that are beyond our lawful ability to intercept and/or view. The operational urgency … is … very real …

Commissioner Colvin has also written:

What this bill does, in essence, is give police a fighting chance …

Likewise, Assistant Commissioner Neil Paterson of Victoria Police told the parliamentary joint committee:

At the moment, we're fighting with one hand tied behind our back by not being able to lawfully access the data that we need—

To keep Victorians safe. We on the government benches implore all of our parliamentary colleagues to support this bill and the agreed amendments to ensure law enforcement and national security agencies can lawfully access the data that they need to keep Australians safe over the Christmas period and beyond.

The bill reflects an extensive three-stage consultation process with industry, community organisations and the public. I acknowledge the significant work in this regard by the former Minister for Law Enforcement and Cybersecurity, the member for Hume, and the Minister for Home Affairs, the member for Dickson. I also acknowledge the tireless efforts of the staff in the Department of Home Affairs, their colleagues in ASIO, the AFP and parliamentary counsel and thank them for their work on this legislation. I also thank the Parliamentary Joint Committee on Intelligence and Security for its comprehensive review of the bill.

The amendments recommended by the parliamentary joint committee increase transparency and strengthen the existing accountability and oversight measures. They have been agreed upon and ensure that the powers in the bill are to be used only when required to facilitate the legitimate and lawful operations of law enforcement and national security agencies. The amendments also enhance measures which prevent so-called 'back doors' from being introduced into networks and devices. The bill before the House ultimately strikes an appropriate balance between maintaining the privacy and integrity of networks and devices and ensuring agencies continue to protect the Australian community. For all those reasons I commend the bill to the House.

Photo of Sharon BirdSharon Bird (Cunningham, Australian Labor Party) Share this | | Hansard source

The question that the bill be now read a second time.

A division having been called and the bells having been rung—

Photo of Tony SmithTony Smith (Speaker) Share this | | Hansard source

As there are fewer than five members on the side for the noes in this division, I declare the question resolved in the affirmative in accordance with standing order 127. The names of those members who are in the minority will be recorded in the Votes and Proceedings.

Question agreed to, Mr Bandt and Mr Wilkie voting no.

Bill read a second time.