Joe Ludwig (Queensland, Australian Labor Party, Manager of Government Business in the Senate) Share this | Hansard source

in reply—I would like to thank those senators who contributed to the debate this morning. Before replying specifically to the matters raised, I would like to address the findings of the Senate Legal and Constitutional Affairs Committee in their report on the Telecommunications (Interception and Access) Amendment Bill 2008, which was tabled out of session on Tuesday, 6 May. Let me begin by thanking the committee for its work in examining the bill and all those who contributed to the inquiry. I know the Attorney-General also appreciates the efforts of the committee in reporting in time to enable to consideration of the bill in this session.

In relation to the proposal to extend the network protection provisions, I note that the committee accepted the need to develop a full legislative solution to the issue. Recommendation 1 of the report stresses the need for a thorough and considered response to achieving a balance between individual privacy rights and network protection requirements. The government agrees with and accepts this recommendation. I would add that part of the reason for seeking the current extension is the considerable legal and technical complexity of developing such a solution. However, I am advised by the Attorney-General that the development of a proposal is well advanced and there is the intention to move to wider public consultation in the very near future.

Recommendation 2 addresses the issue of unique identifiers as the basis for device based named person warrants and returns to a point made previously by the committee: the importance of ensuring that devices to be intercepted under a warrant can be accurately identified. The government accepts the recommendation that priority be given to ‘developing a unique and indelible identifier of the source of telecommunications’. Several further points should be made, though, in this area. First, it is important to note that such identifiers in fact do already exist. These include individual mobile equipment identifiers, commonly known as IMEIs, and media access controls, commonly known as MAC addresses. The fact that these may occasionally be inaccurate as a result of illegal tampering does not invalidate the device based regime any more than a forged drivers licence, for instance, invalidates the state licensing system for driving motor vehicles. Second, agencies and carriers take measures to check that the device identified on a warrant is correctly associated with the person of interest. If a mistake is made and material is inadvertently collected from the wrong person, the law already requires that the material be immediately destroyed. Third, the government continues to work with the telecommunications industry and international organisations to improve the reliability of the unique identifiers. These measures are supported by offences in the Criminal Code that penalise tampering with telecommunications equipment.

Recommendations 3 and 4 also deal with device based named person warrants. The bill as introduced proposed to allow a device based named person warrant to permit the interception of multiple devices as well as to allow intercepting agencies to add further devices to the warrant as they are identified. While the committee appreciated the operational rationale for these proposals, they did not agree to the second aspect—the adding of additional devices after a warrant is issued without independent oversight. The committee took the opportunity to emphasise the importance of maintaining the direct role of issuing authorities in authorising any interception. Accordingly, recommendations 3 and 4 proposed an alternative emergency warrant regime. The government appreciates the efforts of the committee in developing this practical alternative. However, I am also mindful that enacting the recommendation would involve some complex drafting as well as consideration of various administrative and operational issues. Given the time constraints that exist, particularly associated with this legislation, this is not something that can be done within the current bill. As such, the government accepts the recommendation for further consideration. In the meantime, the government has sought to introduce amendments to the bill that remove the provisions allowing agencies to add devices to device based named person warrants. We do that in good faith to ensure that the matter can be more fully addressed.

Recommendation 5 seeks additional reporting for device based warrants. The government accepts this recommendation and has introduced amendments to the bill that provide for separate reporting on the two categories of named person warrants—those that are service based and those that are device based. A new provision also requires reporting on the number of devices intercepted under named person warrants. However, I note that the second part of the recommendation relates to reporting of the number of devices added by agencies after a warrant is issued. It is not necessary to consider this at this point, given the government’s amendments that I referred to earlier.

Finally, recommendations 6 and 7 of the report propose an independent review of the T(IA) Act within three years but with the legislative amendment to require further review every five years. The government accepts this recommendation for further consideration. It is certainly true that the pace of technological change continues to require legislative amendments to the interception regime, and it is not a bad thing for an independent reviewer to periodically reassess the state of the regime as a whole. However, I would take the opportunity to point out that the act has been regularly reviewed, with seven Senate committee legislative inquiries and four independent reviews all in the space of the past nine years. I think I participated in, if not all, the majority of the Senate committees.

I now turn to several specific matters raised in the debate today. I note that Senator Brandis seeks to ensure that any future legislative solution that we may bring forward be brought forward in sufficient time for it to be ably dealt with prior to the sunset provision. As I said in the address-in-reply, it is one of those matters that we hope to bring forward well in advance of the time.

In respect of Senator Guy Barnett, I note that he is now chair of the committee. I appreciate his role as chair and for being—in a similar way to Senator Payne—diligent in his work in this area. It is complex, it is technical and it does require a measure of responsibility to ensure that we balance the needs of the rights and privacy of individuals with the requirements of national security and the requirements of the law enforcement agencies in this area.

I thank Senator Bartlett, and I note the criticism he has raised. I understand Senator Bartlett’s interest in this area; it has extended equally with mine for some years. Senator Bartlett raised a couple of matters in respect of the unique identifiers. Recommendation 2 is that priority be given to developing a unique and indelible identifier of the source of communication as a basis for access. The 2006 amendment act did introduce a regime for access to communication based on unique identification numbers within the device based named person warrant regime, so it is there. I note also that tampering with device based identifiers is an offence, as I have said. The Attorney-General’s Department does continue to work with a broad range of stakeholders, both nationally and internationally, to improve the robustness of the unique identifiers.

In respect of the second matter that Senator Bartlett raised, which dealt with the network protection, there is, in the government’s view, no uncertainty about the application of the T(IA) Act to network protection. Under the T(IA) Act, there are a range of network protection activities, such as automated filtering and blocking of emails. Organisations can and do protect their networks without breaching the prohibition on interception. However, it is recognised that changes in technology have caused the T(IA) Act to apply in situations that were not anticipated when the legislation was enacted. This does have the effect of creating a somewhat arbitrary distinction between different types of network protection activities. I am not in a position to know all the details of individual companies or organisations that undertake different forms of network protection, but in those specific matters the Attorney-General’s Department is happy to work with those organisations or individuals who may have concerns about their current practices to ensure that they fall within the general law and do not breach the T(IA) Act itself. Those matters can be pursued. More broadly, I thank Senator Bartlett for his contribution. As I have noted, he has continued to have a significant interest in this area and continues to challenge this area.

In respect of Senator Nettle, there are two matters that I detect that she has raised, and I note them from previous times. One of them relates to comparison with the US. In response to that—and it is a difficult area, I accept; with any comparison of statistics it is usually best to ensure that we are comparing apples with apples and oranges with oranges, to use a well-worn cliche—the statistics I am aware of appear to indicate that the use of telecommunications interception by Australian authorities on a per capita basis is greater than that of our American counterparts. It is not true to claim that Australians are intercepted more than Americans. Direct comparisons between the Australian and US statistics can be misleading, because legislative controls on lawful interception differ widely between jurisdictions. US laws do not require reporting on warrants in the same manner as Australian laws. I am informed that US laws allow one warrant to authorise the interception of services for more than one person and multiple services for each person—for instance, where it becomes possible to identify criminal associates of the original suspect. This does result in fewer statistical returns than under Australian law, which allows a warrant to authorise the interception of a single telecommunications service or the service of one named person only.

I also note that Australia also reports on the total number of services which are intercepted under named person warrants—information which is not reported in the US. Additionally, the statistics published in the US do not include interceptions undertaken pursuant to the Foreign Intelligence Surveillance Act, which covers matters dealing with national security. Australian law enforcement agencies do not have this discretion and therefore all interceptions must be reported. Therefore I only urge, when making comparisons between Australia and the US, that you take those matters into account. They can provide a misleading summary that is not helpful in the debate more broadly.

In terms of innocent parties—a point that you raised, Senator Nettle, and I also acknowledge that you have continued to have a strong interest in protecting privacy in this area—the T(IA) Act contains several provisions to protect the privacy of innocent third parties, including explicit consideration by the issuing authority of how much the privacy of any person or persons would be likely to be interfered with by intercepting under a warrant. An issuing authority may impose conditions or restrictions on the warrant, requiring revocation of a warrant or ceasing interception of a particular service or device where the basis for the warrant no longer exists, and strict guidelines around the secondary use and disclosure of information obtained under an interception warrant, particularly strict destruction requirements which require that any record which is no longer required or not relevant to the investigation is destroyed. It does have regular, independent inspection by the relevant Commonwealth or state ombudsman for the destruction of records. With those matters, I will conclude.

Question agreed to.

Bill read a second time.