Wednesday, 24 September 2014
National Security Legislation Amendment Bill (No. 1) 2014; Second Reading
I too support the second reading stages of this bill and for the bill generally, but I do have a number of reservations. Fortunately we will be having, I hope, what will be a constructive committee stage of this bill in order to discuss those concerns and in order to appropriately consider the amendments that have been put up.
There is no question that one of the key roles of the state is to protect the public from terrorist acts. That is axiomatic. Public safety is a paramount consideration. But, if you accept the necessity of intelligence agencies—and I do; it is a no-brainer—then you have to accept the necessity for those intelligence agencies to operate in secret and have adequate powers and resources to do their jobs. If you do not accept that they must operate in secret, then you are not being serious about protecting the public. For example, for ASIO to exist it needs a high degree of operational secrecy. It needs to assure all its current and future sources and partners, here and abroad, that it will keep their secrets. Failure to do so, in one case, affects its credibility in all cases. Any compromise of ASIO's credibility, when it comes to protecting its secrets, in one area could affect its credibility in relation to sources and methods in all areas. Similarly, if we are to have an effective ASIS it needs a high degree of operational secrecy. To deny its operational secrecy is to deny its ability to exist. National security is and must be a key goal.
A key role of the state to protect its citizens from harm, from terrorist attacks, must never be an alibi for abuse of power. I have grave misgivings, therefore, about some provisions in this bill that impose harsh penalties for disclosure of intelligence information, with no consideration given to a public-interest exemption. Let me give two examples that are not hypothetical. The first relates to so-called Witness K. I refer to reports that the Australian government had breached international law by ordering ASIS to bug East Timor's cabinet rooms during the 2004 bilateral negotiations over the Timor Sea treaty relating to oil and gas. This cannot possibly have anything to do with national security. East Timor is no threat to Australia. At the time of the special operation carried out by ASIS East Timor was the poorest country in Asia, and during the Indonesian occupation it had suffered the largest loss of life relative to total population since the Holocaust.
A key whistleblower here is a former Australian spy, who is said to be the director of all technical operations for ASIS, which allegedly conducted the bugging operation using the Australian aid program as a cover. This aspect of the allegations is extremely disturbing. If the espionage operation used the Australian aid program as a cover then it has endangered the safety of the good, well-intentioned Australians who go overseas to many parts of the globe in order to work with those who are less fortunate. The Age editorial of 11 December 2013 stated:
… deceit of this kind brings suspicion on all non-government aid workers, irrespective of who they are and what they do. It runs the risk of endangering all legitimate aid workers who seek to help the disadvantaged.
… … …
Aid agencies operate in extreme and difficult conditions, often on the front line of danger and often in countries where they are constantly at risk from brutal regimes. They dare to help when no one else will. To deploy intelligence agents under the cover of aid workers is to exploit the fragile trust that aid agencies must forge with their host country. It weakens their security because it discredits their altruism.
We should be grateful to the ex-ASIS whistleblower and to others like him. The whistleblower, known in the press as Witness K, has not endangered Australia's national security. Instead he has shone a light on a most disreputable episode in Australia's foreign policy. It is unjust to pass a law that would send someone like him to prison for up to 10 years. It is unjust to pass a law that would deprive someone like him of his freedom for a substantial period of his life without any consideration of his motivations—or, indeed, of the public interest considerations in respect of his actions. Whistleblowers like him do not appear to be motivated by money or career prospects. Rather, they appear to be moved by a sense of duty to answer the call of basic human morality. This bill makes no distinction between people like him and people who would do us harm.
Let me put this in perspective so that the Attorney does not misunderstand where I am coming from on this. If there is a special intelligence operation and, as a consequence of that special intelligence operation, there are people working undercover with a terrorist cell and the identity of a person is disclosed, that is a very serious matter and I support the government in treating it as a very serious matter because you could effectively be passing a death sentence on that person—an undercover operative working in a very sensitive operation—by disclosing their identity. So I get where the government is coming from and I commend it for wanting to strengthen the legislation where the lives of intelligence operatives and our sources are put at risk.
But, in the case of Witness K, there is a clear distinction. That is something that I think is very, very different to the circumstances which I have just set out. In circumstances where, as I believe, it was in the public interest to know about that operation, in a matter where international law, I believe, was breached, that person, Witness K, cannot be treated in the same light as someone who is endangering the lives of security operatives who are working to protect Australia's interests.
My colleagues will also be familiar with the case of Dr Mohamed Haneef, an Indian national who was arrested at Brisbane Airport on 2 July 2007 in connection with a failed Glasgow bomb plot. Dr Haneef was held for 12 days before being charged with providing support to a terrorist organisation. This is an offence for which he could have been jailed for up to 15 years. The charge was unsustainable and was quickly dropped. Meanwhile, his immigration visa was cancelled on character grounds. This was later found to be unlawful. The Hon. John Clarke QC conducted an inquiry into the Haneef case. He concluded that Haneef was 'wrongly charged' because an individual AFP officer, Commander Ramzi Jabbour, had 'lost objectivity' and was 'unable to see that the evidence he regarded as highly incriminating in fact amounted to very little'. No disciplinary action was recommended against Commander Jabbour.
I want to emphasise here that the inquiry found that Commander Ramzi Jabbour was 'impressive, dedicated and capable', yet he was acting selectively, even cynically. He was keeping evidence that might exonerate Dr Haneef from the magistrate who was detaining the doctor in the Brisbane lockup, and also keeping evidence from immigration minister Kevin Andrews, who cancelled his visa. This is where this bill is weak: it assumes a best-case scenario at all times and impeccable behaviour by all concerned. Yet Commander Jabbour was not a bad person. Indeed, the inquiry found that he 'presented as a committed, professional and competent individual, and was held in high esteem by the officers he led'. If this operation or something like it had been a special intelligence operation—the Haneef case was an overt, not a covert, operation, but it could just as easily have been a covert operation—the details could not have been reported unless the reporter was willing to risk up to 10 years in prison. It should not be left to prosecutorial discretion whether a reporter should be tried in such a case. There must be a public interest exemption or, at the very least—and I am moving an amendment to this effect—public interest matters must be considered in the course of fixing a penalty.
On the issue of disruption of target computers and third-party computers—and I am grateful to the Attorney-General's office for the communications I have had with them; I will refer to the response I received just a few minutes ago—I want to set out the concerns that have been expressed to me by people who work in the field of cybersecurity. The bill allows the targeting of third-party computers. In other words, it allows ASIO to break into computers belonging to innocent people in order to obtain covert access to a target. What happens when ASIO accesses the servers of an internet services provider to read the emails of a target? If ASIO has obtained the cooperation of the company or the systems administrator by virtue of the ASIO affiliates scheme, then they will be able to do what they need to do with no disruption to the network. So far, so good—but what happens if ASIO decides to breach a system without the consent of the company? If the company spots the intrusion and tells all its clients it has been attacked, would that be disclosing information about a special intelligence operation? The Attorney-General's office has indicated to me in an email, and I am grateful for the information, that would not be the case; but it would be useful in the context of the committee stages to confirm that, because it is a real concern that has been expressed to me.
Another problem I can foresee is that an attempt to enter a network undetected is usually accompanied by privilege elevation, seeking to elevate low-privilege users to super users. This is because user accounts can only read/write their own data and run some applications but systems accounts can read/write any data and run all applications. Successful privilege elevation would allow ASIO continued access via so-called rootkits or backdoors. A backdoor is a method of bypassing normal system authentication accomplished by installing software on the host using remote access administrative tools and exploiting vulnerabilities in the target system such as default administration accounts. While a symmetric backdoor can be used by anyone, an asymmetric backdoor can only be used by the attacker. A rootkit is a stealthy backdoor which provides persistent, privileged access to a system. It is usually installed after the attacker has gained system-level access. It can alter system logs and registry values. What happens if another outfit—an individual hacker, a group of hackers or a foreign government's signals intelligence directorate—detects a rootkit and also gains access after ASIO has done its job? Won't the target be permanently weakened? So the question I pose, and I pose it genuinely and sincerely, is: what safeguards are there so we will not make systems more vulnerable to those who have evil intent towards Australians as the result of an intelligence operation?
On the issue of oversight, as their own Rt. Hon. David Davis, a leading figure on the backbenches of the UK Conservative Party and editor of The Future of Conservatism: Values Revisited, has argued:
Security services handpick recruits who are intelligent, tricky, quick-thinking and determined: the sort of people who will pull out all the stops to protect the public.
This is exactly what our spies should do. However … it is inevitable that any big bureaucracy–government departments or agencies–will at some point misuse the powers it has and the data it holds.
… … …
If we can't trust government departments, the Met or even our health service to respect our privacy and personal information, we should not trust the security services either.
As David Davis points out, 'We cannot expect James Bond to behave like Mother Teresa. That is why there must be clear limits on the spies' powers.'
I would like the Senate to call on the government to investigate the establishment of a committee, independent from the executive arm of government, to oversee Australia's intelligence services in a similar way to the Foreign Intelligence Surveillance Act, FISA, court in the United States or the Parliamentary Control Panel, the G10 Commission and the Confidential Committee of the Budget Committee in Germany; I move my second reading amendment to that effect. There is clear judicial oversight in the United States. The FISA Court, consisting of 11 federal judges who are appointed by the Chief Justice of the United States, meets in secret, allows only the government to appear before it and provides an annual report to Congress concerning its activities. There is also clear legislative oversight in the United States. The intelligence committees and judiciary committees in the Senate and House of Representatives exercise general oversight over all intelligence collection programs and committee members are regularly briefed. Members of Congress receive detailed briefings prior to each reauthorisation. I note that the Attorney's counterpart in the United States, Eric Holder, has done some interesting work in terms of metadata and protocols in place with the media. The media has protocols and safeguards in place so there are not needless metadata searches of journalists, for instance, when contacting their sources. I think that is important and we need to look at emulating that.
There is also excellent oversight in Germany. The parliamentary control commission exercises legislative oversight over the intelligence agencies. The chancellery is obliged to inform this committee at least once every six months about the activities of the intelligence services. The commission can request documents and data and can conduct hearings with members of the intelligence services. The parliamentary control committee's deliberations are kept secret. The parliamentary control committee also appoints the four standing and the four deputy members of the G10 Commission, which serves as a permanent control body for intelligence activities. The commission reviews and authorises all requests for surveillance activities subject to the G10 law. The chair of the G10 Commission needs to have the qualifications to serve as a judge. It meets at least once a month and can schedule on site 'control visits' at German intelligence facilities.
The G10 Commission not only authorises surveillance programs but also controls how these programs are implemented regarding the collection, storage and analysis of personal data. The intelligence agencies have to justify their surveillance requests and specify their scope and targets. The German oversight mechanism belongs to the legislative branch and does not include judicial review. I indicate parenthetically that they have those safeguards in Germany as a result of the excesses of the Stasi in communist East Germany and their enormous surveillance of citizens. When Germany was reunified this was the response, in a sense, to deal with those excesses. These are safeguards so the awful excesses of the Stasi are never repeated in Germany.
By comparison, Australia currently has the weakest oversight mechanisms. This is not a criticism of this government. This is something that has occurred—it is almost a cultural issue—over a number of years. It lacks institutionalised review of surveillance programs from both the legislative and judicial branches of government. Despite claims that Australia's courts may be unable to evaluate intelligence expertly, courts routinely evaluate complex evidence in other areas from complex corporate transactions to elaborate taxation schemes and highly structured trust arrangements. Courts do not typically object that they lack expertise in the complex areas of commercial litigation, taxation, mergers and acquisition deals. I believe our judicial officers have the capacity to provide the sort of oversight that they have in the United States, Germany and the United Kingdom.
Finally, I want to refer to the comments made by Bret Walker SC on the national security amendments on ABC's Lateline program last night in an interview with Steve Cannane, the presenter of the program. I will refer to this more in the committee stage of this bill, but I think it is fair to say that Mr Walker had some views as the former first Independent National Security Legislation Monitor and as someone who is highly respected in the legal profession nationally in this country. There are concerns about what the implications will be of releasing information in the instances I have given of Witness K. In the Haneef case clearly there were some issues that were unsatisfactory. If it had been a covert operation, it would have led to significant penalties for anyone reporting on it. Mr Walker SC does distinguish between that and someone deliberately sabotaging a special intelligence operation—and I acknowledge the risk that poses to the men and women of our security services and their associates whose lives would be at risk if that information were disclosed. That is why we need to have appropriate and significant penalties.
But it was put to Mr Walker whether the same sort of penalties ought to apply if, for example, there were politically embarrassing leaks from the intelligence service that did not endanger lives. I think that what Mr Walker said—his caution in respect of that—ought to be heeded. I am concerned that there is no distinction made between someone who is clearly acting in the public interest where there is no question of an intelligence officer's life being at risk or indeed the operation being at risk, such as the Witness K example with respect to East Timor.
These are matters that need to be explored in the context of the committee stages. I have provided the Attorney-General's office details in advance of some of my concerns, because I do want there to be a constructive discussion in relation to this. I genuinely want to engage with the government in respect of this, but I have concerns that some parts of the legislation have gone too far without adequate safeguards. I think that is why the committee stage of this particular bill is particularly important.