Thursday, 25 September 2014
National Security Legislation Amendment Bill (No. 1) 2014; In Committee
For those who might be following this debate who are not familiar with parliamentary procedure, the general course of events—and it has been this way for me in the six and a bit years I have been dealing with these bills—is that questions are put to the responsible minister and answers are provided. I do not have to like the answers but they are at least provided to the Senate so that we can make our own judgement about the way that the law will operate. What Senator Brandis is doing today is straightforward abuse of the Senate's powers of question and answer. I can do my bit, but if the Attorney-General is refusing to even provide simple answers about the operation of the law, then that confirms for me that we are being treated with contempt. This includes those on the government side, backbenchers and opposition senators who might, in their own private way as senators, be interested in the answers to some of the questions that I am putting.
The Law Council also noted—and I think this is very important, because Senator Brandis has made repeated references to the Parliamentary Joint Committee on Intelligence and Security as the one that came up with these proposals at the outset and has evaluated the government's bill and then, again, evaluated the government's amendments—that the definitions of 'computer' and 'network' in the bill are not in line with the joint committee's recommendations. In other words, the government has actually departed from the recommendations that the PJCIS made.
The Law Council recommended:
… that the proposed provisions relating to computer access warrants be amended, where the warrant will provide access to multiple computers, to require a more direct connection between the computer accessed and the nominated person of security interest, and to define key terms such as “computer network”.
That is a straightforward proposition that I am putting today. Specifically, the Law Council recommended the provisions of a surveillance device warrant be amended so that:
Where a single warrant is issued in respect of multiple devices, consideration should be given to ensuring that the use each different device is justified.
That is how the law has operated in the past. That principle of proportionality and having to justify why it is that it is a requirement, and an urgent requirement, in the security interest that people's privacy be invaded. I fully recognise that there are instances where that is entirely justified. But the way those powers are circumscribed and reported on, as I think as Senator Xenophon has foreshadowed, is absolutely essential. We know little enough as it is about the operation of these agencies.
The Law Council, obviously, is not the only one that made this very strong point about the definition of computer networks. As cited in the bill digest, Gilbert + Tobin Centre of Public Law pointed out:
… in the absence of a definition of ‘computer network’, the definition of computer could potentially capture every computer on a university or public service network, cloud or peer-to-peer network, home computers used to access work-related networks remotely, and, ‘taken to its logical extreme … any computer that is connected to the world wide web’.
That is the proposition that I put to the chamber this morning and Senator Brandis puffed himself up, objected and called me a liar. He did withdraw that under duress from the chair. However, this is obviously not a concern that the Greens are alone in bring into this chamber.
The Gilbert + Tobin Centre for Public Law in their submission pointed out:
Suggested improvements included a definition of ‘computer network’ that requires the individual computers in the network to be linked in a substantive way, such as having shared storage drives, or that is limited to local area networks.
Professor George Williams of the University of New South Wales was quoted in the Sydney Morning Herald yesterday:
… the laws and their amendments did not address concerns that they could enable agencies to tap, access and disrupt target and third-party computers and networks after getting just one warrant.
Professor Williams previously warned the parliamentary committee that the laws were too broad and could allow ASIO to monitor the entire Australian internet as a ‘‘computer network’’.
It is that serious.
Professor Williams is no fool; he has been studying these issues for a lot longer than I have. The problem, of course, is that this applies to computer networks and the internet as a network of networks, that these systems are distributed globally and that putting no upper limit is what creates such a risk.
Electronic Frontiers Australia, it in their submission, have said:
A network can essentially be anything from three computers on a Wi-Fi modem to potentially an entire corporate network or an entire internet service provider network or at the extreme end the whole internet
EFA asserts that the amended definition of computer in sections 4 and 22 of the ASIO Act is too expensive, and may provide a single warrant holder with an enormous number of possible computers to target. EFA notes that by amending the definition of 'computer' and expanding it substantially to include multiple devices, systems or networks, this single amendment would expand the scope of ASIO's powers in a number of other places within the ASIO Act. This is the question that I will put to the Attorney-General shortly.
EFA also notes that this minor amendment relative to the entirety of the act, would have a wildly disproportionate effect on the scope of every single warrant involving a computer—'EFA cannot condone such a rash escalation of warranted power and recommends that a more carefully-defined definition be provided.'
You will notice that the Australian Greens have proposed that rather than falling back on descriptions or definitions of 'computer' and 'computer network' that do not actually exist—although, Senator Xenophon points out that there will be common law interpretations that are used by the courts—anywhere on the statute books, that rather than fooling around with the definition of computer, that we simply provide a cap on the number of devices that can be accessed.
When I have put this proposition to Senator Brandis he sits there dumbfounded and mute, rather than actually putting a view as to why this is not a sensible idea. Perhaps, as Senator Xenophon points out, 20 is too low. As I said before, I understand why ASIO would not want to submit these warrant applications for every single device. Perhaps it should be 50. I am very open to discussion on this, as I said.
Rather than trying to change the definition of a network, we will insert provisions around the number of computers that a single warrant can obtain to access data to disrupt—to install malware, for all we know—all of the various powers that can be contained or that can be exercised under one of these warrants.
Senator Brandis, this may foreshadow the comments Senator Xenophon made before, but I put to you now whether it is the government's intention—or whether you can provide us with where we could find out—that it be possible for the public to know, through the parliament, either through ASIO's reporting obligations, the aegis or perhaps the PJCIS or your own department, how many devices individual warrants ended up allowing lawful access to.