Nick McKim (Tasmania, Australian Greens) Share this | Hansard source

The Greens have been standing firmly against the government's agenda of warrantless, mass surveillance of Australian people for over five years. We have been standing up for basic human rights of Australian citizens—rights like privacy and correspondence without arbitrary or unlawful interference. Throughout this time, both the coalition and Labor governments, locked in zombie lock step, have engaged in a continual barrage of attacks against the rights of the Australian people. Both the establishment parties have stood united in their disregard for human rights, using fearmongering about national security as an excuse to continually strip back the rights of ordinary Australian people. The telecommunications sector security reforms, the TSSR, proposed in Telecommunications and Other Legislation Amendment Bill 2016 require telecommunications carriers and carriage service providers to detect telecommunications infrastructure in the national interest.

The office of the Attorney-General have the power to collect any type of information from telcos and, in turn, share this information with the AFP and third parties. Without clear guidelines as to the types of data that constitute any information, this legislation extends beyond the existing metadata creation, retention and disclosure regime. Even with the addition of clear guidelines, this legislation still represents duplication of the data retention scheme and for the same purpose. The Greens do not support this dragnet surveillance of Australians under either scheme.

A key difference under this new legislation is the government's attempt at having no defined reporting obligations. While the Attorney-General will be able to choose to collect and access private communications metadata under the TSSR, he had no intention of being held accountable to the same checks and balances, such as they are, that are in place for the metadata creation, retention and disclosure regime. Metadata collection under the TSSR does not require authorisation or notification, and the Commonwealth Ombudsman is not granted oversight powers. But, even with the clarifications of these reporting obligations under today's amendments, what guarantee do we have in this place that the Attorney-General will choose to honour them?

Today I was going to give notice of a motion for the Attorney-General to produce the Telecommunications (Interception and Access) Act annual report for 2015-16. This is the report in which the Attorney-General sets out the extent and circumstances in which eligible Commonwealth, state and territory government agencies have used the powers available under TIA Act. This is the report in which the Attorney-General tells us about the government's data retention activities for the first time. So imagine my surprise when this report was tabled this morning—at one minute to midnight: only minutes before the start of this debate in the Senate. I have seen attorneys-general in the Tasmanian parliament and the Commonwealth parliament treat parliaments with contempt on a number of occasions, but I tell you what: this one just about takes the cake. This is a ridiculous and insulting action for the Attorney-General to take, in withholding this report until, as I said, one minute to midnight—just minutes before the start of this debate today. I want to place on the record that the timing of the Attorney-General tabling this report in the Senate this morning was clearly designed to prevent this Senate from having the opportunity to analyse the information and data in that report and use that information and data to inform our position on this legislation and our contributions on this legislation—an utter disgrace from the Attorney-General.

As the new data retention obligations came into effect on October 2015, that report is the first report from the Attorney-General that includes the new obligations under the data retention act. He has deliberately held back on fulfilling his reporting obligations in a timely way, and yet here he is asking for more open-ended, obligation-free access to the private communications of the Australian people. There had been two whole years of telecommunications interception and access with zero reporting and, therefore, zero government accountability until today. The Attorney-General has held back the vital reporting on the new data retention obligations until, as I say, one minute to midnight, in an attempt to ensure that this Senate remains in ignorance about the matters contained in that report.

We have, however, had time to review the Commonwealth Ombudsman's report on monitoring of agency access to stored communications and telecommunications data for 2015-16. And what a concerning picture that report paints. It is a picture of non-compliance in record-keeping provisions and warrant conditions and restrictions from several agencies, the worst being from the Australian Customs and Border Protection Service, as they then were. Customs were found to be non-compliant or were unable to demonstrate compliance across each of the Ombudsman's inspection criteria. Customs did not have processes in place to demonstrate that they were following regulations relating to lawfully accessing, managing and keeping records of access to communications data, and the ombudsman's report indicated that they were not cooperative or frank for the inspection. That is yet another damning indictment of the now Department of Immigration and Border Protection under the bumbling, incompetent minister for immigration, Mr Dutton. Customs did not have processes in place to demonstrate, as I said, that they were lawfully accessing communications data. There were also a number of instances of warrants being exercised by a person who was not authorised across other departments, including the AFP.

This legislation that we are currently debating also gives power to the Attorney-General to direct telcos to do or to not do something to their networks in the name of national security. It is easy to understand why this is making carriers and service providers uncomfortable. The Attorney-General and the coalition government have proven time and time again that they are digitally illiterate. We have seen their ridiculous demands for access to encrypted communications, and when you add that to their long list of spectacular government system failures—the census fail, the robo-debt fail, the Centrelink and Medicare data links fail and, of course, the rollout of a substandard NBN—it paints a very concerning picture about this government's digital literacy. Let's be clear, just about every computer system the government touch turns to hashtag #fail. This government have shown that, without a doubt, they cannot be trusted to keep government networks and systems safe and secure, so why on earth would we in this place give them the power to dictate network security to the private sector as well?

The industry associations are also concerned that they could face very high costs to rebuild existing networks without limitations on the requirement for carriers and service providers to retrofit or remove existing facilities. The legislation also forces telcos to inform the government of changes to their networks. The joint submission from the telecommunications industry associations to the PJCIS warned:

… the onerous nature of the compliance requirements will act to hamper the responsiveness of … cyber threats—

as well as:

… divert scarce resources away from investing directly in addressing cyber security threats …

They also highlight the prescriptive and one-sided nature of this legislation, and point to more collaborative approaches used in places like the US, the UK and Canada. The US's cyber security act creates a framework for the voluntary sharing of cyber threat information between private entities and the federal government, with the goal of exchanging cyber threat information rapidly and responsibly. It also contains measures to protect privacy by ensuring personal information is not unnecessarily divulged. The UK's National Cyber Security Strategy also employs a far more collaborative approach, in which the government shares threat information with industry and provides advice and guidance to industry on managing risks.

The industry associations note:

… policy makers and Government should give considerable weight to the expertise of network providers in designing and safeguarding their networks and the clear commercial incentive that exists in a highly competitive sector to drive security by design in network architecture to ensure operational reliability and customer trust and loyalty.

'Trust' and 'loyalty': these are not terms that can be attributed to customers of the NBN or of online government systems at the moment, due to the government's epic fails in a range of areas that I have pointed out in this speech.

Industry associations describe this legislation as 'onerous', 'excessive' and 'one-sided'. They warn that the TSSR regime will not be adaptable or flexible enough to tackle risks that will emerge. Much like this government, it will not be agile enough to meet the challenges of the 21st century. Much like this government, it is out of step and, at the same time, it is a massive overreach. It places excessive and onerous demands and obligations on telecommunications companies, demands which are likely to put infrastructure at greater risk. It puts Australians in a position where they will have their rights to privacy stripped away without their knowledge and to no benefit in terms of the public good. It does all this with no obligations for the government to share information of threats with companies or to provide transparency of their actions to Australians.

The Australian Greens have been opposing this government's flagrant disregard for human rights to privacy and its agenda of warrantless mass surveillance of Australian citizens for more than five years, and we have been opposing it no matter what the political stripe of the government of the day. As we have done, we will continue to do by opposing this legislation. We oppose the Attorney-General collecting, storing and accessing Australians' private communications information under any scheme. We oppose the Attorney-General having a choice of schemes whereby he can pick or choose the rules and guidelines under which he accesses this private information. We oppose the Attorney-General, who has more than proven his digital illiteracy on a number of occasions, being in a position to tell telcos and ISPs how to make their networks 'more secure', likely, we point out, actually making them less secure in the process. We oppose these privileges being granted to the Attorney-General when he has already been shown to be prepared to deliberately hold back on fulfilling his reporting obligations under the existing metadata creation, retention and disclosure regime.

We oppose the government's onerous, excessive, one-sided plan to put Australian telecommunications infrastructure at risk by further imposing their incompetence on the Australian telecommunications industry. And we once again urge Australians to stand up and protect their rights to privacy as the government has shown it is not prepared to do and, in fact, that the government has demonstrated it has utter disregard for.

Why is the Attorney-General tabling the Telecommunications (Interception and Access) Act 1979 report only minutes prior to this bill being debated? Just as pertinent, when can we expect the report for the year 2016-17 to be tabled? The 2015-16 one was over a year overdue, so when are we going to get the 2016-17 report? How does the government respond to the industry associations' concerns that the underlying approach of this bill is flawed and that it is more likely to make Australian telecommunications networks less secure due to the one-sided, onerous and excessive nature of obligations for carriers and carrier service providers that constitute the massive overreach contained in this legislation? And why is the government seeking to duplicate data retention under this scheme and how will the overlapping and duplicated schemes and data be handled?

In conclusion, we have zero confidence in this government's capacity to oversee the scheme that this legislation proposes to create, because the government has shown, time after time, that they are digitally illiterate, that they treat their reporting requirements to this parliament with utter contempt and that they simply cannot be trusted to run computer systems and networks securely and to protect the private data of Australians in the 21st century.