Thursday, 6 December 2018
Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018; Second Reading
National security requires determination to do what is required to thwart those who could harm our people and nation. It equally requires an acute awareness that we must not damage the rights and democratic freedoms that we should be working to protect at all times. These issues should not be twisted in an attempt to gain partisan advantage. They should be the subject of careful, sober deliberations. That isn't what we've seen from the government over the past two weeks, and it's not what we're seeing in the Senate this afternoon.
Just over two weeks ago, the Minister for Home Affairs, Peter Dutton, cynically sought to exploit a tragic knife attack by an alleged extremist and the arrest of three other terrorist suspects by trying to bully this parliament into passing this controversial encryption bill, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, before Christmas without full scrutiny and debate. When Labor suggested that consideration of the bill by the Parliamentary Joint Committee on Intelligence and Security should not be truncated, Mr Dutton accused Labor of being weak on terrorism. Today Prime Minister Morrison hopped on board, declaring that the opposition leader, Mr Shorten, is 'a clear and present threat' to national security. This would be funny if it weren't so disgraceful.
This bill does deal with a serious problem. Encryption is undoubtedly a significant and growing problem for our intelligence and law enforcement agencies. Serious and organised criminals and persons seeking to harm Australia's national security routinely use telecommunications services and communication technology to plan and carry out their activities. Interception under warrant of those communications as well as access to stored telecommunications information have greatly assisted our law enforcement and security agencies in their efforts to deal with these threats. It is claimed that terrorists and criminals are now effectively going dark by communicating and orchestrating their plans by encrypted messaging apps like WhatsApp, Signal, Telegram and others.
Our law enforcement and security agencies made their case that they are unable to access information, sometimes time-critical information, that was previously accessible. That said, this is not a problem that has developed overnight. The increasingly widespread use of encryption has been identified as a law enforcement and security problem for quite some time. Nor is it the case that counterterrorism, counterespionage and criminal investigations have suddenly come to a halt. The Department of Home Affairs' most recent annual report on telecommunications interception and access shows that in 2016-17, 3,717 interception warrants were issued to law enforcement agencies. During that year, information obtained under interception warrants was used in over 3,300 arrests, over 4,300 prosecutions and more than 2,700 convictions. In 2016-17, law enforcement agencies also made nearly 400 arrests, conducted over 1,000 proceedings and obtained over 440 convictions based on evidence obtained under stored communication warrants. The telecommunication intercept and access statistics relating to law enforcement do not indicate a sudden drying up of valuable information or a collapse in investigations, prosecutions and convictions. On the contrary, comparisons to the most recent figures with earlier years suggest that, notwithstanding the increasing use of encryption, telecommunication interception and access remain very valuable law enforcement tools.
Is there a crisis here? I don't doubt that encryption is a significant and growing problem for law enforcement and security agencies, but one cannot but think that, in making the case for this legislation, some of the advocates may be over-egging the pudding. It is also the case that very serious concerns have been raised by IT companies and security and privacy experts that this legislation will effectively open back doors that may systematically compromise internet security, including services used by Australians every day. The security and law enforcement agencies may differ on this, but these concerns cannot be lightly dismissed. They cannot be swept under the carpet.
One of the big disappointments of this process is the failure of government to consult more closely and more effectively with industry at a much earlier stage in the development of this legislation. An exposure draft was made available prior to the formal introduction of the bill in September, but it is clear that the truncated process was intended to give the appearance of consultation and little more than that. What the government should have done was engage with industry and get our security and law enforcement experts to sit around the table with industry and thrash out solutions that would meet perspectives and concerns of both sides.
And where are we today? The government wants to push the bill through the parliament in a single day and wants to do so after incorporating, only this morning, 50 pages of 173 amendments. While the PJCIS has done a good job in hastily producing an initial report on the legislation, it is far from clear that the government's amendments represent an adequate response to the PJCIS's recommendations. Some of the government's amendments may well improve the bill by adding various safeguards. There are now a few bells and whistles attached. The range of agencies able to seek and demand assistance to overcome encryption has narrowed, but only marginally. After all, the overwhelming bulk of telecommunication interception warrants recorded in the Department of Home Affairs annual report are issued to the major law enforcement agencies. In 2016-17, 3,175 warrants were issued to the Australian Federal Police and state police forces—that's 85 per cent of the total of the 3,717 warrants issued to law enforcement agencies, a figure that doesn't include ASIO's activities. Taking state anticorruption bodies out of the mix is marginal.
Similarly, the introduction of the role of the communications minister in addition to the Attorney-General in relation to the giving of technical capability notices appears to be a worthy measure, but it doesn't amount to much of a safeguard. When it comes to questions of national security and organised crime, I doubt that the communications minister, who is staring at me from across the chamber, would be very much a force of restraint outside the National Security Committee of Cabinet. Moreover, no ministerial sign-off is required for technical assistance notices, which are, in many respects, as far-reaching as the technical capability notices, given that they can also require companies to remove a form of digital security. Unlike capability notices, assistance notices do not require any consultation period with the communication provider and can take immediate effect. Assistance notices can be issued and subsequently varied by delegated officers within the enforcement agency, not just by the head of that agency.
Back doors aren't just an issue for encryption systems; the legislation itself has more than a few back doors. A great deal of discussion has focused on the question of decryption assistance that might introduce systemic weaknesses into communication and other systems. It is remarkable that the bill was originally introduced without any such definitions. In its report, the PJCIS notes:
The Committee notes the evidence of the Director-General of the Australian Signals Directorate that a "systemic weakness" is a weakness that "might actually jeopardise the information of other people as a result of that action being taken". The Committee also notes the evidence of the Director-General of Security, that the powers in Schedule 1 will not be used to require a designated communications provider to do anything that jeopardises the security of the personal information of innocent Australians. Having regard to those assurances, the Committee recommends that the Bill be amended to clarify the meaning of the term 'systemic weakness', and to further clarify that Technical Capability Notices (TCNs) cannot be used to create a systemic weakness.
The government's amended bill now proposes definitions of systemic weakness and systemic vulnerability:
systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
That may be all well and good, but these definitions look more like a quick drafting fix knocked out by the government lawyers overnight than a serious effort to address what is a very complex, technical and, indeed, mathematical issue. At the very least, a form of words closer to those employed by the Director-General of the Australian Signals Directorate would be more preferable. What does industry think of these definitions? The initial reactions are negative, but the truth is that no-one had any time to think through any of it properly. Labor's opposition amendments propose definitions that might provide somewhat stronger protection against the sort of unintended consequences at risk here.
On balance, Centre Alliance is prepared to support Labor's proposed amendments, but that doesn't make this whole process in any way acceptable. To suggest that the Senate today should rubber-stamp these very complex proposals, fraught as they are with potential unintended consequences, is plainly ridiculous and downright irresponsible. This is, indeed, the worst type of legislation on the run. The government is trying to push through complex, controversial legislation without the opportunity for serious scrutiny or examination and without the opportunity for a committee stage. At the very least, the government's amended bill should be referred back to the PJCIS for further review, including input and comment from industry. The same should be done with Labor's proposed amendments. Then we might have more confidence that the Senate is not moving to approve measures that contain serious flaws and may bring about unintended consequences harmful to both national security and personal privacy. The PJCIS will apparently continue its encryption inquiry. Clearly its work is not finished.
Meanwhile, there is no excuse for the Senate to pass legislation this week without the further scrutiny it clearly needs. There should be no short-circuiting of the parliament's duty to carefully and methodically scrutinise the executive government, especially the powers and the work of our security intelligence agencies. Unfortunately, it appears that the Labor opposition has buckled and has agreed to a flawed and inadequately considered bill. As that occurs, my sense of deja vu will be complete.