Jim Molan (NSW, Liberal Party) Share this | Hansard source

I rise to speak on the Telecommunications and Other Legislation Amendment (Miscellaneous Amendments) Bill 2019. I have been a member of the Parliamentary Joint Committee on Intelligence and Security for only a couple of months. Many other members of the committee have been on that committee for many, many years, and the corporate knowledge within that committee of human rights, of technology, of the processes that this Senate chamber goes through and that the lower house goes through is deep and very detailed.

People have often asked me why we only have the government and the opposition on the PJCIS. Unfortunately, we've seen today why that is the case. We heard from Senator Steele-John words such as 'anger', 'ignorance' and 'risk'. I don't mind risk. Everyone must look at risk. Everyone must take risk. Governments take risk all day, every day. But how patronising of Senator Steele-John to say that we do not understand the technology. I find that absolutely patronising—as though the Greens have a monopoly on understanding technology. I suggest to Senator Steele-John that, firstly, he read the bill and, secondly, he understand the bill. As for the amendment, which suggested that this legislation should go to the Legal and Constitutional Affairs Legislation Committee, we have put the most amazing amount of time and effort into this, and it is a continuing process, so to derail that process now is totally irresponsible.

Of course, the reason that we only have the opposition and the government on this committee was, I think, shown by the speech made by Senator McAllister. Having been in the Senate now for only 12 months, I am overwhelmingly impressed by the fact that in this committee we do not politicise issues such as this. We have an extraordinarily bipartisan approach to these incredibly important activities. It is extraordinarily robust. It's not as though compromises through ignorance of technology or lack of understanding of human rights occur; it is incredibly robust.

Some of the most important things that have continually come out of this, both in the popular media and in the committee itself, are the issues that industry has brought before us. I understand the concerns of industry; I deeply understand the concerns of industry. They are concerned about systemic weaknesses, which Senator Macdonald has spoken about in some detail, and I will build on his speech. I acknowledge the difficulties of this bill and the complexity of the bill, but, as I say to just about everyone in the debates I've been involved in in the open media, read the bill in the first instance, which so many people have not. I say understand the bill, which is complex and hard, but it is necessary. I then say let's see it in operation. We will report again by 3 April. Let's see it in operation, and then we will learn and then the confidence will come.

I will speak in passing only on the background of this bill, because I think that Senator Macdonald has covered in great detail what the bill is, as has Senator McAllister. I'll speak a little bit about the government reaction and a lot about systemic weakness and back doors. I'll speak about the implementation of the bill, and we've had a period of implementation of the bill. What you've got to do when you put in a complex activity like that is implement it, look at it and learn from it. If there are changes to be made in our continual struggle for perfection, then we make those. I'll talk about the framework that we've implemented to implement it: the speed, the compressed time line that we worked in for operational reasons; issues such as authority creep and metadata, passwords, oversight, how international companies have looked at this, and the harm to Australian industry and other comments. If I can get through that in 15 minutes, I will be astounded, but I'll give it a good go.

On 5 December 2018—and it's very important that we lay down, through Hansard, the process that we have gone through to bring this bill into being—the committee tabled its report on the act, which focused on the urgency and operational benefits of key measures in the act. The government accepted, in principle, the 17 recommendations in the committee's report and moved 167 amendments in the House of Representatives to implement these recommendations on 6 December 2018. The act passed both houses later that day.

On 21 December, the government provided agencies that were going to implement this over the Christmas period with comprehensive interim guidelines to support the use of their new powers until more detailed industry consulted guidance could be developed. The committee has commenced, as Senator McAllister has laid out, another review of the legislation, focusing on implementation and the government amendments, passed on 6 December 2018. We will report by 3 April 2019.

On 9 January 2019, the government approved 21 companies and industry bodies to form a consultation group for the development of administrative guidance material. An issues paper was released for distribution and industry comment on 1 February 2019. The government delivered onsite training, on 24 January and 4 February 2019, on the use of the powers to the police forces in New South Wales, Victoria and Queensland.

On 29 January 2019, the Department of Home Affairs provided a submission to the committee review addressing how the amendments to the legislation are consistent with the committee recommendations and how the act is being operationalised, and from being operationalised we will learn. On 8 February 2019, the Department of Home Affairs provided a supplementary submission addressing concerns raised in submissions to the review by the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman, and this has been mentioned before.

The government has now introduced the Telecommunications and Other Legislation Amendment (Miscellaneous Amendments) Bill 2019. The miscellaneous amendments bill brings forward the review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 by the Independent National Security Legislation Monitor. That review will happen before, rather than after, June 2020 and ensures that the Commonwealth and state anti-corruption bodies are able to use the industry assistance powers in the assistance and access act that we're talking about.

Of course, one of the big ongoing questions, which was raised by Senator McAllister quite rightly, is the definition of 'systemic weakness'. The act defines 'systemic weaknesses' or 'vulnerabilities', to be a weakness or vulnerability that affects an entire class of technology—that is, it's a weakness that relates to a whole system rather than to a particular part. Defining 'systemic weakness' or 'vulnerability' as something that affects a whole class of technology ensures that items of technology cannot be made less secure. This means that the government cannot require companies to weaken their product or services in a way that would undermine widely used security measures. Without a definition of 'systemic weakness'—and we spent hours in the committee discussing this definition—a significant threshold is removed from the process of determining if the exercise of the power is prohibited.

Other definitions that have been moved in parliament may create greater ambiguities or may be too descriptive. The act refers to the prohibition against building or implementing a systemic weakness or vulnerability in the context of electronic protection. Without reference to 'electronic protection', which includes passwords, encryption methods and other security layers, it's unclear what kind of weakening is prevented by the prohibition.

There is a framework to implement this, and the government continues to work closely with agencies to facilitate implementation and operationalisation of the act. On 21 December 2018, the Department of Home Affairs provided those comprehensive interim guidelines I spoke about before to support the use of these new powers over the Christmas period. The Department of Home Affairs is delivering onsite training to the police forces that will have to implement these powers. The government has been advised that, in late 2018 and early 2019, agencies have used the industry assistance and computer access powers in the act. I'll just repeat that: the agencies have used the industry assistance and computer access powers in the act, and the world still exists.

Agencies have indicated that they will take a collaborative approach with industry in utilisation of the industry assistance powers, commencing with what's called 'technical assistance requests'—the definition of which and the description of which are in the act—to engender support and cooperation. The government continues to consult with industry stakeholders to ensure their views are incorporated in the ongoing implementation of the new framework. The government has collated a comprehensive industry information package for regular distribution to industry members, providing further details on the intended operation of the act. Twenty-one companies and industry bodies have been identified to form a consultation group for the development of administrative guidance material. An issues paper, as I said before, is out there for them.

We've done this fairly fast. It's was important that it be done fast because we faced an operational challenge over the Christmas period. The use of encrypted messaging applications by terrorists, as Senator Macdonald spoke about in some detail, represents a significant threat to the safety of all Australians, and this creates an appalling blind spot for our agencies as they work to protect us. It's vital they be given the appropriate tools in the 21st century to detect and disrupt attacks. The need for the powers in the act became more urgent in light of the fatal terrorist attack in Melbourne in November of last year. The likelihood for further attacks was heightened, as we've all agreed, during the Christmas period that we've just come out of.

The measures in the act are a holistic answer to the challenges posed by encryption and modern communications. The act allows our agencies to address current and emerging threats in the following ways: by modernising the way they seek industry assistance and allowing them to work together with providers to identify new ways to address extant risks. We are working together with providers by enhancing computer access and alternative collection methods that enable them to work around encryption without compromising it—again, I repeat: to work around encryption without compromising it—and bolstering overt access to devices by compelling users of a relevant device to handover passwords.

The criticism is often made of this act that there is, manifest within this bill, what has been called authority creep, and that authority creep relates to metadata. The act does not allow agencies to request metadata. Interception agencies will continue to request metadata if they need it through the Telecommunications (Interception and Access) Act. The data retention legislation restricted the number of agencies that could make such covert requests through this legislation. A broader range of agencies have always been able to request information from carriers through the telecommunications act itself. This act allows a disclosure of data consistent with the notice-to-produce powers of a Commonwealth, state or territory agency.

The question then arises quite often in popular context: does this address the issue of passwords? Well, no. Passwords are a form of electronic protection. We cannot build a capability to remove passwords. That is in the bill. As has been made very clear, this legislation does not allow new capabilities to be developed that enable the removal of a form of electronic protection, passwords being one of those forms.

What about oversight? If you are going to give people and agencies powers, you must always have an appropriate level of oversight. All requests and requirements of industry are subject to extensive independent oversight by the Inspector-General of Intelligence and Security, the Commonwealth Ombudsman or state and territory oversight bodies. The integrity body must be notified when a notice for assistance is issued, varied, extended or revoked. The integrity body has the authority to inspect agency use of powers at any time and may make a report to parliament on the outcome of their inspection. Compulsory powers carry additional oversight measures to ensure they are used appropriately. One in particular, probably the most complex one, which is called a technical capability notice, may only be issued by the Attorney-General. A company may also refer any requirement to build a capability to an independent assessment panel consisting of a retired judge and a technical expert. This panel must consider whether proposed requirements will inadvertently, as parts of the industry have argued, create a back door. Further, any decision to compel assistance may be challenged through judicial review proceedings.

Some people have asked: why aren't these notices issued by a judge? It is all part of the normal oversight. Judicial authorisation is typically reserved in this country for intrusive powers that access personal information and data. These notices we were talking about before are designed to facilitate industry assistance. Warrants are still required to access content, and that is critically important. There are robust safeguards built into the framework, including a statutory reasonableness test, ministerial oversight and judicial review, as I've spoken about before. These are on top of the prohibition on systemic weaknesses and accessing personal content. That might be complex, but it requires you to actually read the bill and to understand the bill.

What about international comparisons? There is one that you can make, and that is to the Investigatory Powers Act 2016 from the UK. The legislation that we are looking at is far narrower in scope and application than the UK's Investigatory Powers Act. The UK act reformed interception powers, imposed data retention requirements and allowed for bulk collection of data. This act does none of these things. Unlike the Australian legislation, the UK act does not prevent the building of a capability that removes encryption or other forms of electronic protection. The government understands the UK powers can also be used to require providers to build core interception capabilities, and this is not enabled via the assistance and access act.

Australian notices are subject to a global safeguard that means industry can't be required to build flaws in their system, and industry cannot be required to stop making their systems more secure. This comes to a very, very interesting conclusion. Will the act harm Australia's technology industry? During the development of the legislation, the government recognised concerns that the act may harm Australian products' competitiveness at market. However, the legislation includes provisions for companies to publish statistics regarding the number of requests or notices they have received. This will leave most companies unaffected, as they will be able to disclose that they have not been asked to provide assistance, while companies who do assist can demonstrate that their systems are not compromised by the assistance provided, consistent with the act's explicit protections against the creation of back doors and degradation of security features.

This is a very complex, very large and very important bill. It does not require reference to any other committees. It has been worked through in a process of bipartisanship—not politicised—in a very, very robust way, and it is a credit to the PJCIS. I recommend the bill.