Senate debates

Tuesday, 2 February 2010

Telecommunications (Interception and Access) Amendment Bill 2009

In Committee

Bill—by leave—taken as a whole.

1:22 pm

Scott Ludlam (WA, Australian Greens)

I will speak briefly to each of the three blocks of amendments proposed by the Greens because I have already indicated their intent and recorded the opposition of the government, courtesy of the minister, and the support of the opposition for the concept but not for the actual amendments themselves—which is curious and rather unfortunate. I will foreshadow at this stage that I will not call a division on each of the three blocks of amendments that I seek to move but record the Greens support for them. I move Greens amendment (1):

(1)    Schedule 1, page 3 (line 14), after “network”, insert “, including:

                   (i)    measures to protect the technical integrity and security of the network such as intrusion detection or responding to denial of service attacks; and

                  (ii)    automatic monitoring to ensure network traffic operates as intended and any misconfiguration, failure or user error is readily identified and rectified; and

                 (iii)    automatic or manual copying or recording of communications for purposes such as quarantining, analysing and filtering for malicious content, virus and Trojan protection; and

                 (iv)    installation of automated solutions for network maintenance and protection;

                      but does not include activities not directly related to maintaining the technical integrity or security of the network, such as:

                  (v)    screening or altering the content of communications other than to remove malicious code; and

                 (vi)    monitoring the contents of communications other than to identify threats to the network; and

                (vii)    gathering non-anonymised statistical usage information;”.

The first amendment inserts a definition of what we mean by ‘network protection activities’. It just says ‘including’ and is then followed by a list of factors. We do not intend that this definition be prescriptive but rather that it be read as guidance. It arises from the need, as I said before, identified in submissions and also during the inquiry into the bill—including a contribution from the Privacy Commissioner—for a clearer definition of what constitutes ‘network protection duties’. The whole purpose of the act is to protect the privacy of individuals who use our telecommunications systems and also to protect the integrity of the networks themselves. The act makes it an offence to intercept communications passing over the network and, obviously, it is meant to specify the circumstances in which it is lawful to intercept communications. There needs to be a balance, which the act attempts to provide, between protecting privacy and the public interest in having computer network owners and operators able to respond to security threats to the networks that they are administering.

By having such loosely defined terms in the bill, our concern is that the discretion is too broad for network operators to intercept communications and disclose them. There will be no guidance whatsoever in the event that these matters reach a court. The amendment provides such guidance. It is not all encompassing or restrictive but it includes a sense of the scope of the activities that we believe reasonably constitute network protection duties. It also provides guidance and reasonable restrictions on what can or cannot be construed as legitimate network protection duties. I commend the amendment to the Senate.

1:24 pm

Joe Ludwig (Queensland, Australian Labor Party, Manager of Government Business in the Senate)

As Senator Ludlam has pointed out, the government does not support the amendment. The government does not consider that defining what constitutes network protection duties in the manner suggested will clarify the scope of the definition. The concept as it currently stands, in the government’s view, is sufficiently flexible to apply equally to small and large entities. The problem that we would perceive—and this would not be the only issue—is that a prescriptive definition runs the risk of inadvertently limiting the range of activities currently engaged in by individual entities. Such drafting would also be inconsistent with the rest of the Telecommunications (Interception and Access) Act, because it is structured on the basis of being technologically neutral, and any variation to this language runs the risk of obsolescence as technology changes. Furthermore, any attempt to define activities covered by the definition itself does raise definitional issues. For instance, the use of the word ‘security’ is problematic as it has a particular meaning under the interception act. For those reasons the government does not support the amendment.

1:26 pm

George Brandis (Queensland, Liberal Party, Shadow Attorney-General)

We will not find ourselves in a position where we support Senator Ludlam’s amendment either.

Scott Ludlam (WA, Australian Greens)

I put to the minister that I was very clear in my second reading contribution to the bill and also in my introduction to this amendment that we are not seeking to be prescriptive and that the amendment is deliberately drafted in an open-ended way in order to provide guidance rather than to completely nail down what we mean. If the definition should not be provided in the bill and therefore make its way into the act, can the minister tell us where network protection operators can find a common-sense or consensus definition of what is meant by network protection duties? If the definition is not in the act, where can it be found?

1:27 pm

Joe Ludwig (Queensland, Australian Labor Party, Manager of Government Business in the Senate)

The difficulty—and this is why we came back to the issue of not defining—is that, depending on the type of operation that a network operator conducts, they will undertake their own network protection duties, which may vary depending on the organisation, the size of the organisation, the sophistication of the organisation and the types of services that the organisation provides. The point is to try to move away from a definition which pins it down, because you might in fact be imposing duties on some organisations that do not actually require or do not undertake that work. If they are feeling a little pressed about trying to work out how to meet their network protection duties, they can always go to the Attorney-General for a clarification. The difficulty always with trying to provide a prescriptive definition is that, as I indicated earlier, you run into a range of problems by inadvertently limiting activities or, alternatively, by imposing activities on organisations that may be able to meet the network protection duties in some other way. So, by and large, industries will be able to provide that type of protection themselves.

1:29 pm

Scott Ludlam (WA, Australian Greens)

It seems that we are irreconcilable on this matter. I appreciate the minister’s answer. I guess the take-away message for system operators or network administrators is that, if they find their obligations under this legislation ambiguous, they are to give the Attorney-General’s office a call. I guess we will just have to take that advice and make sure that people know that that is their recourse. With no further comment, I commend the amendment to the Senate.

Question negatived.

by leave—I move Greens amendments (2) to (5) on sheet 6011 together:

(2)    Schedule 1, item 9 (line 19), before “For”, insert “(1)”.

(3)    Schedule 1, item 9 (line 25), after “conditions”, insert “relating to network security”.

(4)    Schedule 1, item 9 (after line 29), at the end of section 6AAA, add:

        (2)    The Minister may, by legislative instrument, determine guidelines to assist in the application of this section, including guidelines on the definition of network security.

(5)    Schedule 1, item 15, page 6 (line 27), after “authority”, insert “that is not an appropriate use of the network”.

These amendments relate to appropriate use of disciplinary actions authorised by the bill. Again, given that the stated objective of the bill is to protect network security and to protect computer networks from malicious access and given that ‘disciplinary action’ is not defined in the bill, our amendments seek to link the disciplinary action to the objectives of network security. You might argue these are technical amendments. The proposers of these, who put these ideas forward through the committee process, acknowledge that they are minor amendments. We believe they would improve the integrity of the drafting of the bill. I commend them to you.

1:30 pm

Joe Ludwig (Queensland, Australian Labor Party, Manager of Government Business in the Senate)

The easiest way to put this is that it seems to be more of a query on the scope of certain government security and law enforcement agencies to use network protection information for disciplinary purposes. While not removing this capability, the amendments proposed by the Greens would limit the use of the information to disciplinary action relevant to activities that posed a risk to network security. Of course, the term ‘network security’ is not defined. Rather, the amendments include power for the Attorney-General to develop guidelines on the definition. In practice, though, this would require the Attorney to develop guidelines about network security that apply in the workplace of every state and territory law enforcement agency and every Commonwealth security and law enforcement agency designated as such under the interception act. The nature of these types of agencies means that what is appropriate conduct is a matter for each agency to decide internally with its employees.

It may be that in certain agencies the nature of the work and the legal framework within which that work is conducted mean that the personal use beyond an agreed type does pose a risk to the community. The purpose of the provisions, as set out in the government’s bill, is consistent with their precursors—sections 5, 5F and 5G—which were introduced to ensure that workers in security or law enforcement agencies complied with their agency’s professional standards, including with standards that prohibited law enforcement officers from using work networks to access pornography. The government’s bill gives workers greater protection than those provisions by limiting the communication or use of network protection information for disciplinary purposes to a communication or use that does not contravene another Commonwealth, state or territory law. That is probably the best way of putting the position that the government are not minded to support the amendment. We think in practical terms the bill as it stands will achieve a much better outcome.

1:32 pm

George Brandis (Queensland, Liberal Party, Shadow Attorney-General)

Can I indicate on behalf of the opposition that we will not be supporting these amendments.

Question negatived.

1:33 pm

Scott Ludlam (WA, Australian Greens)

by leave—I move Greens amendments (6) to (10) on sheet 6011 together:

(6)    Schedule 1, page 8 (after line 9), after item 20, insert:

20A  Paragraph 79(1)(a)

After “restricted record”, insert “or a copy of a restricted record”.

20B  Paragraph 79(1)(b)

After “record”, insert “or copy”.

20C  Subsection 79(1)

After “record”, insert “or copy”.

(7)    Schedule 1, item 21, page 8 (lines 12 and 13), omit subsection 79(3), substitute:

        (3)    This section does not apply to a restricted record to which section 79A applies.

(8)    Schedule 1, item 22, page 8 (line 21), after “record”, insert “or a copy of the record”.

(9)    Schedule 1, item 22, page 8 (line 29), after “record”, insert “or copy”.

(10)  Schedule 1, item 22, page 9 (line 6), after “authority”, insert “that is not an appropriate use of the network”.

This is our third and final group of amendments. They relate to an issue that was raised in many of the submissions to the inquiry. The majority report of the committee noted—and this was acknowledged in the contributions of coalition spokespeople on this issue—the requirements for the destruction of copies of intercepted communications as soon as practicable after it was determined that they were not likely to be required for network security purposes or disciplinary actions, so after they were no longer needed. Not while investigations are still afoot but once it has been determined by those agencies that that material is no longer needed, copies of that material should also be destroyed. That is a fairly common-sense principle. It goes to the standards in the act itself, which require an interception agency to ‘destroy a restricted record’. That is the phrase used. So an amendment is needed to ensure that this provision applies also to the intercepted communications enabled by the bill, which I would have thought was fairly straightforward.

The Privacy Commissioner suggested that all intercepted records of a communication, whether the original or a copy, obtained for the purpose of network protection should be destroyed when no longer needed for that purpose. This is very important because, unlike the case with paper materials, copies of intercepted electronic records are in many cases completely identical and indistinguishable from the original. In fact, there is no ability to even distinguish between the original and the copy. The purpose of these amendments is to clarify the fact that copies should not be treated any differently from originals. The ALRC contended that they saw no reason why copies of information obtained from a stored communications warrant should be destroyed but that copies of information obtained from an interception warrant should not. We propose to simply clarify that inconsistency. The Law Reform Commission also noted that the covert nature of interception and access to communications required the safeguard that this material be destroyed as soon as it is no longer required. I would be very interested to hear from both the minister and the opposition as to why this common-sense amendment would not be supported. We concur with the Privacy Commissioner and with the Law Reform Commission on this matter. I commend these amendments to the Senate.

1:35 pm

Joe Ludwig (Queensland, Australian Labor Party, Manager of Government Business in the Senate)

The Greens have proposed amendments to both sections 79A and existing section 79 to require agencies—I think, as Senator Ludlam has outlined—in respect of interception warrant information and all network owners in relation to network protection information to destroy records and copies of records about intercepted information. If I could remind Senator Ludlam, the interception act was amended in 2000, I think before his time, to remove copies of restricted records from the recordkeeping and destruction requirements. Those amendments were proposed by the previous government but they emanated from an inquiry that was conducted by Mr Peter Ford.

13:36:44

The basic tenet, when Mr Peter Ford reviewed this issue in 1999, was that the requirement to track and destroy copies was a costly record-keeping obligation but, more pertinently, did not result in any public benefit. Consequently, the Interception Act was amended in 2000 to remove copies of restricted records from the record-keeping and destruction requirements. The destruction process is not set out in the Interception Act due to the different record-keeping processes of each organisation. However, I think it is fair to add that it is expected that the methods used would be appropriate for the sensitive nature of information accessed under the network protection provisions. Of course, those amendments were made following those to the legislation. The government’s amendments have been drafted in accordance with this finding by the Ford inquiry and any variation to either section would need to be considered in a far wider context in the consideration of that provision itself. The debate would range across issues outside the scope even of this particular bill. The rationale is still sound and the Ford review findings remain sound. It is expected, as I have indicated, that the methods used would be appropriate for the sensitive nature of the information accessed under the network provisions for those organisations to maintain confidentiality for those records.

1:37 pm

George Brandis (Queensland, Liberal Party, Shadow Attorney-General)

The opposition will not be supporting the Greens’ remaining amendments either.

Scott Ludlam (WA, Australian Greens)

I wonder whether we can be clear, from the minister’s point of view, that because this review was undertaken in 1999 it would be too hard essentially to track the whereabouts of copies of material that has been intercepted, that because it would be difficult to do there is then no requirement on agencies either to track or to destroy material that was no longer useful in the course of their investigations, that essentially there is no restriction on material that is potentially relevant to investigations or the original purpose of the interception, that those records can remain on the storage systems of these various agencies effectively in perpetuity, irrespective of their relevance to any given investigation, and can be maintained and that the government believes that is a satisfactory state of affairs.

I do not want to verbal the minister but there is no intention to revisit this issue either in the context of this bill or in any wider context. It seems to me to be a bizarre loophole to say that because it would be difficult to track there should therefore be no obligation on the agencies that are intercepting people’s personal records, people’s personal communications or any kind of data, whether it be conversations, emails, bank records, no matter what it might be. There is no requirement for the destruction of those records. I submit that if this were material that was taken out of a filing cabinet and photocopied there would be a requirement to destroy that material after it was no longer relevant. So I am wondering, first of all, why the minister believes that there should be a distinction between originals of materials and copies, because that I find unfathomable, or why there should be any difference in the way that we interpret electronic materials from the way that we would accommodate the destruction of copies of paper records once they had been seized.

1:40 pm

Joe Ludwig (Queensland, Australian Labor Party, Manager of Government Business in the Senate)

I do understand that it is a sensitive issue. However, I can add that agencies do have obligations on them. It is certainly expected that the methods used for storage and destruction would be appropriate for the particular sensitive nature of the material. The destruction process is not set out in the Interception Act, but there are secondary disclosure provisions in the act which would mean that if there was a secondary disclosure under the act it would be captured by that provision. This government—and I think the previous government—considered the measures contained within the Interception Act to be reasonable, given the nature of the types of information that are sought and held and the agencies which held them. Therefore, it is not a matter that this government is going to reconsider. We do not support the amendments. We think that the current requirements are sufficient to deal with the records that are currently being maintained.

Question negatived.

Bill agreed to.

Bill reported without amendment; report adopted.