Senate debates

Tuesday, 21 August 2012


Cybercrime Legislation Amendment Bill 2011; Second Reading

5:50 pm

George Brandis (Queensland, Liberal Party, Shadow Attorney-General)

This is a bill to make the amendments necessary to facilitate Australia's accession to the Council of Europe Convention on Cybercrime, known as the Budapest Convention. Amendments require carriers and carriage service providers to preserve telecommunications data for specific persons when requested to do so by domestic agencies or by the Australian Federal Police on behalf of foreign countries. In addition to the Council of Europe members, the Budapest Convention has been acceded to by the United States, Canada, Japan and South Africa. The convention was tabled in this parliament on 1 May 2011 and it is the subject of a report by the Joint Standing Committee on Treaties.

The convention is the first international treaty on crimes committed either against or via computer networks. It deals particularly with online fraud, child pornography and the unauthorised access, use or modification of data stored on computers. The convention's main objective is to pursue a common criminal policy by adopting consistent legislation and fostering international cooperation.

The bill makes amendments to the Telecommunications Act 1987, the Telecommunications (Interception and Access) Act 1979, the Mutual Assistance in Criminal Matters Act 1987 and the Criminal Code Act 1995. The principal effects of the amendments are: to require carriers and carriage service providers to preserve the stored communications and telecommunications data of specific persons when required by certain domestic agencies or when requested by the Australian Federal Police on behalf of certain foreign countries to do so; to ensure Australian agencies are able to obtain and disclose telecommunications data and stored communications for the purposes of a foreign investigation; to provide for extraterritorial operation of certain offences in the Telecommunications (Interception and Access) Act; to amend the computer crime offences in the Criminal Code so that they have adequate scope; and, finally, to create confidentiality requirements in relation to authorisations to disclose telecommunications data.

The Joint Standing Committee on Treaties' report, while recommending accession to the convention, identified a number of concerns that would arise from any enabling legislation. In addition to the loss of autonomy in future domestic law reform on the issue, there are concerns about privacy and jurisdictions in particular, to which I will turn.

Dealing first with the issue of privacy, submissions to the Joint Standing Committee on Treaties complained that the convention does not contain sufficiently robust privacy and civil liberties protections to offset the increased surveillance and the information sharing powers that it implements. The powers governing the real-time collection and preservation of computer data were identified as being of particular concern. However, powers for mass surveillance activity, such as wire tapping or eavesdropping, are not enhanced by the legislation because the amendments are limited to telecommunications legislation, which requires the issue of a warrant, and do not extend to surveillance devices. Disclosure of real-time data is limited to investigations relating to a criminal offence punishable by at least three years' imprisonment. In addition, the acts to be amended by this bill contain their own fairly robust privacy safeguards and accountability mechanisms.

On the question of jurisdiction, the proposed legislation may have some effect on state and territory governments because some of those governments do not currently criminalise activity but they will be bound by amendments to the cybercrime offences in the Criminal Code. The government of Western Australia, for instance, submitted that:

It is important to note that accession to the convention should not create further bureaucracy, which could act to stifle established links between agencies, particularly those formed at a state level. WA police already have strong ties with a number of service providers in attempting to tackle cybercrime. It would be detrimental if accession to the convention were to erode those links.

I note, however, that there is a savings clause in the Criminal Code which provides that Commonwealth computer offences are not intended to limit or exclude the operation of any law of a state or territory. This clause will have continuing effect. Despite those concerns, the bill has been welcomed by the information technology sector. Given the nature of computer based offences, there is a need for a mechanism to detect and preserve evidence that is, by its nature, ephemeral and easily moved. International cooperation and mutual assistance is vital in respect of crimes that are not constrained by national borders.

The bill was referred, as well as to the Joint Standing Committee on Treaties, to the Joint Select Committee on Cyber-Safety, which reported on 18 August last year. The committee made 13 recommendations for amendments. Let me summarise them briefly: one, that the thresholds that apply to the issuing of a stored communication warrant under the Mutual Assistance in Criminal Matters Act for the Telecommunications (Interception and Access) Act for an investigation into a serious foreign offence be the same threshold as applies to domestic Australian offences; two, that the Attorney-General investigate whether the proposed part 3A of the mutual assistance act may prevent stored communications warrants being available to foreign countries for investigation into child sexual exploitation; three, that subsection 8(2) of the mutual assistance act be amended to include an additional discretionary ground to decline a request where the requesting country's arrangements for handling personal information do not offer privacy protection substantially similar to those applying in Australia; four, that the proposed section 180F of the Telecommunication (Interception and Access) Act be amended to elaborate more precisely the requirement that the authorising officer consider and weigh the proportionality of the intrusion into privacy against the value of the potential evidence and needs of the investigation; five, that proposed sections 180A(5) and 180C(2) of the Telecommunication (Interception and Access) Act be amended to ensure that, in determining whether a disclosure of telecommunications data to a foreign country is appropriate in all the circumstances, the authorising officer must give consideration to the mandatory and discretionary grounds for refusing a mutual assistance request under section 8 of the mutual assistance act; six, that the disclosure of telecommunications data to a foreign country in the context of police assistance at the investigative stage and in relation to criminal conduct that may attract the death penalty must only take place in exceptional circumstances and with the consent of the Attorney-General and the Minister for Home Affairs and Minister for Justice; seven, that the bill be amended to elaborate the conditions of disclosure of historical and existing telecommunications data to foreign countries, including in relation to retention and destruction of the information and express prohibition on any secondary use by the foreign country; eight, that the Attorney-General investigate the desirability and practicality of a legislative requirement that data subjects be advised that their communications have been subject to an intercept, stored communications warrant or a data disclosure if that advice could be given without prejudice to an investigation; nine, that the proposed new section 186(1)CA of the telecommunications interception act be amended to require that the Australian Federal Police report to the minister on the number of authorisations for disclosure of data to a foreign country, the identity of those countries and any evidence that disclosed data has been passed on to a third party; ten, that the Attorney-General consult with the telecommunications industry, statutory authorities and public interest groups to clarify and agree on the data handling and protection obligations of carriers and trade service providers; eleven, that the bill be amended to require carriers and trade service providers to destroy preserved and stored data when that information is no longer required for a purpose under the telecommunications interception act unless it is required for another legitimate business purpose; twelve, that the exemption of small internet service providers from the Privacy Act as small businesses be reviewed by the Attorney-General with a view to removing the exemption; and, finally, thirteen, that the Attorney-General's Department consult widely with carriers and carriage service providers to ensure that the bill when enacted can be implemented in a timely and efficient manner.

I will return to the last of those recommendations in a moment.

It is a matter of some concern to the opposition that the government would proceed to bring this bill before the Senate without making any formal response to the joint committee's report, which was tabled more than a year ago—that is, the report of the Joint Select Committee on Cyber-Safety, not the Joint Standing Committee on Treaties. The failure of the government to respond to that committee's report is characteristic of a government which trumpets its commitment to being open and consultative—in contrast to its admittedly chaotic, impulsive and paralysed processes—without even paying lip service to a joint select committee of this parliament on such important legislation as this. I am, however, pleased to note that the government has circulated amendments to give effect to most of the substantive recommendations of the joint parliamentary committee on cyber-safety to which I have referred. Those amendments all have the coalition's support.

However, as I foreshadowed, the joint committee's 13th recommendation—that is, that the Attorney-General's Department consult widely with carriers and carriage service providers to ensure that the bill, when enacted, can be implemented in a timely and efficient manner—is very important and must be given effect to. The Attorney-General's Department has advised that it is of the view that the legislation can be implemented within the time frame contemplated by its provisions and that, if carriers and carriage service providers are unable to comply, stopgap measures will be acceptable and the Attorney-General's Department will not insist on strict compliance.

The views expressed to the coalition by the carriers and carriage service providers are that this is a simplistic approach which provides cold comfort to them. It also fails to take into account the additional expense to which carriers and carriage service providers will be put to comply with what we are advised is a totally unrealistic time frame. We understand that these companies have in place cost-recovery arrangements with the Commonwealth and its agencies, but the government fails to acknowledge the expenses to be incurred by these companies, both in making fast-track alterations to their systems and in the assistance they provide to law enforcement agencies free of charge as good corporate citizens.

Ultimately, the coalition has been forced into a fairly unacceptable choice: to take the government at its word—always a risk with this government—or to support amendments that might further delay the implementation of important law enforcement legislation. On this occasion, and on balance, we have decided with some hesitation to take at face value the government's assurances that interim measures will be acceptable and that carriers and carriage service providers will not be put to unnecessary expense in an effort to comply with the legislation. With the lengthy passage of time it has taken the government to bring this bill before the Senate, some of those concerns have been slightly ameliorated. However, the government is on notice that the carriers and carriage service providers remain anxious about the implementation of the bill and will be bringing any departure from those assurances to the notice of the opposition and we, in turn, will be bringing them to the notice of the parliament. With those reservations, I indicate that the coalition will support the bill with the amendments that have been circulated.

6:03 pm

Scott Ludlam (WA, Australian Greens)

I have listened with interest to the comments of Senator Brandis and I rise to make some additional comments on behalf of the Australian Greens. We share some of the reservations that Senator Brandis expressed, so we certainly look forward, Senator, to your support for our amendments, which actually give effect to precisely some of the reservations.

I will put one additional reservation on the record at the outset. The Attorney-General, to her credit, has initiated quite a far-reaching inquiry into powers of the national security agencies, particularly with regard to surveillance powers, online and offline. The areas that are of greatest interest to me and that would seem to flow as having the greatest consequences from the terms of reference that the joint committee has put together substantively impact on the matters within this bill.

My first comment in response to the Cybercrime Legislation Amendment Bill 2011, which has been around for a very long time, is that this is now seen as actually being quite pre-emptive. This cuts directly across the inquiry that the Attorney-General, in good faith, has put to the Australian people and to the joint committee. Ironically enough, yesterday was the closing date for submissions. Today we are just going to go ahead and legislate a big slab of it without having bothered to read the submissions. These matters are directly related. These are not tangential issues. We are asking the Australian people to consider far-reaching expansions of surveillance powers, data sharing, data retention and sharing material with overseas governments.

Here is a bill which, if we were to sit down, let the speaking order collapse and not put up any questions—the coalition is clearly not going to put up anything of a fight—would pass, before the joint committee has even had a chance to read the submissions. I respect the fact that this bill has been around for a while. I am not suggesting that this is some kind of ambush that has just dropped out of nowhere out of the sky. It does have some history to it. But it has been floating around for over a year, and my question is why it is being passed now, before the joint committee has been given the chance to do its work and before the public has been given the opportunity to give evidence.

Nonetheless, this bill is before us now. My proposition is that the debate simply be adjourned until such time as that committee has done its work. How are we to take the government in good faith as actually interested in the views of the general public—people who have profound problems with the way that this government is proceeding—and take its assurances seriously if, while that inquiry is underway, we are legislating a big slab of it here tonight?

The bill was referred to the Joint Select Committee on Cyber-Safety in June 2011. That committee, of which I am a member, reported in August 2011, so it is now a year, I am a bit dismayed to realise, since that committee handed down its unanimous findings, holding up a red flag and saying, 'This bill in its current form has some very severe problems.' I have enjoyed working on the Select Committee on Cyber-Safety. It is a bit unusual that a bill would have been referred to it, but in this instance it was. The committee had profound problems with the way that the bill was drafted, and it was unanimous. We signed on. We would have gone a bit further and we put a couple of additional propositions to the committee.

But the Joint Select Committee on Cyber-Safety said: 'Hold. This is not ready to be legislated.' In response, the government has not only ignored the findings of that committee; it has, as Senator Brandis quite correctly indicated, failed to provide a response and is now going ahead and legislating, despite the fact that serious reservations have been expressed by the unanimous report of that committee.

Some of the concerns I have are basically mechanical. I join Senator Brandis in acknowledging that technology moves on. This space is moving very rapidly. Law enforcement agencies need to conduct their important work in tracking and prosecuting organised crime, politically motivated violence, offences against children and so on in qualitatively different ways through telecommunications media that were simply not possible before. I have no objection to the fact that, yes, this is a space in which the law lags and there will need to be a process whereby we update legislation to ensure that our law enforcement agencies have the tools they need to do this extremely important work. However, commensurate with that, we need to ensure that privacy protections remain in place. While we hear a great deal from law enforcement agencies about how their powers have failed to keep track with the expanding ways in which people are communicating with each other, there has been virtual silence on the fact that our privacy protections and our human rights protections have also failed to keep track. No such urgency is displayed.

The inquiry by the Senate Legal and Constitutional Affairs Legislation Committee into privacy protection is working its way through a phone-book-sized batch of amendments with no end in sight. There is no apparent urgency being displayed there about protecting people's privacy online, but there have been repetitive invocations to this chamber to urgently amend and expand surveillance powers. We have concerns about privacy implications and we have real concerns that this legislation actually goes significantly further than the European convention to which we are seeking to accede. There is nothing in that convention about some of the powers that we find in this legislation. This is where I think this debate gets muddied. Legitimate expectations that the government will protect Australian children from abuse online and protect all Australian citizens from organised crime or politically motivated violence are somehow used as a shield for a vastly expanded set of agendas which have nothing to do with those legitimate concerns and those legitimate expectations.

We also have some technical concerns which have been transmitted to us by the carriers and the telco sector about how these powers will be practically applied. Through this bill and also through the national security inquiry—which has touched off something of a storm of outrage online, and I get the sense that the Attorney-General is already keenly aware of this—the intelligence and policing agencies are seeking to outsource to the telco sector responsibilities for data storage and data retention so that it can be used for evidence later. That imposes costs and major technical issues on the carriers that they will then have to pass on to their customers. We do not hear anything from the opposition about a great big new tax on telecommunications—on every tweet you send, on every email you receive, on every Skype chat you have—but that in effect is what it is.

If we are forcing and compelling internet service providers and phone companies to retain all of this data for unknown periods of time, to enable it to be crossmatched, to enable it to be used in court to those sorts of standards of evidence, who is going to pay for that? It will not be the Federal Police. It will not be ASIO. It will not be the other agencies that are pushing for these powers. It will be us, all of us, through increased costs of telecommunications. Again, let us get a hold of what are the legitimate expectations of all Australians in being protected from violence, organised crime and other forms of abuse perpetrated online. Let us grab that agenda with both hands. But let us also be very clear about other agendas that might be advancing at the same time and make sure that we are aware of what they are.

The joint select committee spent a lot of time thinking about the fact that this legislation unnecessarily dumps quite a principled stand, a cross-party stand, on the death penalty that our government will actually cooperate with. This bill is effectively about sharing Australian telecommunications data with law enforcement agencies of other states around the world, those who are also signatories to the European convention. We do not have the death penalty in Australia; we have not for quite some time. There is no political will to reinstate it. In fact, I think all Australians would abhor that the state would murder its own citizens for committing certain kinds of crimes. I think Australia has been quite a constructive global player on the abolition of the death penalty worldwide. Nonetheless, this bill explicitly allows intelligence to be shared with foreign law enforcement agencies for capital crimes. That is something that we can fix. That is something that the cybersafety committee spent a lot of time thinking about. We have an amendment to this bill that would allow that loophole to be closed.

We have concerns about the extent to which this bill is not really about cybercrime at all. Cybercrime includes bank fraud, phishing, taking over computers with malicious software and that kind of thing, and using the internet to transact certain forms of crimes that were not possible before. This is a standard and reasonably accepted definition of cybercrime, although obviously a very broad definition. When we get to the committee stage of the bill, I will put some questions to the minister about the fact that this legislation is actually about the prosecution of all crime and has nothing to do with cybercrime. This is about the tracking of phone calls, emails, Skype chat, social media or any form of communication in pursuit of anything at all—whether it be a crime or not—and has nothing to do with cybercrime. That is a very small subcategory of the range of offences that would be able to be pursued and the range of materials that would be able to be transmitted to foreign law enforcement agencies on Australian activities, including for things that may not even necessarily be crimes in this jurisdiction.

It also essentially lowers the bar on telecommunications intercepts. Again, this is something that I will put to the minister when we get to the committee stage to make absolutely sure that I am clear about what is going on here. At the moment, in order to intercept telecommunications, the offence has to attract a seven-year penalty and above. That is a serious crime. Things like terror offences attract those sorts of penalties. Organised crime and other crimes of violence attract those very severe penalties. Most Australians would understand that if the police are targeting those kinds of offences, there is a legitimate expectation that they should be able to tap a phone, with the judicial oversight of then having to seek a warrant for a serious offence. Those are the two things about which I think there is a general consensus in Australian society, that it is legitimate and appropriate that messages and communications be intercepted given those conditions.

This bill, of course, lowers that bar.

After this bill is passed all of our data can be captured and held, pending a warrant, on the basis of an offence that attracts only a three-year penalty. Obviously, this radically expands the categories of offences that can be caught. If my understanding is incorrect I look forward to the minister correcting the record a little later in the debate. And all this before the joint committee on intelligence and security has provided its views on this very subject! That is pretty ironic. The deadline for that was yesterday.

We share very serious concerns that were expressed by the former ombudsman about the lack of clarity on the essential role that his office would perform with regard to these amendments and the significant changes that are proposed. This bill was sent to the cybersafety committee for inquiry and the committee consulted with experts. We held hearings and we heard from technical experts in the fields of IT, privacy and law, and the committee formed the view, as I did, that the privacy protections in this legislation needed to be extended. The committee also became convinced that there were reasons for amendments to be made so that we do not disclose telecommunications data to foreign countries where the death penalty is possible, and that we would be seeking some kind of assurance, from the government that this material was being transferred to, that the death penalty would not be pursued. That is an undertaking that we should be able to ask for.

The government chair of the committee, when presenting the report, said the following:

If adopted we believe these changes will go a long way in allaying any fears of unwarranted intrusions into privacy or unjustified sharing of data with foreign countries.

Well, what do you know? The amendments have been rejected; they have not even been discussed. Perhaps we will get the minister to go through the reasons for that. In my meetings with the attorney's office subsequent to that report being handed down, the amendments were treated entirely dismissively. It is quite regrettable that 11 out of the 13 recommendations have been dismissed in this fashion. I value the committee system. I enjoy committee work and I know that it is one of the things that attracts many people to this chamber as opposed to the other place—we get the time to do due diligence on legislation.

I must say that, in my brief four years here, I have found the attorney's office is one of the worst in terms of assuming that it has simply got it right and everybody else must be wrong. The Attorney-General's office, by far, under successive ministers, is the most resistant to ideas that did not originate from within its own domain. It then becomes a responsibility of this chamber to examine what the committee has brought forward and to consider whether those proposed amendments might not be a good idea.

I briefly quote from the JSCOT report:

… the Committee holds concerns about the lack of transparency in the review process for this important treaty, in particular, the lack of timely advice to the Committee and the lack of public exposure and certainty about necessary amendments to support Convention obligations.

We are aware that the agenda has moved on significantly since that work was done, but no further information has been provided. It will be our job, as this debate unfolds during this evening and tomorrow, to ensure that those answers are put on the table. This is quite a poor process that leaves considered and consensus recommendations not only unimplemented but also completely disregarded.

Even Premier Colin Barnett—and it would be pretty rare that I would stand up in here and agree with something that the Western Australian Premier has said—and the Victorian Attorney-General called for the bill to be delayed. The former Premier of Queensland questioned its passage. There are mainstream concerns that I am trying to reflect tonight about the passage of this bill. Now we see a vastly larger expansion of surveillance powers proposed by the Attorney-General, and I do not think it is appropriate that this bill is debated in that context.

I will go through some of these matters in detail when we get to the committee stage, but now I come to some of the specific matters that were raised with us. One was Telstra, ironically enough, who warned the committee that the new obligations on them to preserve data were beyond business needs and would place significant burdens on carriers and service providers in the form of cost and manpower. While the government has extended the time Telstra had to prepare, it is not enough, and we have drafted an amendment to fix that. I am very interested to hear what the government's view is on whether the industry is telling it that they are not going to be ready to bring it. Despite the fact that that submission was made a year ago, I suspect that when push comes to shove we will find that we are imposing formidably difficult obligations on telcos to trap this data and to make it available to law enforcement agencies across such a broad band.

In case senators believe that this is simply about a narrow range of phone calls and emails and so on that would be read by intelligence agencies, that is not the case. From the most recent figures that we have, which is the 2010-11 financial year data, there have been somewhere in the realm of a quarter of a million requests for telecommunications data. This is not the communication itself; this is the data that surrounds it—for example, the time that you sent the email, your IP address when you made that Skype call, or your latitude and longitude when you walked down the street and bought a coffee—because smartphones, for the benefit of those MPs who are carrying them, will record in quite fine-grained detail where you are, when you are there, whether you are using the phone or not, whether the phone is switched on or not; these devices are keeping track of where people are. This is a category of data that did not even exist when the telecommunications access regime was drafted, and so it has slipped completely under the radar. There is no seven-year threshold for access to that. There is no three-year threshold. There is no threshold at all. And so a quarter of a million of these requests were made in the most recent year for which we have accurate data. This has now become a pervasive problem, and I do not hear the clamour in government circles for fixing that loophole, so the Australian Greens will attempt to do so. We have an amendment afoot that we will move to this bill that does just that.

I note that I have a second reading amendment and I will come to that towards the end of the debate. This has been circulated, and effectively goes to the Telecommunications (Interception and Access) Act. I will be interested to hear whether or not senators believe that this second reading amendment might have been pre-empted by the Attorney-General's review. As I said, I acknowledge and appreciate that that review is underway—that, rather than simply ramming them through this place as a bill, the attorney has had the good sense to put these broad terms of reference to the Australian people and hear what people think.

But this second reading amendment simply says that there should be a holistic review of the Telecommunications (Interception and Access) Act to work out in part whether the act is to continue to regulate effectively communications technologies and the individuals and organisations that supply technologies and communication services. In particular, this review would take a look at whether the surveillance powers that are available to the agencies in question are proportionate to the kinds of things that they are attempting to track. By that I mean the criminal penalty thresholds, which most Australians would support.

In order to have your phone tapped or your latitude and longitude recorded and distributed to intelligence and policing agencies, you should be accused of something. There should be some judicial oversight, and you should be implicated in some kind of crime. But as it is at the moment, and where this national security inquiry is going, all Australians are being treated as suspects, not citizens. That is something on which I call the Liberal Party to go back and examine their roots. You are meant to be the party that supported individual liberties over the power of the government. This goes back hundreds and hundreds of years. Where are you? We need you now. We need those values to come forward. I do not think it is appropriate that all Australian citizens are treated as suspects, as guilty until proven innocent: 'We'll just retain all this data in case you turn out to be implicated in some hideous crime down the track.' It is not the Australian way. Again, we appear to be taking our lead from the United States, which is starting to adopt distinctly authoritarian strands. I think we deserve better than this and I look forward to the debate as it unfolds.

6:23 pm

Helen Polley (Tasmania, Australian Labor Party)

I rise to make a contribution on the Cybercrime Legislation Amendment Bill 2011. It was not all that long ago, I remember, that I would receive a 'pay' envelope containing cash. And later my wages were paid by cheque. That was a time when we were worried about our cheques being stolen or lost in the mail—not that those are not concerns now. But times have really changed, especially in the last 20 years. These days, salaries are paid by direct deposit into a bank account. But that is only the tip of the iceberg.

As can be read on the Australian Institute of Criminology website, our daily lives have seriously changed. The convergence of computing and communications technologies has changed dramatically the nature of our lives, at least for those of us who live in a developed country. We are able to do our shopping and banking from home, work and be paid electronically, and engage in leisure activities using computers. Government benefits are also able to be processed electronically and a wide range of services delivered online. The process of reducing information to electronic streams of '0s and 1s' that are stored on computers has enabled people to communicate more effectively and at a lower cost than in the past. It has also meant that geographical boundaries are able to be crossed more easily. This has enhanced the process of globalisation of the economy and social life enormously.

But these same technologies that have provided so many benefits have created enormous opportunities for various offenders. Fraudsters are able to communicate with each other in secret, disguise their identities in order to avoid detection and manipulate electronic payment systems to obtain funds illegally. They are also able to target a wide range of potential victims throughout the world, all from the comfort of their home or office. The risk of fraud is one of the principal barriers to electronic commerce systems becoming widely accepted in the community. It is believed to be one of the most under-reported offences in Australia, with fewer than 50 per cent of incidents being reported to police or other authorities.

This bill, the Cybercrime Legislation Amendment Bill 2011, will facilitate the accession to the Council of Europe Convention on Cybercrime, also known as the Budapest Convention on Cybercrime or just the Budapest Convention. This is the first international treaty seeking to address computer crime and internet crimes by harmonising national laws, improving investigative techniques and increasing cooperation among nations. It was drawn up by the Council of Europe in Strasbourg, with the active participation of the Council of Europe's observer states: Canada, Japan and China.

The convention aims principally at harmonising the domestic criminal substantive law elements of offences and connected provisions in the area of cybercrime; providing for domestic criminal procedural law powers necessary for the investigation and prosecution of such offences, as well as other offences committed by means of a computer system or evidence in relation to which is in electronic form; and setting up a fast and effective regime of international cooperation. To date there are 47 signatories to the convention, with 32 of those signatories having ratified this commitment. These signatories include many European states as well as Canada, Japan, the USA and South Africa.

The Joint Select Committee on Cyber-Safety considered this legislation. However, another report by the same joint select committee—an interim report in June 2011 called 'High-wire act: Cyber-safety and the young'—gives some insight to the scope of the cybercrime issues that now face our youth: cyberbullying; cyberstalking; sexual grooming; sexting; illegal and inappropriate content; privacy and identity theft; technical addictions; online promotion of inappropriate behaviour—for example, use of drugs, alcohol, suicide, anorexia; and child pornography and exploitation. These are just some that are listed. We are all aware of instances where these social abuses have ended tragically—suicide after cyberbullying; or people charged with possessing thousands, even millions, of child pornographic images. Then there are concerns such as cyberterrorism—which, in general, can be defined as an act of terrorism committed through the use of cyberspace or computer resources. Various governments are even concerned about cyberwar. Then most types of organised criminal activity can be cited—drug trafficking, fraud and theft.

I return to this bill. The review of the Cybercrime Legislation Amendment Bill 2011 by the Joint Select Committee on Cyber-Safety made 13 recommendations, but the bill was manifestly supported. The areas covered by the recommendations included: issues of mutual assistance—stored communications and disclosure of prospective data to foreign countries; police assistance to foreign countries—historic and existing telecommunications data; reporting and oversight; industry data handling and privacy obligations; and industry implementation.

However, the main concerns the committee raised regarding the bill relate to:

        The government has considered the recommendations from the Joint Select Committee on Cyber-Safety's report on this bill and welcomes their recommendations. Twelve of the 13 recommendations have been supported through provisions currently in effect in intersecting legislation, contained in the bill or included in the proposed government amendments. The recommendation relating to the discretion to reject mutual assistance requests where foreign information handling laws differ from domestic law will not be accepted. Making an assessment of foreign privacy laws is not practicable and would cause substantial delays. Additionally, the bill and the Mutual Assistance in Criminal Matters Act 1997 already require an assessment of the privacy impact on any person and create limitations on how the foreign country can deal with the information.

        I come to the explicit privacy considerations. This bill introduces a requirement for privacy considerations when authorising the disclosure of historic telecommunications data to ensure that privacy considerations are taken into account for every disclosure of telecommunications data. The government's amendments provide detailed guidance to officers about the factors and privacy considerations which must be weighed before making an authorisation. This proposal responds to recommendation 4 of the committee.

        I refer to the strengthened reporting requirements. The government amendments would strengthen the reporting requirements for instances where the AFP has disclosed existing or prospective information or documents to a foreign country. The proposed government amendments require the head of the AFP to give the minister an annual report that includes the number of disclosures that were made to each country. Consistent with international practice, sensitive information that could compromise international investigations and the strength of Australia's cooperative relationships with foreign law enforcement agencies will not be made publicly available, but will be included in the report to the minister. This proposal responds to recommendation 9 of the committee.

        I come to the delay of ongoing preservation notices. The government amendments will delay the application of the ongoing preservation notices provisions until 90 days after royal assent. Industry currently provides historic preservation to agencies on an informal basis, and therefore can already comply with the requirement to preserve historic telecommunications data. The government amendments will provide industry with sufficient time to ensure compliance with requests for ongoing preservation. Industry has flexibility in compliance because the bill does not prescribe any particular capability or methodology for enabling preservation.

        I come to the technical amendments as to the threshold for provision of prospective telecommunications data. The government amendments regarding the availability of prospective telecommunications data would ensure consistency of thresholds and access for domestic and foreign purposes and will ensure Australia is compliant with article 33(2) of the convention. As the bill is currently drafted, prospective telecommunications data is available domestically for the investigation of 'serious offences' and for offences punishable by at least three years imprisonment. For foreign purposes, prospective telecommunications data is only available for the investigation of a foreign offence that is punishable by at least three years imprisonment. In many cases, offences that meet the definition of 'serious offence' would also meet the requirement of being punishable by at least three years imprisonment. However, as the definition of 'serious offence' in the Telecommunications (Interception and Access) Act 1979 includes some offences punishable by less than three years, there may be some offences that would meet the domestic threshold, but not meet the foreign threshold. This difference in threshold would breach article 33(2) of the cybercrime convention. The government's amendments will remove this differential threshold and ensure Australia's compliance with the convention. On the basis of the amendments that are being proposed by the government and the recommendations by the Joint Select Committee on Cyber-Safety, I support this bill and recommend it.

        6:34 pm

        Brett Mason (Queensland, Liberal Party, Shadow Minister for Universities and Research)

        The Cybercrime Legislation Amendment Bill 2011 essentially amends a number of acts, including the Mutual Assistance in Criminal Matters Act 1987 and the Telecommunications Act 1987, to ensure that Australian legislation is compliant with the requirements of the Council of Europe Convention on Cybercrime in order to facilitate Australia's accession to that convention. Madam Acting Deputy President, you would be aware that on several occasions I have spoken on bills that impact or indeed potentially impact on the privacy of citizens, and I do so again today. But, firstly, I will make a few preliminary observations.

        I note in passing Senator Ludlam's remarks before about threats to privacy that are emerging in the context of national security, and he is quite right to suggest that the Liberal Party in particular and indeed no parliamentarian can escape that debate. The Liberal Party, as the good senator reminded the Senate and reminded in particular the Liberal Party, was founded on the balance of power between the state and the individual, and he is quite right to suggest that in the past the resolution of that balance and the resolution of that tension have generally fallen, for the Liberal Party, toward the individual, and that will be a matter that we will have to pursue and debate in earnest no doubt in the future because it is not just a debating point; it actually defines the role and the relationship of citizens in this country to the state and to the government. So it is a huge issue and a very important one, and I acknowledge Senator Ludlam's eloquent contribution.

        The Council of Europe Convention on Cybercrime is the first significant international attempt to coordinate law enforcement pertaining to crimes committed using computers and the internet—sadly, perhaps the fastest expanding area of criminal activity, which ranges from Nigerian scams perpetrated by teenagers from internet cafes right throughout Africa to professional hacking jobs directed at major financial institutions. In addition to computer related fraud and, indeed, violations of network security, the convention also addresses issues such as copyright infringement and, of course, as Senator Polley mentioned, child pornography.

        Globalisation of the economy and globalisation of culture has also brought about the globalisation of crime. Mobile devices, computers, networks and satellites that link us all and enable us to connect to each other and indeed transmit ideas to each other—products and money around the world in the blink of an eye—also enable criminals to do just the same. They also provide criminals rich opportunities to take advantage of others. In a global village, all crime can be local, even if it is perpetrated not by armed floods straight out of gangster movies but by some corrupted nerds ensconced in the twilight of their bedroom, whether it be in Paris, Singapore, Lagos, Bucharest or indeed Sydney. With these new realities in mind, the bill among other provisions requires carriers and carriage service providers to preserve communications and data for specific persons when requested by Australian law enforcement authorities, even if this request is on behalf of foreign law enforcement authorities. This ensures that these authorities can obtain and disclose this stored information for the purposes of investigation.

        With these new powers, however, come vast new responsibilities. While the convention seeks to control cybercrime, it does also allow for the safeguarding of rights. Article 15 states that human rights must continue to be upheld and enforcement powers and procedures under the convention must respect the right to free expression, the right to access information, the right to privacy and other similar rights.

        Despite these guarantees the convention did create some disquiet, I think it is fair to say, both overseas and indeed here in Australia, particularly among privacy advocates. I think Senator Ludlam has indicated that this evening. It is not surprising, as the convention and the bill which gives it effect in Australia seeks to expand the powers of both law enforcement and intelligence agencies to access, gather and share people's private data and indeed their private communications.

        For example, the Law Council submitted that the new section 180F in the Telecommunications (Interception and Access) Act 1979 is inadequate to safeguard personal privacy. That was their contention. The proposed section 180F merely asked that an authorising officer 'have regard to' privacy impacts. The Law Council rightly submitted that this could be satisfied by merely ticking a box on a form and submitted the following to be inserted in the bill:

        Before making an authorisation, an authorised officer must be satisfied on reasonable grounds that the likely benefit to the investigation which would result from the disclosure substantially outweighs the extent to which the disclosure is likely to interfere with the privacy of any person or persons.

        The Australian Privacy Foundation in their submission had a more general complaint. They submitted:

        As currently drafted, the Bill does not specifically differentiate between traffic and content data and instead merely refers to 'stored communications', which is in fact not defined. The use of this phrase is unnecessarily broad and increases the scope or unwarranted privacy intrusions into personal communications where preservation and disclosure of traffic data alone could be sufficient in terms of an ongoing investigation.

        That was the submission of the Australian Privacy Foundation. It also has to be noted that the bill leaves it to the Attorney-General to decide whether to assist foreign law enforcement agencies where the offence committed carries a death penalty in the country concerned. The Joint Select Committee on Cyber-Safety recommended that the Attorney-General should make such a decision jointly with the Minister for Home Affairs and Justice and that these decisions should of course be registered.

        I hope that the Attorney-General will exercise her powers wisely and carefully, and I am sure she would. So far all the signatories to the convention, most of them European countries, are democracies with, let's face it, very reasonable protections of human rights. I think that is fair to say. It is perhaps unlikely that any dictatorship and gross human rights violators will at any point in the near future decide to bind themselves to the convention. However, should that happen, we would not want to see Australian law enforcement agencies having to play a part in enforcing the convention at the behest of foreign authorities who are using cybercrime laws to in fact quash domestic political dissent. I do not think anyone in this Senate would want to see that. While this may sound like an unlikely and indeed even a far-fetched scenario, we should nonetheless keep such possibilities in mind.

        Contrary to some very overenthusiastic claims I believe that developments in information technology will not necessarily lead us to some cyberutopia. I do not believe it necessarily will. Information technology, just like any other technology, is neither intrinsically good nor bad; it is essentially neutral. Whether it is put to good or bad use is a matter of human intent. Certainly mobile devices, the internet and fast and cheap connections have empowered the individual. That much is true. But also that technology has also empowered the state and surveillance.

        For every instance where oppressed peoples mobilise themselves and world opinion through Twitter, Facebook and YouTube there is another instance of a government that uses essentially the same technologies to increase its powers of surveillance and control over its own people. We have seen that in the People's Republic of China in the recent past and also during the Arab Spring. I do not think I am overstating it. I think it is fair to say that those technologies can be used both by advocates of democracy and by authorities seeking to quash dissent. Technology can be used both ways.

        Under our Constitution the parliament has the power to determine the rights of Australian citizens. This places an enormous burden on members of parliament to be diligent and cautious whenever legislation is introduced that looks to curtail the rights of Australians. This is the case even where it is thought necessary to achieve a greater good, like the stamping out of crime. Some governments curtail freedom and human rights as an end in itself. Many governments and many states, particularly during the 20th century, have done just that. They have curtailed freedom and human rights as an end in itself. We in Australia are fortunate to have governments which might on occasion curtail freedom and human rights, that is true, and I think that we all accept that, but only as a means to a laudable end, and even then they have striven to maintain the right balance between the means and the ends. That is the perpetual conundrum of democracy. It is not an easy balance but it is one we have to strive for.

        While the coalition does support the bill, it is a shame that the government did not have more regard to the recommendations of the Joint Select Committee on Cyber-Safety or to the detailed submissions of the Law Council and others. None of us should ever cease trying to get the balance just right.

        Claire Moore (Queensland, Australian Labor Party)

        I see Senator Xenophon is rushing to the door. The papers are being shuffled, Senator Xenophon, while you come to take up your speaking right. You have four minutes.

        Nick Xenophon (SA, Independent)

        Thank you, Madam Acting Deputy President. I am surprised that Senator Mason did not use his full 20 minutes. It is quite uncharacteristic of him.

        Brett Mason (Queensland, Liberal Party, Shadow Minister for Universities and Research)

        It is.

        Nick Xenophon (SA, Independent)

        I was actually shocked. I told my staff, 'He'll keep talking as he usually does.' I think it is a first for Senator Mason, isn't it, not to use his full 20 minutes? The Cybercrime Legislation Amendment Bill is an important piece of legislation and the issue of cybercrime is one which challenges law enforcement agencies throughout the world. This bill does attempt to tackle this, and I note that my colleague Senator Ludlam, from the Australian Greens, will be moving a number of amendments in relation to it. I have a particular interest in relation to cybercrime and the tragic case of Carly Ryan, who was murdered several years ago in Adelaide by a person she met online who purported to be somebody completely different and completely misrepresented his age to her. She tragically agreed to meet with him and the consequences of that led to her murder. Sonia Ryan, her mother, has run a courageous and relentless campaign about cybersafety, and we should all be grateful for the work of the Carly Ryan Foundation and her family and loved ones, who honour her memory.

        I put up legislation that was not successful in this place that related to issues of misrepresentation, so that, if a person misrepresented their age to a minor, it was qualified in those terms, that in itself would be an offence. At the moment, you need to prove an intent for a prurient purpose, in a sense. That is very problematic for our law enforcement agencies, and I think it is worth raising in the context of the committee stages of this bill because I believe it shows how the internet—which is a force for good in terms of communications and bringing people together, of telemedicine and the whole range of wonderful things that the internet can do—can be a source of allowing criminal activities, of allowing predators to ply their trade, in a sense, much more easily.

        Claire Moore (Queensland, Australian Labor Party)

        Order! The time allotted for this debate has expired.

        Debate interrupted.