Monday, 24 June 2013
Intelligence and Security Committee; Report
On behalf of the Parliamentary Joint Committee on Intelligence and Security, I present the report of the committee on its inquiry into potential reforms of Australia's national security legislation, and I move:
That the Senate take note of the report.
In May 2012, the then Attorney-General, Nicola Roxon, asked the committee to inquire into a package of potential reforms to Australia's national security legislation. The committee was provided with a discussion paper outlining the reforms the government wished to have the committee consider. The committee was tasked with examining potential reforms to:
The terms of reference contained 18 reform proposals, involving 44 specific items.
Importantly, the context for the committee's inquiry included the serious challenge presented by new and emerging technologies to agencies' intelligence gathering capabilities.
The committee received 240 submissions. Three submissions were received in largely identical terms from some 5,300 individual members of the public. These submitters expressed opposition to the reforms, particularly to a mandatory data retention regime.
The committee was faced with several difficulties. The terms of reference were wide ranging and canvassed some of the most complex and significant reforms to national security legislation ever to come before the parliament.
The absence of detail in the discussion paper concerning mandatory data retention also significantly impaired both public discussion and the committee's consideration of that issue.
Despite these challenges, the committee has produced a comprehensive and unanimous report.
The committee has made 43 recommendations. I will highlight three of them.
First, the committee recommends that the Telecommunications (Interception and Access) Act should be comprehensively revised, with the objective of designing an interception regime which is underpinned by clear privacy protections, provisions which are technology neutral, maintenance of investigative capabilities, clearly articulated and enforceable industry obligations, and robust oversight and accountability which supports administrative efficiency.
Second, to respond to the decline in interception capability caused by technological developments and countersecurity measures, agencies should be empowered to conduct telecommunications interception on the basis of specific attributes of communications.
Third, the committee recognises that there are occasions on which ASIO officers are placed in positions where, in order to carry out their duties, they may need to engage in conduct which may breach the criminal law. To permit this, the committee recommends that the Australian Security Intelligence Organisation Act be amended to create an authorised intelligence operations scheme.
These recommendations, along with the others in the report, include proposals for detailed safeguards and accountability measures.
A critical proposal the committee examined was mandatory data retention; that is, a regime which would potentially require telecommunications companies to retain communications data, such as subscriber details, for a specified period of time.
In the committee's view, ultimately, whether or not to introduce a mandatory data retention regime is a decision for government. However, the committee has taken account of the substantial and serious concerns about this proposal that have been presented to it.
The committee is of the view that no such regime should be enacted unless privacy and civil liberties concerns are adequately addressed, and that an exposure draft of any legislation should first be referred to the committee for examination.
The committee outlines a number of specific features and safeguards it believes any draft legislation should incorporate. These include that any data retention regime should apply only to metadata and exclude the actual content of communications, and that internet browsing data should be explicitly excluded.
The issue of the establishment of a mandatory data retention scheme is very controversial. There are widely divergent views in the community about it and I expect those differences will be reflected within political parties and the parliament. Unsurprisingly, those differences existed within our committee.
The PJCIS has a strong tradition of attempting to reconcile differences and bring down unanimous reports.
Since its establishment the committee has produced 50 reports with only one dissenting report.
All committee members wanted to avoid signing a dissenting report, but I stress: to achieve unanimous recommendations on so controversial an issue as mandatory data retention required hard work and goodwill from all committee members.
The committee does not recommend the establishment of a mandatory data retention scheme—as I have said, we make clear such a recommendation should come from the government.
But, the committee does propose the features and safeguards such a mandatory data retention regime should have if one is to be legislated in Australia.
I acknowledge that this debate will be affected by the recent controversy surrounding leaks by Mr Edward Snowden in the United States of America.
We should be very clear here. The regime under which metadata and warranted content data is accessed is different in Australia to that which applies in the USA.
Nevertheless, these revelations will heighten anxiety in this country about data retention.
We must ensure none of our citizens is surprised if and when our intelligence, security and law enforcement agencies use their legislated powers.
We must ensure any legislation to establish a mandatory data retention scheme in Australia contains the strongest safeguards to protect the privacy of our citizens.
Our challenge will be to achieve the right balance between the safety and security of our citizens, and their personal rights and freedoms, including the right to privacy, if a proposal for a mandatory data retention scheme goes forward.
I want to support the remarks of Senator Faulkner. The committee, in carrying out the Attorney-General's request, was confronted with a number of difficulties. The terms of reference were extraordinarily wide. The lack of draft legislation and the emergence of technology to analyse and collect data electronically means that we virtually have a tiger by the tail. The lack of such draft legislation or any details of some of the potential reforms was very difficult for this committee to deal with.
One of the most controversial topics was, as Senator Faulkner has indicated, data retention. Data retention and management give very high powered computing technology the ability to produce, very quickly, clear and concise answers to intelligence questions. The Attorney-General did not provide a great deal of assistance and neither did her department. That meant that submitters to the inquiry could not be sure what they were being asked to comment on—the moving feast of technology and all of these methodologies were not specifically laid out.
Second, the committee was not sure of the exact nature of what the Attorney-General and her department were proposing. The committee was effectively flying blind to some extent and guessing at where this sort of technological progression was going to lead. Once it commenced its inquiry the committee became very disconcerted, as the report indicates, by the fact that the Attorney-General's Department was found to have much more detailed information, particularly about data retention, than was initially understood. The departmental work, including discussions with stakeholders, had been undertaken previously. Details of this work had to be drawn from witnesses representing the Attorney-General's Department. That is unsatisfactory and of concern.
It took until 7 November 2012 for the committee to be provided with a formal complete definition of which data was to be retained under the data retention regime proposed by the Attorney-General's Department. I will be brief, because Senator Faulkner, quite properly, has set out the main concerns of the committee with respect to this matter. The section concerning data retention attracted a large amount of criticism, and for good reason. People in their day-to-day lives generate an enormous amount of material that can be categorised as data. It can be stored. It can be re-referenced and cross-referenced. It can be used in ways that not many people can contemplate.
There was criticism from organisations and individuals. The organisations generally considered any potential data retention regime a significant risk to the security of their information and to their privacy, which is very understandable and quite proper. The concerns can be grouped as follows: privacy and civil liberty concerns; security concerns; feasibility and efficacy concerns; and cost concerns. The last one is the one that I am most concerned with. In the sphere of national security, the collection and retention of data is very important. The analysis of that data is crucial. The storing of data is an extremely expensive proposition. The protocols surrounding such data need to be spelled out very quickly so that cost-effective protocols can be established.
Without going on, this report had enormously broad terms of reference. I want to pay tribute to the secretariat of the committee for how they dealt with the request of the then Attorney-General. It was nebulous and difficult. This is the forerunner of a very significant report analysing matters that will concern Australians into the future. It highlighted some of the concerns on each side of the ledger, such as how we should better manage data from a national security perspective and with respect to people's privacy. It looked at issues of cost and other issues of ethics and protocol surrounding such data. These are very crucial future questions. I would like to think that this parliament, this committee and, indeed, Australia generally can lead the world in the way we deal with this material and the protocols surrounding the collection of such material, and, more broadly, how we administer national security legislation that of necessity must yield intelligence as to what people are doing in their day-to-day lives.
I will not go on, because Senator Faulkner has said more important things. He participated in the committee to a greater extent than I did. But having lived and breathed with some of these matters when I was Minister for Justice and Customs, the use of CCTV in the future in this country is also all about the storage, management and ethical management of data, which is the background context of the matters contained in this report. I commend the report to the Senate.
I rise on behalf of the Australian Greens to add some comments on the tabling of this report. With the crossbench position on this committee held by Mr Wilkie, the Greens were not represented on the committee, but nonetheless this is a policy area I have followed very closely since it was referred to the committee in the first place. It is actually something I have been pursuing since 2009. This is the second turn of the wheel on this policy. This data retention proposal has been pursued by the Attorney-General's Department through successive ministers. It bobs up every couple of years, and I know this will not be the last time it does. It provokes the kind of outrage that this committee has quite ably documented and then goes back below the surface again in search of an Attorney-General who is willing to try to pull it off. This is the second time we have seen this occur just in the short period of time I have been in this chamber.
The Australian Greens welcome a number of the elements in this report and I want to congratulate the committee secretariat and those who have done the work across the very broad range of the terms of reference. The committee was quite right to push back on the demand to decide for the government on its vague, amorphous data retention proposal. The committee also quite rightly calls for the Telecommunications (Interception and Access) Act to be overhauled from the ground up. That is something the Greens would strongly support.
However, there are other areas of recommendation here that we do not support. As usual, ASIO has been given nearly everything it was after in terms of expansion of powers. Also, the criminalising of encryption is, I think, a dangerous escalation of the encryption and decryption arms race. It is an area we would want to think very carefully about before we pursue this. Making it unlawful for a service provider or a private citizen not to hand over encryption keys, I think, takes us somewhere we need to be very careful about before we go there.
I look forward to hearing some of the reactions from the telecommunications providers, who were dragged into secret meetings, which would not have been disclosed were it not for a whistleblower who, in 2009, went to the Sydney Morning Heraldwhich then disclosed that the Attorney-General had called these closed meetings, demanding that industry tell the Attorney-General's Department what it would cost and what kind of protocols would be required for a two-year data retention proposal.
I want to acknowledge former Attorney-General Nicola Roxon, who copped a lot of heat for this proposal, for at least having the good sense to flip it to a committee where it could be examined in daylight. Also, I acknowledge the extremely strong language, unanimously on behalf of the committee, rebutting the Attorney-General's Department's vague proposal for a data retention scheme, and the fact that they had to extract the nature of the scheme itself because the Attorney-General's Department was so reluctant to admit exactly how much work had been done behind the scenes.
This report sets down on paper a partial and conditional victory but one that we should acknowledge, nonetheless, for the many thousands of people who participated in the process and those in the wider community who expressed their dissent one way or another—people who care about the maintenance of their human rights, online and offline, and people charged with protecting those rights whether it be through law enforcement, as civil libertarians or as plain old-fashioned libertarians. I also acknowledge the Law Society, Liberty Victoria, the Human Rights Law Centre and the Castan Centre, those custodians of legal custom and practice whom we hope would spring to the defence of the rights that were proposed to be abolished. There were also some unusual allies. It is rare for the Australian Greens to line up shoulder to shoulder with the Institute of Public Affairs—rare does not do it justice, actually. Nonetheless, in this instance the Australian Taxpayers Alliance and the IPA are strident in their condemnation—their highly articulate and consistent condemnation—of the proposals here. Then there are the online digital libertarian activists, researchers and campaigners, including Electronic Frontiers Australia and our colleagues in the Pirate Party, who in many ways have led the debate behind the scenes and in public—for example, in a series of detailed freedom of information requests, which was the only way we were able to discover the long-running series of meetings—which were denied in an extraordinarily evasive series of estimates exchanges that I had with the secretary of the Attorney-General's Department in here only a few weeks ago. From this we know for a fact that this proposal was well underway. The committee was not told; it had to go and discover this for itself.
I had a somewhat disconcerting conversation with Mr Wilkins, Secretary of the Attorney-General's Department, during estimates. I was told there were some rather vague draft positions and that a few chats and conversations had been had, and it was nothing to do with data retention, and at no stage was legislation in the process of being drafted. I have since put in a freedom of information request to actually try to get clarity on this, because information released under the FOI Act to Mr Brendan Molloy of the Pirate Party included a number of documents relating to the Attorney-General's Department's secret consultations with telecommunications and internet industries between 2009 and 2012. In October 2012, Logan Tudor, a legal officer with the department, wrote that he had decided the draft national security legislation was exempted from being released under FOI because it contained material that was being deliberated on inside the department.
The documents available on the excellent Right to Know website reveal that the Attorney-General's Department was well advised in preparing a regulatory impact statement on the proposal, and in fact had begun preparing one as far back as 2009. The preparation of an RIS, which must be signed off by what we now know as the Office of Best Practice Regulation and which includes a best estimate of the likely and very significant financial impacts described by the telcos, is a key step before a proposal goes to cabinet. These documents indicate that the government knew all along that the AGD was engaged in developing detailed proposals for data retention and workshopping them with industry, and had in fact initiated the formal process of drafting legislation. That is the detail to which I go in the Freedom of Information Act.
So this proposed culture of transparency, which was heralded with some fanfare, has never really materialised and it is like extracting teeth trying to find out what the Attorney-General's Department is actually up to. Strong language in this report quotes the Victorian Privacy Commissioner, Dr Anthony Bendall, who submitted that data retention was characteristic of a police state—extraordinarily strong language from the Victorian Privacy Commissioner. And a number of advocates right across the board, from industry and the other organisations identified there, have gone through asking exactly why these powers are required in the first place. In the context of the various campaigners and concerned citizens who put up their opposition to this proposal, I would not say it has been condemned outright, because the committee tries to be even-handed in pursuit of tabling a unanimous report. But it certainly does not, as Senator Faulkner has indicated, recommend that such a scheme passes. The report has identified a number of caveats, cut-outs, carve-outs, conditions and procedures that it considers would need to be minimum requirements if any such scheme were to be legislated. It is not exactly a glowing endorsement.
I understand that the Attorney-General, in the other place earlier today, stood and said, 'We will not be legislating for data retention at this time.' This has been set to rest and neutralised as an election issue, which is precisely what Minister Conroy did in an earlier form of the internet filter before the 2010 election, and has been neutralised as a political issue. I predict that if there is a new Attorney-General post-election, or even if there is not, this proposal will come back; I have absolutely no doubt about that whatsoever. It will be exhumed in a different form, with a few of the committee's recommendations attached, and it will be back. And it is a proposal I suspect will have to be fought and contested, potentially, again and again.
We need to pay very careful attention to what has happened in the United States. The only issue I have with Senator Faulkner's contribution—when he said that the regime under which metadata and warranted content data are accessed is different in Australia compared with the United States—is that US legislators by and large had no idea what the National Security Agency was doing under the Patriot Act on the orders of this secret court, which had absolutely no obligations to report to the public at all. I wonder how much Australian legislators, in hindsight, will be able to say they knew about how these powers were being applied in Australia, either warrantless accessing of data by agencies like ASIO and DSD or the wholesale importing of content and non-content data from colleagues in the US national security establishment—sideways, and basically bypassing such due processes as identified in here.
I seek leave to continue my remarks at a later time.