Thursday, 25 September 2014
National Security Legislation Amendment Bill (No. 1) 2014; In Committee
For those following at home, this debate has reached the stage where we are discussing the fact that the government appears to have allowed—and I will not call it a 'loophole' because that implies that it would have been accidental—the ability for a single ASIO warrant to encompass an unlimited number of devices, whether that be a single device, a handset, a room full of them, an entire university campus or an entire city. Obviously, the internet is a network of networks and it appears as though the government has deliberately allowed the drafting in this way, in such an open-ended way, as to allow ASIO to effectively intrude on an unlimited number of devices off the back of one single warrant. I am not clear at all about the reporting obligations as to whether the IGIS, or the Attorney for that matter, would be obliged to report how many devices were covered in a single warrant. My understanding, and I am sure Senator Brandis will freely correct me if I am wrong, I am sure, is that there is no such reporting obligation to the public or to the parliament.
What the Australian Greens amendment seeks to do is to set—and I acknowledge it is arbitrary—a cap. The arbitrary cap that we have proposed would be 20 devices. I think Senator Xenophon has stated quite clearly he thinks that is a bit low. I am very, very open to discussion on how many we think it should be. But I am very firmly of the view that it should not be possible to access an arbitrary number of devices up to and including every device connected to every other device. I think it is extraordinary that the government would even propose that that occur.
This is not something that Australian Greens are alone in having concerns over. If you go back to the parliamentary joint committee—this bill did not go to a Senate committee; it went to the Parliamentary Joint Committee on Intelligence and Security—it proposed, not all but some of, these measures in the first place. The submitters to that very brief inquiry put numerous concerns on the table as to these provisions. There are a number of them, but I will begin with the Law Council, who I do not think anybody in here would characterise as having radical views on these matters. Because the amendments ignore key recommendations in the PJICS report, the Law Council highlighted concerns with this schedule, which enables ASIO to obtain intelligence from a number of computers, including a network, under a single computer access warrant. On page 16 of their submission, the Law council says the following:
…the Law Council is concerned that there is currently no definition of a ‘computer network’. In this respect, the Law Council notes that its own staff use computers on occasion through a remote access network which can be accessed from their homes. Using this example, it is unclear whether the information on staff’s home computers would be covered as part of the warrant in respect of a ‘computer network’.
The Law Council has raised a fairly specific question that has not been addressed in the government amendments that have been circulated. Maybe at this point I would ask Senator Brandis to identify for us, in that instance that the Law Council puts to us, where a warrant has been issued which covers a computer network of people who are in a particular workplace, does the warrant therefore include home computers of that same person? Would the definition of 'computer network' include devices at home or on other premises entirely?
For the record, I will note that is the third or fourth time—Hansard will be keeping track—that the Attorney-General has refused to answer a straightforward question on this matter. I suspect there will be others, so perhaps we should start keeping count. I will continue from the Law Council's submission:
The Law Council understands the need to ensure that processes associated with computer access warrants are efficient.
As do the Australian Greens.
However, the Law Council considers that in order to protect privacy rights from undue intrusion, access to computers should be on the basis that there is a demonstrated sufficient nexus between the computers accessed and the nominated person of security interest.
I guess that is the rub. There is a nominated person of security interest. We have applied for a computer access warrant that surrounds that person. How many devices could such a warrant capture? I think it is an entirely reasonable question that I am putting. The Law Council continues:
Rule of law principles also demand that there is greater clarity as to the scope of conduct which will be permissible under the warrant.
Again, this is from page 16:
For example, ASIO should not be able to seek a warrant to access the computers on a particular network, or at a nominated location unless there are reasonable grounds to believe that the person in relation to whom intelligence is being sought had a direct connection with computers other than his/her own on the network.
I think what the Law Council is getting to there is the arbitrary nature of the fact that these devices are all connected either physically or via wireless networks, and that the drafting appears to allow entirely arbitrary traversals of networks onto computers which actually have no direct connection with the person of interest. Perhaps this exists and it is just that the Law Council is not aware of it. Senator Brandis, could you point us to any definition, either in this statute that we are amending or another, of the key term of 'computer network'? Is there any definition in law that you could point us to to assuage our concerns about the arbitrary nature of the amendment that you have put before us?
I do not purport ever to answer a question on behalf of Senator Brandis, but I imagine if there is not a statutory definition as to what a 'computer network' is there will be a common law definition as determined by the courts. I indicate that I will not be supporting the Australian Greens' amendment in relation to this. But, as a matter of some urgency, I am seeking to have an amendment drafted that I think would go some way to dealing with the concerns of Senators Leyonhjelm and Ludlam. That would be to require the annual report of Inspector-General of Intelligence and Security to give, in broad terms, the number of devices that may be captured by these warrants; something that would not affect an operational issue but would give a broad outline, from a disclosure point of view, as to how that would work. I am actually quite keen for this amendment to be dealt with. That is a matter for the Senate to deal with, but that is where I am at and I hope we can deal with.
For those who might be following this debate who are not familiar with parliamentary procedure, the general course of events—and it has been this way for me in the six and a bit years I have been dealing with these bills—is that questions are put to the responsible minister and answers are provided. I do not have to like the answers but they are at least provided to the Senate so that we can make our own judgement about the way that the law will operate. What Senator Brandis is doing today is straightforward abuse of the Senate's powers of question and answer. I can do my bit, but if the Attorney-General is refusing to even provide simple answers about the operation of the law, then that confirms for me that we are being treated with contempt. This includes those on the government side, backbenchers and opposition senators who might, in their own private way as senators, be interested in the answers to some of the questions that I am putting.
The Law Council also noted—and I think this is very important, because Senator Brandis has made repeated references to the Parliamentary Joint Committee on Intelligence and Security as the one that came up with these proposals at the outset and has evaluated the government's bill and then, again, evaluated the government's amendments—that the definitions of 'computer' and 'network' in the bill are not in line with the joint committee's recommendations. In other words, the government has actually departed from the recommendations that the PJCIS made.
The Law Council recommended:
… that the proposed provisions relating to computer access warrants be amended, where the warrant will provide access to multiple computers, to require a more direct connection between the computer accessed and the nominated person of security interest, and to define key terms such as “computer network”.
That is a straightforward proposition that I am putting today. Specifically, the Law Council recommended the provisions of a surveillance device warrant be amended so that:
Where a single warrant is issued in respect of multiple devices, consideration should be given to ensuring that the use each different device is justified.
That is how the law has operated in the past. That principle of proportionality and having to justify why it is that it is a requirement, and an urgent requirement, in the security interest that people's privacy be invaded. I fully recognise that there are instances where that is entirely justified. But the way those powers are circumscribed and reported on, as I think as Senator Xenophon has foreshadowed, is absolutely essential. We know little enough as it is about the operation of these agencies.
The Law Council, obviously, is not the only one that made this very strong point about the definition of computer networks. As cited in the bill digest, Gilbert + Tobin Centre of Public Law pointed out:
… in the absence of a definition of ‘computer network’, the definition of computer could potentially capture every computer on a university or public service network, cloud or peer-to-peer network, home computers used to access work-related networks remotely, and, ‘taken to its logical extreme … any computer that is connected to the world wide web’.
That is the proposition that I put to the chamber this morning and Senator Brandis puffed himself up, objected and called me a liar. He did withdraw that under duress from the chair. However, this is obviously not a concern that the Greens are alone in bring into this chamber.
The Gilbert + Tobin Centre for Public Law in their submission pointed out:
Suggested improvements included a definition of ‘computer network’ that requires the individual computers in the network to be linked in a substantive way, such as having shared storage drives, or that is limited to local area networks.
… the laws and their amendments did not address concerns that they could enable agencies to tap, access and disrupt target and third-party computers and networks after getting just one warrant.
Professor Williams previously warned the parliamentary committee that the laws were too broad and could allow ASIO to monitor the entire Australian internet as a ‘‘computer network’’.
It is that serious.
Professor Williams is no fool; he has been studying these issues for a lot longer than I have. The problem, of course, is that this applies to computer networks and the internet as a network of networks, that these systems are distributed globally and that putting no upper limit is what creates such a risk.
Electronic Frontiers Australia, it in their submission, have said:
A network can essentially be anything from three computers on a Wi-Fi modem to potentially an entire corporate network or an entire internet service provider network or at the extreme end the whole internet
EFA asserts that the amended definition of computer in sections 4 and 22 of the ASIO Act is too expensive, and may provide a single warrant holder with an enormous number of possible computers to target. EFA notes that by amending the definition of 'computer' and expanding it substantially to include multiple devices, systems or networks, this single amendment would expand the scope of ASIO's powers in a number of other places within the ASIO Act. This is the question that I will put to the Attorney-General shortly.
EFA also notes that this minor amendment relative to the entirety of the act, would have a wildly disproportionate effect on the scope of every single warrant involving a computer—'EFA cannot condone such a rash escalation of warranted power and recommends that a more carefully-defined definition be provided.'
You will notice that the Australian Greens have proposed that rather than falling back on descriptions or definitions of 'computer' and 'computer network' that do not actually exist—although, Senator Xenophon points out that there will be common law interpretations that are used by the courts—anywhere on the statute books, that rather than fooling around with the definition of computer, that we simply provide a cap on the number of devices that can be accessed.
When I have put this proposition to Senator Brandis he sits there dumbfounded and mute, rather than actually putting a view as to why this is not a sensible idea. Perhaps, as Senator Xenophon points out, 20 is too low. As I said before, I understand why ASIO would not want to submit these warrant applications for every single device. Perhaps it should be 50. I am very open to discussion on this, as I said.
Rather than trying to change the definition of a network, we will insert provisions around the number of computers that a single warrant can obtain to access data to disrupt—to install malware, for all we know—all of the various powers that can be contained or that can be exercised under one of these warrants.
Senator Brandis, this may foreshadow the comments Senator Xenophon made before, but I put to you now whether it is the government's intention—or whether you can provide us with where we could find out—that it be possible for the public to know, through the parliament, either through ASIO's reporting obligations, the aegis or perhaps the PJCIS or your own department, how many devices individual warrants ended up allowing lawful access to.
Senator Ludlam: you have asked several times in your contributions today the same question that was asked and answered yesterday. I direct you to the answer I gave to the same question that you have asked several times today. It did not change overnight.
Senator Ludlam: I have not responded for another reason, because I will not facilitate your very obvious attempt to filibuster this legislation and abuse the processes of this place.
Mr Acting Temporary Chairman, I move:
That the question be now put.
The CHAIRMAN: The question is that the question now be put.
by leave—I want to place on record the Labor Party's position in relation to this bill and the way the bill is being managed. As senators would know, the Labor Party has indicated support for this legislation. The Labor Party also indicated yesterday and this morning to the government that we were willing to entertain—we were favourably disposed to—a time-management motion to ensure this legislation was passed next week in accordance with the government's publicly stated timetable. As yet we await the government's proposition in that regard, but we did indicate that because we want this legislation passed. What we are not favourably disposed to is gag motions moved with almost no notice on a bill which we already support. We disagree with the Greens on the substantive issue, but we think the way the chamber ought to be run is to give appropriate notice. As I reiterate, we gave a clear indication to the government we were favourably disposed to a time-management motion to ensure this bill passed in accordance with the government's timetable.
by leave—Senator Wong, I do not want to lose the bipartisanship the Labor Party has commendably shown in relation to this bill. Frankly, if a mistake was made in the judgement of those who manage the opposition's business in this chamber, then a mistake was made.
Nevertheless, this is not—
Opposition senators interjecting—
If I may finish, please. This is not a gag motion. This is a motion to close debate on a Greens amendment which has been debated now for almost three hours. Those of us who have been following the debate could not have the slightest doubt that what Senator Ludlam was engaged in was, in the most obvious way, a filibuster. As a consequence of Senator Ludlam's filibuster, and as a result of the time-management arrangements for next week which Senator Wong has foreshadowed, had the debate on Senator Ludlam's motion not been closed there would be insufficient opportunity for other parties and other senators to have their amendments considered in the committee stage. I thank the Senate for agreeing to terminate Senator Ludlam's filibuster.
by leave—There is no filibuster underway here. The fact is that Senator Brandis has been, as he has so often shown himself to be, his own worst enemy in regard to chamber management. By obstructing debate in the chamber yesterday by refusing to provide a document he had in his possession, and by sitting mute instead of answering sensible questions that myself and crossbenchers have been putting to him for nearly 2½ hours, Senator Brandis once again has been own worst enemy. I understand we will now proceed to the vote, but let no-one be mistaken: Senator Macdonald moved this amendment. The government is now gagging a tremendously important amendment on a bill that will have consequences for all of us.
The CHAIRMAN: The question is that amendments (1) and (2) on sheet 7570 moved by Senator Macdonald be agreed to.
Mr Chairman, I wish to make a personal explanation of less than 60 seconds. Comment has been made about the fact that I actually voted against an amendment I moved. I want to explain to the Senate that in moving the amendment I indicated I was not absolutely convinced of the amendment that I was moving but that I did want there to be debate on it. It looked like there was never going to be debate. Having heard the minister address the amendment, I then indicated that the minister had convinced me, which is what parliament is all about, that the amendment had no merit. You might recall, Mr Chairman, I then even sought leave to withdraw the amendment, but leave was not given. I just wanted to explain that to the chamber.
I move Liberal Democratic Party amendment (1) on sheet 7579:
(1) Schedule 2, page 30 (after line 31), after item 28, insert:
28A After section 25A
25B Collection of intelligence under computer access warrant
Despite anything in section 25A, a computer access warrant issued under that section may authorise access to a computer only to the extent necessary to collect intelligence in respect of the security matter specified in the warrant.
(2) Schedule 2, page 55 (before line 5), before item 46, insert:
46A Before section 32
32A Notification requirements in relation to interference with computer use under warrant etc.
(1) This section applies if:
(a) a warrant was issued under section 25, 25A, 27A, 27C or 29; and
(b) a thing mentioned in subsection 25(5) or 25A(4), paragraph 27D(2)(h) to (k) or subsection 27E(2) was done under the warrant.
(2) The Director-General must cause the Minister and the Inspector-General of Intelligence and Security to be notified of any material interference with, or interruption or obstruction of, the lawful use by other persons of a computer or other electronic equipment, or a data storage device, that resulted from the thing being done.
(3) The notification must be given:
(a) in writing; and
(b) as soon as practicable after the thing was done.
(3) Schedule 3, item 3, page 63 (after line 22), after section 35C, insert:
A special intelligence operation authority must not be granted after the end of 30 June 2025.
(4) Schedule 3, item 3, page 69 (lines 30 and 31), omit "or prejudice the effective conduct of a special intelligence operation".
(5) Schedule 3, item 3, page 70 (lines 2 and 3), omit "or prejudice the effective conduct of a special intelligence operation".
(6) Schedule 3, item 3, page 70 (line 14), at the end of subsection 35P(3), add:
; or (e) of information that has already been disclosed by the Minister, Director-General or Deputy Director-General; or
(f) made reasonably and in good faith, and was in the public interest.
(7) Schedule 3, item 3, page 70 (after line 16), after subsection 35P(3), insert:
(3A) Subsections (1) and (2) do not apply if:
(a) the person informed the Organisation about the proposed disclosure at least 24 hours before making the disclosure; and
(b) the disclosure did not include information on the identities of participants of a special intelligence operation, or on a current special intelligence operation; and
(c) the information concerns corruption or misconduct in relation to a special intelligence operation.
Note: A defendant bears an evidential burden in relation to the matters in this subsection—see subsection 13.3(3) of the Criminal Code.
(8) Schedule 5, items 9 and 10, page 74 (lines 4 to 19), to be opposed.
(9) Schedule 5, item 14, page 79 (lines 1 and 2), omit subparagraph 1(1A)(a)(i).
My amendment is on the same issue as the previous amendment, which was just lost. It is on the issue of how many computers can be the subject of a warrant by ASIO. Senator Ludlam's motion was to limit that to 20, which some people said was impractical. My amendment does not seek to limit it by number; it seeks to limit it by intent. It puts into the bill words that the government itself has put into the revised explanatory memorandum. It states that a computer access warrant under section 25A authorises access to a computer only to the extent necessary to collect intelligence in respect of the security matter specified in the warrant.