Senate debates

Thursday, 14 February 2019

Bills

Telecommunications and Other Legislation Amendment (Miscellaneous Amendments) Bill 2019; In Committee

11:24 am

Photo of Jenny McAllisterJenny McAllister (NSW, Australian Labor Party, Shadow Assistant Minister for Families and Communities) Share this | | Hansard source

I move opposition amendment (1) on sheet 8642:

(1) Page 9 (after line 8), at the end of the Bill, add:

Schedule 3—Systemic weakness or systemic vulnerability

Telecommunications Act 1997

1 Section 317B ( definition of electronic protection )

Repeal the definition.

2 Section 317B ( definition of systemic vulnerability )

Repeal the definition.

3 Section 317B ( definition of systemic weakness )

Repeal the definition.

4 Section 317B ( definition of target technology )

Repeal the definition.

5 Section 317ZG

Repeal the section, substitute:

317ZG Designated communications provider must not be requested or required to implement or build a systemic weakness or systemic vulnerability etc.

(1) A technical assistance request, technical assistance notice or technical capability notice must not have the effect of:

(a) requesting or requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability; or

(b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability.

(2) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to implement or build a new decryption capability.

(3) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to one or more actions that would render systemic methods of authentication or encryption less effective.

(4) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to any act or thing that would or may create a material risk that otherwise secure information would or may in the future be collected, accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party.

(5) The reference in subsection (4) to otherwise secure information includes a reference to the information of, about or relating to any person who is not the subject, or is not communicating directly with the subject, of an investigation to which the relevant technical assistance request, technical assistance notice or technical capability notice relates.

(6) The reference in subsection (4) to an unauthorised third party includes a reference to any person other than:

(a) the person who is the subject of, or who is a person communicating directly with the subject of, an investigation to which the relevant technical assistance request, technical assistance notice or technical capability notice relates; or

(b) the person that issued, or asked the Attorney-General to issue, the relevant technical assistance request, technical assistance notice or technical capability notice.

(7) Subsections (2), (3) and (4) are enacted for the avoidance of doubt.

(8) A technical assistance request, technical assistance notice or technical capability notice has no effect to the extent(if any) to which it would have an effect covered by paragraph (1)(a) or (b).

6 Application provision

Section 317ZG of the Telecommunications Act 1997, as amended by this Schedule, applies in relation to a technical assistance request, technical assistance notice or technical capability notice given on or after the commencement of this Schedule.

I foreshadowed this amendment in my second reading speech. It goes to the definition of systemic weakness, which this was a core issue in the material that was presented to the committee during our hearings. Essentially, stakeholders were concerned that the protection in the bill which prohibits an agency from forcing a provider to implement any kind of systemic weakness or systemic vulnerability is inadequate because those terms are not defined.

The government sought to address that in their amendments to their own bill in December last year, but the government's amendments have been condemned as difficult to understand, ambiguous and significantly too narrow. In fact, technology experts Dr Chris Culnane and Professor Vanessa Teague have described the government's amendments as an abomination.

The amendments before us now would repeal the systemic weakness definitions that were introduced by the government and give clear legislative effect to the advice provided publicly by the Director-General of ASIO. Our amendments are supported by the main industry groups, and I named those groups in my second reading speech. By contrast, we are not aware of any non-government organisations or individuals who support the government's amendments on this issue.

The critical paragraph on sheet 8642 is to amend 317ZG(4) to include this phrase:

(4) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to any act or thing that would or may create a material risk that otherwise secure information would or may in the future be collected, accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party.

These changes seek to protect the information of innocent people, and I commend the amendment to the house.

11:27 am

Photo of Linda ReynoldsLinda Reynolds (WA, Liberal Party, Assistant Minister for Home Affairs) Share this | | Hansard source

The government opposes the opposition's amendments for the following reasons. First, the amendments moved by the opposition propose to delete the definition of 'systemic weakness' from section 317B and leave that term undefined. These amendments also propose to rewrite the prohibition in section 317ZG. The amendment version of section 317ZG removes references to the term 'electronic protection'. This term anchors the current prohibition by explaining what the powers are prohibited from weakening. Electronic protection includes things such as encryption and also authentication. Without reference to electronic protection, it is unclear what section 317ZG prohibits from being weakened. In one instance, for example, these amendments replace 'electronic protection' with 'systemic methods of authentication or encryption'. This includes a narrower set of things than the previous language.

The second reason is that these amendments would also change the legal standard required before the prohibition becomes operative from 'likely' to 'may'. This creates material risk to information security. This standard is too high to be practicable, as it concerns a question of future possibilities. When explaining what is otherwise secure information, these amendments refer to persons other than the person communicating directly with the target person. This concept fails to consider contemporary communication styles, such as forms and broadcast platforms, wherein a communication may not be directly communicated to any person or persons.

Third, the government opposes the opposition's amendments because these amendments refer to an unauthorised third party in order to explain when otherwise secure information has been compromised. This description provides only that the person who is communicating directly and that the interception agency using the power are not unauthorised third parties. We believe this is too narrow. Under this construction, telecommunications companies would become unauthorised third parties.

11:29 am

Photo of Jordon Steele-JohnJordon Steele-John (WA, Australian Greens) Share this | | Hansard source

The Australian Greens will be supporting the amendment put forward by the opposition. They make a bad bill slightly better. I am fascinated to hear Senator McAllister quote from the good Dr Chris Culnane and Professor Teague in relation to this bill. I have been working very closely with individuals, such as themselves, and I can assure the chamber that their preferred outcome would have been for the opposition to oppose the bill and to now have a position of repealing the bill. But, as I said, this makes it a little bit better, so, until we have an opportunity to repeal, it will do.

The CHAIR: The question is that opposition amendment (1) on sheet 8642 as moved by Senate McAllister be agreed to.

11:37 am

Photo of Jenny McAllisterJenny McAllister (NSW, Australian Labor Party, Shadow Assistant Minister for Families and Communities) Share this | | Hansard source

I move opposition amendment (1) on sheet 8643:

(1) Page 9 (after line 8), at the end of the Bill, add:

Schedule 4—Limiting technical assistance requests and technical capability notices to listed acts or things

Telecommunications Act 1997

1 Subsection 317G(6)

Omit "that may be specified in a technical assistance request given to a designated communications provider include (but are not limited to)", substitute "specified in a technical assistance request given to a designated communications provider must be".

2 Subsection 317JA(10)

Omit "that may be specified in a varied technical assistance request include (but are not limited to)", substitute "specified in a varied technical assistance request must be".

3 Paragraph 317T(4 ) ( c)

Repeal the paragraph, substitute:

(c) consist of one or more listed acts or things (other than an act or thing covered by paragraph 317E(1) (a));

4 Subsections 317T(5) and (6)

Repeal the subsections.

In the report from the PJCIS on the original bill, Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, recommendation 10 called on the government to amend the legislation to apply the systemic weakness limitation to all listed acts or things that an agency may be provided to do and to provide exhaustive definitions to the terms 'listed acts or things' and 'listed help' to ensure an agency could only ask or require a provider to do something actually listed in the access bill. There were no government amendments that addressed that first limb of that recommendation back in December, and our proposed amendments to section 317ZG implement that limb of recommendation 10.

With regard to the second limb of recommendation 10, the government's amendments did not address the ability for an agency to issue a technical assistance request to seek voluntary assistance outside of those matters listed in the definition of 'listed acts or things' as prescribed in the act, and these amendments correct that. The government's amendments also did not amend the provisions that would limit the types of new capabilities that a provider may be compelled to develop—that is, a provider may be compelled to develop new capabilities other than those listed in the act. As originally introduced, the access bill allowed the Minister for Communications and the Arts to prescribe other capabilities that would constitute listed help. Rather than removing that power as required by recommendation 10, the government's amendments transferred such decisions to the Minister for Home Affairs, Mr Dutton. These amendments will implement recommendation 10 of the committee's report by removing that power.

11:39 am

Photo of Linda ReynoldsLinda Reynolds (WA, Liberal Party, Assistant Minister for Home Affairs) Share this | | Hansard source

The government oppose this amendment, and I would just like to detail why. There are numerous reasons why we oppose this amendment. Firstly, in response to recommendation 10, the government amended section 317E to ensure the listed acts or things are exhaustive for compulsory industry assistance measures. To balance this amendment against the legislative intention of keeping powers current with new technological developments, it was necessary to add a new item to the list of acts or things.

Section 317E(da) allows the industry assistance powers to be used in facilitation of an activity conducted under a warrant or authorisation under a law of the Commonwealth, a state or a territory or the effective receipt of information in connection with a warrant or authorisation. The introduction of section 317E(da) ensures that interception agencies are able to use the industry assistance measures as intended to give effect to a warrant or to authorisation. This is an appropriate addition as it will only authorise activities that are immediately incidental to doing a thing that has been approved pursuant to an underlying authority, subject to existing safeguards and thresholds, and that also, of course, includes judicial approval. Section 317E(da) will also ensure that the utility of the industry assistance measures continue to be relevant for law enforcement and also, of course, for security agency warrants, which continue to be updated and fitted to technological developments.

The aim of keeping legislation fit for purpose as a regulated industry evolves is genuine and legitimate, particularly when seeking assistance from an innovative and fluid sector such as the communications industry. Without forward-thinking legislation, it may also be necessary to consider wholesale legislative reform in the near future. It would be irresponsible to design a regime that does not consider the implications of technological process where the very issue the regime has been designed to address has been created by technological process. Additionally, this approach finds precedent in section 313(7) of the Telecommunications Act 1997, which specifies that giving help in the context of domestic industry assistance includes giving effect to warrants and authorisations under the T(IA) Act. Given the broader potential use cases of industry assistance, it was necessary to forgo enumeration of the potential warrants and authorisations in section 317E(da).

Technical assistance requests are supported by strong safeguards and limitations to ensure they are used appropriately and only when required. Importantly, the voluntary nature of requests means that providers will not be issued with a penalty for noncompliance. Requests must relate to a relevant objective which forms the core functions of law enforcement and national security agencies. In the case of ASIO, this includes safeguarding national security. In the case of ASIS, this includes the interests of Australia's national security, the interests of Australia's foreign relations or the interests of Australia's economic wellbeing. In the case of ASD, this relates to their cybersecurity functions. In the case of an interception agency, it is enforcing the criminal law so far as it relates to serious Australian offences or enforcing the criminal laws enforced in a foreign country so far as those laws relate to serious foreign offences.

Technical assistance requests are supported by strong safeguards and limitations to ensure they cannot be used for mass surveillance or assessing content without a warrant, and they certainly cannot be used to systematically impact the security of networks and devices. Agencies and law enforcement authorities will only be able to use requests when there is an underlying warrant. There are cost recovery provisions built in to ensure that providers are not penalised for providing legitimate support to agencies. It is important for all of the reasons we've outlined that the Senate does not support this amendment as, I believe, it is absolutely essential to keep the legislation fit for purpose as regulated industry evolves. Making listed acts or things exhaustive for TARs or TANs is problematic for these very reasons. Technical capability notices go to capability building, and it is for those reasons—

Photo of Sue LinesSue Lines (WA, Deputy-President) Share this | | Hansard source

Senator Reynolds, please resume your seat. Thank you. We've reached the hard marker here, so the committee will now report.

Progress reported.