Telecommunications and Other Legislation (Assistance and Access) Bill 2018

House of Representatives, Canberra.

Mr DREYFUS (Isaacs—Deputy Manager of Opposition Business) (09:32):  The safety of our community and the security of our nation must always be paramount considerations for every member of this parliament. We in Labor have proved, both in government and in opposition, that we always place national security ahead of partisan politics. The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 is the 16th substantive national security bill introduced over the last five years. I will address the specific reasons for Labor's support of this assistance and access bill shortly, and I will also explain a number of our concerns and the solutions we have insisted on to address those concerns.

But, before I turn to those specific matters, I will first say a little about the general approach that I and the Labor opposition have been taking to national security matters. First, we start from the premise that our security agencies and our law enforcement bodies, to the extent that they are involved in national security matters, must be given the powers and resources they need to keep our community safe and our nation secure. Second, we believe that national security laws that encroach on the rights and freedoms of Australians must always be necessary and proportionate to the threats being faced. Third, Labor holds that, with the granting of new powers, we must also establish new oversight and transparency mechanisms designed to ensure these powers are used for the purpose for which they are granted and in a manner that ensures ongoing accountability for their exercise. And the fourth basic principle guiding our approach is that national security laws conferring extraordinary new powers should treat those powers as extraordinary rather than as the new normal.

These principles are often challenging to apply, but we put a great deal of time and energy into rigorously analysing every national security bill that is presented against these principles. We do this because we understand that in conferring new powers to protect our nation's security it's vital that we do not compromise the very freedoms and way of life that we're seeking to protect. This means that in keeping Australians safe we also seek to uphold the rights and freedoms that we as a democratic society hold dear and that generations of Australians have fought to protect. No deranged or hate-filled terrorists can take those freedoms and rights from us. Only an Australian government that has given in to fear—to the terror that is by definition the primary weapon of the terrorist—has the power to do that. We must also always be aware that, while the laws we pass can be part of the solution to national security threats, if they are improperly designed those laws can become part of the problem, because our agencies can do their critical work only if they have a good relationship—a relationship of trust—with the community they are protecting. This has been shown time and time again with terrorism offences in particular when the vital information to stop terrorist events comes to our agencies from within the community.

David Kilcullen is one of Australia's most accomplished counterterrorism experts. I've quoted him before, but I think the warning he provides is worth repeating today. Mr Kilcullen was a senior officer in the Australian defence forces. He went on to advise on counterterrorism at the most senior levels of the United Kingdom and United States governments and military, working as the chief strategist in the office of the coordinator of counterterrorism at the US state department as well as special adviser to US General David Petraeus in Iraq. Writing about the challenge of confronting terrorism in 2015, Mr Kilcullen warned about the impossibility of making a democratic society entirely safe through the imposition of ever-increasing counterterrorism laws. He wrote:

… a truly effective domestic defensive strategy would turn (indeed, has already gone a long way to transforming) our societies into police states.

A purely defensive stance, if it is to prevent terrorist attacks from within and without, would have to include some or all of the following: perimeter defences on all major public (and many private) buildings, restrictions on access to public spaces, intrusive powers of search, arrest and seizure, larger and more heavily armed police forces, with more permissive rules for use of lethal force, intensive investigations of individuals’ thoughts, words and actions, citizen surveillance …

Mr Kilcullen's list goes on at some length, concluding with:

… the need for a raft of limitations to freedom of expression and assembly. It would also, of course, impose limitations on international trade and require increased state spending—essentially a 'terrorism tax'.

Mr Kilcullen then warns:

… accepting these impositions as permanent, and developing them to the level at which they could actually—in their own right, as the centrepiece of a counterterrorism strategy—protect against the atomised, self-radicalised terrorist threat of tomorrow, would amount to destroying society in order to save it.

While the new powers that will be conferred by this bill will be used for both counterterrorism and police work, I believe that the warning Mr Kilcullen sounds remains entirely relevant.

I turn now to the access bill itself. The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 was introduced into the parliament on 20 September 2018. Without specifying a reporting date and without any suggestion that it was urgent for the inquiry to be concluded by the end of the year, the Attorney-General referred the access bill to the committee on the same day.

Although the government claimed that it had consulted widely on the access bill before its introduction into the parliament, the public consultation was very short, especially for such a lengthy and complicated bill, running as it does to some 175 pages.

An exposure draft of the bill was published on 14 August and submissions closed on 10 September 2018. Disappointingly, it became apparent over the course of the inquiry conducted by the Parliamentary Joint Committee on Intelligence and Security that many affected organisations were hardly consulted at all before 14 August, including, extraordinarily, the government's own Inspector-General of Intelligence and Security and the Commonwealth Ombudsman. In fact, the inspector-general and the Ombudsman told the committee that they found out about the exposure draft of this bill from media reports. A number of Australian companies also indicated to the committee that either they were not consulted by the Morrison government or, alternatively, if they had been consulted, when they had made submissions they were essentially ignored.

The committee heard compelling evidence that in the form the government introduced this bill to the parliament it could well do more harm than good. Specifically, as presented to this House, the bill could, among other things, pose a significant risk to Australia's national security, jeopardise security cooperation with the United States and create unnecessary risks to Australian businesses and, in particular, local technology exporters.

I will briefly expand now on each of those three key risks. First, there's the risk to national security. Encryption plays an essential role in protecting Australia's digital infrastructure. It protects everything from an individual's iPhone to the electricity and telecommunications grids and banking and mass transit systems. As Cisco put it in one of the committee's public hearings:

… it is hard to overstate the importance of strong encryption, not only to the delivery of e-commerce and message functions but also to the protection of critical systems. These systems include computer controlled systems that deliver food, water, transportation services, health, telecommunications and government services.

Key to the concerns about the risk that the access bill could pose to national security is the uncertainty over whether the use of the new powers in the bill could lead to the creation of a backdoor—a weakness that may be applied to just one device, for example, but which could also weaken the security of other devices that use the same system. In the face of overwhelming evidence from many submitters to the committee's inquiry, the government has remained adamant that the access bill could not lead to the creation of backdoors. The government says that this is because there is a provision in the bill that prevents providers from being forced to implement any kind of systemic weakness into a form of electronic protection. But that term is not defined in the access bill, and this has led to confusion about what it even means. Without an appropriate definition of 'systemic weakness' and improved safeguards, a range of stakeholders have said that there is a real risk that the new powers in the access bill could make Australians less safe—and even threaten national security—by weakening the encryption that protects critical infrastructure. Such weaknesses could be exploited by malicious actors, such as terrorists, serious criminals and state-sponsored hackers. This could mean malicious actors disabling telecommunications networks or the national electricity grid. It could mean hackers stealing money from the bank accounts of innocent Australians or compromising the confidentiality of investigations being conducted by Australian law enforcement agencies. The Director-General of Security has assured the intelligence committee and the Australian people that his agency has no intention of using the new powers in the access bill to require a provider to do anything that could jeopardise the security of innocent Australians.

The issue of inserting an appropriate definition of 'systemic weakness' into the legislation has been a major issue of disagreement between Labor and the government that we are continuing to work to resolve, even now. The concern that the access bill could, in fact, pose a risk to Australia's national security was echoed by representatives of Senetas Corporation during a public hearing on 30 November 2018. Senetas is a leading provider of encryption technology, and, as its chairman explained to the committee, it is responsible for securing the systems of Australian law enforcement agencies; royal commissions, including the Royal Commission into Institutional Responses to Child Sexual Abuse; a number of Australian banks; and our defence forces. The chairman of Senetas told the committee that, in its current form, the access bill:

… compromises the security of citizens, businesses and governments because there will be weaker cybersecurity practices. It will be easier for cybercriminals, terrorists, to target systems and be able to break into those systems …

The fact that the government, and the Liberal members of the committee, were a week ago proposing to just ignore the evidence of Senetas—the entity responsible for protecting many of Australia’s most critical systems from malicious hackers—was of great concern to Labor. Fortunately, after the government declared last week that they would cease working with Labor on a joint report in the intelligence committee addressing these problems, on Monday the government backed down from this reckless course and returned to the negotiating table. Since then, we've been able to agree on a number of significant amendments to this bill to address the most significant concerns that have been raised.

I will turn to the risk to security cooperation with the United States. Another key concern raised by a number of submitters in the public hearings on this bill—and, apparently, not even thought of by the government as they prepared and then tabled this bill—was whether it could prejudice Australia's future security cooperation with the United States. A number of submitters drew the committee's attention to the potential problems the access bill could cause for compliance with the US Clarifying Lawful Overseas Use of Data Act, the CLOUD Act, which was enacted in March of this year. Under the US CLOUD Act, it’s possible for Australia to enter into a bilateral agreement with the United States to allow Australian agencies to request the data of non-US persons—like WhatsApp messages sent by or to a terrorist subject—from Australian technology companies directly. This would enable Australian agencies to bypass the existing requirement of making such requests via the US Department of Justice, which can take many months to process. Just to be clear: at the moment, we have mutual legal assistance treaty arrangements with the United States where our agencies, in a cumbersome system that's been in place for many years, can make a request for telecommunications data via those mutual legal assistance treaty processes, but it can take months, and sometimes more than a year, for the data that has been requested to be produced. That's why the US CLOUD Act, passed by the congress in March of this year, offers a tremendous prospect of much, much quicker access for Australian police forces, and for Australian intelligence agencies, to simply make the request, using the CLOUD Act processes, that would go directly to a telecommunications service provider that is based in the United States. And, provided—and this is the basis of the CLOUD Act processes—that the request did not relate to a US citizen and related to foreign—from the point of view of the United States—law enforcement processes, the request will be able to dealt with in a matter of days, rather than the many months that presently afflict our agencies in terms of this cooperation with the United States. But the significance of this is that, in order to enter into an agreement with United States under the CLOUD Act, the US Attorney-General must certify, with the concurrence of the Secretary of State, that the foreign government affords:

… robust substantive and procedural protections for privacy and civil liberties …

If such a certificate is issued, congress is able to object to any such certification within 90 days.

The vast majority of submitters argued that the access bill in its current form—that is, in the form in which it was presented, unthinkingly apparently, by the government to this parliament—does not afford robust, substantive and procedural protections. As such, Labor members of the intelligence committee were very concerned that unless it is significantly amended the access bill could imperil Australia's chances of entering into a Cloud Act agreement with the United States. Moreover, even if Australia were already party to a bilateral agreement with the United States under the Cloud Act, Stanford University cybersecurity and cryptography fellow Riana Pfefferkorn said to the intelligence committee:

Absent some clearer authority and better judicial oversight of technical capability notices and technical assistance notices, I'm not sure that such a notice would be eligible to be served at all through any agreement under the Cloud Act on US providers directly.

This evidence, which until this week appears simply to have been ignored by the government, was presented to the committee during a public hearing on 16 November 2018, just before the Minister for Home Affairs and the Prime Minister were calling on the committee to accelerate its inquiry.

It's important that Australia be able to take advantage of this vital new mechanism provided by the United States. In order to put the Australian government in the best position to do so, the committee requires further evidence from experts on the Cloud Act. While the committee has addressed in its recommendations some of the matters that could undermine Australia's capacity to cooperate with the United States under the Cloud Act, further work on this critical matter is one of the reasons for Labor's insistence that the committee should continue its inquiry into this bill. It is absolutely vital that this bill, which will be the domestic legislation of Australia from the point of view of the United States authorities, conforms to what the United States regards as robust, substantive and procedural protections for privacy and civil liberties, and that in turn will need to take account of what is known as Fourth Amendment jurisprudence in the United States, a key feature of which is judicial warrants. What the United States and the United States authorities are always looking for in domestic legislation is judicial oversight and judicial warrants authorising compulsive processes. At present, this bill does not contain that form of judicial oversight or judicial warrants.

I turn to the risk to Australian business. Numerous submitters to the intelligence committee said the access bill in its current form could force Australian technology businesses to move offshore. This could threaten over $3 billion in Australian exports and cost thousands of Australian jobs. Remarkably, it has become painfully clear over the course of the committee's inquiry that the government barely considered these issues before the Minister for Home Affairs introduced the access bill into the parliament on 20 September. By way of example, the Australian Industry Group, the Australian Mobile Telecommunications Association, the Australian Information Industry Association and the Communications Alliance have told the committee:

The proposed legislation, through its mere existence, will make Australian exports of IT and communications products and services, or even every Australian website, subject to the same concerns by overseas governments and organisations that recently moved the Australian government to ban certain vendors from supplying hardware for Australia's future 5G networks. Therefore, the draft bill poses a real risk for the IT communications export industry, which Austrade values at AU$3.2 billion for 2016-17 and this figure does not include the value of other exports enabled by Australian websites, IT and communications products.

Collectively, those organisations who gave that evidence to the intelligence committee represent the interests of tens of thousands of Australian businesses, including small and medium sized companies. The committee also received direct submissions from small and medium sized Australian companies who were concerned that the access bill in its current form would make them less competitive in the global technology market, and the committee has heard from at least two Australian companies that may be forced to move their operations offshore if the government gets its way.

Other companies have said that it could lead to job losses. Senetas, for example, has told the committee that it may no longer be able to manufacture in Australia if the access bill were to pass in its current form and that this could result in the loss of 200 jobs. It's not just established businesses that may be affected. The Victorian government's start-up agency, LaunchVic, told the intelligence committee that the access bill could hamper the ability of local start-ups to develop their products in Australia, attract customers and investment and create jobs. In response to questions by members of the intelligence committee, the Department of Home Affairs confirmed that no report was commissioned on the impact the access bill could have on local industry and there had been no direct engagement with the Department of Industry, Innovation and Science during development of the access bill.

Once again we have fought to improve the bill to deal with the most significant of the many concerns raised in this regard. Labor has been consulting with industry and civil society stakeholders both through the committee's process and outside. We have negotiated with the government to give effect to their core concerns. While there are significant outstanding issues, the compromise that Labor has reached with the government will deliver security and enforcement agencies the powers they say they need over the Christmas period and will ensure adequate oversight and safeguards to prevent unintended consequences while enabling continuing scrutiny of the bill into 2019.

Labor members of the committee were prepared to undertake the course of action that they have taken in reaching agreement on the consensus report that was tabled in the parliament yesterday only because of the government's undertaking that the committee will continue its inquiry into the bill into 2019 and that a separate statutory review will be undertaken by the Independent National Security Legislation Monitor within 18 months of the legislation coming into effect. These separate processes provide an opportunity to resolve our ongoing concerns about the bill with the assistance of industry experts and civil liberties groups while also upholding our responsibility to keep Australians safe.

Labor members of the intelligence committee have sought and obtained recommendations in the PJCIS report. If these recommendations are translated into amendments brought to this House or the Senate by the government then those amendments will address many of the core concerns raised by Labor and stakeholders. It is to be noted that the committee will undertake further inquiry immediately after any legislation is passed and that the Independent National Security Legislation Monitor will do so shortly thereafter.

'Systemic weakness' related concerns are to be addressed by amendments that define and clarify the term 'systemic weakness' and also amendments that clarify that technical capability notices cannot be used to create a systemic weakness. Other concerns which will need to be addressed through amendments include the ability for a provider to disclose details of a technical capability notice except to the extent that doing so would compromise an investigation. That point is one of particular significance to industry and to all users of the internet, which is an open system but would cease to be an open system if particular fixes were required to be kept secret. A further point that will need to be attended to in the amendments is authorisation of a technical capability notice requiring the approval of both the Attorney-General and the Minister for Communications.

Further matters to be dealt with in the amendments include that a designated communications provider which has concerns about a technical capability notice will be able to request a binding assessment of whether or not it would indeed create a systemic weakness, whether the requirements are reasonable and proportionate, whether compliance is practically and technically feasible and whether the notice is the least intrusive measure that would still achieve the objective. Two persons, a technical expert and a non-serving judge, would be jointly appointed to conduct the assessment, and their report would have to be provided to the Inspector-General of Intelligence and Security in the case of ASIO and to the Commonwealth Ombudsman in the case of the Australian Federal Police.

This essentially means that any request to a provider that might create a systemic weakness would be subject to a merit review style process.

The inadequacy of the oversight and safeguards arrangements provided in the bill produced to this parliament by the government will also be addressed by amendments that will include strengthening the Inspector-General of Intelligence and Security's oversight of the powers. This would include explicit notification and reporting requirements when issuing varying, extending or revoking a notice or request, and limits on the exercise of the powers, including extending the prohibition on systemic weakness to voluntary notices, ensuring that decision-makers consider necessity and intrusion on innocent third parties when they issue a notice. There will also be provision for defences for IGIS officials and clear information-sharing provisions.

The amendments will include, also in this oversight context, establishing clear authority for the Commonwealth Ombudsman to inspect and gather information on the exercise of these powers by the Australian Federal Police, ACIC, and state and territory interception agencies. The amendments in relation to the Commonwealth Ombudsman will include notification requirements and information-sharing provisions which would complement the inspection activities of state and territory oversight bodies. The Australian Federal Police will also be required to approve any state- and territory-initiated technical assistance notices, and must apply the same criteria and go through the same decision-making processes as would apply if the Australian Federal Police were the original issuing authorities.

As honourable members would have gathered by now, this is a large piece of legislation of considerable complexity. In response to the government's demand that consideration of it through the intelligence committee be accelerated, the Labor members of that committee—and the Labor Party as a whole in this place—have assisted in that process. The government produced draft amendments to Labor early this morning. It's anticipated that those amendments will be moved in the Senate. On that basis, I commend the bill to this House for passage in this House—I say again on the basis that the amendments encompassing the recommendations of the intelligence committee will be moved in the Senate.