Government presses on for wider security powers
Australia’s security and law-enforcement chiefs have declined to endorse federal government assertions that proposed new encryption laws must be rushed through parliament in the wake of Melbourne’s recent Bourke Street terrorist attack.
This week, the heads of the Australian Security Intelligence Organisation (ASIO), Australian Federal Police (AFP), Australian Signals Directorate and Victoria Police gave evidence to the parliamentary watchdog committee examining the encryption legislation, as did the Department of Home Affairs. All argued the new powers were needed urgently to allow access to encrypted data and the content of calls and messages.
But ASIO, the Australian Federal Police and Victoria Police would not affirm suggestions that the Melbourne incident, and subsequent arrest of three men suspected of planning a separate attack, had increased the terror threat.
ASIO’s director-general of security, Duncan Lewis, also confirmed the national security agency was not consulted before Prime Minister Scott Morrison and Home Affairs Minister Peter Dutton demanded last week that the bipartisan parliamentary joint committee on intelligence and security (PJCIS) cut short its deliberations over the encryption legislation so that parliament could pass it before rising for the year next week.
Last Thursday, Dutton wrote to the PJCIS urging it to wind up its review of the encryption laws early. The committee is required, by law, to review security legislation.
“The government has introduced this legislation into the parliament in direct response to the serious deterioration in Australia’s national security resulting from the pervasive use of encrypted communications by threats, including terrorist suspects and organised criminals,” Dutton wrote.
He quoted ASIO’s assessment that 95 per cent of people planning and engaging in terrorism, espionage and other unlawful cyber activity used encrypted communications, undermining agencies’ ability to keep Australians safe.
“This situation has become more urgent, however, in light of the recent fatal terrorist attack in Melbourne and the subsequent disruption of alleged planning for a mass casualty terrorist attack by three individuals,” Dutton wrote.
He said the use of encrypted communications was “particularly concerning as we approach Christmas and the New Year” – periods that have been targeted in the past.
The same day, Dutton joined Morrison at a news conference where they stepped up pressure on the committee to finish its review and pass the encryption bill.
“We know from the matters that are currently under investigation, the ability for our authorities to have these powers, to engage in intercepting these communications is incredibly important,” Morrison said at the time. “Our police, our agencies need these powers now and I would like to see them passed. In fact, I would insist on seeing them passed before the end of the next sitting fortnight.”
This is despite submissions from two other key watchdog organisations, the Inspector-General of Intelligence and Security and the Commonwealth ombudsman, that the legislation could lead to security agencies operating without proper accountability and needed significant improvement.
Communications and internet companies are also concerned it could potentially weaken encryption and leave Australian systems, software, devices or components vulnerable to cyber attack – something the agencies dispute.
The companies argue that fear of a weakness, combined with Australian providers being forced to give the agencies secret access to their products and to users’ devices and information, would cause serious reputational damage internationally and see sales and usage plummet.
In a move that suggested the PJCIS did not appreciate being hurried, committee chairman and Liberal MP Andrew Hastie, and his Labor deputy Anthony Byrne, issued a rare joint statement. They said the committee had agreed to hear urgent arguments at special hearings this week, but had not cancelled already-scheduled hearings due later this week and next. At time of press, those hearings were still scheduled.
Called to appear a second time before the PJCIS on Monday, agency chiefs reiterated the need for the powers, warning that criminals and would-be terrorists had already “gone dark”, using encryption to evade detection.
But they would not say the threat was any greater this Christmas than it had been previously.
Duncan Lewis said neither he nor his ASIO deputy, Heather Cook, were advised before Morrison and Dutton demanded the committee wind up deliberations. ASIO also had not briefed them on any need to expedite the review, nor requested it be truncated.
Lewis said encrypted communications had caused problems for ASIO investigations since 2014.
“From my point of view, the urgency began four years ago,” he said. “We’ve said that it has been a necessary step for government to take to get some legislation in place to assist us. That hasn’t changed … I’m not in a position to suggest that there is some sort of sudden ramp-up. It was important initially and it is becoming progressively more important because of the levels of encryption that we face each day, but the detail of the legislation – whether it’s right or not – really is a matter for legislators.”
Lewis said ASIO wanted the legislation passed but wouldn’t nominate a time frame, acknowledging it would still take weeks for agencies to have the systems in place to use it.
The bill itself, which was introduced in September, also had further inbuilt delays for consultation and authorisation.
Lewis said that while the events in Melbourne served as “a timely reminder”, the alert was no higher as a result.
“We’ve not changed the threat level at Christmas time to my knowledge – certainly not while I’ve been in this position – because a general lift of threat would require specific information that there was an attack [planned] at a certain place by certain people at a certain time,” he said. “… And I just want to assure you, members of the committee and members of the public, that we have no such evidence of that at this stage. There is a general heightening of security over Christmas but there is nothing specific to indicate there is an attack coming that would therefore warrant an increase in the threat level.”
The Department of Home Affairs wants the expanded powers to access encrypted information to prevent and prosecute all kinds of serious crime, not only terrorism.
Shadow attorney-general Mark Dreyfus, a member of the PJCIS, indicated the committee might make an interim report recommending amending the legislation to only cover counterterrorism while it considers wider implications, including regarding other crime.
AFP commissioner Andrew Colvin said the operational urgency was “now becoming very real, and continues”. His Victoria Police counterpart, Neil Paterson, said the threat in his home state was “growing in complexity”.
Colvin said the narcotics trade spikes during the summer party season.
Asked if there was an urgent need for the powers over Christmas, he said: “I would have to say that that is at a constant tempo that is so high for us anyway that those peaks and troughs are in the margins. It runs at a very high tempo constantly.”
Paterson declined to agree that Victorians would be at risk if the legislation wasn’t passed before Christmas.
“I don’t know if I can speak on the exact timing,” he said.
The agencies’ comments came after warnings of the need to get the legislation right. The Inspector-General of Intelligence and Security, Margaret Stone, who oversees intelligence agencies, reiterated her concern that the bill’s oversight provisions were inadequate.
Those concerns have been echoed by the Commonwealth ombudsman, who oversees the activities of law-enforcement agencies under the Telecommunications (Interception and Access) Act governing warrants for phone taps and other electronic surveillance and some warrantless requests to access metadata.
As The Saturday Paper reported last week, many federal, state and local agencies and organisations are now side-stepping that process, lodging 350,000 requests for unencrypted metadata yearly using different, broader legislation with limited oversight.
Requests are expected to increase under the encryption laws.
While others among Australia’s Five Eyes security partners – the United States, Britain, Canada and New Zealand – have varying data access laws, none are believed to be as extensive as those proposed in Australia.
While its crime-fighting utility has been acknowledged, the encryption bill has also attracted international warnings about potential downsides. A group of security experts from Australian and international universities, including Cambridge and Harvard, have warned the committee of potential negative implications.
And the United Nations special rapporteur on the right to privacy, Joseph Cannataci, gave videolink evidence this week that he was gravely concerned.
Cannataci said the legislation was badly drafted, vague and too broad.
“This bill remains fatally flawed,” he said. “It does not meet the basic requirements for government-led surveillance as identified by my mandate. It lacks the basics of due accountability to parliament and beyond and it exposes Australia and the world to greater risks in cyber insecurity.”
Margaret Stone and her deputy Jake Blight told a PJCIS hearing on November 16 that their office had not been consulted on the shape of the bill’s exposure draft.
On Tuesday, they revealed the Department of Home Affairs had contacted them on Monday seeking to discuss concerns.
But Stone’s comments suggest they still have very different views about the legislation.
“We would certainly make every effort to meet with them as often as necessary,” Stone assured the committee. “How long it takes to reach a common view is another matter.”
Like the committee overall, she gave little indication she was willing to be rushed.
This article was first published in the print edition of The Saturday Paper on Dec 1, 2018 as "Under data’s orders". Subscribe here.