The following discussion paper authored by the Australian Attorney General’s Department presents a number of proposed changes to the laws governing Australia’s intelligence agencies and their access to telecommunications data. Under the proposed changes, all Australian telecommunications companies would be required to retain user data for two years and intelligence agencies could obtain lawful access to an individual’s computer, phone and internet data using a single warrant. The proposed changes would also make Australian Security Intelligence Organisation (ASIO) officers immune from criminal prosecution under certain circumstances when engaged in undercover operations.
EQUIPPING AUSTRALIA AGAINST EMERGING AND EVOLVING THREATS
- 61 pages
- July 2012
At the forefront of the Government’s commitment to Australia is protecting our national security. In recent years terrorism has been an enduring national security threat. The world and our region have suffered numerous major attacks. And significant terrorist plots have been foiled on our soil. We have developed significant national security capability in the fight against terrorism and other enduring threats such as espionage, serious and organised crime, and cyber crime. Our challenge is to ensure that, as Australia evolves as a 21st century society and economy, our national security capability similarly evolves with high levels of agility and adaptability and continues to meet emerging threats.
As Australia advances, so too do threats to our wellbeing. Meeting the challenges of new technologies and methodologies is a key priority for the Australian Government in the national security sphere. Our law enforcement and security capabilities must keep ahead of terrorists, agents of espionage and organised criminals who threaten our national security and the safety of our citizens. So our law enforcement and intelligence agencies must be equipped with contemporary skills and technologies, and backed by necessary powers – coupled with the appropriate checks and balances and oversight mechanisms society rightly demands.
This package of reform proposals, which comprises telecommunications interception reform, telecommunications sector security reform and Australian intelligence community reform, seeks to do just that. The common thread of national security runs through the proposals, which seek to respond to threats from international state and non‐state based actors, terrorism, serious and organised crime and cyber crime.
Just as technology and methodology employed by terrorists, agents of espionage and organised criminals adapts and advances so too must the capabilities and powers of our law enforcement and security agencies. In the absence of action, significant intelligence and evidence collection capabilities will be lost providing criminal elements with a technological upper hand.
Telecommunications interception reform recognises that there are significant challenges facing intelligence and law enforcement agencies in accessing communications, particularly in keeping pace with rapid changes in the telecommunications environment. New, emerging and future technologies impact on the ability of these agencies to access communications to collect intelligence and effectively detect and prosecute crimes. The Australian Crime Commission’s Future of Organised Criminality in Australia 2020 assessment reveals that access to highly effective software, ciphers and other methodologies are increasingly being utilised by organised crime to impede detection by law enforcement. Lawful interception, therefore, is the most important tool in the investigation and prosecution of serious and organised and other technology‐enabled crime, and is vital to effectively collect security intelligence. Proposed reforms seek to allow those agencies to utilise modern technologies to maintain effective investigative techniques.
Telecommunications sector security reform seeks to address the national security risks posed to Australia’s telecommunications infrastructure. The security and resilience of such infrastructure significantly affects the social and economic well‐being of the nation. While advances in technology and communications have resulted in unquestionable benefits to society and the economy, they have also introduced significant vulnerabilities, including the ability to disrupt, destroy or alter critical infrastructure and the information held on it. As Australia’s telecommunications landscape continues to evolve, it is appropriate and timely to consider how best to manage risks to the data carried and stored on our telecommunications infrastructure to secure its availability and integrity in the long term. The ideas included in this discussion paper build on consultation with industry earlier in 2012 about the most effective way to manage national security risks to telecommunications infrastructure.
Australian intelligence agencies have made a significant contribution to our safety by constant and careful assessment of possible threats. At least four planned terrorist attacks designed to achieve mass casualties on Australian soil have been thwarted by agencies since 11 September 2001. To continue this crucial role, it is imperative that Australia’s intelligence agencies remain robust and can effectively deal with the challenges presented by today’s and tomorrow’s international security environment. Following the 2008 Report of the Review of Homeland and Border Security conducted by Mr Ric Smith AO PSM, the Attorney‐General’s Department has worked with relevant agencies to determine the powers required to deal with current and future national security challenges. Australian intelligence community reform is about appropriately equipping and enhancing the operational capabilities of these agencies.
This Discussion Paper contains the terms of reference for the PJCIS inquiry at Chapter One, followed by chapters on each of the proposals which comprise the package of proposals. Chapter Two, ‘Interception and the TIA Act’, deals with telecommunications interception reform and outlines the problems facing law enforcement and intelligence agencies that have arisen from the operation of the Telecommunications (Interception and Access) Act 1979. Chapter Three, ‘Telecommunications Sector Security Reform’ considers possible amendments to the Telecommunications Act 1997 to establish a risk based regulatory framework to better manage national security challenges to Australia’s telecommunications infrastructure. Chapter Four considers ideas for reform of the Australian Security Intelligence Organisation Act 1979 and the Intelligence Services Act 2001.
Although the package is referred to the PJCIS in its totality, in considering the ideas the Attorney‐General has organised the proposals in three separate groupings: those the Government wishes to progress, those the Government is considering, and those on which the Government expressly seeks the PJCIS’ views. Chapter One elaborates on the content of each group. Chapters Two, Three and Four refer to the groups within which the ideas sit, as determined by the Terms of Reference.
• Matters the Government wishes to progress:
  ◦ Examining the legislation’s privacy protection objective, the proportionality test for issuing warrants, mandatory record‐keeping standards, and oversight arrangements by the Commonwealth and State Ombudsmen
  ◦ Reducing the number of agencies eligible to access communications information
  ◦ Standardising warrant tests and thresholds
  ◦ Simplifying the information sharing provisions that allow agencies to cooperate
  ◦ Removing legislative duplication
  ◦ Aligning industry interception assistance with industry regulatory policy
  ◦ Clarifying the ACMA’s regulatory and enforcement role
• Matters the Government is considering:
  ◦ Creating a single warrant with multiple TI powers
  ◦ Implementing detailed requirements for industry interception obligations
  ◦ Extending the regulatory regime to ancillary service providers not currently covered by the legislation
  ◦ Implementing a three‐tiered industry participation model
• Matters on which the Government expressly seeks the views of the Committee:
  ◦ Expanding the basis of interception activities
  ◦ Establishing an offence for failure to assist in the decryption of communications
  ◦ Instituting industry response timelines
  ◦ Applying tailored data retention periods for up to 2 years for parts of a data set, with specific timeframes taking into account agency priorities and privacy and cost impacts
Should an authorised intelligence operations regime be pursued, it will be critical that it achieves an appropriate balance between operational flexibility and appropriate oversight and accountability. Key features that may contribute to such could include:
• the Director‐General of Security to issue authorised intelligence operation certificates which would provide protection from criminal and civil liability for specified conduct for a specified period (such as 12 months)
• oversight and inspection by the Inspector‐General of Intelligence and Security (IGIS), including notifying the IGIS once an authorised intelligence operation has been approved by the Director‐General
• specifying conduct which cannot be authorised (eg, intentionally inducing a person to commit a criminal offence that the person would not otherwise have intended to commit and conduct that is likely to cause the death of or serious injury to a person or involves the commission of a sexual offence against any person), and
• independent review of the operation, effectiveness and implications of any such scheme, which could be conducted five years after the scheme’s commencement.
Access to communications content and communications data
The TIA Act is also based on the assumption it is possible to reliably access communications which are the subject of an interception warrant at a convenient point on a carrier’s network through which the data must flow. This is problematic as most networks are now based on Internet protocol (IP). With this technology users can access communications via multiple access technologies (fixed networks, wireless, satellite, etc.), multiple physical locations and multiple access service providers, some part of which need not be owned, operated or accessible to regulated participants in the telecommunications industry, such as carriers and carriage service providers (or C/CSPs). As a result, communications cannot be guaranteed to pass over any particular path and therefore it may be necessary to attempt to direct the communications over a particular path to facilitate interception.
In addition, whereas telecommunications services were once provided by a single carrier, in many cases now each communication event typically involves a number of service providers. In a single communications session, a person may access many application services such as a Google search engine portal, a webmail account, a Facebook account, and an online storage repository. Each of these services is provided by a different service provider under separate subscriber accounts and with different unique subscriber ‘identities’. In general, the ISP and the access service providers have no knowledge of the application services passing over their infrastructure. Further, many application service providers operate from offshore making the provision of assistance to Australian agencies challenging.
Currently, authorised access to telecommunications data, such as subscriber details, generated by carriers for their own business purposes is an important source of information for agencies. As carriers’ business models move to customer billing based on data volumes rather than communications events (for example number of phone calls made), the need to retain transactional data is diminishing. Some carriers have already ceased retaining such data for their business purposes and it is no longer available to agencies for their investigations.
At least part of the complexity can be ascribed to changes in the telecommunications industry. It is no longer possible to always be able to clearly identify the industry participant with a single target ‘identity’. The ready availability of anonymous pre‐paid services, inter‐carrier roaming agreements, resold services, calling cards and on‐line facilities to subscribe to new services all make it necessary for agencies to seek data from multiple providers to ascertain whether any data exists.