House debates

Wednesday, 18 March 2015

Bills

Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014

10:06 am

Photo of Sarah HendersonSarah Henderson (Corangamite, Liberal Party) Share this | | Hansard source

I rise to continue my contribution on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014. Last night in my contribution I was speaking about some of the incidents of terrorism that we have seen in recent months and also the increasing concerns about the rise of lone-wolf terrorism, which makes the uncovering of terrorist plots even more difficult. Terrorism expert Dr Clarke Jones from the Australian National University said in an ABC News story on 20 January 2015:

This year is going to be a year of terrorism in the sense that I think we are going to see more small scale attacks.

There is no doubt that these are very troubling times.

The government does not propose or suggest that metadata will always stop a terrorism attack. I want to make the point—and this was actually made to me on Twitter last night, when I made my first contribution—that the use of metadata in relation to acts of terrorism is vital during an incident, such as the Sydney siege, for investigators and is of course vital for security and law enforcement agencies in the investigation of a terrorist incident. This bill is the vital next step in giving our agencies the tools they need to keep us safe. For that reason, and as I have said, I am very pleased that Labor is supporting this bill.

I certainly want to note again the excellent work of the Joint Parliamentary Committee on Intelligence and Security—and we have just heard from the member for Wannon in relation another matter. The committee has done an excellent job in addressing some of the issues with the original bill. The committee made 39 recommendations, which were of course accepted by the Attorney-General, and we now have those amendments in the bill before us today.

I did reflect on the member for Perth's contribution last night. I note an ABC report on radio this morning, 'Labor MP angry at how metadata was handled', and it was disappointing that the ABC perhaps did not give the same prominence to the fact that this bill is being comprehensively supported by both sides of the House—by the government and by the opposition. I have to say that I think it is a very partisan report. My comments in reply were not reported and yet there were some fairly derogatory comments in relation to the Prime Minister made by the member for Perth that were reported. The fact is that the ABC has not properly reported the member for Perth's speech and has not properly reported the fact that this bill has been comprehensively supported by both sides of the House.

AFP Commissioner Andrew Colvin has advised the government that between July and September 2014 metadata was used in 92 per cent of counter-terrorism investigations, in 100 per cent of cybercrime investigations, in 87 per cent of child protection investigations and in 79 per cent of serious crime investigations. I think the member for Gellibrand in his contribution last night made the point well that this metadata is needed not just for terrorism and terrorism incidents but also for a range of crimes being investigated by law enforcement agencies. Internet service providers are keeping fewer records and it is vital that our law enforcement agencies have the tools they need to do their job. That is why this bill, which requires the ISPs to maintain this data for some two years, is so important.

David Irvine, former Director-General of ASIO, has said that, unless metadata practices are changed, law enforcement and counter-terrorism efforts will be severely hampered—and we must not let that happen. As I mentioned, under this bill, the industry will be required to keep a limited range of metadata for two years. It is important to reiterate that the government is not asking telecommunications companies to retain the content of communications—content such as emails, private social media posts, texts or telephone conversations or information showing a person's web browsing history. Metadata is information about a communication, not the content or substance of a communication. So we are talking about things like IP addresses, phone numbers and email addresses.

I also want to make the point that protecting the security of personal information is a key priority of this government. As a Liberal, I believe in a government that minimises interference in people's lives. That is why this bill has a range of important safeguards. The bill before us today strikes the right balance between protecting the privacy of the community and giving our security and intelligence agencies the help they need to keep us all safe, to maintain a safe and secure Australia. The bill limits access to just the agencies which have a clear need for such access and have well-developed internal systems for protecting privacy, such as law enforcement and intelligence agencies. Data must be reasonably necessary for the purposes of investigating criminal offences and other permitted purposes. The bill also requires the Attorney-General to report annually on the operation of the scheme. We are also introducing a comprehensive oversight by the Commonwealth Ombudsman for any Commonwealth, state or territory law enforcement agencies accessing this retained data. The government is also progressing the telecommunications sector security reforms that seek to ensure the ongoing security and integrity of Australia's telecommunications infrastructure.

I also want to make the particular point that there was an issue in relation to journalists' sources. As a former journalist myself, I do appreciate and understand how important it is to protect journalists' sources as best we can and to support investigative journalism, the free press and a health democracy. After some consideration in relation to this matter, the Attorney-General has made it clear that the data retention bill does not target journalists or their sources. To expedite the passage of the bill, the government has proposed an amendment to require agencies to obtain a warrant in order to access a journalist's metadata for the purposes of identifying the journalist's source. I welcome this move, which provides a greater level of comfort that journalists' sources will be protected. It is an amendment that has been accepted by those opposite, and I am pleased to see that the issue has been resolved.

We are taking a range of measures to combat terrorism, including a $630 million counterterrorism package announced by the Prime Minister in August 2014. That package includes expenditure of $13.4 million to strengthen community engagement programs; $6.2 million to establish a new Australian Federal Police community diversion and monitoring team; $32.7 million for a multiagency national disruption group to investigate, prosecute and disrupt foreign fighters and their supporters; and $11.8 million for the Australian Federal Police, to bolster its ability to respond to the threat of foreign fighters at home and abroad.

As I have outlined, terrorism, very sadly, poses a significant risk to the community. In this country the government is working very hard to do everything we can to keep Australians safe and secure. This bill is an important part of that effort, and I commend the bill to the House.

10:16 am

Photo of Andrew LeighAndrew Leigh (Fraser, Australian Labor Party, Shadow Assistant Treasurer) Share this | | Hansard source

I rise to speak on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014. In considering any bill before the House, it is absolutely vital that we first recognise the status quo. On the issue of telecommunications data, as much as on any issue since the 1999 republican debate, misunderstandings about the status quo have bedevilled the debate about proposals for changing that status quo. So I want to begin by talking about the situation as it currently exists, before the passing of this bill.

At the moment telecommunications companies keep a lot of data about Australians. They keep information about call histories and about the mobile phone towers with which our mobiles have communicated. They keep this information for varying periods of time, sometimes up to seven years.

At the moment this information is accessed a lot. According to the report on the Parliamentary Joint Committee on Intelligence and Security:

In 2012–13, more than 80 Commonwealth, State and Territory enforcement agencies accessed historic telecommunications data under the TIA Act. In total, those agencies made 330 640 authorisations for access to historic telecommunications data, resulting in a total of 546 500 disclosures.

So, at the moment, telecommunications data is being accessed over half a million times a year.

At the moment the range of agencies that are accessing that data is very broad. They currently include: the Department of Foreign Affairs and Trade's passport offices; the Department of Immigration and Border Protection; Racing New South Wales; the Victorian Department of Environment and Primary Industries; the Wyndham City Council; and RSPCA South Australia. So those who argue that we should not pass this bill and should stick with the status quo are effectively advocating for a status quo in which half a million warrantless requests are made annually by agencies that include the RSPCA.

I do not believe this is well-known. Part of the reason for that is the way in which the government has pursued the conversation. On both sides of this, there have been some who have raised extreme concerns. In 2012, one person said of the retention of telecommunications data that it would have 'a chilling effect on free speech'. Another said:

The idea that the government should collect and retain the online records of all Australians for a period of two years I think is disturbing. It appears to go too far and I would have to be persuaded that this was a reasonable request.

On the flip side, one individual said that failing to pass this legislation will cause 'an explosion of unsolved crime'.

We have to put these extremist views to one side. The quotes I have just read into Hansard were from, in order, the member for Wentworth, Malcolm Turnbull, in 2012; the member for Curtin, Julie Bishop, in 2012; and Prime Minister Abbott, when speaking this year. You can understand that when senior figures take such extreme views about this legislation that it is difficult to have a reasonable and moderate debate.

It is certainly true that telecommunications data is an important policing tool. Of the half million requests that currently are made, the overwhelming majority are made by policing agencies. The murder of Jill Meagher was ultimately solved using telecommunications data, by matching the cell tower tracking patterns of Jill Meagher's phone and Adrian Bayley's phone. South Australian police have told the Parliamentary Joint Committee on Intelligence and Security that they were unable to re-open a murder investigation because the telecommunications data was no longer available. They said:

A stalled murder investigation was reviewed about 14 months after the victim's death. Fresh information received during the review identified a suspect who was a known drug dealer. The victim, a regular drug user, had been in contact with the suspect and investigators suspect the victim may have been killed over a drug debt. Historical telecommunications data was sought for the suspect's mobile service for around the time of the murder but it was no longer available.

So the retention of telecommunications data could in that case potentially have helped to solve a murder.

It is into this context—a context of half a million warrantless requests from a range of agencies, including the RSPCA, with few oversights—that the government has moved to change the law.

The bill brought before the House by the c ommunic ations minister last year was inadequate. It lacked appropriate safeguards for the use of telecommunications data. It also lacked an appropriate public conversation about the fact that telecommunications data is primarily used not in counterterrorism operations but in policing operations. That, I think, is one of the reasons why the government has struggled to engage the public on this, because people have felt that this was a new regime. They have felt that, at present, their telecommunications data was not being kept and was not being accessed, and that the government was demanding new rights to store and access telecommunications data.

I believe that it is appropriate to put in place some safeguards around the use of this telecommunications data. Thanks to Labor members on the Parliamentary Joint Committee on Intelligence and Security, this bill has been significantly amended. Those amendments include: listing the dataset in the bill itself, so Australians can know what aspects of our data is being retained; limiting access to telecommunications data to only those enforcement agencies specifically listed in the bill, and not allowing the Attorney-General to add agencies at whim; and providing oversight of the operational use of this legislation by parliament's intelligence community—the first time the committee has been given this power, and a step towards beginning to implement the reforms proposed by John Faulkner.

As a result of amendments championed by Labor members, ASIC and the ACCC are able to access telecommunications data to investigate and prosecute white-collar crime. We did not believe that it was reasonable to say that this information could only be available in prosecuting violent crime. We believe that it also should be used to tackle white-collar crime. The report and the subsequent amendments require telecommunications companies to provide customers with access to their own telecommunications data upon request. It requires stored data to be encrypted to protect the security and integrity of personal information. We, on this side of the House, continue to believe that that storage should be in Australia. It does not matter what level of encryption the system has, it is likely to be useless when faced with somebody with physical access to the servers. That means that offshore servers are always going to be less secure in relation to this information than if the information is kept onshore.

As a result of amendments, this bill will prohibit access to telecommunications data for the purposes of civil proceedings, so it cannot be used, for example, in a case of copyright enforcement. On Q&Alast November it was put to the Attorney-General by Tony Jones that this could be used for prosecutions against internet pirates. The Attorney-General said at the time, 'Well, they can't be and they won't be.' That was not right. As the bill stood at that time, it could be used to prosecute people who illegally downloaded Game of Thrones. That is no longer true as a result of the amendments championed by Labor members.

We have required a mandatory data breach notification scheme to ensure telecommunications companies notify customers if the security of their telecommunications data is breached. We have increased the resources of the Commonwealth Ombudsman to strengthen oversight of the mandatory data retention scheme, and we have ensured a mandatory review of the data retention scheme by no later than four years from the commencement of the bill. Importantly, as well, we have ensured that if journalists' data is to be accessed, that must be done through a warrant.

We have ensured that these amendments have been put in place. As a result, I do not want to claim that this is a perfect bill. There are significant challenges in an area such as this where we are balancing the reasonable concerns of law enforcement with the perfectly reasonable concerns of privacy. I would put it to those who argue that this bill is an inappropriate intrusion into personal liberties—and many people have contacted my office with concerns about this bill—that we currently have a system with more than half a million warrantless accesses. We currently have a system where the RSPCA can access your telecommunications data. We currently have a system without oversight from the Commonwealth Ombudsman and without proper oversight from the Inspector-General of Intelligence and Security. So, this system tightens up access to telecommunications data in a way that ought, I think, to give Australians a little more certainty about the access of their telecommunications data.

This is an ongoing challenge for reform. I have little doubt that when parliament comes back to look at this scheme in four years time there will be changes that need to be made. I am also under no illusions that this telecommunications data regime will catch all wrongdoers. But I do believe that it is possible that it might have assisted in the solving of the 14-month-old murder case that South Australian police confronted where telecommunications data had been discarded. It was by chance that the murder victim was using a particular mobile phone whose carrier did not retain the data for as long as other carriers do.

I do believe that this bill puts in place additional safeguards. For the first time, individuals will be able to access the information that is kept about them. For the first time, individuals will have the certainty that the information being kept about them is encrypted. For the first time, there will be appropriate resources given to the Commonwealth Ombudsman in order to oversee the use of these data.

We need to have this debate in an environment of full information. I understand the busyness in so many people's lives as they confront these conversations. The conversation has not been helped by overblown rhetoric such as that, indeed, of Malcolm Turnbull and Julie Bishop in 2012. We do not need to claim that this reform solves all the world's problems, but we do need to acknowledge that the current system is, in some sense, a bit of a Wild West for the agencies that can access it and the oversight that is provided. This bill takes a step along the way towards a better regime for telecommunications storage and access and I commend it to the House.

10:30 am

Photo of Warren EntschWarren Entsch (Leichhardt, Liberal Party) Share this | | Hansard source

I rise to speak to the Telecommunications (Interceptions and Access) Amendment (Data Retention) Bill 2014 and indicate that I very much support this bill. There comes a point, when the safety of the Australian people is at stake, that the Australian government is certainly obliged to step in—when the government has no choice but to make firm decisions to help safeguard our country against those who would destroy our free, democratic way of life. We are blessed to have incredible communications technology here—technology that lets us speak instantly with family across the world; technology that lets us download our favourite movies and music in mere minutes; technology that crosses national and cultural boundaries and lets us tweet or blog about our lives to a potential audience of literally billions.

But not everyone is using it for good. There are groups out there who use this same technology to commit crimes—to steal personal information, to distribute child pornography and to plan terrorist attacks. These are not pie-in-the-sky, far-off fantasies; they are happening on our shores and they are certainly happening in our own backyard. Against such faceless attacks, national security becomes everybody's responsibility. Every Australian man, woman and child, every business owner, every company and every agency has to play their part. The resources of our national security agencies, ASIO, ASIS and the AFP, are certainly limited and it would take an obscene amount of money, time and other resources for them to cover every base. We need a whole-of-country effort and, against these threats, we need metadata.

Metadata is the who, when and where—not the content—of communication. It is information such as an email address or telephone number and the time the email was sent or the call was made. It does not include the content of the communication, not even the email subject line. The government already works with our major telcos, Telstra, TPG, Vodafone and the like, to fight crime on an international, electronic level using metadata. In fact, the degree to which metadata is used in investigations already would probably surprise you, Mr Deputy Speaker. Between July and September last year it was used in    92 per cent of counterterrorism investigations, 100 per cent of cybercrime investigations, 87 per cent of child protection investigations and 79 per cent of serious organised crime investigations. I rise here today to say that I support this amendment, I support data retention and we will support our country's fight against those who will use technology to commit crimes against us.

The value of data retention was seen most recently in the Europol child exploitation investigation called Operation Rescue. The perpetrators involved shared much of their information online, and so physical evidence was very hard to get. In the UK, which has data retention laws, authorities were able to identify 240 of 371 suspects, two-thirds of them, using telecommunications data. The police stings that followed led to 121 arrests and convictions. Compare that to Germany, which has no data retention laws. In the very same operation, 377 suspects were believed to be living in Germany but German authorities were only able to positively identify seven, less than two per cent. They also were not able to gather enough evidence to arrest or convict a single person. The same situation was repeated in Austria, Sweden, the Czech Republic and Norway, which, at the time, did not have data retention laws. Had these countries had legislation in place, they would have been able to potentially convict hundreds of child molesters. But, because police were not able to access the metadata they needed, those perpetrators, unfortunately, are still out there.

Do we want to find Australia in a similar situation? I think not. We need to have the foresight to support our law enforcement authorities to fight against crime, espionage, cyberattacks and terrorism. We need to learn from the experience of our European friends, not repeat their mistakes. Our law enforcement heroes depend heavily on data retention and metadata for catching paedophiles. Just last year, the AFP received a tip-off regarding a person suspected of uploading child pornography to an image-sharing website. The AFP sent the IP address to the relevant telco and were able to identify the subscriber and their location. With this information, they gained a search warrant of the individual's home, where they found a large amount of child pornography material and information indicating possible abuse. That man is now behind bars, thanks to our police being able to use metadata.

Now consider this. Again last year, the AFP received information from Interpol about a suspect who had made a statement online that they intended to sexually assault a baby. Interpol provided the IP address details to our police, but, because the Australian carrier only kept their metadata for seven days, the suspect was able to disappear into the dark depths of the web. This is precisely why data retention is a vital asset. It is a front-line defence against criminals and a valuable tool to hunt them down.

If we do not make these amendments to enforce that that metadata be kept for two years, our law enforcement agencies will no longer be able to do their job effectively. The New South Wales police commissioner recently said:

There's not a terrorism investigation since 9/11 that hasn't relied on metadata.

He said:

This information is available right now. All we're saying is keep it for a little longer.

We need to accept that there is a risk out there. We have already seen that, despite our physical distance from other countries, terrorists are targeting Australians. It happened in Bali in 2002 and of course again in 2005. More recently, it is happening on our own soil as well, unfortunately.

We know of at least 90 Australians actively involved in terrorist groups in Iraq and Syria, and another 140 onshore actively supporting them. We cannot afford to stick our heads in the sand and block our ears. We cannot vainly hope that our distance from other countries will always protect us. We cannot continue to believe, when all the evidence indicates otherwise, that 'she'll be right, mate'.

There have been some very specific concerns by the public about our push for data retention. One of my constituents from Cairns, Mr Trent Yarwood, is a member of the organisation Future Wise. He argues that there is:

… no provision for the privacy of the data in the bill, and no provision for the law enforcement agencies to fund storage of this ... data, or to securely delete it once access is no longer required.

Mr Yarwood goes on to say that he and the Future Wise team are concerned about the effectiveness of the proposed regime as well as a number of secondary impacts of the bill, which he said include the impact on personal privacy and the presumption of innocence; warrantless access to personal data; cost implications for internet service providers and end users; and that the length of the retention period is not necessary or proportionate.

I certainly appreciate Mr Yarwood's comments and I have forwarded them to the minister's office but, in the meantime, I want to make a few points in response to his concerns. The government is not asking internet service providers to keep any data that would reveal their web browsing history. We are not asking for the content or substance of emails or social media posts; we are only asking telcos to keep certain specific metadata—the who, when and where of communications—for two years to assist with criminal and national security investigations.

My constituent Mr Yarwood talked about the cost. I can tell you the estimated up-front capital cost of this regime to all business is less than $319.1 million—that is less than one per cent of the $43 billion in revenue generated by the telecommunications industry each year. The government has also constantly said that we will make a reasonable contribution to this.

Mr Yarwood talked about personal privacy. It is our top priority, which is why this bill proposes several safeguards. Firstly, the data will continue to be held by the industry. Secondly, only specific government agencies will be able to request access, and only for specific circumstances. Thirdly, there will be multiple oversight bodies in place to make sure that agencies respect those controls.

We also recognise that the principle of freedom of the press is fundamental to our democracy. That is why the government is open to further measures to protect journalists' sources, and I am aware that these conversations are continuing. We have decided that a further amendment will be moved that will require agencies to obtain a warrant in order to access journalists' metadata for the purposes of identifying a source. Most importantly, this legislation is not about identifying journalists' sources; it is about making sure our security and law enforcement agencies continue to have access to metadata.

The Telecommunications (Interception and Access) Act 1979 also provides a framework that governs who can access the data. But we are actually going much further. We are reducing the number of agencies that can apply to access this data from 80 down to around 20. Our law enforcement officers cannot just trawl through telecommunications data whenever they like—that would be a criminal offence and they could be charged. Data has to be reasonably necessary—not just helpful or expedient—for investigating criminal offences and other permitted purposes.

Our federal law enforcement agencies are subject to ministerial oversight, as you are well aware, Mr Deputy Speaker Vasta—Senate estimates, parliamentary committee inquiries and the Australian Commission for Law Enforcement Integrity. Finally, requests for information by law enforcement agencies from telcos are reported annually, released publicly and subject to oversight by the Commonwealth Ombudsman. Having these layers of independent oversight means that any agency that accesses the data is certainly subject to some very intense scrutiny.

As you can see, we are not taking any risks with this telecommunications metadata. We need it to conduct criminal investigations, but the data will be held behind lock and key and only accessed when absolutely necessary.

Before I finish, I want to acknowledge the recent inquiry into this bill by the Parliamentary Joint Committee on Intelligence and Security. As you know, this committee was bipartisan. Both Liberal and Labor came together to unanimously create a bill that protects Australians from those who would harm us, while also protecting our privacy. The committee's inquiry made 39 recommendations, and I am pleased to say that we will be supporting all of those as we move forward.

In conclusion, this amendment is a string in our law enforcement bow that will require telcos to keep specific metadata for two years. It is a vital measure to help us, as a country, stop online criminals—not the petty pirates who illegally download the Game of Thrones or the latest Hobbit movie but the hard-core criminal organisations who engage in child exploitation, identity theft and terrorism.

We cannot wait for another major crime to occur against an Australian child, against an Australian family or against our nation. We need to put processes in place so that we will have a strategic defence against tech-savvy terrorists so that our law enforcement agencies can respond quickly and effectively against threats to our Australian way of life.

The law has strong safeguards in place to protect our own citizens and measures that will ensure that only those who need access to data for major law enforcement activities can see it. Quite frankly, the only people who need to be concerned about these amendments are those major criminals. To them, I say: 'Australia certainly will be ready.'

10:44 am

Photo of Adam BandtAdam Bandt (Melbourne, Australian Greens) Share this | | Hansard source

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 is a bad law. This law is for smartphone and internet surveillance and it turns every Australian into a suspect. There is a basic principle in this country and in many others that, unless you are suspected of having done something criminally wrong, governments have no right to intrude into your private life and monitor what you do.

This bill trashes that principle and it trashes it in, at least, two respects. This bill treats everyone in this country the same, whether or not they are suspected of having done something wrong. In other words, someone on a train, who is just using their smartphone to browse the web on their way home, is treated exactly the same as someone who is suspected of having committed a crime. The same data is kept about you, is stored and is able to be accessed.

The second way in which it trashes this fundamental principle is that you do not even need a warrant to get access to this information. There are suggestions that an amendment will be moved to give some protection to journalists but, if the protection can be given to journalists, why can it not be given to everyone? In other words, why are we now departing from the principle that says that, if a police officer or an enforcement agency thinks someone has done something wrong, they go to a judge and they convince them that this person is such a suspect that their private life now needs to be intruded upon and looked at by government? The government is saying, 'We don't need that anymore.' In other words, it will be as it is at the moment, as simple as filling in a form to say, 'We want access to this person's metadata.' What is metadata? What is the kind of information that will be captured?

Our Attorney-General tried to explain that to us. And, frankly, watching that interview where Attorney-General Brandis tried to explain what metadata is was like watching my dog try to play chess. He was completely out of his depth—going on national television and saying, 'We really need this power,' and then when the interviewer said, 'What information do you actually want?' he could not explain it. The government tries to hide behind that uncertainty and that obfuscation by saying, 'Don't worry; it's only a little bit of information.'

If you call your doctor from your phone and then jump on a bus to visit your doctor and browse the web while on the bus and then, when you get home from the doctor, use your phone to call your close friends and family, you could, just from that, paint a bit of a picture about what you have been doing just in that afternoon alone. Because when you have enough bits of data, you do not need to listen in on a phone call; you know what someone has been doing. That is exactly what the heads of the national security agencies in the US have said about this. NSA General Counsel Stewart Baker said:

Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content—

because you can put together that picture. A former director of the NSA and CIA went on to say, 'That's absolutely correct.' And further:

We kill people based on metadata.

That statement is from a former head of the NSA and CIA. Their view, as security agencies, is that, nowadays, if you can put enough pieces of information together you do not need to listen anymore into the content of calls. We can just put together enough of a picture and know what someone is doing. That is in the context of law enforcement and, potentially, international activity. Now these same laws and principles will be brought to every citizen in this country without safeguards.

There was a suggestion from the previous speaker that this will somehow help us catch tech-savvy criminals. This law applies to Australian service providers. Let us just take email. If you do not want your email metadata to be caught, all you need to do is use Google webmail and then you will not be caught. Wow! I wonder which tech-savvy supercriminal will not work that out. This law immediately suggests that you can get out of having your email metadata collected by jumping on an online web server that is hosted in another country. But, more than that, there currently exist numerous ways that are legal and freely available to disguise your identity online and to have privacy. And people are now doing that.

Five minutes on the internet will tell you how you can work your way around this law. If this law catches any criminals, it will only catch the dumb criminals, who have not spent five minutes googling to work out that if they just use Google Webmail they will not be caught by this law, they can send whatever they like and you will not be able to catch the metadata. But it will catch everyone else—people who would not think about moving to some virtual private network or shifting from an Australian server to a Google-based international webmail server because they are not suspected of having done anything wrong. Why would they go to the trouble? Those are the ones who will be caught by this bill.

We are told that there will be protection for journalists in this bill. The Labor Party comes in here and says, 'We will give a struggling Prime Minister a leg up on national security and sign up to this.' And no amendment has even been circulated to give protection to journalists. Where is the amendment? We are now debating this legislation and no amendment has been circulated in the chamber, no amendment has been made publicly available and the Labor Party is prepared to take this government on faith. Well, we are not and why should we? Why should this parliament be required to vote on legislation without a chance to properly look through all these amendments? This is complicated legislation and giving people protections from these kinds of laws is complicated and that is exactly why this should not be rushed. But the government comes in here and says, 'We want this done in the next fortnight.' Labor says, 'Yes, we're happy to do it, even though we haven't seen any amendment.' That is not the way for a parliament to behave when we are talking about infringing on people's privacy and taking away rights that they have enjoyed for a long time.

What we also do not know is how much of this information is going to be available in civil suits. We are told: 'Don't worry. You won't be able to be prosecuted if you illegally download Game of Thrones.' But what if the media companies want to take you to court for it? What if the media companies, in a civil suit, want to go the government and say, 'I am going to issue a subpoena for all of this information that is available'? This was raised in the committee that oversaw this, and they said, 'This is a serious question, but we don't have an answer to that.' Yet we are being asked to take it on faith.

Potentially, this gives a massive leg up to every large media conglomerate who wants to sue someone for downloading Game of Thrones, and the government cannot rule that out. It has been put squarely on notice that that is an issue, and they are ploughing on ahead anyway, with Labor's full support. Although there are some agencies listed in the bill who will have access to this, the Attorney-General can add more agencies as he likes, so that the scope of who has access to this information get broader and broader.

There has not been a compelling case made that there are crimes somehow going unsolved if only we had this information. In fact, the Prime Minister gets up here and tells us about how much metadata so far has assisted in investigations. In other words, the existing laws work. The evidence has been clear that most of the requests for metadata go back only three months or so, but we are going to be required to keep them for two years. So even if you could make out a case for that, no case has being made out as to why we should deviate from the principle that you should get a warrant—absolutely none.

You expect that from the conservatives because they do not care about individual liberties and they are quite happy to take them away with the stroke of a pen. But it is surprising that the Labor opposition also has been prepared to say, 'Instead of fixing the existing system by changing it so that agencies have to get a warrant, we're just going to make sure that they can get whatever they like.' No-one has to get a warrant for anything. You just have to fill out a form to find what an ordinary Australian citizen has been doing and where they have been and who they have been talking to for the last two years, even though they are not suspected of having done anything wrong.

The European Union and the Netherlands do not go down this road, and for good reasons. You have to ask the question: why is the government taking these steps? Why is there such zeal to monitor what people do online? Going online should be a place where you are free to speak, where you are free to organise, where you are free to browse, provided that you do not break the laws of the land that you were in. It should be a place where people, free from government surveillance and are able to share their views, and it is incredibly scary to the government that such a place exists. So, what do we do? We will make sure that everyone is now subject to ongoing surveillance as if they were a suspect.

In an era where a lot of people's lives are lived online, individuals should have the right to have a digital forgetting of things that they have done in the past. I want to quote from something that the now communications minister said about this a couple of years ago. Malcolm Turnbull said:

Surely as we reflect on the consequences of the digital shift from a default of forgetting to one of perpetual memory we should be seeking to restore as far as possible the individual's right not simply to their privacy but to having the right to delete that which they have created in the same way as can be done in the analogue world.

I agree, and many other people around this country agree. The government is trashing that principle. So I am not prepared to listen to anything this government says about wanting to protect individual rights when they come here with this piece of legislation, because they are utter hypocrites, and Labor, in joining them in turning every citizen into a suspect, are also tarred with the same brush.

In that respect, I move the following amendment:

That all words after "That" be omitted with a view to substituting the following words:

"the House declines to give the Bill a second reading until a review is carried out with particular reference to:

(1) how civil litigants would be able to access the data collected;

(2) the adequacy of data destruction requirements for data acquired under the scheme; and

(3) consider the impacts on, and implications for, journalism and other sensitive professions and their work under the legislation."

This amendment should be supported by everyone in this House because these are issues that were raised during the committee inquiry into this bill. As for those who are not aware, the committee that inquired into this bill was made up just of Labor and Liberal. It is a closed shop. It recommended that the bill be passed, with some amendments, but did say there are some concerns, and these are some of the concerns that have been raised, and they are not addressed in this bill.

We have talked about journalism already. There are supposedly going to be protections for journalists but where is the amendment? We are being asked now to vote for this without any amendment being circulated so that we can test whether it is, in fact, going to do the job. The committee was also put on notice that there are questions about what is going to happen in civil litigation. There will be a mass of information sitting there about who does what and who did what when online or on their smart phone. You can bet your bottom dollar that someone who wants to sue someone else—a big company that wants to sue an individual, a company that wants to sue another company—will want to get access to that. Are they going to be able to? We do not know.

The House should defer consideration of this bill until those issues have been resolved. Anyone who cares about proper process, anyone who cares about an individual's right to some kind of privacy and anyone who does not believe that every individual should be automatically treated as a suspect should support this amendment. But even if you disagree with all of that, if all you do is agree with what the joint committee said, then you should support this amendment. You should not allow this bill to be rushed through this House when there are big question marks over the use in civil litigation. You are potentially exposing people to being sued for downloading Game of Thrones. You should not pass this bill until you have worked out what you are going to do about journalists or about data destruction. So I commend the amendment to the House, and this bill should be voted down.

Photo of Ross VastaRoss Vasta (Bonner, Liberal Party) Share this | | Hansard source

Is the motion seconded?

Photo of Andrew WilkieAndrew Wilkie (Denison, Independent) Share this | | Hansard source

I second the motion and reserve my right to speak.

11:00 am

Photo of Jason WoodJason Wood (La Trobe, Liberal Party) Share this | | Hansard source

The Greens contribution from the member for Melbourne is very good but it is not quite what we are after. As a former member of the Victorian police force, I had the great pleasure on Monday night to meet with their current serving presidents and secretaries of all police associations across Australia. In particular, I had a great chat with the President of the Victorian Police Association, John Laird, and the Secretary, Ron Iddles. For those who do not know him, Ron Iddles is a bit of a legend in the Victorian police force because he has worked so many years in the homicide squad and done such great work. We had a conversation about the bill and about metadata. As Ron said, we have been using metadata for 20 years. As a former police officer, I have been heavily involved in using what we call metadata.

Most police detectives across the country would know about CCRs and reverse CCRs, terms which most members of parliament and most members of the public have never heard of. A CCR is a call charge record. When a person makes a phone call, there is a call charge record that identifies who they have called. And then we have a reverse call charge record, which obviously identifies who has been calling that person. The legislation in this country has required telecommunications providers to keep this information for six months. Police forces and law enforcement around the country have been using this information for years and years. The difference now is that we are looking at changing to two years the period they have to hold onto that information. The reason for this, when I speak to law enforcement, is the complexity with, in particular, terrorism cases—for example, September 11. Khalid Sheikh Mohammed was one of the instigators and planners of September 11. It was not something that happened overnight, it was planned for a number of years. That is why police and law enforcement need this information.

To give you an example of how valuable I personally have found CCRs, I will go back to my time in the organised crime squad. Our unit received a file relating to drug crops discovered at Mount Disappointment. The file came from the internal investigations department. They had made a big investigation believing, sad as it may be, that there were some corrupt police officers involved in this crop. Why? Because a week or two before the special operations planned to arrest people on site, no offenders ever came back. So we got the file. The first thing they did was supply the internal investigations department with a list of their potential suspects et cetera. Our analyst, Tracy O'Neill, a very good analyst, went through that list and we tried to work out potentially who could be involved in this. As I said, we had our targets. So we started looking at call charge records to see who potential suspects had been calling. Interestingly, a government department came up, and that was the park rangers at Mount Disappointment. So we then looked at reverse call records for a park ranger and found that almost everyone potentially involved had been calling him. It was at that time that we realised he was our main suspect. What then happened was that other police tours went on—surveillance and all those other issues. That ended up with people being imprisoned and the breaking up of a drug cartel.

The member for Melbourne spoke about warrants. Well, I have taken out warrants for telecommunications interception devices. It is not easy to take out a warrant. You have to provide a hell of a lot of information when it comes to an affidavit to prove the case. The member for Melbourne would say people are innocent until proven guilty—and I accept that—but all the CCRs and reverse CCRs are looking at is potentially a link to whether a person has made a phone call. Everybody should realise that their own telecommunications provider keeps on record who you have been making telephone calls to. The difference, especially for this, will be that the information about telephone calls is retained for two years instead of six months.

Sadly, Australia is now in the grasp of a terrorism threat. The government has raised our national terrorism public alert level from medium to high. The advice is based not on knowledge of a specific plan but, rather, a body of evidence that points to an increased likelihood of terrorist attacks in Australia. The Criminal Code Act 1995 defines a terrorist act as an act, or a threat to commit an act, that is done with the intention to coerce or influence the public or any government by intimidation to advance a political, religious or ideological cause and that act causes death or serious harm or endangers a person, causes serious damage to property, causes serious risk to the health or safety of the public or seriously interferes with or disrupts critical infrastructure such as a power supply.

It is interesting to note that since we first wrote this speech, sadly, we have had two incidents. We had the incident in Melbourne where police officers were stabbed by a terrorist—sadly, a very young man who had been influenced by extremists. We also saw what happened at the Lindt Cafe in Martin Place in Sydney. That was a classic example of putting fear and anxiety into the public. We go back to days gone by, when in 1978, the bomb exploded outside the Hilton hotel—and that was an awful incident. Two garbage collectors, Alec Carter and William Favell, were killed, along with police officer Paul Birmistriw, who died later from injuries he received.

We have had other incidents such as the Bali bombings and the planes flying into the World Trade Centre, and I will just take up a point made by the member for Melbourne. He is half-right: not every criminal is the smartest criminal around. For example, in the Australian Embassy bombings in Jakarta, the video footage shows a person driving a truck laden with explosives. He actually drove around two or three times—why? Because, sadly for him and for those present, he was the mule who did not even know how to drive a car, so he drove round two or three times before crashing it.

Terrorism attacks are still occurring and, since 1978, communications have dramatically improved. The internet in all its forms plays a big part in garnering groups of radical and disenfranchised people to terrorise others. Some of their tools of terror have become more sophisticated, although the beheadings of people with a simple knife still have the desired impact. We have all seen public beheadings in the media, and it is absolutely disgraceful and tragic.

One of the roles of law enforcement is to ensure that we have all the tools to protect Australian citizens and also in the case, God forbid, of another terrorist attack in Australia to ensure that the police have the ability to track down those responsible. If you look at al-Qaeda, for example, they spend years planning most of their terrorist attacks. It is crucial that metadata is stored in this country to ensure the police have those tools.

Tragically, we now have young Australians travelling to Syria and Iraq, joining Daesh and becoming terrorists, and at least 60 of these fighters have returned to Australia. This puts great stress and pressure on police to monitor these people.

The bill we are looking at today is about metadata—and I will explain a bit about metadata. The best way to explain it is a telephone call between two people. The metadata of this phone call could include the following information: the two telephone numbers, the time and length of the phone call, and the locations of the people making the phone call. The actual conversation is not recorded. To get that information, the police must take out a warrant and, as I have said before, in order to do this they have to go before a Supreme Court judge and write an extensive affidavit. I have sat down at the Organised Crime Squad and put these warrants together: it takes weeks and weeks.

That brings me to another point: when detectives all of a sudden understand that they may have potential suspects in a case, they cannot wait two weeks to get information. Unless this process has changed in the Victoria police, members put in a request that goes before a detective inspector, who looks at the information, why it is required and who makes the order if appropriate. At the same time, if someone is charged, it goes before the courts where everything comes out about how the police got that information.

On the internet, every machine has a unique number, just like a telephone number. The number is called an internet protocol address, or the IP address for short. For machines on the internet to talk to each other, they need to have a unique IP address, similar to a telephone number. In this case the metadata, the data on data, on the internet connected machines could include: the two IP addresses of machines communicating with each other; the start and length of the internet connection on the machines; the location of the machines connecting via the internet; the names of the people who are allocated to the IP address of the machine; the email addresses used on the two machines, if there is email; and internet connected machine visitor logs for chat room sessions.

Metadata on chat room sessions is important because paedophile groups and others involved in terrorism go into a cyberworld where communications take place. It does not mean that everyone involved in chat rooms is going to be a terrorist or a paedophile but, at the same time, this information may be vital to a police investigation down the track, when they are looking at who has visited certain chat rooms. It gives them a start to an investigation, and that is just so vital.

The email content or subject, the chat room conversation and the input or output data to the software application, is not captured. So the conversation is not captured; just when someone has been in a chat room. It does not disclose what they browsed either. It is also important to remember: this bill expressly includes information relating to web browser activities being stored as metadata.

Summing up, Minister Malcolm Turnbull, in his second reading speech, spoke about the impacts of keeping appropriate metadata not being limited to law enforcement agencies in Australia. During the recent Europol child exploitation investigation, investigations relied heavily on access to telecommunications metadata, because perpetrators primarily shared information online, meaning that physical evidence was rarely available, and 371 suspects were believed to be in the United Kingdom. Using related metadata, UK authorities were able to positively identify 240 suspects, leading to 121 arrests and convictions. At the same time, in Germany, 377 suspects were believed to be involved, but because they did not have metadata, sadly, they were not able to track the offenders. And when it comes to issues of paedophilia and terrorism, I am sure every member in this place believes that those people should be imprisoned, and to make that happen the police need the tools to ensure that this takes place. Finally, they do already have access to metadata. It is just an extension from six months to two years. So, I fully support this legislation. Thank you.

11:15 am

Photo of Michelle RowlandMichelle Rowland (Greenway, Australian Labor Party, Shadow Assistant Minister for Communications) Share this | | Hansard source

I come to speak on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 with a long interest in this issue as both a practitioner and someone concerned with observing the way in which technological change is matched—or in many cases not matched—by regulation. It is true that we have crime, and new forms of crime have evolved. And the interception and access regime that we have in Australia has evolved sometimes in consequence to and sometimes in spite of different occurrences in our society. There used to be a plain differentiation between whether a matter was covered purely by the Commonwealth interception regime or by the listening devices legislation of the various states and territories. Fifteen years ago this was probably one of the most common and complex questions, and it was all concerned with voice—whether or not this particular voice communication was covered by a state or territory regime. And if we even look at the way the interception regime was enacted at a Commonwealth level, it was essentially drafted on measures to deal with SP bookmaking, which, of course, has now gone by the wayside. I think that gives you an illustration by way of background of the way in which this area of the law has evolved.

As someone who also worked in-house advising an operator on very complex issues relating to warrants and the law enforcement and access regime—in particular during a very significant incident several years ago in Sydney, which was a highly anxious time for all operators—I think it is an area in which I have had an enormous interest. And to set the scene also, I think it would be worthwhile quoting from a paper that I co-wrote in July 2008 for the Third Workshop on the Social Implications of National Security. I ended with these words:

Given that the use of warrants is already extensive in Australia, perhaps it is time to review whether the legislative framework and the associated regulatory regime represent the appropriate balance between the needs of law enforcement agencies and citizens. After all, the probable cause test is not so onerous that it could not be applied in Australia and members of the Administrative Appeals Tribunal will likely be just as available to the relevant agencies as they are for the existing warrant regime.

They were my views in 2008, and I have been consistent on a couple of points. The first is in highlighting that this is about balance, about proportionality and, in particular as we implement this regime, about oversight, about scope. I think it is also worth remembering that even when in opposition members of this government were some of the most vociferous opponents of the notions contained in this bill. The current Minister for Communications openly spoke of his grave misgivings on data retention. We had the member for Moncrieff saying:

I think that this proposal is akin, frankly, to tactics that we would have seen utilised by the Gestapo or groups like that.

Now, I do not mention that to in any way take away from the views that have been expressed in the past, and indeed with many of the reservations the sentiment is something I certainly share. But I think, where we are today, the task at hand is to improve on an extremely flawed bill that was presented by that very person, now the Minister for Communications, in October last year. And by no means do I believe that this bill is optimal. I think it has been improved by process. In some respects there have even been some positive and possibly unforeseen consequences arising from its recommendations in areas that will affect privacy, including the recommendations relating to privacy alerts. I want to make it clear that citizens, residents of Greenway—and many of them have contacted me—have been concerned about the way in which this bill may influence their rights. I have received numerous thoughtful direct representations from constituents, a broad cross-section of people—citizens who value their privacy. And the only rule that I think is possible when trying to predict technology and the interplay with regulation is: never underestimate technology.

But I do want to turn to some of the substantive issues. One of the most fundamental when I am talking about the improvements in this bill is that we now have a recommendation and supporting amendments that a dataset actually be defined, to give parameters to what we are talking about here. This was not in the original bill. There was a comprehensive series of recommendations relating to the dataset, including the most fundamental—primary—first item of recommendation here: that the bill be amended to include the proposed dataset in primary legislation. And it goes on, through recommendation 3, for example—how to declare items for inclusion in the dataset. There is even a series of recommendations that the explanatory memoranda be amended to make certain things clear. Now, why is that important? It is important of course for interpretation—extrinsic materials when looking at how these provisions will end up being applied in practice. I think that is probably the most fundamental change from the outset—to be improving on these measures.

The other issue that I think is important to mention—and it gives rise to some other substantive provisions in the recommendations—is the issue of proportionality. The committee that looks at this from a human rights perspective, the parliamentary joint committee of which I am a member, raised these questions in its initial consideration. They were very serious concerns about proportionality, particularly relating to the time for retention. I do not have entire visibility of the deliberations that occurred within the committee. What I do have to go on is the report and the recommendations in chapter 4. Looking, for example, at paragraph 4.39 where it mentions:

ASIO and the Attorney-General’s Department advised the Committee that the proposed two year retention period is the result of ‘extensive’ engagement between the Attorney-General’s Department, and law enforcement and national security agencies.

And I note in particular:

ASIO had advocated for a retention period of up to five years, however the Department concluded that the shorter, two-year retention period would be proportionate to the legitimate ends of safeguarding national security and public safety, and the enforcement of the criminal law.

There was clearly evidence also in paragraph 4.41 from the Australian Federal Police, emphasising that:

…while the majority of criminal investigations relate to relatively recent conduct, complex and serious investigations often require access to telecommunications data from a considerable time ago …

I want to stress again, that in spite of that I recognise that citizens will still have concerns about that two-year period.

I want to go to an issue that I believe will end up having substantive implications in the immediate and long term, and that this issue of costs. PwC commissioned a report estimating capital implementation of between $189 million and $319 million—that is capital expenditure. It is still unclear how smaller operators, especially smaller ISPs, will meet their obligations. I note recommendation 35, having regard to the regulatory burden on smaller providers with an annual turnover of less than $3 million, and a recommendation that the bill be amended to require all service providers to be compliant in respect of retained data with the Australian privacy principles or binding rules developed by the Australian Privacy Commissioner.

I point, in particular, to a letter from the Communications Alliance signed by the CEOs of its member companies, including Telstra, Optus and Vodafone Hutchinson, who have pointed out the need for clarity as to the government's intention to provide a contribution to up-front capital expenses that may fall on the industry following the anticipated passage of this bill. And they note:

… the Government has variously indicated it will make a 'reasonable' or 'substantial' contribution to these costs …

…   …   …

It is evident that the extent to which the Government's contribution falls short of the total cost to industry will determine the quantum of additional costs to be absorbed by carriers or carriage service providers or passed on to Australian telecommunications users.

This is significant for a number of reasons not only because of the potential implications for smaller operators, in many cases small businesses, and the implications for innovation; also, earlier today we had the announcement of another red tape repeal day. On its own website this government claims annual savings of over $2.1 billion in what it calls 'reduced compliance costs for businesses, community organisations, families and individuals'.

The reality is this scheme will cost. Costs, which we often take for granted, are just as important as compliance measures. I will watch this with interest. I am not alone in having concerns about these cost issues. It was interesting to read a recent opinion piece from the IPA, an organisation with whom I do not think I agree on much, noting, 'Communications minister Malcolm Turnbull will preside over the largest increases in the regulatory burden since the telecommunications market was liberalised two decades ago.' I think that is probably right. That is exactly what Mr Turnbull said in his 2012 Alfred Deakin lecture:

Leaving aside the central issue of the right to privacy, there are formidable practical objections. The carriers, including Telstra, have argued that the cost of complying with a new data retention regime would be very considerable with the consequence of higher charges for their customers.

Another extremely vexed area is of course that of the implications for journalists, and the flagged amendment on journalists and their sources. It is pleasing to see that the opposition's intervention in this matter has led to what we hope will be positives result in this area. It is frustrating that it has taken so long, but I will note, for example, the concerns in the community and the sector. The head of the Internet Society of Australia, Laurie Patton, told The Australian on 7 March, before the Prime Minister flagged his backdown on this:

There is no certainty that an effective mechanism to protect journalists and their sources can be retrofitted if the data retention bill is passed in haste.

This will be a significant issue. It will be a significant issue even for some of the most fundamental definitions. In the Evidence Act, for example, and we have definitions of what an informant is and what a journalist is. Journalist means:

… a person who is engaged and active in the publication of news and who may be given information by an informant in the expectation that the information may be published in a news medium.

'Informant' is defined separately. I am happy to stand corrected, but I actually have not seen the amendment in its final form on this issue, but many constituents have raised with me the issue of whether this will be a narrowly defined definition of a journalist. Will it be the same as the definition in the Evidence Act? Considering that so many of us are participants in a scheme where we participate in the new media as commentators, are we all active participants who would end up being covered? Can we define this separately for the purposes of an Act, and thereby have a different definition of journalists for one act or another? This is no trivial matter. I see this morning Chris Merritt writing very succinctly on this issue of the relationship between the metadata bill procedures and the shield law provisions. He encapsulates well the conundrum of benchmarking the tests that are in the shield laws with those already form part of the Evidence Act. He ends by saying:

Unless these requirements form part of the metadata bill, the shield law and the values championed by Brandis in opposition will become irrelevant as authorities turn to the metadata scheme instead.

There are some positive outcomes arising from the recommendations. For example, the original bill did not provide for individuals to access their own data. There was no provision for the encryption of data, even though this had been recommended in 2013, and the privacy alerts mechanism is certainly welcome.

I end by quoting one of the people who gave evidence to the committee:

The threshold proportionality issue—of whether retention of data that enables pervasive surveillance of all Australians is a reasonable and proportionate response to the threats of terrorism and serious crime—remains itself largely untested and therefore controversial …

It certainly is, but this parliament will have a very important role. After this debate is finished, it is not a matter of us walking away. Parliament will have a crucial role in the operation and oversight of the provisions of this bill, which will be enacted. We will have responsibilities that I believe our citizens expect us to take very seriously.

11:30 am

Photo of David ColemanDavid Coleman (Banks, Liberal Party) Share this | | Hansard source

I am very pleased to have the opportunity to speak on this extremely important legislation, dealing as it does with the security of our nation—the security of the people in my electorate of Banks and across the country more generally. I start by summarising the essential question when dealing with these matters of national security: does the benefit of addressing matters of security through legislation, enabling law-enforcement officers to do their jobs better, outweigh any perceived or potential cost to civil liberties? The answer with respect to this legislation is: absolutely. That benefit far outweighs any perceived cost.

Metadata has been around for a long time. This is not a new category of information that has been created through the passage of this legislation. The central point of this legislation is to ensure that material that has been accessed historically continues to be accessed. That is the central point. This is not a regime of materially expanding the capacity of government to access metadata, it is to make sure that we can continue to access metadata in a way that enables our law-enforcement officers to stop acts of terrorism or crime before they occur. That is entirely appropriate.

It is very important to understand that under this legislation no content of any information can be accessed without a warrant. As is the case now, in order to access the content of information—be that the content of a phone call, web-browsing session or email—a court warrant will be required. A court warrant is not easily acquired and the courts, rightly, have high standards that must be met before a warrant is granted. It is also worth noting that under this legislation the number of agencies that can access metadata will reduce from the current number of about 80 to about 20, with a sharp focus on law-enforcement and terrorism-prevention agencies. This is the most important use of this material. This is sensible, measured legislation, which will help keep Australians safe. It is very important that it becomes law.

We need to back up a moment and focus on the issue of why this legislation is important now. One of the key reasons is that commercial practices in the telecommunications industry are changing. Historically, in this industry, a range of data—generated through phone calls, internet and email usage—was kept by telcos and generally kept for an extended period of time. That information was often used in things like analytics, within the business of how customers are using particular services and for billing purposes on occasion. As software becomes more and more sophisticated the commercial requirement to maintain that information reduces.

Telecommunications companies, being ultimately commercial entities, would say that if there is a cost associated with retaining this information, and if it is not essential to their commercial operations, there would be a tendency for less of that information to be retained over time. That is the essence of this legislation. What we as a government are saying—and we are supported by the opposition—is that it is very important for this material to be maintained for up to two years. This is the material that time and again has been used by our law-enforcement agencies to stop crime and acts of terrorism and to investigate crimes after they have occurred. The ideal use of metadata is for it to pre-empt any terrorist or other action before it occurs. We also should not discount its use as a means of solving crimes after they have occurred. Both are important, but prevention is the most important.

We know that metadata works. There is very little controversy about this point. We know that metadata, on many occasions, has helped to stop acts of crime and terrorism before they occur and allowed agencies to address the sources of crime after they have occurred. The AFP said recently that between July and September last year 92 per cent of cases relating to terrorism involved the use of metadata. For 92 per cent of the time that our agencies sought to investigate potential acts of terrorism—in the most recent quarter they published—metadata was used. So we know that this material is extremely important.

One of the best examples was of course Operation Pendennis, which was back in 2005. Under that operation, agencies were able to use metadata to identify a previously unknown terrorist cell that was operating largely in Victoria and planning to stage a major attack on the MCG and other institutions within Victoria. By being able to access the metadata, agencies were able to detect a series of relationships and a series of ongoing interactions between individuals who were a known concern to them. Through the use of that metadata, they were in fact able to stop the attack from occurring and it led to significant convictions of people who aimed to do us harm. Thirteen men were convicted on terrorism charges, with sentences of up to 28 years in jail. So the attack on the MCG did not occur and those people were taken off the street, which was entirely the right thing to occur. We also have another example where the provision of a single phone number by a foreign government to Australia, expressing their concerns about a particular individual and the potential for that individual to cooperate with others in acts of terrorism, allowed ASIO to identify a cell that was indeed planning terrorist attacks. So it is extremely important information.

It is also important in the context of cybercrime and cyberterrorism. What we are seeing now, unfortunately, is a rise in the use of internet networks to breach the security of nations, including ours. Sometimes that is done by rogue organisations and sometimes it is done by states. The accessing of metadata in the context of cyberterrorism enables our agencies to detect an IP address. As we know, an IP address is an identifier which an internet service provider will be able access for different individuals at different times. Metadata analysis allows the agencies to talk to that ISP about linking the IP address to a specific individual or organisation. Once you have been able to match an IP address to an individual, you can then, through the analysis of metadata, determine who that person is interacting with online and, if any disturbing patterns emerge, seek further investigation. Of course, that is the point at which our agencies would seek warrants to conduct further investigations.

We need to understand very clearly what the information is and what it is not. Frankly, there is a lot of misguided analysis in this area, where there is not always a clear description in the media of what metadata is and what it is not. The way I think of it is that it is about the interactions between individuals but not about what actually occurs within those interactions. If a phone call is made from A to B the metadata will track that that call was made but it will not say what A said to B or what B said to A. If an individual emails somebody, the metadata will track that interaction occurred but it will not track what actually happened inside the email. The only scenario in which that information can be provided is when the agencies obtain a court warrant for that purpose, and that is an appropriate protection. Of course web browsing is not metadata. It is very important to understand that. If somebody visits 50 websites tomorrow, the information as to what sites they visited is not metadata and is not in a form that can be accessed by agencies under this legislation. In order to access that information they would need to seek a more detailed warrant.

We know that metadata works and we know that, as a nation, we do face significant threats. We cannot pretend that is not the case. We have seen tragedies in recent times. We saw them in my own city, in Martin Place, and in Melbourne at Endeavour Hills Police Station. There is absolutely nothing to be gained by pretending that a problem of this seriousness does not exist. We all know it exists. The question is: what can the government do about it? One of the things that we can do about it is addressing this legislation.

There are significant protections in the legislation. I want to commend the Parliamentary Joint Committee on Intelligence and Security, which was so ably led by the member for Wannon. They went through this legislation in great detail over summer and around Christmas and they came back with 39 recommendations where they thought there could be certain subtle changes and improvements to the legislation. The government adopted all of those improvements. It was very pleasing to see—and is worthy of commendation—that the opposition and indeed the member for Holt, who served as the deputy on that committee, worked in a very constructive fashion with the government, so that we as a parliament can come to a largely agreed view on this legislation. That is very important, because we want to send a message to those who would do us harm that we as a nation are united in ensuring that we have the protections in place to stop them from doing what they want to do.

One of the protections in this legislation is that the circumstances in which metadata can be accessed will not change. So, effectively, what was available five years ago in metadata analysis by the agencies will continue to be available and will continue to be kept for up to two years. That is the central point here. We are not talking about a new category of information; we are talking about ensuring that the information is retained so that the commercial imperatives of the telecommunications companies do not disrupt the operation of national security.

One of the points that has been raised in the context of the commercial operations of the telcos is the cost of implementing this legislation. The government certainly acknowledges that there is a cost involved. It has been estimated at between $189 million and $319 million. That is a capital cost and, as such, is a cost that can be spread over a number of years. This is not something that would hit the profits of a company all in one year. It would be spread over a number of years, probably five to 10 years, depending on the depreciation approach the telco takes. Indeed, the government is willing to contribute to those costs. Discussions are continuing in that area.

What we can never do is allow a relatively modest cost to stop us from implementing something that is so important for the security of the nation. We have seen time and time again that metadata can be used to stop acts of terrorism before they occur. We must do everything we reasonably can to ensure that continues to be the case. By passing this legislation, this parliament will be sending a very clear message that we are going to be very vigilant in protecting the people of Australia.

11:45 am

Photo of Andrew WilkieAndrew Wilkie (Denison, Independent) Share this | | Hansard source

Regrettably, it is looking increasingly as if everyone in this place will vote in support of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, with the exception of the member for Melbourne and me, and perhaps one or two other crossbenchers. In other words, virtually everyone in this House is taking the position that the end justifies the means. That has in fact been made clear in a number of speeches we have heard in this place already in regard to this bill. Just about every person has jumped up and made the point that compulsory retention of metadata for two years will in fact help law enforcement and security agencies to do their work. I do not dispute that. As someone who served in the military for 20 years, including a stint in intelligence, I have no doubt that if the security services could have access for a period of two years to all of this metadata on everyone with a computer, a smartphone, a tablet or whatever it will make their job a little bit easier.

The question is: where do you draw the line? The point is that we should never let the end justify the means. During the last parliament I was on the Parliamentary Joint Committee on Intelligence and Security, which looked into this matter previously. I came to the conclusion—and without giving too much away I think a number of my colleagues on the committee came to the same conclusion—that this would be an unreasonable extension of the power of the state. That is the challenge for us in this place: to work out where to draw the line. If you said to the security agencies that you could do whatever you wanted to about any matter, I reckon they would solve a lot of matters. If you summarily executed every suspected shoplifter, I am sure we would very quickly reduce the incidence of shoplifting. But that of course is a ludicrous proposition. It would never be done, because we know where to draw the line.

But when it comes to national security we always seem to be tempted to move that line just a bit further and extend the power of the state that little bit further. That puts us on a slippery slope, because where does this end? I recall that when this was mooted a few years ago mandatory metadata retention was only to be about national security and defeating terrorism. The government at the time was very careful to emphasise that. People in this House were very aware that that was what we were talking about. But in speeches and comments made both inside and outside this place we hear about all sorts of other forms of crime. So, already, we are seeing incrementalism at play, where it is not just about terrorism. It is that we want to keep for two years the electronic footprint of every person with some sort of smart device, perhaps so that we can track them down and prosecute them for any number of offences short of terrorism.

Rather than talking about the expansion of the metadata arrangements and making them mandatory, I think we in this place should be questioning the metadata arrangements that are already in place and asking why there is already so much metadata stored without any sort of legal cover, and why the authorities are accessing it so many times without necessarily having a warrant. In fact, when I look at the figures for the last couple of years, I see that in fiscal 2011-12 federal and state security services accessed metadata 290,358 times. In fiscal 2012-13 federal and state security agencies accessed metadata 319,874 times. This was done all without any sort of legislative framework, and none of it with mandatory recourse to a warrant. I think that is the sort of thing we should be discussing in this place. So much metadata is already sloshing around and it is already being accessed. Why should we already be allowing metadata to be searched, without a warrant, when we accept that for someone's property to be searched normally there should be a warrant. This is their property. Surely a requirement for warrants should be introduced right now.

I do not accept the comment made by a previous speaker that getting a warrant is just too hard. That is the whole point. The whole point of getting a warrant is that there should be a tension in the process—that it should be a bit difficult. The onus should be placed on the security official to make the case to a judge, and it should be a bit difficult, because we want to have that tension and make it a bit hard. We want warrants to be issued when the case for a warrant can be unambiguously made when a judge, without any doubt in his or her mind, is convinced that a warrant is necessary.

I have already made the point that I am intrigued by the incrementalism that has already crept in—the fact that this was originally all about terrorism, but now we are talking as much about paedophiles and other heinous and serious crimes. I am the first to say that we must track those people down and prosecute them. But where do you draw the line? I fear that we are already on a slippery slope and we do not know where this slope is going to take us. Before we know it, there will be this massive volume of metadata before stored and people will be making applications to access it perhaps in civil matters. What will the government of the day make of that?

I fear that eventually this will be a resource for anyone to access. That would be so far removed from the original purpose both in this country and in other countries where they have looked at metadata or mandatory metadata retention.

I have made the point that mandatory metadata retention will assist the security agencies, but I worry that in this place some members have been too quick to take at face value the assurances of the security agencies about just how much use metadata is. We know from history—we know without any doubt from history—that the most clever terrorists know what they are doing. We saw this on 9/11 when a very small group of people using innovative means carried out those shocking attacks in 2001. We know that these days fortunately most would-be terrorists are not very bright, and we are able to track them down and detect them, and take action against them. But there are a small number out there who are very clever and know how we operate. They know with these new laws that, if they come to pass, there will be ways to defeat them. It will not be hard for them to defeat them. It will not be hard for them to use foreign-based telecommunications environments to beat our laws because for them the relevant metadata will be stored in another country which we cannot access.

We also know that a large amount of the World Wide Web is not accessible normally, and it not accessible normally to the security agencies. This is where the real evildoers hang-out. This is where terrorists will sometimes communicate. This is where paedophiles will sometimes share their pictures. This is where all sorts of unspeakable things go on in places like the Deep Web—that portion of the World Wide Web content that is not indexed by standard search engines—or the dark internet, which is made up of computers that can no longer be reached via the internet. That is where we will push the real evildoers. This means that mandatory metadata retention will end up being much more a matter for law-abiding people like ourselves who are having our electronic footprint recorded, and lesser criminals who have not got the smarts to go to places like the Deep Web and to use facilities like the dark internet or have not got the nous to use a foreign-based communications environment.

I worry that we will not achieve what we are trying to achieve to the full extent—even though we will be paying the enormous price that our electronic footprint will be stored for two years. Let us not underestimate what that footprint means. Speakers are very quick to say, 'Don't you worry about that; it will be just the fact that you made a call.' It will be a darned sight more than that. For example, every time your phone is recorded as having a location, it will be recorded for two years. In other words, the security services will know where every phone has been located, while it has been turned on, for the last two years. This is an unprecedented extension of the power of the state. I do not know that people in this House understand the scope of the extension of the power of the state that is being contemplated in here and likely to pass the parliament. Not even in the United States have they contemplated such a remarkable extension of the power of the state, and most countries in Europe have baulked at going anywhere near this because they know it is an unprecedented extension of the power of the state. It is. I do not mean to sound overly dramatic, but it is a step towards the police state, when all of a sudden our security agencies will have in their possession, or access to, your electronic footprint for the last two years. They will know every time you have made a phone call; every time you have sent an email; everywhere your phone has gone, which presumably is on your person—quite remarkable.

When I was on the Parliamentary Joint Committee on Intelligence and Security in the 43rd Parliament and we did look into these matters, I was quite affected by the volume of public submissions and the breadth of public submissions. There were thousands of submissions from all sorts of individuals and organisations, and not from your usual suspects. Mostly these submissions were from people and organisations that should be listened to, and they were overwhelmingly opposed to mandatory data retention. So why are we ignoring them? I cannot fathom it. I can only assume that members of the government and members of the PJCIS in this parliament have gone inside the tent, and when secrets are shared with you it is intoxicating—you start to drink the Kool-Aid; you start to believe everything that is being said. When the security agencies are asking for a cheque, you hand them a blank cheque because you have drunk the Kool-Aid and you are believing everything they have said. Of course they will ask for everything, that is their job. It is our job to limit what they get; to limit it to what is acceptable to the community; to limit the power of the state to acceptable levels.

I might have had a different response to this bill if a couple of aspects were addressed. They will not be addressed. I have raised them before. One is that there needs to be much more effective parliamentary oversight of the intelligence services. I think it was the member for Greenway who was expressing some confidence in this bill because she was able to say that we in the parliament would keep a close eye on this—we would know what is going on and monitor it, and be able to take remedial action. I support the member for Greenway's sentiment, but the reality is that parliament has no oversight of operational matters of the security services. The Parliamentary Joint Committee on Intelligence and Security only has a remit of administrative oversight of some of the security services. It is, in fact, the ministers who have oversight of the relevant agencies. That is fine when you have good ministers, but what happens in the next parliament, or the one after that, or the one after that, when you have a dud minister—someone who is prepared to go just that bit further. Again, we are back on the slippery slope.

I might have had a different approach to this if we had taken this opportunity to ask: why is it that already, every year, the security services access metadata without warrants hundreds of thousands of times? That is effectively searching someone's property. There should be a warrant arrangement in place now. Surely any sort of mandatory metadata storage and access arrangement must include warrants for any access—not just for journalists but to access anyone's metadata.

Yes, that will be hard. It will slow things up. But it will ensure that the security agencies less and less unnecessarily access our property and more and more focus on the property of people who should be scrutinised. That is what is required. Again, this is a missed opportunity to give the parliament greater oversight and to put in place a warrant requirement for all access to all metadata. Instead, the parliament is doing what it does.

I hope I am wrong. I hope more than the member for Melbourne and I and perhaps one or two other crossbenchers oppose this bill. I will certainly oppose this bill. I will continue to oppose it and speak out strongly against it. I will call on a future parliament to wind it back.

12:00 pm

Photo of Paul FletcherPaul Fletcher (Bradfield, Liberal Party, Parliamentary Secretary to the Minister for Communications) Share this | | Hansard source

I am pleased to rise to speak on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, a bill which amends the Telecommunications (Interception and Access) Act and the Telecommunications Act. It contains a package of reforms to ensure the continuing investigative capabilities of Australia's law enforcement and national security agencies.

This bill has generated a fair amount of community debate. In the time available to me, I would like to make three points. Firstly, I would like to emphasise what this bill is not about. Secondly, I would like to cover what the bill does. Thirdly, I would like to respond to some of the concerns that have been raised as part of the debate and address the measures that are included in response to those concerns.

Let me come, firstly, to the question of what this bill does not do. I should say that I bring to this debate a perspective from having worked in these areas for quite a number of years. In a previous life I was director of corporate and regulatory affairs at Optus, the second largest telecommunications company in Australia, and dealt regularly with the kind of matters that this bill addresses. At Optus, as is the case at the other large telecommunications companies, there is a law enforcement liaison unit which deals regularly with state and federal police and other agencies in relation to requests under the Telecommunications (Interception and Access) Act for information and content, in each case compliant with the various requirements under that act.

I want to emphasise that this bill does not provide law enforcement organisations and security agencies such as ASIO and the Australian Federal Police with new powers to access metadata. The powers that they have to access metadata are set out in the Telecommunications (Interception and Access) Act 1979, particularly in division 4 of chapter 4. There are no new powers to access metadata granted by this bill. Nor does the bill expand on the range of telecommunications metadata which the police and security agencies are able to access. Again, that is not something which is contained in this bill.

Indeed, I want to highlight just briefly some of the points made in the report of the Parliamentary Joint Committee on Intelligence and Security about the existing law in relation to police and security agency access to metadata. The report highlights the point that I have just made, that today so-called enforcement agencies as well as ASIO are permitted to access telecommunications data under an internal authorisation which is issued under part 4-1 of the Telecommunications (Interception and Access) Act. I hasten to add that enforcement agencies are defined to include the Australian Federal Police, state police and a range of other agencies, including state crime commissions and so on.

I will come to what telecommunications data includes under the terminology of the existing act before I go to the bill. Telecommunications data includes such matters as: the time, date and duration of a communication; the identifiers of the services and devices involved; certain information about the location of the respective devices, such as, for example, which mobile base station a mobile phone was connected to; and information about the parties to the communication, such as their name, address, contact details, billing and transaction information, and so on.

I want to emphasise again that I am speaking here about the current law which is contained in the Telecommunications (Interception and Access) Act 1979. This is law which has been in place for many years. It is worth bearing that in mind when you consider some of the things that are being said in this debate about what people are concerned that the bill before the House today may do. A number of the comments that have been made appear to have been made from a lack of knowledge on what the law presently says on this matter and has said for many, many years.

I also want to emphasise that this bill does not deal with the content of a communication. It deals with information about a communication, which is referred to by the term 'metadata', which we have all now come to know and love. It is referred to in the existing legislation as 'telecommunications data'. I want to make it clear that there is nothing new in this bill in relation to the scope of metadata. In fact, as I will come to, in some ways the scope is narrowed. I again want to emphasise that the bill does not change the grounds on which metadata can be obtained by enforcement agencies and security agencies.

I also want to make the point that large amounts of this data is today stored by telecommunications companies and internet service providers for their own business purposes. In the day-to-day operation of a telecommunications network, enormous amounts of information are generated. For example, each time a mobile phone is connected to a particular base station, that generates a piece of information. That information may be kept for some time or it may be kept for very short period of time. But it is information that is generated in the ordinary operation of a telecommunications network, and so are many other kinds of information. Information is generated and retained, for example, for billing purposes. All of this is done for the ordinary operational purposes of running a telecommunications network.

Let me turn, secondly, to the question of what this bill does. This bill deals with specific categories of metadata—that is, certain classes of information about telephone calls and so on. The primary purpose of this bill—and let us be very clear and specific on this, because again there has been a lot of confusion in the commentary—is to standardise the approach for how long metadata is retained. Let me make this point: today the law says, as I have sought to explain, that if the security agencies and police comply with the processes set out in the Telecommunications (Interception and Access) Act, they can obtain metadata from telecommunications companies and internet service providers. That is not information about the content, for example, of a telecommunications call, but certain information in relation to the call—the name of the A party, the name of the B party, the time of the call, the duration of the call and so on. The law as it stands today gives those powers, but it does not impose any particular requirement on the telecommunications companies and internet service providers as to the length of time for which they retain that data. That is what is new about this bill. That is the essence of the bill before the House today: it will impose on the telecommunications companies and internet service providers an obligation, which they hitherto have not faced, to retain the classes of metadata specified in the bill for a period of two years. We need to be very clear about what this bill does do and what it does not do. A lot of the public commentary about the effect of this bill misunderstands that fundamental point.

If we come to the policy intention behind imposing this new obligation on telecommunications companies and internet service providers, it is, firstly, that metadata is a vital investigative tool. Many speakers before me have quoted the statistics as to the very high proportion of particular kinds of investigations in which telecommunications data is used—for example, in 87 per cent of child protection investigations. But at the moment the position is that the success or failure of a particular investigation by the police or the security agencies can depend upon a random factor—that is, which telecommunications carrier or internet service provider happened to provide the service which was used by the person of interest to the police or to the security agencies and, in turn, what the particular business practices of that company are with regard to the retention of metadata. At the moment, the success or failure of an investigation—which could well be an investigation into a matter that goes to the physical safety and security of large numbers of Australians, depending upon the nature of the threat being investigated—can depend upon the random outcome of which particular network is used and the particular business practices of the relevant telecommunications company or internet service provider. A desire to systematise the retention requirements is the policy purpose and intent of this bill, and it is very important to be clear that that is what this bill does. It does not, for example, change the law as to the circumstances in which metadata is authorised to be obtained by the police or by the security agencies.

Let me turn, lastly, to some of the concerns that have been raised and the ways in which the bill before the House seeks to address those concerns. I note that the Parliamentary Joint Committee on Intelligence and Security conducted a very detailed examination of the bill and presented its report on 27 February. The government said that it would carefully consider recommendations made by the committee. The report makes 39 recommendations, including the recommendation that the parliament should pass the bill, and the government has supported all of the committee's recommendations. The recommendations in the committee's report focus largely on specifying the dataset in the primary legislation instead of regulations, specifying the agencies in the primary legislation instead of regulations and increasing oversight mechanisms and privacy protections. The government agrees that the bill should be amended to include the proposed dataset in primary legislation and also agrees that enforcement agencies be specifically listed in the legislation. The bill will also implement additional oversights for the new data retention regime and particularly will significantly reduce the number of agencies that are permitted to access metadata.

The point I want to make to the House this afternoon is that, if you listen to some of the commentary, you might think that this bill creates new powers for information to be accessed, that it greatly widens the scope of information that can be accessed and that it widens the range of people who can access that information. In fact, as I have sought to explain, it makes no change to the circumstances in which information can be accessed. It will limit the range of agencies that can access information and, indeed, by giving a specific definition of metadata, it makes quite specific what the obligations will be on the telecommunications companies and internet service providers.

A key issue is the cost of implementing these arrangements, because clearly there are costs incurred in storing data. PricewaterhouseCoopers has been retained to look at this question. Evidence was provided to the committee on the conclusions drawn by PricewaterhouseCoopers, which were that the up-front capital cost across industry was going to be between $188 million and $319 million. The government has consistently said that it will make a reasonable contribution to these costs, recognising of course that the industry participants are private sector companies and that there is a public policy purpose in imposing this data retention obligation.

The government also acknowledges the reality that it takes time to put in place new IT systems and processes, and therefore the bill allows individual telecommunications companies and internet service providers to develop an implementation plan to allow a pathway to compliance over a period of up to 18 months. That is very important, because what typically happens in telecommunications companies is that there is an annual IT upgrade cycle. This will allow the relevant information technology work to be accommodated within that annual IT upgrade cycle.

I conclude by reiterating the point that what this bill is about, despite some of the confused commentary, is the imposition on telecommunications companies and internet service providers of a uniform period for which they must retain metadata. That data is already extensively retained, but the key issues are that the period for which it is retained varies materially between different companies and that there is an underlying public policy purpose in retaining data, which is to ensure that the agencies and police are best equipped to do their work of seeking to maintain the security of Australians. It is a very important public policy purpose.

12:15 pm

Photo of Melissa ParkeMelissa Parke (Fremantle, Australian Labor Party, Shadow Assistant Minister for Health) Share this | | Hansard source

I rise to speak on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014. The proposal to introduce a mandatory data retention scheme is of deep concern to many Australians and organisations, particularly with regard to its potential impact upon privacy, media freedom and freedom of expression, cost and competition.

The amendments brought about through the work of the Parliamentary Joint Committee on Intelligence and Security have done much to improve what was really just a shell of a bill presented by the government. I thank the shadow Attorney-General and shadow minister for communications in particular for their consultative approach to this issue and I also thank the individuals and organisations who have taken the time to make submissions on the legislation.

It will perhaps be a surprise to many people in the community that over 80 agencies, including local councils, can already access anyone's metadata without a warrant. To the extent that this bill imposes some limitations and oversight around this process it is clearly an advance. It is, however, apparent that even with the amendments significant concerns remain regarding the lack of evidence as to necessity and the lack of adequate safeguards ensuring proportionality, security and oversight.

It is worth noting at the outset that the primary purpose of the Telecommunications (Interception and Access) Act, which this bill seeks to amend, is to ensure the privacy of telecommunications and to prohibit the accessing or interception of telecommunications. That purpose meets the human rights imperative identified in article 17 of the International Covenant on Civil and Political Rights, to protect from arbitrary interference a person's privacy, family, correspondence or home, and article 19, the right to freedom of opinion and expression. In protecting these rights, the Telecommunications Act has always provided for exceptions under which law enforcement and national security agencies can access data in appropriate circumstances.

We are informed this bill is needed to ensure that law enforcement agencies can keep pace with rapidly evolving telecommunications technology and services. I note the evidence given to the intelligence committee that, while preservation notices issued under the Cybercrime Legislation Amendment Act 2012 can secure information into the future, law enforcement agencies frequently require historical data. There is a concern that such data will become increasingly unavailable as service providers adapt to new technology; the term used is 'going dark'.

As per the intelligence committee recommendations in its March 2013 report, which have not been implemented by the government, what is needed is a comprehensive revision of the TIA Act and the entire interception and access regimes. This is supported by the Law Council of Australia, which in its submission to the committee noted that the bill should have been 'preceded by rigorous and comprehensive review of the alleged deficiencies in current processes and unavailability of data needed for investigatory purposes'.

In its attempt to sell this bill, the government has given the community many inconsistent messages. It claimed that the retention of and warrantless access to metadata are less intrusive to privacy than access by warrant to content, and therefore we should not be concerned. The Attorney-General and Prime Minister described metadata as akin to the address on an envelope. This view has been comprehensively debunked in many of the submissions as well as by the Parliamentary Joint Committee on Human Rights, which stated in its report on the bill:

Communications data can reveal quite personal information about an individual, even without the content of the data being made available, revealing who a person is in contact with, how often and where. This in turn may reveal the person’s political opinions, sexual habits, religion or medical concerns. As the European Court of Justice has stated in its recent ruling that held that blanket retention of metadata was disproportionate, such data 'taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.

Indeed, the Victorian Commissioner for Privacy and Data Protection's submission quotes former CIA and NSA director General Michael Hayden as saying, 'We kill people based on metadata,' and that metadata without content is capable of telling the government 'everything' about an individual. The Western Australian internet service provider iiNet has stated that metadata reveals even more about an individual than the content itself'.

At the same time as the government has been telling the community that metadata access is no big deal and that it is not intrusive of privacy, we are informed by the government that metadata is absolutely vital to investigations. The Minister for Justice has in question time cited the example of the joint ASIO-law enforcement operation in 2005 that prevented a mass-casualty terrorist attack at the MCG, in which telecommunications data was critical. But, as noted by the Pirate Party in its submission, this case study serves to demonstrate that law enforcement and intelligence agencies already have sufficient capabilities.

Furthermore, other more recent confirmed or suspected terrorist attacks such as those in Boston, Ottawa, Paris and Sydney were committed by people already known to authorities or acting alone. The Pirate Party notes:

Thus, data retention would not have helped to pre-empt them. Resources should be directed towards current law enforcement efforts and targeted surveillance rather than placing an entire nation under suspicion and thereby diverting, diluting and distracting their efforts.

Indeed, as many submissions, including from a number of councils for civil liberties point out, the review set up by President Obama following Edward Snowden's revelations reported it could find 'no evidence that sweeping collection of the telephone metadata of Americans led to a single major counterterrorism breakthrough', and a German parliamentary study referenced by European Digital Rights showed that blanket data retention would have made a difference in only an infinitesimal 0.002 per cent of criminal investigations.

On the other hand, the proposed data retention regime would ensure that police and intelligence agencies would have a large source of information with which to hunt down whistleblowers and the journalists and others, including MPs, to whom they may have provided public interest information, thus potentially having a chilling effect on media freedom and public interest disclosures of wrongdoing. Crikey's Bernard Keane notes in his submission that 'the Australian Federal Police has admitted in Senate Estimates that in hunting for whistleblowers it obtains the metadata of journalists and even politicians'. The Human Rights Law Centre notes that AFP Commissioner Tony Negus admitted in December 2013 that up to five MPs had been the subject of data surveillance without a warrant.

The firm pressure from the Labor opposition and a strong campaign by media organisations has prompted the government to agree to introduce an amendment requiring law enforcement agencies to obtain a warrant for access to journalists' metadata. The Media Arts and Entertainment Alliance has objected that this does not go far enough to protect media freedom, since access to information by warrant is still access, which should not be permitted. Indeed, as noted by Bernard Keane in yesterday's Crikey, a judge would likely issue warrants to police who claimed that laws had been broken by a public servant leaking a story. The MEAA says that such data could be used to capture the communications between a journalist and a source and, once that is known, the other tranches of national security legislation, particularly National Security Legislation Amendment Bill (No. 1) 2014 can be used to jail both the source and the journalist for up to 10 years and to tamper with the media organisation's computer network.

I share these concerns about the unacceptable threat to media freedom from this suite of national security laws. The Law Institute of Victoria and the WA Law Society have also pointed out the danger to legal professional privilege of the warrantless access regime. One of the reasons the EU Court of Justice found the EU data retention directive—on which this proposed scheme is modelled—to be invalid was that 'it does not provide for any exception, with the result that it applies even to persons whose communications are subject...to the obligation of professional secrecy'.

The requirement to force ISPs to retain, and in some cases create and store, data for two years in advance of the telecommunications sector security reforms is, in my view, putting the cart before the horse. The issue of where data will be stored is a matter of concern to many Australians, including notably the Director-General of ASIO David Irvine, who this week described himself as a 'cyber nationalist' and said he would feel much more comfortable with data governed by Australian law than law by some other country. It is significant I think that another of the reasons that the EU Court of Justice ruled the EU data retention directive invalid was because it did not require data to be stored in the EU.

The Australian Lawyers for Human Rights has noted that the bill 'outsources' compliance to private companies. This arrangement unfairly imposes an enormous cost, which will be passed on to consumers, will have anti-competitive results as it is likely to drive smaller operators out of business and unfairly penalises companies with eligible infrastructure in Australia as against overseas companies.

The government has indicated it will pay 'a substantial share' of the cost of implementing this regime and the Prime Minister has named a loose figure of $400 million. An amendment to the bill provides that the Commonwealth 'may' make a grant of financial assistance to a service provider to assist with compliance under the scheme, but this discretionary provision is unlikely to give comfort to service providers that their costs will be covered. Whether it is via taxpayers or costs passed onto consumers from service providers, it is clear that Australian citizens and businesses are expected to pay for their own surveillance, as well as any damage that may result from the inevitable misuse of metadata or unauthorised access to such data.

A number of submissions also noted that the massive 'honey-pot' of data that the legislation will require business to create and retain under the legislation could in fact be a magnet for cyber attacks. The Law Council notes that the bill does not provide a minimum set of standards for government agencies and service providers to ensure storage and security of telecommunications data; it does not require data to be stored in Australia; nor does it require the destruction of stored metadata at the expiration of the two-year period, unlike the requirement for information obtained pursuant to a warrant which must be destroyed when no longer required for the particular purpose.

The sweeping scope of the data retention scheme, together with the permissive nature of the access regime, presents very real risks to the rights and freedoms Australians are entitled to expect. The UN High Commissioner for Human Rights concluded in her July 2014 report on the right to privacy in the digital age that mandatory third-party data retention is neither necessary nor proportionate.

The Human Rights Law Centre observed that:

… the absence of a warrant or other independent authorisation process prior to access and use of the stored data gives rise to serious concerns regarding the propriety of the access and use.

The PJC on Human Rights and many other submissions to the Intelligence committee recommended that access should only be granted on the basis of

…a warrant approved by a court or independent administrative tribunal, taking into account the necessity of access for the purpose of preventing or detecting serious crime on defined objective grounds.

The government has made much of the need for data retention laws to enable law enforcement and national security agencies to identify people involved in serious crimes, such as child pornography, and those who present a serious threat to public safety. Yet there is no requirement in the bill that access to metadata may only be for the purpose of investigating serious crime or national security matters. Police forces gave evidence to the committee that metadata is used primarily in general crime investigations, rather than for serious crimes, which account for only around two per cent of the cases of access to metadata.

The AFP Commissioner has even conceded the information could also be used to investigate copyright infringement. While the amendments made to the bill as a result of the intelligence committee recommendations generally preclude disclosure of information for civil litigation purposes, including by way of subpoena, they do not address a requirement imposed by a court on an individual to disclose information under the rules of court or an obligation of discovery and inspection.

I am also concerned about the ability of the Attorney-General under this bill to make declarations as to items for inclusion in the data set, additional classes of service providers or additional authorities as law enforcement agencies, as well as regulations providing for exceptions to the prohibition on disclosure of information for civil litigation purposes. In my view the period of 40 sitting days—approximately six months—before the Attorney-General has to bring a bill before the parliament, or the declaration or regulation lapses, is too long.

The final issue I want to raise is that of the oversight provided in this bill. Under the bill the Commonwealth Ombudsman is charged with responsibility for oversight of law enforcement agencies' use of powers and the intelligence committee is to do a review of the scheme two years after the conclusion of the implementation phase. These are worthwhile measures, but they are directed at reviewing access powers after they have been exercised. The Ombudsman's oversight does not extend to the use and handling of data by the service providers required to retain the data. Furthermore, there has been no watertight assurance by the government that the Ombudsman will receive the significant additional resources needed to carry out the oversight function. As mentioned earlier, an independent warrant process for access to the stored data would constitute a greater safeguard and provide some measure of reassurance to the general community.

In short, this bill, which has been introduced with too much haste and too little concern on the government side, proposes a quantitative and qualitative expansion of data retention and access over the private communications of millions of law-abiding Australians. There should have been a comprehensive review of the data access regime, including the question of whether any warrantless access should continue to be allowed at all. These and other issues around security and storage of data, and oversight mechanisms, should have been investigated before this bill was embarked upon. Such legislative change—with implications for fundamental rights of privacy and freedom of expression and media freedom as well as the significant implications for businesses—should only occur very carefully, and with the utmost rigour in its design. Unfortunately, notwithstanding the best efforts of the Labor opposition and many others outside the government, that is not the case with this bill.

12:30 pm

Photo of Luke SimpkinsLuke Simpkins (Cowan, Liberal Party) Share this | | Hansard source

I welcome this opportunity to speak today on this bill, the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014. It was very long time ago that I was a member of the Australian Federal Police and at that time, in the mid-eighties, there was not a whole lot of talk about metadata or digital communication. The sum of the high-tech investigations at the time was in the early days of credit cards: where a card was put under a three-ply sheet of paper, the swiping machine was run across it, and then people had to sign it. And when they had signed that piece of paper, they put their thumb on the corner of it and pulled out their copy—from the middle of that three-ply piece of paper. The reason I am talking about this is that lots of people who were up to no good—with credit card fraud, and things like that—were subsequently caught, because that piece of paper offered a brilliant thumbprint of the person who had used the credit card. Those were the high-tech days of the past! But of course, time has moved on—with credit cards now, you pretty much just type in your four-digit PIN, and that is all you have got. But in those days there was no concept of metadata or of digital communication. Obviously, things have changed a lot.

More needs to be done. There are serious circumstances now: we have terrorism; we have child exploitation, and crimes against children in general—and so many of the most serious crimes in society around the world are now directly linked through the internet and through digital communication. We need to step forward and look for other ways of investigating, and it is through metadata and through looking at digital communication that this action takes place—and many serious investigations now use metadata that already exists.

Before I turn to the bill—and I do not intend to speak for a long time on this bill; I do not intend to go through each minute detail of the bill or anything like that, because that has already been covered on so many other occasions. But, after listening to the member for Fremantle, I would make the observation—and I know that she has passionate views about this and I respect passion—that it is amazing how she could speak for 15 minutes about the problems—according to her—with the bill, and then at the end of the day say, 'we will nevertheless support the bill'. I sometimes wonder about the courage of our convictions in this place: if you stand up here and you disagree with something, have the courage of your convictions to vote against it. But, of course, there are problems on the other side with that technicality.

This bill is all about data retention, and about how the retention of data can assist law enforcement and the security agencies of Australia in their investigations. This bill is not about keeping more data, but about retaining the data for longer. Through this bill, if passed, the carriers and the internet service providers will be required to keep a prescribed set of telecommunications data for a period of two years. The situation is concerning—and I am not talking about this bill but the reasons why we need this bill. There is a threat; there are those that are planning terrorist attacks. The opportunity to access metadata up to two years after it was generated is essential. There has been a lot of misinformation over the last year about this metadata. It would seem that the opportunity for the police and the national security agencies to access metadata is somehow a new concept. This is wrong, of course; they have that opportunity now, and they will have that opportunity in the future.

Metadata is, in the most basic sense, a communication, but not the actual content of the communication. As the Prime Minister and other ministers have said, metadata is a vital investigative tool in police investigations of serious matters; not just in the investigation of terrorist activity and planning but also in the identification and investigation of child abuse crimes and organised crime. Clearly the need is for ASIO and our police to be able to access metadata so that crime in many areas can be attacked and dealt with. The trouble is, with increasing technology, the telecommunications companies can conduct so much of their business without retaining metadata for long periods. This means that government must now act to ensure that the investigative asset which is metadata is not lost as a result of these technological advances. This bill sets the time frame as two years.

The main issue of opposition to these laws is—as I said before—the false belief that metadata access is somehow new, but obviously it is not. The second issue of interest that has been raised is protection for journalists, or rather, protection of sources, because no-one would really suspect that journalists would be likely to be involved in any of the crimes we have spoken about. Interestingly, metadata can currently be obtained without a warrant, even with regard to journalists. It is only through this process and through the recommendations of the Parliamentary Joint Committee on Intelligence and Security that the need for a warrant in the case of journalists has been added. So this is a good thing; it will improve the freedom of the press. I say again: this requirement is not currently there. There should therefore be greater support for this bill, because it adds more protections.

As I said before, it is not merely my intention to restate the details of the bill that the minister has already laid down in his second reading speech and that others have also talked about. I would like to pursue a related matter—a matter for the future, perhaps. It is well known that one of the great challenges to our efforts to combat the Daesh extremists in Australia is the slick social media that they put out. It is also true that the tweets and the Facebook posts are encouraged by Daesh, and that influence reaches to the smartphones and out into the homes of Australia. They might influence those that might be tempted by what these murderous extremists offer. The sadism, the paedophilic tendencies and the other evil the lurks in the deep darkness of the souls of some people can be attracted to what Daesh offers. It is bizarre that the worst in human nature and the incomprehensible for most of us can actually inspire others.

To combat this, I believe that it should be a criminal offence to share F acebook posts or tweets , or other social media , of those that are part of a prescribed terrorist organisation or those that support or promote such an organisation. By this, I mean that if a person is a F acebook friend with a person that disp lays an IS flag, or is in Syria or Iraq with IS or a l-Nusra, or with Hamas in Gaza, or with other such terrorist groups, and they receive a post, to share that post sh ould be an offence. To retw eet a tweet from such a person sh ould also be an offence. That is what I would propose. Obviously , a defence to such an offence would be where the social media is forwarded to the police or an Australian security agency.

Again, it is not my intention to merely restate what has been stated already about the detail s of the b ill. But , in co nclusion, I will say that this b ill is about preserving our security and law enforcement capa cities . It is also about requiring that existing and accessible metadata b e retained for two years. This b ill initiates protection for journalists that does not currently exist and ensures that metadata is strictly and properly controlled. As someone who believes in every aspect of this bill and in every aspect of the need for this bill, I completely and utterly endorse the bill as it is and I look forward to its passage through the parliament.

12:39 pm

Photo of Andrew GilesAndrew Giles (Scullin, Australian Labor Party) Share this | | Hansard source

I rise also to spea k on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014. Debate around this bill is very important. It concerns challenging and complex legislation that raises some fundamental questions. How do we, on the one hand, enable effective law enforcement, while, on the other hand, preserving the foundations of our democracy and safeguarding privacy?

The bill the government introduced to this House in October of last year failed to satisfactorily grapple with these questions. I could not have supported it and I hoped that this House would not have supported it in that form. Now, on balance, as a consequence of the considered and firm approach Labor has taken to this legislation, and the hard work of the members of the Joint Committee on Intelligence and Security, I am persuaded that I should support this legislation, subject to the many amendments arising from the committee's report and those additional matters proposed and outlined by the shadow Attorney-General in his contribution to this debate.

In my view, however, there are significant matters that remain outstanding, particularly in respect of oversight. I again echo the contribution of the shadow Attorney-General in talking to what have been described as the Faulkner reforms, which would elevate to a more appropriate level parliamentary and democratic oversight of the operation of our security agencies. That is, of course, only a small part of the remit of this legislation, but, in my view, it is a critical piece of unfinished business for this parliament to attend to.

Let us be clear in having this conversation about the circumstances that this legislation is concerned with. As the member for Fraser said at the start of his contribution earlier today, with any law we must start with the status quo—as this government did not in October last year and as some who continue to oppose this legislation, or any such legislation, do not. As we speak today, a vast amount of data is retained by telecommunications companies. This information is, in large volume, being accessed by a wide range of law enforcement agencies. Last year, we understand that over half a million applications were made to access metadata. This, of course, represented a very significant increase on applications made in the previous year. This legislation, this debate, does not arise in a vacuum.

The data that is retained is not in a standard form, nor is it kept for common or standardised periods of time. The bodies accessing the data right now are not just police and security agencies. They include local governments and, indeed, the RSPCA. As we are having this debate, this area is effectively unregulated and without any meaningful oversight. We know very little about the use and, indeed, the misuse of such data—a very important point made by the member for Blaxland in his contribution. This is the problem we are trying to solve, or the problem we should be trying to solve, through this legislation and this wider debate. This should have been the starting point for this conversation. Should we seek to regulate these activities and, if so, how? What safeguards should we seek to introduce? What balances should we strike? I believe that we should be regulating both the retention data of data and the question of access.

As the member for Isaacs has noted, this bill differs in several important respects from the national security laws that were supported by Labor last year. This bill is not primarily concerned with national security. Evidence presented to the joint committee made clear that telecommunications data is used in law enforcement of all kinds, and that counter-terrorism and counter-espionage make up only a very small proportion of this data use in Australia. The majority of requests for access are made by state and federal police for general law enforcement purposes. The data retention regime, as set out in this bill, is not specifically directed towards current national security concerns. This is a point that must be stressed. Rather, the scheme proposed provides for the retention of certain telecommunications data generated by all Australians who use the internet or a mobile phone.

This bill, as I said earlier, raises difficult and complex questions, as the Attorney-General demonstrated in one of his media contributions. Fundamentally, we are considering questions of balance, not absolutes. That is another point which has been insufficiently stressed here by government members and, indeed, by some of those opposed to any regime of this type. Across the provisions of this proposed legislation, we must be prepared to run the ruler over their efficacy to maintain security and lawfulness, on the one hand, and to weigh this against infringements on privacy on the other. It is important that we consider questions of process here. This bill was introduced in the House last October. It was not in a state, as I said at the start of my remarks, to be properly dealt with, much less passed. The process undertaken at some length by the joint standing committee makes this abundantly clear, and I take this opportunity to acknowledge the work of the members of this committee—all of them but in particular the Labor members. Their report is comprehensive and I certainly found it helpful in considering my response to this legislation.

I say again: the retention of very large volumes of telecommunications data by private companies has been occurring in Australia for many years in a largely unregulated manner. This data has been accessed under the current act by a large number of agencies hundreds of thousands of times at least. This is something that has not been greatly appreciated by the general community, and this lack of understanding clearly extends to members of the government, which is not helping an informed debate. The Attorney-General has clearly been out of his depth in these matters. This has raised community concern about the supposed powers in this bill, the cruel irony being that the majority of the security agency powers that people have contacted me about are already in existence.

I am concerned, like many other speakers on this side of the chamber, about the implications of this legislation on the media. I am not convinced that it is appropriate that we should be waiting to move to address such concerns, which go to the heart of how we enable, or facilitate perhaps, truth to be spoken to power. I note that the government has had to be dragged kicking and screaming to provide any such protection, thanks to Labor's resolve on this issue, but this is worrying and it is also telling. It depicts a government in the thrall of security agencies and one that has had seemingly very little regard to other sources of information. Of course it is vital to pay careful attention to what these agencies say, but this cannot properly be to the exclusion of all other voices. The fact that Labor has had to close so many loopholes, like protection of whistleblowers, is evidence of this government's slapdash approach to legislating on these critical questions. Labor keenly await the government's amendments in the Senate and we will make sure the government is held to its reluctantly given agreement to our warrants proposal to protect journalists, journalism and sources.

Due attention must also be given to the question of how data is preserved, and this is a matter that remains outstanding. In large part, of course it is the case that assurance in this regard turns on the question of where data is stored. If this were to be solely a question of cost, it is obvious that ISPs would choose lowest cost options—that will be the market simply doing its work. But how secure would this data be? In this regard, I note comments reported in The Australian Financial Review by former director-general of ASIO David Irvine, who voiced strongly held concerns about where Australians' data would be stored. Mr Irvine makes the perfectly sensible point, in my view, that this bill does not presently require the onshore storage of data but that it should, describing himself as a 'cyber-nationalist', as I think he should be and we should be in this regard.

It is clear, however, that the government does not have any meaningful answer to this proposition, and why would it? It has not sought to ask this question. Indeed, this bill is silent on the important related process of telecommunications sector security reform, a process commenced under Labor, underlining our strong record in seeking to protect people's personal information across a range of policy areas. Consistent with this approach and these principles, Labor will continue to articulate the case for this data to be stored in Australia. I note also on these points that Labor has argued for the bill to be amended to impose stringent standards for data security, and I am pleased that these arguments were accepted by the committee, which recommended a requirement for stored data to be encrypted. Labor has also pressed for a recommendation that a scheme of mandatory data breach notification be introduced so that anyone who has had their data compromised is informed of this breach and so is placed to take appropriate measures to respond and to protect their privacy.

The question of who pays for this data to be stored, wherever that may be, is, of course, a question the government has been reticent about, but it is not sufficient for consumers to carry the costs of the implementation of this regime. The original bill was silent on who would bear the cost of the scheme and the government refused to release the cost of the scheme. Through the work of the committee, Labor has insisted that the government bear the cost of the scheme. Business and consumers—small business in particular—should not have to bear solely the cost of law enforcement or, indeed, national security operations. Labor has demanded that the government consider the interests of competition in small business in structuring their contribution to industry. This scheme should not—indeed, must not—harm the interests of small ISPs. It should not entrench the market dominance of major players. Labor has also made sure through this process that members of the public are informed of the cost of the scheme. We have insisted the government release the cost figure ahead of the parliament's consideration of the bill.

As my contribution, I hope, has made clear, I am far from being opposed in principle to implementing a mandatory data retention regime. Indeed, I am persuaded, having carefully read the report of the committee, that such a regime is warranted, for a variety of reasons, of which national security is only one. For example, and importantly to me, the ACCC and the Australian Securities and Investments Commission require access to metadata, in my view, to build their case against those whom they suspect of insider trading. So Labor has moved to enshrine their access for this vital law enforcement purpose.

Having said this, though, we should be much clearer about the purposes for which this regime is to be introduced. Only in this way can we be assured and assure our constituents that it is appropriate in all respects and strikes the correct balances—and we should take the time to get it right.

These laws were introduced with unseemly haste under the auspices of national security, but their remit goes much, much further. This should give pause for thought for all of us, as it did for all of us on this side of this chamber. Labor recognises, for instance, the world of difference between someone downloading the latest episode of Vikings and someone plotting a terrorist attack. On this, the words of the shadow Attorney-General, the member for Isaacs, bear repeating:

The bill as introduced by the government would have allowed access in ordinary civil proceedings to private information retained under the regime for the purpose of national security and criminal law enforcement. This could have led to serious intrusions into the privacy of individuals by civil litigants for purposes entirely unrelated to the reasons for which the data retention regime is being established. To respond to this problem, Labor argued for and the intelligence committee recommended amendments to ensure that retained telecommunications data cannot be used for civil litigation purposes, including enforcement of copyright claims.

I pause to say that this is a matter that the member for Melbourne might have considered in his contribution.

Exceptions to this prohibition will be able to be made by regulation. The government has proposed amendments to give effect to this recommendation.

As with the issue of whistleblower protections, we keenly await the government's formal response. Time is available, and we should make use of it. We should not forget that successive governments have already given security agencies a wide range of powers. As the review into the Martin Place siege found, these powers had been used to monitor Man Haron, the perpetrator of this attack. This is really an indication that these powers will not always prevent such attacks. We should be up front about this. The Martin Place siege review recommended that we should broadly maintain the current balance in our existing regulatory and legislative framework.

With the limited time available to me, I note, firstly, that there are a wide range of important aspects of this bill that I have not had the time to consider; but I say this: there is genuine community concern about this bill. To the extent that people's fears are well founded in the community, I believe the Labor Party has played an essential role in listening to and acting on this community response. But the response on the part of all of us in this place cannot end with this debate. There are outstanding matters that we need— (Time expired)

12:54 pm

Photo of Dan TehanDan Tehan (Wannon, Liberal Party) Share this | | Hansard source

I stand today to speak on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 not only as the member for Wannon but also as chair of the Parliamentary Joint Committee on Intelligence and Security. I would like to talk about a few things today just to be clear about the process which has led to us being here today. I would also like to talk a little about the process that has led to some members putting forward amendments—I would call them pious amendments—the recommendations that the committee has made, the environment we are dealing with currently and why this piece of legislation, which is before us today, in my view, needs to be passed.

The committee took its time in considering this legislation. It considered every significant, important matter that this bill brings before this place and has dealt with it in a very systematic way. I would like to take this opportunity to commend all members of the committee who participated in this inquiry—the five coalition members and the four Labor members. Everyone who was involved in the committee process acted in very good faith and in a truly bipartisan way. I think it is significant for this parliament that, when it comes to issues of national significance, we can act in a bipartisan way. It is reassuring to the Australian community and the Australian people that when a bill like this comes before us, which deals with national security and individuals' rights, we can consider it in a way which brings all those concerns together and to put in place a piece of legislation which I think makes this nation safer but at the same time also puts in place greater protections than there are currently. The way the committee has been able to do this, I think, has been very, very significant.

It is why I have found the contribution of the Greens in this place, and in particular the contribution of the member for Melbourne, so disappointing. For the member for Melbourne to suggest that the data retention regime is being put in place without safeguards, sadly, shows that he is on a completely different planet. In an example that he gave, he said that it was like watching his dog play chess. It was a tiny bit enlightening because, obviously, he has spent far too much time watching his dog play chess and not bothered to read the committee's report and consider, in particular, the evidence that was received by the Australian Federal Police, other law enforcement agencies and our national security agencies.

This debate brings together two important elements, and I think that not to consider one of those elements is concerning, worrying and, as a matter of fact, downright disturbing. I would say to the Greens that, when it comes to considering this bill, there are serious national security implications that are involved and you should consider them, not just turn a blind eye.

Having got that out of the way, I would now like to turn to what the committee recommended when it considered this legislation. The data retention bill will implement a mandatory telecommunications data retention regime. It contains measures to require telecommunications suppliers in Australia to retain certain data for two years, with web-browsing history and the contents of communications excluded. It does not involve the storage of content. The bill also seeks to limit the organisations able to access telecommunications and store data to those with a demonstrated need and with appropriate internal procedures to protect privacy, and expands the role of the Commonwealth Ombudsman in overseeing the exercise of these powers.

The report recommends that the bill be passed by the parliament and makes 38 further recommendations aimed at strengthening the regime and improving oversight and safeguards. These include: including the proposed dataset in the bill rather than in regulations as proposed; listing all criminal law enforcement agencies and enforcement agencies in legislation; establishing emergency declaration powers, subject to safeguards, for the Attorney-General to include items in the dataset, or declare an additional agency able to access data; prohibiting civil litigants, with appropriate exceptions, from accessing telecommunications data being held solely in compliance with mandatory data retention requirements; and strengthening the safeguards around the use of telecommunications data for the purpose of determining the identity of a journalist’s sources by requiring agencies to provide a copy to the Commonwealth Ombudsman or the Inspector-General of Intelligence and Security of any authorisation for access to such data. The Ombudsman or the IGIS would then be required to notify the committee as soon as practicable and provide a briefing accordingly. This was a major safeguard when it came to the media. We have now, as a result of further bipartisan work between the two major parties, sought to put an additional safeguard in there by requiring a warrant.

There is also additional funding for the Commonwealth Ombudsman, commensurate with the office's expanded oversight role. Not only have we given increased oversight powers to the Ombudsman; we have also agreed that he needs to get more funding. Privacy and data security measures, including a mandatory breach notification scheme, will also be introduced.

The committee recommended that the government make a substantial contribution to the up-front capital costs incurred by service providers in implementing their data retention obligations. The committee also recommended that, when designing funding arrangements, the government ensure that an appropriate balance is achieved that accounts for significant variations between the services, business models, sizes and financial positions of different companies. This was something that the previous speaker spoke about. The committee has sought to ensure that both the small end of town and those larger providers are taken into account when it comes to how those capital costs contributions will be rolled out.

There are other aspects to what was agreed—and this is important—including when it comes to the proposals which were put forward by former Senator Faulkner. The committee has agreed, and this is of particular significance to parliamentary oversight, that the committee be able to look at operational matters in the limited area of authorisation of access to telecommunications data relating to ASIO and the AFP, consistent with the committee's remit. This is the first time that the committee will be granted those powers. This is a significant recommendation, which has been agreed to by the government and which goes a huge way in increasing the remit of the committee. That is the seriousness with which this government has taken the bill before us.

We received more than 200 written submissions from a broad range of sources and heard from 30 organisations over three days of public hearings. The committee's report also built on previous work done by this committee in the previous parliament. I commend the deputy chair of the committee, Anthony Byrne, for the role he played in that preliminary report, which was produced by the committee in the previous parliament. It has very much led a path to where we are today. So when others talk about a process which is being rushed, that is utter, utter nonsense. This is a process which has been to a committee in the previous parliament, the government has put legislation to this parliament, the committee has further looked at that and made further recommendations, and that is why we are here today now looking at and examining this bill.

This has been an extended process and an extended bipartisan process and one which all members of this place, in my view, should commend, particularly given the current security climate that we are operating within. For the first time in its 11-year history we saw the national terrorism public alert system raised to 'high' last September. There are 90 Australians known to be fighting and supporting terrorist groups in Iraq and Syria. Over 30 have returned to Australia. At least 140 people in Australia are actively supporting extremist groups. Since December 2013, 24 people have been charged as a result of seven joint counter-terrorism team operations.

Metadata is important in dealing with these threats. Operation Pendennis was a joint investigation between the AFP and ASIO and state law enforcement agencies in New South Wales and Victoria into terrorist cells based in Victoria and New South Wales. It was the first serious counter-terrorism investigation prosecuted in Australia. As a result of the investigation, a total of 13 individuals were charged in Victoria with a variety of terrorism offences. A further nine individuals were charged with similar offences in New South Wales. A number of trials were subsequently held in Victoria and New South Wales. The Victorian trial of 13 individuals for membership of a terrorist organisation concluded in 2009 with seven accused found guilty, two accused pleading guilty and four accused acquitted. Historical data was a crucial tool supporting the investigation and was used to identify a covert phone network that was being used in New South Wales in an attempt to conceal illicit terrorist planning activities from law enforcement.

We have to take these things into consideration when we are dealing with these matters. I understand, and the committee understood, the importance of getting right the privacy aspects of this bill and other individual freedoms that potentially could have been challenged. But we also had to take into account the evidence that was put to us by the AFP and ASIO. My view is that the committee has got the balance right. My view is that this legislation, with the recommendations and the amendments that have come before it as a result of the committee's work, ensures that we have got the balance right. This bill should now be passed by this House and it should be passed by the Senate and should become law.

1:09 pm

Photo of Terri ButlerTerri Butler (Griffith, Australian Labor Party) Share this | | Hansard source

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 demonstrates, to my mind, just how disorganised and hopeless this government has been, in its first year particularly, as the government. The Attorney-General was a member of the Parliamentary Joint Committee on Intelligence and Security in June 2013 when it published its report into national security, which considered in some detail whether there should be a mandatory data retention regime. What we have had in this country for a very long time is a situation where telecommunications companies store telecommunications data, like the phone numbers you call, the location you were in when you made the call, the location that the recipient was in when you made the call and how long you spoke for.

In 2012-13, there was 330,000 warrantless accesses of that data. In 2013-14, that had grown to 500,000 warrantless accesses of that data. Yet, did the Attorney-General see fit to act on the idea of looking at better regulation for data retention when he was elected? He spent more than a year before even getting a bill into a position where it could be brought into the House. What was he doing in that year? Was there some other issue that was so important that we could not possibly be talking about data retention? I know what he did in his first year as the Attorney-General. He decided to tinker with hate speech laws. He decided to try to take away protections for people from hate speech. For some reason, the Attorney-General thought that that was more important than working on the regulation of data retention in a situation where we have had massive amounts on warrantless accesses to people's telecommunications data with very limited regulation. The state that this bill was in when it was first introduced suggests to me that he spent no time at all in that first year worrying about data retention, because the bill itself, when he finally got around to thinking, 'We should do something about data retention,' and rushed it into the House, was in a completely ridiculous state that could not have been supported.

It took the Labor Party to insist on a time frame for appropriate consideration, for appropriate review and for appropriate consultation. It was our insistence that got that time, that allowed for the many organisations to have the proper opportunity to make submissions, to review the legislation and to lobby their members of parliament. What level of revision was needed? To the extent that we have pages of amendments, we have further amendments to come and we had 38 recommendations from the Parliamentary Joint Committee on Intelligence and Security required just to get this bill into a state where it could be supported, I have to say that when I first read the bill I had a number of concerns, and why not? This is a very complicated issue.

There are so many competing considerations for us to take into account, considerations like the importance of law enforcement in this country and the availability of a tool for law enforcement to crack crimes such as murders, kidnappings—those serious offences—and the availability of telecommunications data to assist in those investigations. On the other hand, there is also an importance in people being able to use this data themselves to help them with their own legal rights. For example, if you need to prove that you were in a particular place, then this might be very helpful in legal proceedings. So people need to have access to that if it is available as well. On the other hand, again, there are cost considerations. This government has been finally dragged kicking and screaming into telling Australians what the costs of this legislation will be, but it took Labor to force them to do that. It took Labor to force them to even undertake the costings in the first place, which had not even been done when this bill was tabled. It was in the months since the bill was tabled that there was some costing work done. The human rights aspects of this bill and of the existing data retention scheme are vastly important. The existing data retention scheme has been around for many years and under it there are many warrantless accesses —in fact, there are hundreds of thousands—every year. Those human rights issues, like privacy, are of fundamental importance to this nation and to any nation that claims to be a modern, democratic nation where people have appropriate respect for human rights.

There are a range of other competing considerations. There is the consideration of the effect on competition when smaller ISPs have to scale up their operations in order to meet the proposed data set. In fact, the data set itself was not even settled when this bill was introduced. It was not even in the bill. There was an idea that it would just be done by regulation. The ridiculousness of that speaks for itself. To say 'we're going to have a mandatory regime where everyone has to do retain the same data but we can't tell you what data that is going to be' suggests to me that this government is yet again being shambolic, disorganised, chaotic. And what have we seen this year? They are too busy fighting amongst themselves, too busy fighting over the leadership. Luckily for this government—and, more to the point, luckily for the people of this nation—the Australian Labor Party has reviewed this bill and has forced this government to take appropriate steps to make improvements to this bill, which I will touch on.

Before I do that, I want to join with others in this place and express my thanks to the Parliamentary Joint Committee on Intelligence and Security. I acknowledge the chair of the committee, who has spoken in this debate previously, and also the four Labor members of the committee—members Byrne, Dreyfus and Clare, and Senator Conroy. Each of those four has made a phenomenal contribution to moving this bill from being shambolic and unpassable to being a bill that will now seek to improve the regulation of the existing data retention scheme in the interests of Australians.

Those of us on this side, who are being thoughtful and considered about this bill, have raised issues about cost and privacy and the appropriateness of use for law enforcement purposes and about oversight and about data security. It is our advocacy that has forced the improvements in this bill. Despite the impression that some people have been trying to give, the parliament is not considering a choice between introducing or not introducing data retention. Data retention has been happening for many, many years. The choice is not whether we should have data retention, but whether we should better regulate data retention in the interests of human rights and other issues I have already mentioned. In addition to recording my thanks to the committee, I want to record my thanks to Bill Shorten, the Leader of the Opposition. It is his advocacy, his interventions, that has forced the Prime Minister and the government to give further time for consideration and to agree to further improvements. Most recently it was the Leader of the Opposition who procured from a very reluctant and begrudging Prime Minister a commitment to introduce protections for journalists. We think it is very important that the Prime Minister and the government provide their amendments so that, once they are considered in the Senate, we can properly scrutinise whether that commitment is being met in a way that appropriately meets the needs of journalist.

The Leader of the Opposition has strongly recommended to the government that they consult with media organisations about those amendments and about the content of those amendments. I know that is a new idea for this government—to actually consult with stakeholders—but we would like to see appropriate consultation with media organisations when it comes to how best to protect journalists and ensure that we do not see the chilling effects that journalists and the Media, Entertainment and Arts Alliance have raised in respect of their concerns about this bill. We also have other concerns that we continue to raise. One is a concern that Labor shares with the former head of ASIO, David Irvine. David Irvine was recently in the media talking about where the data is to be physically stored. This is something that we continue to raise and advocate for. Like Mr Irvine, we are 'cyber-nationalists' in that we believe Australian's metadata ought to be stored on Australian soil—and we will continue to advocate for that.

A very significant matter on which we continue to advocate is the Faulkner reforms, which are named after Senator John Faulkner. As the shadow Attorney-General said in his contribution in this debate, it was Senator Faulkner's view that the parliament is the body to which security agencies are accountable and, therefore, the parliament should have a formal oversight role in respect of those agencies. If you read the amendments to this bill, you will see that one of the changes we have procured is to increase parliamentary oversight of national security agencies and the use of telecommunications data. If you look at the reports that are made under the TIA Act every year in respect of the interception powers that currently exist and the data storage powers which relate to the storage of data, including content, and the telecommunications data retention powers, you will see that, while there is a significant level of detail for interception and storage use, there is much less detail in respect of the way telecommunications data accessed without a warrant is used.

When you have got agencies from the RSPCA, to local councils and all the way up to ASIO accessing that data without much scrutiny, you know that something needs to change. That is what Labor believes and that is why we support greater regulation. For example, one of the great improvements we have procured in this bill is to ensure that only a very limited range of agencies can access data without a warrant. The original draft left out a couple of very important white-collar crime agencies—ASIC and the ACCC—which we have required to be re-included in the bill. The existing law allows any agency with responsibility for investigating serious offences or protecting the revenue or enforcing civil pecuniary penalty provisions to access metadata. That is why we have the RSPCA and local councils being able to access metadata. Having such a broad definition of the agencies that can authorise themselves to access your metadata, my metadata, the member for Aston's metadata and the member for Canberra's metadata is a problem with the existing law. This bill will deal with that problem by articulating the agencies that can access metadata without a warrant. Should the need arise, it will also allow for further agencies to be added in a way that can be disallowed by the parliament and can only be done temporarily unless legislation is moved to amend it for a more permanent reason.

That in and of itself is an important reform in the legislation that we are now considering, but I want to mention a few others. One of the very important reforms in this legislation is to apply the Privacy Act to telecommunications data. At the moment, there is no express provision applying the Privacy Act to telecommunications data, and there is a difference of views and opinions about whether telecommunications data is always covered by the Privacy Act. Importantly—and those who are opposing this bill might want to think about this—you are opposing a bill that will apply the Privacy Act to the telecommunications data of every person. I think that is an extremely important provision of this bill, because the Privacy Act, as members here would know, has in it the Australian Privacy Principles, one of which requires destruction of personal data. It is quite useful to think that we are going to have for the first time an express provision applying that Privacy Act, including those principles, to the telecommunications data that is already being kept by telecommunications companies.

Those who are opposing this bill ought to think about this: this bill, as amended by Labor's hard work, will include a provision to actually require encryption and secure storage of the telecommunications data. Why would you oppose a provision to require encryption and secure storage? It is irresponsible to allow the status quo to continue. It is irresponsible to allow the current, very limited regulation to continue when it comes to the amount of metadata that is being kept and the way in which it is presently being accessed.

I would also say that the bill would require more detailed reporting, there are more opportunities for the parliamentary joint committee to have oversight and, importantly, there is much more oversight because the Ombudsman will have oversight of the telecommunications data regime for the first time. As the previous speaker said, we have also procured from this government an obligation, a commitment, to provide further funding to the Ombudsman to allow the Ombudsman to discharge that obligation to have that oversight.

It has also been noted by a number of speakers that at the moment the agency authorises itself to get metadata without a warrant. The threshold for that authorisation is being lifted so, by supporting this bill, we are introducing into the telecommunications data regime a threshold of proportionality and justifiability, and that there has to be reasonable grounds. That increase in the threshold and the introduction of proportionality, in and of itself, is a vast improvement to the existing regime that has too much access without warrants with too little regulation by too many agencies. We want to see a much more appropriate and detailed regulation of those opportunities for access.

The point has been made that this bill would also put limits on the use of telecommunications data in civil proceedings, including, importantly, for a number of people, the enforcement of copyright rights. I commend the bill to the House.

1:25 pm

Photo of Steve IronsSteve Irons (Swan, Liberal Party) Share this | | Hansard source

I too rise to join with my colleagues in speaking on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, which has been the focus of much debate and confusion within the community and in the media since it was introduced in this place on 30 October 2014. I highlight that perhaps the latter confusion is the cause of the former and has largely surrounded concerns that Australians' privacy would be breached and that our law enforcement agencies—and by extension the government—will have unprecedented access to our personal information, if this bill is passed in this place. It is the 'Big Brother is watching you' concept and it is raising concerns for many people. I know there are some in my electorate who have been concerned about the privacy of their data.

With this confusion in mind, I would like to take this opportunity to clarify and highlight three key things: (1) the bill will in no way expand the type of metadata that law enforcement agencies can access; (2) it will not allow law enforcement agencies to tap a person's phone or read their personal emails without a warrant; and (3) the bill expressly precludes a person's web browsing history from being accessed. To make this clearer: law enforcement agencies will not be able to access any more information about me, the member for Swan; the member for Griffith, who has just spoken; the member for Canberra; the member for Aston—I noticed the member for Griffith also mentioned them in her speech—or any other member of the Australian public, if this bill is passed, than they can already access today.

I believe greater clarity has now been given to the government's intent in introducing this legislation following last Friday's release of the Parliamentary Joint Committee on Intelligence and Security's response to the provisions outlined in this bill. The committee made 39 recommendations with the last being for the bill to pass through this and the other place, and I thank all the committee members for their invaluable contribution.

I take this time to also highlight that this report has bipartisan support from the Labor government, and therefore thank the committee's chair, Dan Tehan, the member for Wannon, and its deputy chair, Anthony Byrne, the member for Holt. I must admit that the member for Holt has been a driving force within the Labor Party for this type of legislation, and his advocacy on all matters related to border security and security have been helpful and worth recognising. I thank them for their dedication to ensuring an effective scrutiny processes is also undertaken, and I thank the opposition leader for recognising the true intent and importance of this legislation's passage.

As I previously highlighted, there have been a number of concerns raised about the bill's impact on everyday Australians' privacy. The key thing that all members in this place should note is that the bill before the House will in no way change the scope of the metadata that can be accessed. Instead it is about ensuring this important data, which is helping our law enforcement agencies to investigate a range of crimes every minute of every day, is retained by the telecommunications service providers for a mandatory minimum period of two years.

Before I proceed, I think it is important to first explain the concept of metadata, so there is further clarity about what this word means in terms of information. Metadata is actually being collected about each and every one of us by service providers and, more importantly, it is what data can then be accessed by our law enforcement agencies.

Metadata is simply the information that identifies that a communication exists; it is not the content of that communication. One form of communication that we all use regularly in the digital world is email, so I will use that as an example—I see the member for Longman and I know he uses email and many forms of communication. When we say that the metadata of an email is retained, this means that the sender, recipient, time, date and location of where the email was sent from is retained by a telecommunications service provider, and that this information is able to be accessed by law enforcement agencies. The contents of that email or its substance will not be able to be accessed, though. This is the same for a phone call. An agency could use metadata to show that one individual called another at a particular time on a particular date, but what was said during that conversation would not be known. The importance of our law enforcement agencies being able to access this information cannot be undervalued, but the issue they are currently faced with is that telecommunications service providers across Australia are progressively reducing the amount of time they retain—

1:30 pm

Photo of Bruce ScottBruce Scott (Maranoa, Deputy-Speaker) Share this | | Hansard source

Order! The debate is interrupted in accordance with standing order 43. The debate may be resumed at a later hour, and the honourable member will have leave to continue his remarks at that time.