Senate debates

Thursday, 18 August 2011

Committees

Cyber-Safety Committee; Report

12:34 pm

Photo of Catryna BilykCatryna Bilyk (Tasmania, Australian Labor Party) Share this | | Hansard source

I present the report of the Joint Select Committee on Cyber-Safety on the Cyber­crime Legislation Amendment Bill 2011 and move:

That the Senate take note of the report.

Today I table the report of the Joint Select Committee on Cyber-Safety on the provi­sions of the Cybercrime Legislation Amend­ment Bill 2011. All members of the committee were in agreement, including the Greens, who have complimented the quality of the report. There are some additional comments by the Greens, who would obviously have liked us to go further, but I will leave those matters to Senator Ludlam.

The bill deals with the subject of cybercrime, a subject that has increasingly occupied the attention of all Australian governments and this parliament. The globalisation of communication technology has brought many benefits but it has also enabled transnational crime to flourish. Hacking, the spread of malware, denial of service attacks on private corporations and the institutions of government is the modern face of cybercrime. Large-scale online fraud can net organised crime vast profits. We are no longer dealing the nuisance hacker who gets his kicks from showing off his hacking prowess.

The bill amends the Telecommunications (Intercep­tion and Access) Act, and the Mutual Assistance in Criminal Matters Act, to enable Australia to accede to the Council of Europe Convention on Cybercrime. The convention and the bill are intended to enable law enforcement agencies to keep up with criminal networks that attack computers and computer systems or use the internet to facilitate their criminal enterprise. Before speaking about the report, I would like to outline what the bill does and correct some of the misinformation that is circulating.

What the bill does

There are four main aspects to the bill. First, it introduces a new mechanism for the preservation of communications to prevent the destruction of potential evidence until a warrant for access is obtained. This new preservation mechanism will be available to law enforcement agencies and to ASIO.

Second, the bill also allows the AFP to apply on behalf of a foreign country for a stored com­munications warrant. So, while the AFP must issue a preservation notice at the request of a foreign country, there is no access to this material without a warrant. The AFP can only apply for the warrant once the Attorney-General has agreed to a formal request for mutual assistance from the foreign country.

Thirdly, the bill allows the AFP to share telecommunications data—that is, non-content data—with a foreign country without the need for a formal mutual assistance request. This may occur only where that data has already been obtained for a domestic investigation. This is intended to speed up international cooperation.

Fourthly, the Ombudsman will have oversight of the preservation regime and stored communications warrants obtained for a foreign country. The Inspector General of Security and Intelligence will have oversight of ASIO's use of the preservation regime for intelligence purposes.

What the b ill does not do

It is important to be clear that neither the convention nor the bill seeks to implement a general data retention scheme. It does not, as has been claimed by Crikey this week, 'open the door to mass surveillance of internet usage'. No country can demand the transfer of any data—the content of communication or the 'traffic data'. It simply is not true, as Crikey has claimed, that a country like China will be able to obtain volumes of communi­cations data about dissidents in Australia.

The powers available under the bill, and indeed the powers that already exist under the Telecommunications (Interception and Access) Act, can only be activated where there are legitimate law enforcement require­ments or, in the case of ASIO, legitimate security purposes. Access to the content of communications is provided under warrant and only after a mutual assistance request has been agreed to by the Attorney-General.

The bill makes no change to the range of countries to which police can provide police-to-police assistance. The bill does not allow ASIO to share communications with foreign counterparts.

The committee received 23 submissions and heard from several witness on Monday, 1 August. We also carried out an inspection of the Australian Federal Police high-tech crime operations facilities in Barton. We were conscious of the sensitivity that goes with any expansion of covert police powers, especially powers that involve access to private communications. We are mindful of the importance of subjecting these powers to proper standards and safeguards.

It is with this in mind that we have proposed a range of realistic, modest and practical changes. If adopted, we believe these changes will go a long way toward allaying any fears of unwarranted intrusions into privacy or unjustified sharing of data with foreign countries.

The time for presentation of this report is short. I will forgo a detailed explanation of each recom­mendation. The general approach of the committee was to ensure that thresh­olds that apply to domestic investigation are equally applied to foreign countries seeking access to communications material.

We have proposed that the AFP guidelines on police-to-police cooperation in possible death penalty scenarios be tightened and should only occur in exceptional circum­stances and with the consent of the relevant ministers. This means that telecommuni­cation data cannot be shared even at an early investigative stage in such matters without the minister's consent.

We also proposed that the general privacy safeguard in proposed clause 180F be elaborated in more detail to provide greater guidance to the AFP. That guidance is already in the explanatory memorandum, but putting it in the statute will provide better visibility to the police and the public.

Finally, the committee proposed that the government consider in more detail what privacy obligations might apply to carriers and carriage service providers. Of course, the Privacy Act already applies. But better visibility and clarity can be achieved if there are clear obligations to destroy material held by a carrier.

Law enforcement agencies already have an obligation to destroy this material when it is no longer relevant to an investigation. The recommendation is that this obligation be replicated for the industry, unless there are other legitimate business purposes for keep­ing the information such as billing.

The intention of the committee is to improve public confidence in the scheme and we are sure that public confidence is equally important to the industry.

In conclusion, I wish to thank the committee members and the secretariat for their work in this inquiry. I commend the report to the Senate.

12:40 pm

Photo of Scott LudlamScott Ludlam (WA, Australian Greens) Share this | | Hansard source

I am very pleased to follow the remarks of Senator Bilyk, the chair of the Joint Select Committee on Cyber-Safety. I will be fairly brief. First of all, I would like to thank the chair, the deputy chair and the rest of the committee for putting together what I think is a very important and very focused report in a very, very short time frame. As usual when bills such as these come through from the Attorney-General's Department, they are always in an inordinate hurry and they are always on fire for the parliament to urgently to dispose of the bills. I thank the efforts of the chair, the deputy chair and the secretariat for getting a coher­ent report into this bill.

I think the chair, Senator Bilyk, has perhaps undersold the efforts of the commit­tee to the extent that the committee majority report made some very strong recommend­ations for changes to the Cybercrime Legislation Amendment Bill 2011. I hope that the Attorney-General does not simply give the report of the cyber-safety committee a once-over and present the bill unamended to the chamber next week. I strongly advise the government against pursuing that course of action and advise it to read the report and to read the unanimous recommendations that the committee put forward because they actually recommend major surgery to this bill both in terms of amendments and in terms of clarifications.

The Senate is used to dealing with instan­ces of expansions of surveillance powers and expansions of law enforcement agencies in Australia. In my experience, it seems we get amendments to the Telecom­munications (Interception and Access) Act every couple of weeks. This is something a little different because this bill does not just relate to Australian security and law enforce­ment agencies; this bill relates to how data is shared with overseas law enforcement agencies, principally of course because the convention relates to Europe. But obviously if Australia is signing on, other countries around the world are signing on as well. This will allow data to be stored not just about serious crimes but about any offence at all.

If a foreign law enforcement agency wishes to prosecute or pursue an investi­gation, it will now be able to access data stored on Australian servers or in the hands of Australian service providers and that will be able to be used for law enforcement purposes overseas.

Senators may remember the polarised debate on the net filter that occurred over the last couple of years. Everybody who partici­pated in that debate advocated better coord­ination between Australian law enforcement agencies and international agencies, for the obvious reasons—for example, if you are chasing child pornography offences on servers in Eastern Europe or in South-East Asia, or places where it is very difficult for the AFP to execute warrants and so on, you need tighter cooperation to prosecute those offences. I think everybody was unanimous on that.

The underlying intent of the bill to enable that kind of collaboration in a globally networked media is entirely sound. The problem, as often happens with bills from the Attorney-General's Department, is that there is a colossal overreach; there are all sorts of agendas being advanced behind the cover of the ostensibly sensible objectives of allowing law enforcement agencies to collaborate and to cooperate better. This does not just pertain to acts of terrorism, child pornography or child abuse material being stored on overseas servers, or indeed on Australian servers; this relates to everything—any offence and any form of data that is being stored. Keep in mind of course that there are various kinds of data now that did not even exist 10 years ago. Now, as our lives move online, we leave digital footprints everywhere we go, as do other citizens in highly industrialised count­ries. All this material is now up for grabs. For example, the Attorney-General's Depart­ment floated a bit of a thought bubble, and perhaps the public got onto it a bit sooner than they were intending, about data reten­tion. This is about forcing internet service providers to hold not only material from people suspected of major crimes but also all digital material: records of emails; phone calls; GPS records of your tele­phone—in other words, everywhere you have been; anybody you have communicated with; ever­ything you have done online and every eBay purchase. Why don't we retain all of that in case one of us turns out to be a criminal? That agenda was very strongly rebuffed and we did not hear a great deal about it, but then here it comes again, sneaking in under the cover of an otherwise sensible bill about signing onto this European convention.

Do not forget that these police powers in many European countries occur against the backdrop of very strong human rights protections that do not exist in Australia. The Australian Constitution is silent on human rights. Things like free speech, the protection of privacy and so on are implied rights. In Europe and in North America that is not so; those rights are very firmly stated. In Australia we do not have that safety net.

Having to fast-track this bill, the commit­tee was forced onto a very tight timetable and it forced witnesses, who are largely vol­unteer organisations, to pull together submis­sions at very short notice. To the committee's credit, many of those concerns have been picked up. In this instance, I have chosen to draft and submit additional comments. It is not a dissenting report, but material in addition to the work of the committee. For example, regarding recom­mendation six that deals with the death penalty, we had a very interesting discussion in the committee over a couple of days. How do we feel about the potential for Australian law enforcement agencies sharing informat­ion to aid an over­seas law enforcement agen­cy that would then lead to a prosecution and then an execution? I think there is unanimous opposition in this chamber to the death penalty here in Australia, but if you look at the international instruments that we have signed up to they are also about not enabling judicial murder to occur in other jurisdictions either. We have left the door open for that. Read recommend­ation six—we have enabled that. We have allowed the door to remain open for that information to be transferred and then for people to be executed by their states. I think that is completely unacceptable.

The Ombudsman asked that his powers to inspect and audit compliance with the preservation and data retention regime be clarified to ensure that he can check compli­ance with the act and not mere record keep­ing. That is another very important point. Try to imagine the grey areas that we stumble into when a foreign law enforcement agency comes after a warrant or data retention order for something that is not even a crime in Australia or something of which there is no easy equivalent. Some of the language in the bill regarding those ambiguities is gobbledy­gook and will be extraordinarily difficult to interpret.

'Traffic data' is not the words that you spoke on the phone or the content of your email but the metadata about who it was sent to, when it was sent, where you might have been at the time that it was sent and so on. Traffic data is quite well defined in the European convention but it is not defined in this bill. It does not use the same termin­ology as the convention and there are going to be really serious mismatches in the inter­pretation of that. A number of witnesses brought that up. It means that we can accede to the convention, but I think we are going to stumble into a swamp of interpretation when citizens or law enforcement officials wish to know what their obligations are under the law. The Privacy Foundation argued along similar lines. Keep in mind that the actual status of the traffic data or metadata that surrounds communications is not about serious and organised crime, terrorism, child prostitution or anything like that; this is about all of the records of all of the moves that we make, and their imprints in cyber­space, now being accessible to foreign law enforcement agencies.

There are very serious grey areas in this bill. My real plea is that the government read not only the minority report put up by the Greens, which talks about the overreach and goes into some of the specifics that we think should be improved in the bill, but also the majority report that was signed off by all members of the committee this morning. Do not simply serve up the bill unamended just because you imagine that you are always right and that the bill is perfect. This one needs a second thought. Some of these things are probably a bit unusual at the moment—there is not a great deal of this sort of activity occurring—but as we move into the online age, as we move our lives online and as the National Broadband Network rolls out, these things will become routine and we need to get the settings right at the outset. I thank the chamber and I thank the chair, and I look forward to a debate on an amended bill. I seek leave to continue my remarks later.

Leave granted; debate adjourned.