Submission to the Parliamentary Joint Committee on Intelligence and Security

SubmissionNo185

Inquiry into potential reforms of National Security Legislation

Name:DrVivienneThom

Organisation:InspectorGeneralofIntelligenceandSecurity

Parliamentary Joint Committee on Intelligence and Security

Inquiryintopotentialreformsofnationalsecuritylegislation

SubmissiontotheParliamentaryJointCommitteeonIntelligenceandSecurity

DrVivienneThom Inspector-Generalof IntelligenceandSecurity

23August2012

Contents

Executive summary...... 3

Background...... 4

Role oftheInspector-GeneralofIntelligenceandSecurity...... 4

Basisofthissubmission...... 5

Telecommunications (Interception andAccess) Act1979...... 6

ToR1– Strengthening the safeguardsand privacyprotectionsunderthe lawfulaccesstocommunicationsregime in the Telecommunications (Interceptionand Access)Act1979 6

ToR2– Reforming the lawfulaccesstocommunications regime...... 8

ToR3– Streamliningand reducing complexity in the lawfulaccesstocommunicationsregime...9

ToR4– Modernising theTIA Act’scostsharingframework...... 9

ToR8– Streamliningand reducing complexity in the lawfulaccesstocommunications...... 9

ToR9– Modernising theIndustryassistanceframework...... 10

ToR14– Reforming theLawful Access Regime...... 10

ToR15– Modernising the Industryassistanceframework...... 12

Australian SecurityIntelligence OrganisationAct1979...... 14

ToR5– Amending the ASIO Acttomodernise and streamline ASIO’swarrantprovisions.....14

ToR6– ModernisingASIO Actemploymentprovisions:...... 16

ToR10– Amending theASIOActtocreate anauthorisedintelligence operations scheme.....17

ToR11– Amending theASIOActtomoderniseand streamline ASIO’swarrantprovisionsto:..19

ToR12– Clarifying ASIO’sabilityto cooperate with theprivatesector...... 21

ToR13– EnablingASIOtoreferbreachesofsection 92 oftheASIOActtoauthorities...... 21

ToR17– Amending theASIOActtomoderniseand streamline ASIO’swarrantprovisions:....21

Intelligence ServicesAct2001...... 23

ToR7– Clarifying the DIGO’sauthoritytoprovide assistancetoapproved bodies...... 23

ToR18– Amending theIntelligence ServicesAct2001...... 23

TelecommunicationsAct1997...... 26

ToR16– Amending theTelecommunicationsActtoaddresssecurityandresilience risks.....26

Executive summary

Thetermsofreference forthis inquiry setouta rangeofhigh-levelproposalstoensurethatAustralianlawenforcement,intelligenceand securityagenciesareequippedtoeffectivelyperformtheirfunctionsandcooperateeffectivelygiventheadvancesintechnology,thechangestothewaysthattechnologyisused,andthe needfor increased cooperationbetweenagencies.

Thissubmissionacknowledgesthesechallenges andsupportstheneedforthelegislation tobereformedtoensurethatitmeetscurrentandfuturerequirements. Thesubmissionfocuses ontherequirementtoaddresstheneedsof nationalsecuritywhileensuring thatanyresponseis proportionaltothethreat,safeguardstheprivacyofindividuals,andincludeseffectiveaccountabilityandoversightregimes.

Thesubmissionhighlightsthefollowingissuesthatarisefromtheproposals:

1.Proposalstosimplify, streamlineorreduceadministrativeburdens mustbeexaminedcloselyto ensurethatanyproposalstostandardisetestsandthresholds fortheuseofpowerstakeintoaccountthenatureof eachofthesepowersandthelevelofintrusiveness.Whilehavingasingletestmightbeadministrativelyconvenientitcouldallowtheuse ofmoreintrusivepowerswherelessintrusiveonesareappropriate.

2.Proposalstoincreasethescopeofexistingpowersortheir durationneedtoensurethatsafeguardsexistsuchthattheextendedscopeorlongertimeframesdonotbecomethenorm, and that thewarrantsarenotundulybroadandareexecutedreasonablyandin accordance withthespecificsofthelegislationaswellastheoverarchingprivacyand proportionalityobjectives.

3.Proposalsthateffectivelytransferthelevelofdecision-makingfromministeriallevelto withinanagencyneedtoconsider appropriatereviewswithintheagency,provideforindependentscrutinyand considerexternalreportingrequirements.

4.Proposalstoincreasetheretentionorsharingofdata andpersonalinformationneedtotakeaccountofthesecurity,record-keepinganddestructionrequirementsthatarenecessaryto safeguardprivacyand ensurethatthereis adequateoversightinplace.

5.TheproposalforASIOtoconductauthorisedoperationsneedstoensure anappropriatebalancebetweentherequirementtoprotectsensitivenational securityinformation withthebenefitsofindependentauthorisationanddetailedoversight and publicreporting.

TheOfficeoftheInspector-Generalof IntelligenceandSecuritywillcontinuetoreviewactivities of intelligence andsecurityagencies toensurethatthateachagencyactslegallyandwithpropriety,complies withministerialguidelinesanddirectives,andrespectshumanrights.Theproposed reformsarenotinsignificantand continuingproperoversight willbeessentialifParliamentandthepublicaretobeassuredthatagenciesusethesepowersappropriately.Althoughcurrentfundingfortheofficeisadequate,theproposedreforms wouldrequireadditionalfundingfortheofficeto continuetoperformitsrole effectively.

Background

RoleoftheInspector-GeneralofIntelligenceandSecurity

TheInspector-GeneralofIntelligenceandSecurity(IGIS)isanindependentstatutoryofficer who reviewstheactivities oftheagencieswhichcollectivelycomprisetheAustralian IntelligenceCommunity(AIC):

• Australian SecurityIntelligenceOrganisation–ASIO
• Australian SecretIntelligenceService–ASIS
• DefenceSignalsDirectorate–DSD
• DefenceImageryandGeospatialOrganisation–DIGO
• DefenceIntelligenceOrganisation–DIO
• OfficeofNationalAssessments–ONA.

TheOfficeof theIGIS is situated withinthePrimeMinister’sportfolioandreports totheSpecial MinisterforStateforthePublicServiceandIntegrityforadministrativepurposes;however,theIGIS isnotsubjecttogeneraldirectionfromthePrimeMinister,orotherMinisters,onhow responsibilities undertheIGISActshouldbe carriedout.

TheprimaryroleandfunctionsoftheIGISaresetoutinsections8,9and9AoftheInspector- GeneralofIntelligenceandSecurityAct 1986(theIGISAct).ThisActprovidesthelegalbasisfortheIGISto conductinspectionsoftheAICagenciesand to conductinquiries, ofvaryinglevelsof formality,astheneedarises.

TheoverarchingpurposeoftheseactivitiesistoensurethateachAICagencyactslegallyandwith propriety,complieswithministerialguidelinesanddirectives, andrespectshumanrights.Asignificantproportionoftheresourcesoftheofficearedirectedtowardson-goinginspectionand monitoringactivities,soastoidentifyissues,includingaboutthegovernanceandcontrol frameworkswithinagencies,beforethereisaneedfor majorremedialaction.

Theinspectionrole oftheIGISis complementedbyaninquiryfunction.TheIGIS hasownmotion powerstoinvestigate mattersandconduct inquiriesinadditiontoconsidering requestsfromMinistersandcomplainants. Inundertaking inquiries theIGIShasstronginvestigativepowersincludingthepowertoobtaininformationandcanrequireanypersontoanswer questionsand producerelevantdocuments,takeswornevidence,andenteragencypremises.IGISinquiriesareconductedinprivatebecausethey almostinvariablyinvolvehighlyclassifiedorsensitiveinformation, andthemethodsbywhichitiscollected.

AlthoughtheprimaryfocusoftheIGISrelates totheactivitiesoftheAIC agencies,anamendmentto thelegislationmadeinlate2010allowsthePrimeMinistertorequesttheIGIStoinquireintoan intelligenceorsecuritymatterrelatingtoanyCommonwealthagency.Thisprovisionhasbeenused twice.

Basisofthissubmission

Ingeneral,itisnottheroleoftheIGIStocommentoncurrentorproposedgovernmentpolicy. However,thereare somemattersonwhich Ihaveparticularexperiencebecause ofmyoversight of theactivitiesoftheAIC.Thisexperiencemayassistabodysuchas theParliamentaryJointCommittee onIntelligenceandSecurity(the Committee) inconsideringlegislativeproposals. Itfollowsthen thatmycommentsarefocusedonarewhethertheproposals:

• haveproperaccountabilityandoversightmechanisms
• poseriskstolegalityorpropriety
• areconsistentwithhuman rights
• addressissuesthatIamawareofthroughmyexaminationofagencyoperations.

Ihaveaparticularinterestin whetherproposedpoliciesplacesufficientweightonmaintainingtheprivacyofindividuals,and whetherproposalsreflect the concept ofproportionality–thatis,thatthemeansfor obtaininginformationmustbeproportionatetothegravityofthethreat posedand thelikelihoodofitsoccurrence.Astheexerciseofagencypowerswillinthevastmajorityof casesnotbeapparenttothesubject,andastheyarebytheirnatureoftenhighlyintrusive,thesepowersshould onlybe considered forusewhen other,lessintrusive, meansofobtaininginformationarelikelytobeineffectiveorarenotreasonablyavailable.

Ihavecompleteaccessto alldocumentsoftheAICagenciesandam oftenproactivelybriefedabout sensitiveoperations.ItismyexpectationthatAICagencieswillbeforthrightinbriefingmeonanylegalandproprietyissuesthatariseinoperationalplanningoractivity.Thisfamiliaritywithagencyoperationsand capabilitiesalsoallowsmetogivemyviewsaboutsomeofthe challengesoutlinedin thediscussionpaper.1

Mycommentsarenecessarilylimitedtotheagenciesandtype ofactivitiesthatIoversight.Icannotcommenton theseproposedlegislativeamendmentsinsofarastheyrelatetotheactivitiesoflawenforcementagencies,ortheimpactuponthetelecommunicationssector.

Inaddressingthetermsofreferenceandcommentingontheproposals,thissubmissionalso sets outsomeofthecurrentoversightarrangementsthatareinplace.

Whilethissubmissionmentionssomeinternational comparisonstheseareindicativeonlyasIhavenotconducted acomprehensivecomparison.

Thissubmission is structuredtoaddressthe termsofreferencebyaddressingeachpieceof legislationinturn.Numbersintheheadingsalignwiththenumberinginthetermsof reference(ToR).Relevantpartsofthediscussionpaperarecrossreferenced.

1EquippingAustraliaagainstemergingandevolvingthreats,

Telecommunications(InterceptionandAccess)Act1979

ToR1–StrengtheningthesafeguardsandprivacyprotectionsunderthelawfulaccesstocommunicationsregimeintheTelecommunications(InterceptionandAccess)Act1979. Thiswouldincludetheexamination of:

a.thelegislation’sprivacyprotectionobjective

b.theproportionalitytestsforissuing ofwarrants

c.mandatory record‐keeping standards

d.oversight arrangementsbytheCommonwealthandStateOmbudsmen

Thediscussionpapersuggeststhatitmaybetimelytorevisit whetherthe privacyframeworkwithin theTelecommunications(InterceptionandAccess)Act1979(TIAAct) remainsappropriate.Itproposes ‘reviewing the currentchecks, balancesandlimitations ontheoperationofinterception powerswillensurethattheprivacyneedsofcontemporarycommunicationsusersareappropriatelyreflectedinthe interceptionregime’.2Thepaper doesnotsetout specific proposalsastohowthisis tobeachieved.

Thediscussionpapernotesthatcommunityviewsaboutaccesstocommunicationsmayhavechangedalong withtheiruseandexpectationsoftechnology.3Itiscertainlytruethatmanyinthecommunityshare personaldata including theircurrentlocation,emailcontent,photographs,dataof personalcontacts,personalinterests andbuyingpatterns. Itisnotclearto whatextentthissharing isconscious.Inmyview,itwouldnotbeappropriatetoextrapolatefromthisbehaviourto concludethat thereis anydiminishedinterestinthe communityaboutprivacyissuesandthedesirabilityof havinglimitsongovernmentcollectionofinformation.Itiscleartomefromcomplaints tomyoffice that thereisstill widespreadconcerninthecommunityaboutcovert,albeit lawful,accesstopersonalinformationbyintelligence andsecurityagencies andtherecordingandcommunicationof thatinformation.

Inlightofthis,anychangestothe currentsystemof checks,balancesandlimitations wouldrequirecompellingarguments andshouldbegivenveryseriousconsideration.

Thepaper alsostatesthat consideration is being given to ‘introducing a privacy focused objects clause that clearlyunderpinsthisimportantobjective ofthelegislationand which guides interpretation of obligations under the Act’.4

Although theprimaryobjective oftheTIAActistoprohibit interceptionoftelecommunicationoraccesstostored communicationexcept in certainprescribed andregulated circumstances,therangeofexceptionshasgrownand, iftheproposalsinthediscussionpaperareacceptedbyParliament,the waysin whichinterception can occur will continue toexpand.Aprivacy-focused objects clause mayaddressthisapparentimbalanceand ensurethat the legislationis interpreted with theemphasis onprotecting communicationsandprivacyratherthanfacilitatingexemptions.

The termsofreference also contemplateexamining theproportionalitytestsfor theissueof warrants.Asdiscussed underToR 2(b) below,anyproposaltorationalise thetypesof warrantsor

2Discussionpaper,page23

3Discussionpaper,page23

4Discussionpaper,page23

align thresholds willneed to beexamined carefullytoensurethat it doesnotcompromise proportionality tests or privacyobjectives.

Thediscussionpaperaddressesrecord keeping andaccountability obligationsforlawenforcementagencies.5Theseagenciesare required to keeprecords relating todocumentsassociated with the warrantsissuedand particularsrelatingto warrantapplications andeachtimelawfullyintercepted informationisused,disclosed, communicated, enteredintoevidenceor destroyed.

Chiefofficers oflaw enforcementagenciesarerequiredto reportto the Attorney-Generalon theuse and communicationof interceptedinformation andthe Attorney-Generalmusttablea statistical report in Parliament. The CommonwealthOmbudsmanoversightstheuseofTIA powersby Commonwealthlaw enforcementagenciesand reporting requirementsaresetout intheTIAAct.

TheoversightregimeforASIOisnotspecified in theTIAActbut, inpractice,my officeoversights ASIO’s use of TIA powers under the inspection function in the IGISAct. Toassist the Committee in understanding the way thisoversightoccursIhavesummarisedthe currentinspection regimebelow:

Warrantrelatedpapersareexaminedsothat wemaybeproperlysatisfied that:

• theintelligenceorsecuritycase thatASIOhasmadeinsupportoftheapplication issoundlybasedandthatallnecessarylegislativerequirementshavebeenmet
• theindividualsidentifiedineach warrantareactuallyidentical with,orcloselylinkedto,persons ofsecurityinterest(thisisparticularlyrelevantwherea‘B- Party’telecommunications interceptionwarrantis beingsought6)
• appropriate internalandexternalapprovalsfortherequesthave beenobtained
• theDirector-GeneralofSecurityhas identifiedinwritingthoseindividualswho mayexecutethewarrant,orcommunicate informationobtainedfromthewarrant
• writtenreportstotheAttorney-Generalontheoutcomeofexecutedwarrantsarefactualandprovidedin atimelymanner
• theactivityconcerneddidnotbegin before,orcontinueafter,the period authorisedbythewarrant
• in thesmallnumberofcases whereunauthorisedcollectionhasoccurred,thatprompt andappropriateremedialactionhasbeenundertaken.

Inaddition toourregular warrantsinspections OIGIS staffundertakespotaudits ofASIO’s interceptionmanagementsystems.ThepurposeofthesechecksistogainindependentassurancethatASIO’s collection activities areonly occurringinaccordancewiththeterms of arelevant warrantand relatedinvestigative authorities.

Ifanyissues withwarrantsareidentified,they areraisedwiththeDirector-General of Securitytoensurethatappropriateactionistaken.WhereappropriateIcanalsoadvisetheAttorney-Generalofanyconcerns.Ialsoincludeasummaryof inspectionactivityinmy

5Discussionpaper,pages25-26

6Aso-called‘B-party’warrantallowsASIOtoaccesstheservicesofassociatesofpersonsofsecurityinterestsee

s.9(1)(b)oftheTIAAct

annualreport.Generallythestandardofwarrantmaterialsisveryhighandtheerrorrateis low.7

Comprehensiverecord-keepinginASIOisessentialtoensureASIOcomplies withthelegislationand toenable effectiveoversight.Anyproposaltochangetherecord-keeping regime mustconsidertheaccountabilityrequirements.

ToR2–Reformingthelawfulaccesstocommunicationsregime.

a.reducingthenumberofagencieseligibletoaccesscommunicationsinformation

Ihaveno commentonthisproposal.

b.thestandardisation ofwarranttestsandthresholds

Thediscussionpaperreferstofourwarrantsforlawenforcementagenciestoaccessthecontentof communicationsandthetypesofoffencesfor which a warrant canbe obtained.Thepaperdoesnot givemuchdetailin relationtoASIOwarrants,stating that‘ASIO’sabilitytointercept communicationssupportsitsfunctionsrelatingtosecurity’8.ASIOcan currentlyobtaintwotypes of telecommunicationinterception warrantsfromtheAttorney-Generaltofurtheritssecurityfunctions:atelecommunicationsservice warrantandanamedpersonwarrant.9Thesecanincludeauthoritytointercept‘B-party’services.10ASIOcanalsoobtain threetypes of warrantsthatrelateto foreignintelligence includingaservicewarrantanda namedpersonwarrant.11ASIOwarrants automaticallyauthoriseaccesstostoredcommunications.12SeniorASIOofficers canauthorise accesstoexistingorprospectivedata.13

Thetestsandthresholdsforeach ofthecurrentASIOwarrantsvary,correspondingtotheintrusivenessofthe warrant.Forexampleanamed personwarrantisonlyavailable whereaservicewarrantwouldbe‘ineffective’14and a‘B-party’warrantisonlyavailable where ASIOhasexhaustedallotherpracticablemethodsorinterceptionwould nototherwisebepossible.15

Inmy2010-11annualreportI notedthat,in respectof‘B-Party’ warrants:

Inthecourseof ourwarrantinspectionsduring2010–11,OIGISstaffaccessedandreviewedevery‘B- Party’warrantwhichASIOobtained.OnthebasisoftheseactivitiesIamsatisfiedthatthistypeof warrantcontinuestobeusedsparingly,andonlywherethespecialcircumstancesofeachcase dictatedthat itwasappropriateandnecessary.16

Broadlyspeaking,requests forwarrants(otherthanB-Partywarrants)to interceptcommunications inpursuit ofASIO’ssecurity functionneedtoexplainwhytheinterceptionisnecessaryandwhyitis

7Inspector-GeneralofIntelligenceandSecurityAnnualReport2010-2011,pages27-29

8Discussionpaper,page24

9Seess.9and9Aofthe TIAAct

10Aso-called‘B-party’warrantallowsASIOtoaccessthe servicesofassociatesofpersonsofsecurityinterest

11Sees.17(1)(e)oftheASIOActandss.11A,11Band11CoftheTIAAct.

12Sees.109oftheASIOAct

13This‘data’doesnotincludethecontentofacommunication.Seess.175and176oftheTIAAct

14Seess.9A(1)(c)and11B(1)(b)(iii)oftheTIAAct

15Sees.9(3)oftheTIAAct

16Inspector-GeneralofIntelligenceandSecurityAnnualReport2010-2011,page28

reasonablysuspectedthat theindividualbeingtargetedisengaged,orlikelytobeengaged,in activitiesprejudicialtosecurity.17Foraccesstodatathethresholdis onlythatitbeinconnection withASIO’sfunction.18

Bywayof comparison,thethresholdthatneedstobemetintheUKisthataproposedactivity underawarrantneedstobenecessaryintheinterestsofnationalsecurityandtheconductproportionatetowhatissoughttobeachieved19.InCanadathejudgeissuingthewarrantmustbesatisfiedthewarrantis requiredtoenableinvestigationofathreattosecurityandthatotherinvestigativeprocedureshave beentriedand failedorareunlikelytosucceed.20IntheUS interceptionisonlyconductedundercourtordersand,amongstotherthings, fortheFederalBureau of Investigationstoobtaina warranttointerceptcommunicationsthejudgemustbesatisfiedthata particular seriousoffenceis,orisabouttobe,committed,the courtalsoplaysaroleintheongoing supervisionofthewarrant.21

Anyproposalstostandardisesecuritywarranttestsandthresholdsmusttakeintoaccountthenatureofeachof thesewarrantsandthelevelofintrusiveness.Asingletest couldallowtheuseof more intrusivepowerswherelessintrusiveonesareappropriate.

ToR3–Streamliningandreducingcomplexityinthelawfulaccessto communicationsregime.

a.simplifyingtheinformationsharingprovisionsthatallowagenciestocooperate

b.removinglegislativeduplication

Thediscussionpapersuggeststhatsimplifyingthecurrentinformation-sharingprovisionswould supportco-operativearrangementsbetweentheagenciesandthatfurtherconsiderationcouldbegiventothewaysin whichinformationsharingamongstagenciescouldbefacilitated.22Thereisno specificdiscussionofhowthisproposal wouldaffect ASIO.IamnotawareofspecificlegislativeimpedimentstoASIOsharinginformationwith otheragenciesthatIoversightbutIwouldnotethatanyproposaltoincreasethesharingofinformation betweenagenciesshouldaddressthesecurity,record-keepinganddestructionrequirementsthatarenecessarytosafeguardprivacy.

ToR4 – ModernisingtheTIAAct’scostsharingframework

a.alignindustryinterceptionassistance withindustryregulatorypolicy

b.clarify ACMA’sregulatory andenforcementrole

Ihavenocomments ontheseproposals.

ToR8–Streamliningandreducingcomplexityinthelawfulaccessto communications

a.creatingasinglewarrantwithmultipleTIpowers

Havingmultiplesetsofwarrantapplicationsforasingleinvestigationis administrativelyinconvenientforASIOanddoesnotnecessarilyprovidetheAttorney-General withaclearviewof

17Seess.9(2)(b)and9A(2)(c)oftheTIAAct

18This‘data’doesnotincludethecontentofacommunication.Seess.175(3)and176(4)oftheTIAAct

19Seess.5(2)and(3)oftheRegulationofInvestigatoryPowersAct2000(UK)

20Sees.21oftheCanadianSecurityIntelligenceServicesAct(R.S.C,1985,c.C-23)

21SeeforexampleElectronicCommunicationsPrivacyAct(18USCch119)

22Discussionpaper,page25

thetotalityofproposedactivities. AnyproposaltostreamlinethisandgivetheAttorney-Generala betterpictureofthesituationisworthy of considerationbutissuesofproportionalityandlevelsof authorisationwillneedcarefulconsideration.

Myunderstandingisthat currentlyASIOcouldlegallycombinemultiplewarrantapplicationsintoa single ‘bundle’fortheAttorney-Generalto consider.However,asdiscussedunderToR2above,therearecurrentlydifferentthresholdsandtestsdependingontheintrusivenessof whatis proposed.The warrant applicationbundle wouldneedtosetouthoweachtest wassatisfiedsothattheAttorney-Generalcouldmakeadecisionabouttheuseofeach warranttype.

Oneinterpretationoftheproposalin thediscussionpapercouldbethattheAttorney-Generalisto beasked onlytoagreebroadlyto ‘interception’ against aparticularindividual,grouporpremisesforaspecifiedperiodandtothenallow theDirector-GeneralofSecurityoradelegatedASIOofficerto decidewhatformthatinterceptionshouldtakeduringthe warrantperiod(includingwhetherB- Partyinterceptionis appropriate).Inotethata‘namedpersonwarrant’currentlyallowsthe Director-GeneralofSecuritytoaddor removeservicesfrominterceptioncoverageduringthelifeof thewarranttoenableinterceptionofcommunicationsmadebyortothespecifiedindividual.23 Anyproposalto effectivelyfurthertransferthelevelof decisionmakingfromMinisteriallevelto within

anagencyneedstoensurethatappropriatereviewstakeplacewithintheagency,makeallowanceforindependentscrutinyandconsiderexternalreportingrequirements.

Ifsuchaproposal wasimplementedmyofficewouldmonitor whethertheuseofthemoreintrusivepowersincreasedwithtime.

ItisalsonotclearhowToR8 combineswithToR14 (characteristic-based interception)andwhethercharacteristicswouldalsobeabletobevariedwithoutreferencetotheAttorney-General.

ToR9–ModernisingtheIndustryassistanceframework

a.Implementdetailedrequirementsforindustryinterceptionobligations

b.extendtheregulatoryregimetoancillaryserviceprovidersnotcurrentlycoveredbythelegislation

c.implementathree‐tiered industryparticipationmodel

Ihavenocomments ontheseproposals.

ToR14–ReformingtheLawfulAccessRegime

a.expandingthebasisofinterceptionactivities

Iunderstandthis reformtobeproposing whatisdescribedinthediscussionpaperasawarrantregimethatis ‘focusedonbettertargetingthecharacteristicsof acommunicationthatenableitto beisolatedfrom communications thatarenotof interest’.24

Myunderstandingis thattheproposalwouldnotactually enableagenciestocollectcommunicationsthattheycannotcurrentlylegallycollectunderawarrantoracombinationof service,deviceandnamedpersonwarrants.Howevertheproposedschemewouldenablethe

23Seess.9Aand11BoftheTIAAct

24Discussionpaper,page25

warranttobespecificabout particularcharacteristicsof communicationstobeprovidedand therebypotentially obligethecarrierstosortthosefromothertelecommunicationstrafficthat couldbe coveredbytheexisting warrants.I amalsoadvisedthatASIOconsiderstheproposalwould beadministrativelymoreefficientthanhavingtopotentially obtainacombinationofotherwarrants;Ihavenoreasontodoubtthis.

A keyissuetobeconsideredinthisproposaliswhetherthewarrants wouldbelimited to interceptionbased onthe ‘characteristics’describedinthe initialwarrant(similar to aservicewarrant) or whetherASIO woulditselfbeabletovary the warranttoaddorremove‘characteristics’ (similartoanamedpersonwarrant).Iftheproposalisforthelatterthenthereneedstobe certaintyasto theparameterswithinwhich‘characteristics’canbeadded.

Inthe UK,forexample,the relevant agencycanvarythe ‘characteristics’upon which interception fornationalsecuritypurposesisundertakenbuteachwarrantislimitedtointerceptionagainstone personorpremises.25MyunderstandingisthatintheUSandCanadathecourtorderauthorisingtheinterceptionistospecify theperson orpremises andcanbemadeby referencetoa‘typeof communications’butthese‘types’cannotbelaterunilaterally bevaried bytheagency.26

Iftheproposed warrant isnotlimitedtoa specified personorpremisesand allowsASIOtoaddand remove ‘characteristics’during thelifeof thewarrantitwouldsubstantially changethebalance betweenwhatiscurrentlydecidedbytheAttorney-Generaland whatiswithintheauthorityoftheDirector-GeneralofSecurity.Suchachangeshouldtakeintoaccounttheneedforeffectiveinternal andexternalreviewandconsiderreporting requirements.Iftheproposedchange waslimitedto interceptionagainstaspecifiedperson itwouldbemoreakintothe currentnamedperson warrants.27

A furtherissueisthetechnologicalcapacitytoactuallyundertake thistypeof‘characteristic’-based interception–includingwhetherthecarriersshouldberesponsible for collecting,processingand deliveringthecommunicationsofinterestor whethertheagenciesshouldbepermittedtocollectandretainlargeamountsofinformationinordertofindthe communicationsofinterest.Itis outsidemyarea offocustocommentonthe technology,cost orburdensharingaspects oftheproposal. HoweverIwouldexpecttoseeanyregimeincludeappropriatemeasuresto ensure thatthecontentof communicationswhich werenotthespecifictargetofthe warrant werenotretainedlongerthan necessaryfor‘sorting’and toensure thatsuchinformationiskeptsecure.

OneoftheimportantaccountabilityandoversightrequirementsofthecurrentregimeistherequirementthatASIOprovideareport tothe Attorney-General aftertheexpirationorrevocation ofeach warrant.Thereportmustincludedetailsofthetelecommunicationsservicetoorfromeach intercepted communicationwasmadeaswellastheextenttowhichthewarranthasassistedASIO

25Seess.8(1)and10(6)oftheRegulationofInvestigatoryPowersAct2000(UK)

26Seeforexamples.21oftheCanadianSecurityIntelligenceServicesAct(R.S.C,1985,c.C-23)andElectronicCommunicationsPrivacyAct(18USCch119).Howevernotethatthissubmissionisnotbasedonadetailedstudyoftherelevantoverseaslegislation

27NamedpersonwarrantscancurrentlyallowtheAttorney-Generaltoauthoriseinterceptionofcommunicationsmadetoorfromanyserviceusedbythespecifiedperson(seeforexamples.9A(1)(b)(i)oftheTIAAct).DuringthelifeofsuchawarranttheDirector-Generalcanaddorremoveanysuchservicesfrominterceptioncoverage.HowevertheDirector-GeneralcannotcurrentlyaddaserviceusedbyathirdpersonwithoutaspecificB-PartywarrantnorcantheDirector-Generaladdorremoveservicestobeinterceptedbasedonlyonproximitytoalocation.

incarryingoutitsfunctions.28Thismeasurewouldbeparticularlyimportantinmaintainingoversightandaccountabilityofanydiscretiontoaddnewcharacteristicsforinterception.

ToR15–ModernisingtheIndustryassistanceframework

a.establishanoffenceforfailuretoassistinthedecryption of communications

b.instituteindustryresponsetimelines

Ihavenocomments ontheseproposals.

c.tailoreddataretentionperiodsforupto2yearsforpartsof adataset, withspecific timeframestakingintoaccountagencypriorities,andprivacyandcostimpacts

This officehasaninterestintheamountofinformationretainedbyASIOandthesecurity ofthatinformation.However,Idonothavea roleinrelationtowhatinformationisretainedbycarriers. Inrelationto theretentionofdatabyASIOthe 2009-10 IGIS annualreport noted:

OurinterestinASIO'sretentionanddestructionofdataarisesfromtheAttorney–General's GuidelineswhichwereissuedtoASIObythethenAttorney–General,theHon.PhilipRuddockMP,in October2007(the2007Guidelines).Theseguidelinesreplacedearlierguidanceissuedbythethen Attorney–General,the Hon. MichaelDuffy MP, inDecember 1992 (the1992Guidelines).

Aroundthetimethatthe2007Guidelineswereissued,[thethenIGIS]commentedthatwhilehewas supportiveofmanyofthechanges,theofficewouldtakeacloseinterestinASIO'sinformation management governance framework,with a particular focus onwhat data ASIO retains or destroys in future inspections.

Thisisadifficultissuebecausetherealsignificanceofsome(butnotall)datamayonlybecome apparentwhenitiscorrelatedwithotherdatawhichbecomesavailablesubsequently.Atthesame time,ASIOisrequiredtocomplywithMinisterialGuidelineswhichprecludeASIOfromretaininghigh volumesofdata,includingsignificantdataholdingswhichprovetohavenorelevanceto organisational objectives.

The1992Guidelinescontainedanexpressprohibitiononso–called'speculativedatamatching'which doesnotappearinthe2007Guidelines.Instead,the 2007Guidelinesare morepermissiveastowhat dataASIOmaycollect,includingas'reference'data,althoughthisissubjecttothegenerallimitation thatmaterialbe 'relevant tosecurity'.

DatasetsareonlyoneelementoftheinformationwhichASIOcollects.Inrelationtoothermaterial thereisalsothequestionofwhatshouldbedonewithindividualrecordsovertime,particularlydata whichprovesnot tobe,ortonolonger be,relevanttosecurity.

Clause11.2ofthe2007Guidelinesstatethat:Whereaninquiryorinvestigationconcludesthata subject'sactivitiesarenot,orarenolonger,relevanttosecurity,therecordsofthatinquiryor investigationshallbedestroyedunderdisposalschedulesagreedtobetweenASIOandtheNational Archives of Australia.

ThereisarequirementonbroadlysimilarlinesintheTelecommunications(InterceptionandAccess) Act1979forinterceptedmaterial(section14),andintheAustralianSecurityIntelligence OrganisationAct1979inrelationtocertainrecordsobtained under warrant (sections 31 and34ZL).

28Sees.17(1)oftheTIAAct

ThechallengecontinuestobetoensurethatASIOperformsitsfunctionstofulleffectandwithinthe legislativeframework.29

IcontinuetomonitorASIO’sdataretention anddestructionpoliciesandpractices. OIGISstaffalso undertakespotaudits ofASIO’s interception managementsystems.The purposeofthese checks is togain independentassurancethatASIO’sdata collection andretention activitiesare onlyoccurringinaccordancewiththetermsofasupporting specialpowerswarrantandrelated investigativeauthorities.

Itisnotclearfromthediscussionpaperwhatsafeguardswillbeputinplaceifcarriershavean increasedobligationtoretaindata.Inourinspectionworkwenotethatmosterrorsrelatingto telecommunicationinterceptoccurasaresultofserviceprovidererror:

During2010–11thisofficeeitheridentified,orhadbroughttoourattentionbyrelevantASIOstaff, nineinstancesinwhichanerrorhadoccurredinthecourseoftelecommunicationsinterception activities…OfthesenineerrorstwoweredirectlyattributabletoASIOandsevenoccurredasthe resultof actionswhichrelevant telecommunicationsservice providerseither took orfailedtotake.

Whileanymistakeorerrorisregrettable,itisimportanttoclearlyrecognisethatmostoftheerrors we identified werenotdirectlywithinASIO’scontrol.

Insomeofthecaseswhereaproblemwasidentified,acombinationoftechnical,productdelivery andadministrative errorsinpreparationfor, or subsequentto, the executionof thesewarrants ledto collectionoccurringagainstpersonswhowerenottheintendedtargetofthesewarrants,orthe potentialexistedfor such collectiontooccur.

In oneinstanceinterceptedmaterial whichwasintendedtobedeliveredtoASIOwas misdelivered to alawenforcementagencywhichhadsimultaneouslyobtainedtelecommunicationswarrantsonthe sameperson of interest.

InseveralotherinstancesappropriatepreliminarycheckshadbeenundertakenbyASIOtoproperly identifythetelecommunicationsservicesbeingusedbypersonsofinterestonlyforthatinformation tosubsequentlybe foundtobe inaccurate.

InatleastonecasethetelecommunicationsservicewhichASIOwishedtointerceptwas disconnectedintheperiodbetweenwhensubscriber checkswereundertakenandwhenthewarrant wasissued.AlthoughASIOshouldhavereceivedadvicefromthetelecommunicationsservice providerthatthetargetedservicehadbeendisconnected,thisadvicewasnotprovided.Aftera quarantineperiodduringwhichtheserviceinquestionwasnotallocated,itwasthenreallocatedto anindividual with noconnectiontoanymattersof securityinterest.30

Inotethat thenumberoferrorsislowcomparedtothenumberofserviceinterceptedandthatdespitebestefforts administrativeandtechnical errorswillalmostinevitablyoccur.Buttheseobservationsdohighlighttheneedforsafeguardstobeput inplace iftheobligationsplacedon carriersareincreased.

29InspectorGeneralofIntelligenceandSecurityAnnualReport2009-2010,pages18-19

30Inspector-GeneralofIntelligenceandSecurityAnnualReport2010-11,page28

AustralianSecurityIntelligenceOrganisationAct1979

ToR5 –Amendingthe ASIOAct tomodernise andstreamlineASIO’swarrantprovisions

a.toupdate thedefinitionof‘computer’insection25A

Thediscussionpapersetsoutthedifficultiesofthecurrentprovisionand suggestsamendingthelegislationsothata computeraccess warrantmay beissued inrelation to‘a computer,computers on aparticularpremises,computersconnectedtoaparticular personoracomputernetwork’.31

Computingtechnologyandusagepatternshavechanged andcontinuetochange,howevertheproposedresponsemayintroducefurtherissues.Forexample,theterm‘computersconnectedtoa computernetwork’ispotentially verybroad inscope.Itisdifficultto contemplatewhenitwould bereasonabletoaccessallcomputersconnectedtoanetworkintheabsenceoffurtherlimitations. Similarly‘computers onaparticularpremises’ couldinadvertentlyincludecomputersthat canhavenoconnectionwhatsoever withtheindividualofinterest.

Myunderstandingis thatthe ‘mischief’thatthe proposedchangeisseeking toovercomeis much narrowerthanthepotentialbreadthoftheproposalinthediscussionpaper.Iamadvised thatthe‘mischief’arises whereawarrantisexecutedonaspecificpremisesandthesubsequentsearch reveals notonlythe computersystem thatwasexpected tobefound but alsoadditional computers thatarenotinsome wayconnected to thecomputersystemspecifiedinthe warrant.32 Thecircumstancesmaybesuch that ASIObelievesitislikelythattheindividualofsecurityinterestmayhavesavedrelevantinformationontheseparatecomputerorcomputer systemsaswellasthoseoriginallycoveredbythewarrant.InthisscenarioitwouldbeadministrativelymoreconvenientforASIOtobeabletoobtainaccesstoallsuch computers withouthavingtoobtainfurtherwarrants (whichmaybeimpracticalinthetimeavailable).

Thedraftingofanyspecificlegislative proposalshouldbeable toaddressthistype ofissue withouta disproportionateincreasetothescopeoftheexistingwarrantpowers.

a. EnablingwarrantstobevariedbytheAG,simplifyingtherenewalofthewarrantsprocessandextendingdurationofsearch warrantsfrom90daysto6months.

Variationof warrants

Thediscussionpapernotesthatthereiscurrentlynoprovisiontovaryawarrantandthatanewwarrantisrequiredwhen thereisa ‘significantchangeincircumstances’.33(Thepaperdoesnot canvasswhethers.33(3)oftheActsInterpretationAct1901applies,aprovision whichwould generallyallowadecisionmakertovaryaninstrumentthattheyhavemade.)

InotethattheAttorney-Generalcanalwaysissueanewwarrantwheretheyconsider itappropriatetodoso.Further, ifthe‘significantchange incircumstances’ amounts to‘thegroundson whichthe warrant wasissuedhaveceasedtoexist’thens. 13oftheTIArequiresthattheAttorney-Generalbeadvisedforthwith andinterceptiondiscontinuedtherebycontemplatingthatanewwarrantwould berequiredtocontinueinterception.

31Discussionpaper,page41

32Warrantscancurrentlyauthoriseaccesstomorethanonecomputerordevicewherethosecomputersformpartofonesystem(sees.25Aandthedefinitionofa‘computer’ins.22oftheASIOAct)

Durationofwarrants

Thediscussionpapersuggestsextendingthemaximumdurationofa search warrantfrom90daysto sixmonthstobe consistentwithothertypesofwarrantsandtoprovideoperational benefitsas there havebeensomeinstances whereASIOwasunabletoexecutethewarrantwithin90days.34Inotethatthemaximumdurationofawarrantwasincreased from28daystothecurrent 90daysin 2005.35

Inmyview,itwould beunusual,with theexception ofonetypeofsearch,forASIOtonotbeableto executeasearchwarrantofapremiseswithin90days.Ifthatperiodisextendedtosixmonthsthen thisshould clearlybesetas themaximum possibleduration– notthedefaultstandardfor all warrants.Ifthisprovision wasenactedIwould monitorsearch warrantrequests closelytoseewhether thedurationofeach warrantrequestwasconsideredonanindividualbasistoensureitwasvalidfor anappropriatetime,which wouldusuallybelessthansixmonths.

Iamawareofonegeneralcategoryofwarrantswherethereissometimesdifficultyexecutingthewarrant within90days.To ensurethelegislativeresponseisproportionateitmaybe preferable to allowthisparticularcategoryofsearchwarrantstobeextendedratherthanallsearchwarrants.

NotingToR11(a)(establishinganamedpersonwarrantformultipleASIOActpowers) itmaybethatthepolicy reasonbehindthechangefrom90daysto6monthsisdirectedatadministrativeeaseand consistencyforsuchwarrants. Howevermyviewisthat administrativeeaseandconsistencyare, in themselves,not compellingreasonsto increasewarrantpowersorextendtheirduration.

Renewalofwarrants

Thepaperproposesarenewalprocessinsteadofanewwarrantbeing requiredininstances wheretherehasbeennochange totheintelligencecase.36Thepapernotesthat currentlyASIO‘must apply foranewwarrantwhichnecessitatesrestatingtheintelligencecaseandcompletelyreassessingthelegislativethresholdininstances wheretherehasnotbeenasignificant changetoeither,andtheassessmentof theintelligencecaseremains unchanged’.37

Section30oftheASIOActwouldseemtorequireongoingmonitoringoftheintelligence caseand need forthewarrant.Section 30requiresthat if‘theDirector-General issatisfiedthatthegrounds on whichthe warrantwasissuedhaveceasedtoexist,theDirector-GeneralshallforthwithinformtheMinisteraccordinglyandtakesuchstepsasarenecessarytoensurethatactioninpursuanceof thewarrant(otherthantherecoveryofalisteningdeviceortrackingdevice)isdiscontinued’.

MyexperienceisthatASIOactivelymonitorschangesincircumstancesandisgenerallypromptin ensuringthatactionunderawarrantisdiscontinuedwhenthegroundsfora warranthaveceasedto exist.Myunderstandingisthatthereisnointention inASIOtoreducethescrutinygiventotheintelligencecaseonrenewalorre-issueofwarrantsortheongoingmonitoring ofthegroundsforthewarrant–theseessentialinternalassuranceprocessesmaylimitthe‘streamlining’benefitstheproposedamendmentcoulddeliver.

34Discussionpaper,page42

35SeeSchedule10oftheAnti-terrorismAct(No.2)2005

36Discussionpaper,page43

Current provisionsalsorequireASIOtoprovideareporttotheAttorney-Generalontheoutcomeof everywarrantwhichisissuedtoit.38Thisisanimportantaccountabilitystep,andonethatIwould expecttocontinueifawarrantwasrenewedrather thananewwarrantbeingissued.

ToR6–ModernisingASIOActemploymentprovisions:

a.providingforofficers tobeemployedunderaconceptof a‘level,’ratherthanholding an ‘office.’

b.Making thedifferingdescriptions denotingpersons as an‘employee’consistent

c.ModernisingtheDirector‐General’s powersin relationtoemploymenttermsand conditions

d.Removing an outdatedemploymentprovision(section87oftheASIOAct)

e.Providingadditionalscopeforfurthersecondmentarrangements

The changesrelatingto the ‘requirementtoholdan office’,‘descriptorsofemployeesin theASIO Act’, ‘specialprovisionsrelatingtoASIO employees’ and‘modernisingtheDirector-General’spowers inrelationtoemploymenttermsandconditions’appeardirectedatbringing ASIO employment provisionsin-linewithotherCommonwealth governmentemployees.39IhavenocommentontheseproposalsotherthantonotethatIexpectthatIwill continuetohavegeneraloversightoftheASIO redressofgrievanceprocedures40andtodealwithcomplaintsfromASIOemployees aboutpromotion,termination,disciplineandremunerationmatters.41

Theproposedchangerelatingtosecondmentsmaysignificantlychange whatpowers individualscan exercise. Forexample,currentlyan ASIS staff member‘seconded’toASIO orwhois cooperatingwithASIOunderas.13AISAarrangementmaynotundertakeanactivityforthepurposeof producing intelligenceonanAustralianpersonwithouttheapprovaloftheForeignMinisterunlessthestaffmemberisonleavewithoutpayfromtheir ‘home’ agency andhasbeen employed byASIO. Undertheproposedchangesanindividualmight‘switch’frombeinganASISstaff member,whois notpermittedtoproduceintelligenceonan Australianwithoutministerialauthorisation,tobeingan ASIOstaff memberwho is permittedtodoso.Though while on ‘secondment’individualswould not beabletorely onpowers specifictotheir‘home’agency soforexampleASIS staffmembers ‘seconded’toASIO couldnotcarry weaponsorrely onthepartialimmunity ins14oftheISA.

Ifthe secondmentproposalisadoptedIwouldbelookingtoensurethatthe changesareappliedin sucha waythatitiscleartoindividualofficerswhichagencytheyareundertaking anactivityforand that‘secondments’areatrue changein workingarrangementsfor areasonable period.In myviewit wouldnotbeproperforsuchamechanismtobeusedtocircumventlimitsplacedonemployeesinotherlegislation.Forexampleit wouldnotbeproperforanASISstaffmember tobe‘seconded’ toASIOforaday ortwotoenablethemtoperformanactivitythattheywouldotherwisenotbepermittedtoundertake. My understandingis thatthisis notapracticetheagenciesintendtoadopt.

Carefulconsiderationalsoneedstobegiventohowtheproposedsecondmentprovisions would interactwiththeproposedauthorised operationsregime(ToR10).

My understandingis thatthereisnointentionfor‘secondments’toapply outsideofAustralian Governmentagencies(noteToR12–ASIOcooperatingwiththeprivatesector).

38Sees34oftheASIOAct

39Discussionpaper,pages42-43

40Sees.8(1)(b)oftheIGISAct

ToR10–AmendingtheASIOActtocreateanauthorisedintelligenceoperationsscheme.

This willprovideASIOofficersand humansourceswithprotectionfromcriminalandcivil liabilityforcertain conductinthecourseofauthorisedintelligenceoperations.

ThediscussionpaperstatesthatASIOhasarequirement:

…tocovertlygainandmaintaincloseaccesstohighlysensitiveinformation.Thisactivityoften involvesengagingandassociatingcloselywiththosewhomaybeinvolvedincriminalactivityand thereforehasthepotentialtoexposeanASIOofficerorhumansourcetocriminalorcivilliabilityin thecourseoftheirwork.42

Anexampleiscited where,inthecourseof collectingcovertintelligenceinrelationtoaterroristorganisation,anASIOofficerorsourcemaybeopento criminalliabilityundertheCriminalCodeif theyreceivetrainingfromthatorganisation.

Intelligenceandsecurityagenciesmustact lawfully.Itis notacceptableforagenciestooperatein ‘greyareas’.IfParliament decidestopermitASIOemployeesandsourcestoengageinactivitythatmayotherwise beillegalthen, inmyview,thereshould beacarefullyconsidered regimetoregulatethis.

Thepapersuggeststhatanauthorisedintelligenceoperationsschemewouldbe‘similarto’the controlledoperationsschemethatoperates inrelationto theAustralianFederalPolice(AFP), theAustralianCrimeCommission(ACC)andtheAustralian CommissionforLawEnforcementIntegrity(ACLEI)underthe CrimesAct1914(CrimesAct).Itisusefultobrieflysetoutsomeofthekeyfeaturesofthatscheme:

Acontrolled operationisacovert operationcarriedoutbylawenforcementofficers forthepurposeofobtainingevidencethatmayleadtotheprosecutionofapersonforaserious offence.Theoperationmayresultinlawenforcement officersand otherapprovedpersons engagingin conductthatwouldotherwise constituteanoffence.Specificanddetailed externaloversightandreporting mechanismsaresetoutinthelegislation.

Generally,controlledoperationsmaybeapprovedinthefirstinstancebydesignatedSeniorExecutiveServiceofficers(exceptformajorcontrolledoperations intheAFP whichmustbeauthorisedbytheCommissionerorDeputyCommissioner).43Theinitialperiodgenerally cannotexceedthreemonths.Theoperationmayonly beextendedpastthreemonthsupto amaximumof24months withtheapprovalofanominatedmemberoftheAdministrativeAppealsTribunal(AAT).44Thisprovidesanindependentexternalreviewofthecaseforan ongoingcontrolledoperationeverythree months.

TheChiefofficerofthelawenforcementagencymustprovidedetailed reportstotheMinisterandthe CommonwealthOmbudsman.45Theannualreport ofoperationsmust betabledinParliament(excludingsensitive matters).

42Discussionpaper,page46

43Sees.15GFoftheCrimesAct1914

44Sees.15GTofthe CrimesAct1914

45Seess.15HMand15HNoftheCrimesAct1914

TheCommonwealthOmbudsmanisrequiredtoinspectthecontrolledoperationsrecordsof theAFP,theACC andACLEIatleastonceeverytwelvemonths.46TheOmbudsmanis required tosubmitareporttotheMinisterand thereportistabledinParliament.47

Thediscussionpaperstatesthat any schemeforASIOwouldneed‘appropriatemodifications’.48The proposalisthattheDirector-GeneralofSecurity couldissueauthorisedintelligenceoperation certificates whichwouldprovideprotectionsfromcriminalandcivilliabilityforspecifiedconductforaspecifiedperiod(suchastwelvemonths).Thediscussion paperissilentonhowlonganyrenewalcouldbefororwhattestwouldbeappliedto determineifarenewalwasappropriate. Consistentwiththelawenforcementregime,thelegislationwouldspecifywhatconduct couldnotbeauthorised49

Theabilitytogive itself immunityfromAustralianlawwouldbeasignificantnew power forASIO. Engaging inactivities thatwould otherwisebeillegal carriessignificantrisk–particularlyforhuman sources.Iamawarethatoveraperiodofsomeyearsmyofficehasreceivedasmall number of complaintsfromcurrentandformerASIOhumansourcesthat demonstrate thecomplexityoftherelationship. ThepaperdoesnotexplainwhyASIOcouldnot requesttheAFPorACCtouseexistingpowerstoperformthesefunctions,includingwherenecessaryauthorisingASIOofficersorsourcesundertheexistingschemes. Similarly,wheresuchanactivitywastooccuroutsideAustraliatheschemealreadyprovidedforASISunders.14of theIntelligenceServicesAct2001(theISA) would appearrelevantandtheCommitteemaywanttoconsiderwhy suchoverseasactivities couldnotbemanagedinconjunctionwithASISperhapsby wayofASIO staffandagentsbeingmadeavailable to ASISundertheexistingprovisions.

IunderstandthatthereareoperationalimpedimentsforASIOinbeingrequiredtooperateunderschemesdesignedforlawenforcementagencies,particularlywherethoseschemesemphasisethecollectionofevidenceorare designedforshort-termoperations.IamconscioustoothatASIO considersitneedstodevelopandmaintainsourcesovermanyyears.

Theproposed schemeforauthorisedoperationsbyASIOissilentontheissueofindependentauthorisationanddetailedoversightorpublicreporting.Notwithstandingthesensitivematters relatingto nationalsecurity, theCommitteemaywant toconsiderwhetherit wouldbedesirableto have independentexternalrevieworministerialapprovalof theintelligencecaseatregularintervals.ThisexternalreviewcouldbeprovidedbysuitablyclearedmembersoftheAAT.50

Thediscussionpaperdoessuggestthatmy officewouldhavearoleinoversightandinspection.This couldbe carriedoutundertheIGISActbuttheCommitteemayalsoliketo considerwhetheritwouldbepreferablefortheoversightandreportingregimetobesetoutindetailinthelegislation,asisthecaseforcontrolledoperations,toprovideassurance that thescheme operatesaccordingto thelegislation.Being notified thata schemehasbeen‘approved’maynotnecessarily beenoughto maintainoversight,particularlywhereoperationsrunformanyyears.

46Sees.15HSoftheCrimesAct191447Sees.15HOofthe CrimesAct191448DiscussionPaper,page46

49Discussionpaper,pages46-47

50NotethattheAdministrativeAppealsTribunalAct1975(theAATAct)andtheASIOActmakeprovisionfortheAATtoreviewsensitiveASIOsecurityassessmentdecisionsunderspecialproceduresintendedtoprotectsecurity–sees.21AAoftheAATActandPartIV,Division4oftheASIOAct.

Additionalresourcesformyofficecouldbe requiredformyofficetoeffectivelyoversighttheproposedauthorisedoperationsscheme.

ToR11–AmendingtheASIOActtomoderniseandstreamlineASIO’swarrantprovisionsto:

a.Establishanamedperson warrantenablingASIOtorequestasingle warrantspecifyingmultiple(existing)powersagainstasingletarget instead ofrequestingmultiplewarrants againstasingletarget.

As faras I amawarethereis nolegalreasonwhyASIO cannotcurrently ‘bundle’warrant applications sothat theAttorney-Generalisaskedtoauthorisetheuseofmultiplepowersin relationtoaspecificindividualatthesametime.Suchanarrangementwould,however,requiretheAttorney-Generaltoconsiderthethresholdandcaseforeachindividualpower. Seemycomments inrespectofToR8(a)–singleTIwarrants.

Thediscussionpapersuggeststhatasingle warrantcouldbeissuedcoveringallASIOwarrantpowerswheretherelevant legislativethresholdsaresatisfiedratherthanrequiringmultiple warrantsforan individual.51

Thepaperdoesnot explain howthe currentdifferentlegislativetestsandthresholdsfortheissuingofdifferenttypesofwarrantswouldbereconciledinasinglewarrantprocess orwhetherthereisan intentiontoeffectivelytransferthe decisionastowhat powersshouldbeexercisedfromtheAttorney-GeneraltotheDirector-GeneralofSecurity.Thedifferenttypesofwarrantsinvolvedifferentactivitiesandconsequentlydifferentlevelsofintrusiveness(seealsomycommentsaboveinrespectofToR2(b)–standardTI warrantthreshold).Whileastandardisationoftestsand thresholdsmaybeadministrativelyconvenientIwouldbeconcernedifthere was,ineffect,a lowering ofthethresholds withoutcarefuljustificationoftheneedtodothis.

Whilesuchaschememightbeadministrativelysimpler,thereistheriskthatthe warrant would authoriseactivitiesthatwerenotproportionateto thethreattosecurityandmayshiftthebalancebetweenwhatiscurrentlyauthorisedbytheAttorney-General andwhatisauthorisedbytheDirector-General–seemycommentsinrespectofToR2(b) and8(a)above.

b.Alignsurveillancedevice provisionswiththeSurveillanceDevicesAct 2004

ThediscussionpaperproposesaligningthesurveillancedeviceprovisionsintheASIOActwiththemore modernSurveillanceDevicesAct2004toovercomeimpedimentstocooperationwithlaw enforcementpartneragencies.52

While cooperationisdesirable,itisnot clearwhatthespecificchangeswouldbe.Anychangesmustalsoconsiderexternalreviewandoversightmechanisms.InotetherearesubstantialdifferencesbetweenthecurrentASIOregimeandwarrantsundertheSurveillanceDevicesAct.Forexample SurveillanceDeviceAct warrantsareissuedbyeligiblejudgesornominatedmembersoftheAAT.53 TherearealsospecificprovisionintheSurveillanceDevicesActrelatingtoreportingandoversightbytheOmbudsman.54

51Discussionpaper,page47

52Discussionpaper,page47

53Sees.oftheSurveillanceDevicesAct2004

54Seess.49to61oftheSurveillanceDevicesAct2004

If theproposalisonlytomodernisethelanguageoftheASIOAct–whichforexampleratherconfusinglyincludesadeviceforrecordingimageswithin thedefinitionofa‘listeningdevice’55– thenthisisamorefocussedproposalthatdoesnot raiseproprietyconcerns.

c.Enablethedisruption of a target computerforthepurposesofa computeraccesswarrant

The ASIOActcurrently restrictsASIOfromdoinganythingunderacomputeraccesswarrantthatadds,deletesoraltersdataorinterfereswith,interruptsorobstructsthelawfuluseof thetargetcomputerbyotherpersons.56Thediscussionpapersuggestsanamendmentsuchthattheprohibition wouldnotapplytoactivity thatis proportionatetowhatisnecessarytoexecute thewarrant.

IunderstandthattheproposalistoenableASIOtodoonlywhatisnecessarytocovertly retrievetheinformationsoughtunderthewarrant. Thatis,theprimarypurposeofanydisruption wouldbeto avoiddisclosingtothepersonorgroupundersurveillancethatASIOwasmonitoringthem.This seemsto beareasonablesolution tocurrent operationalproblems.

Asthisproposalcould directlyaffecttheactivitiesofpersonsunrelatedtosecurityinterestsitwould beessentialtohaveto clearlyjustifythecaseastowhyitisappropriatetoaffectanylawfuluseof thecomputer.Thereasons wouldneedtobalancethepotential consequencesofthis interferencetotheindividual(s)withthethreattosecurity.Thereshould beappropriatereviewandoversightmechanismswithparticularattentiontotheeffectofanydisruptiononthirdparties.

d.Enablepersonsearchestobe undertakenindependentlyof a premisessearch

TheASIOActdoesnotprovidespecificpersonsearchpowersforASIO,althoughawarranttosearchapremisescanalsospecify,ifappropriate,thatthewarrant providesthepowertosearchaperson whois atornearthepremiseswheretherearereasonablegroundstobelieve thatthepersonhas,onhisorherperson,records or otherthingsrelevanttosecuritymatters.Thisneedstobespecified inthewarrant.57

Thediscussionpaperstatesthatitisnotalwaysfeasibletoexecuteasearchwarrantonapersonof interestwhiletheyare‘atornear’thepremises specifiedinthe warrant.Thepaperproposes addressing‘theexisting limitation’byenabling ASIOto requestawarrantto search a specified person.58

Itseemsthatthecurrentprovisionsconsiderthesearch ofthepersonasincidentaltothesearch of thepremises. Aproposaltointroduceawarrant tosearchaspecifiedpersonisnotanextensionof theexistingpowertosearchpremisesbut isratheraproposaltointroduceanewclassofwarrant. Thiswillrequire carefulconsiderationoftherestrictionsandconditionsthatshouldapply.

IamawareofonecategoryofactivitieswhereASIOcurrentlyreliesonpremisessearchwarrantsto achieve whatisineffectapersonsearch.WhileIdonothaveconcernsaboutthelegality ofthecurrent approach,fromanoversightandtransparencyperspectiveitwould bepreferableforthelegislation toprovideaspecificmechanismforpersonsearcheswithappropriatelimitsratherthan usingapremisessearch warrantforthis purpose.

55Sees.22oftheASIOAct56Discussionpaper,page4857See s.25oftheASIOAct58Discussionpaper,page48

Careneedstobetakenthatthoseundertakingapersonsearchhaveappropriatetraining and qualifications.Tothisenditmaybepreferabletorequirethat, were possible,suchsearchesareundertakenbylawenforcementofficers whohavespecifictraininginthisregard.

e.Establishclassesofpersonsable toexecutewarrants

ThediscussionpaperproposesthattheDirect-GeneralofSecurityshouldbeabletospecifya class ofpersontoexecuteawarrantratherthan namedindividuals.Whilethiscouldbeoperationally effective,itwouldbeessentialforASIOtoensurethatallofficersinaparticular classwerefully trainedandunderstood thelimitsoftheir authorisation.Asnotedabove in relationto ToR11(d) theremaybecaseswhere thebestqualifiedofficerstoconductaparticularsearcharelawenforcementofficers.

ToR12– ClarifyingASIO’s ability to cooperatewith the privatesector.

Thediscussion paperproposesamending s19(1)of theASIOActtoavoidany doubtabout ASIO’s abilitytocooperatewiththeprivatesector.59

My officeregularly inspects thefiles ofASIO’s interactions with,for example,Statelawenforcement agencies.Wealsohave the abilitytoreviewASIO’s cooperation withprivate sectorentitiesif appropriate.

ToR13–EnablingASIOtoreferbreachesofsection 92 of theASIOActtoauthorities

Ihaveno commentonthisproposal.

ToR17–AmendingtheASIOActtomoderniseandstreamlineASIO’swarrantprovisions:

a.Usingthirdpartycomputersand communicationsin transit toaccessatarget computerunderacomputeraccesswarrant

ThediscussionpaperproposesamendingtheASIOActtoenableathirdpartycomputerorcommunicationintransittobeusedbyASIOtolawfullyaccessatargetcomputer.60

Anysuchchange mustensurethattheimpactonthethird party,includingprivacyimplicationsas wellasanyimpactonthesecurityor lawfuluseof thethirdpartycomputerareconsideredcarefully intheapprovalprocess.

CurrentlytheTIAActallowsASIOtoobtainawarrantfromtheAttorney-Generaltointerceptcommunicationsviaathird partyonly whereallotherpracticablemethodshavebeenexhausted orwhere it would nototherwisebepossibletointercepttherelevantcommunications.61This appearstobeanappropriatesafeguard.

59Discussionpaperpage49

60Discussionpaper,page50

61Sees.9(3)oftheTIAAct

b.Clarifyingthattheincidentalpowerinthesearchwarrantprovisionauthorisesaccesstothird partypremisestoexecuteawarrant

Thediscussionpaperproposes‘clarification’ofthescopeofthepowers incidental totheexecution ofasearchorcomputerwarrantinrespectofentry toa thirdparty’spremises.62

Anysuchchange mustensurethattheimpactonthe thirdparty,includingprivacyimplicationsas wellas thepotentialforanydamagetoproperty,isconsidered carefully.Ifthis entryis pre-planned–forexampleasaccess toapremises–it couldbespecifiedandauthorisedinthewarrantdocumentation.

Myunderstandingisthatthe operational driverbehindtheproposedamendmentistoallowforan unplannedorunforseenemergencyexitingbyASIOofficerswhoare covertlyexecutingawarrant. Thislimitation could tobe setoutinthelegislation.

c.Clarifyingthatreasonableforcemaybeusedatanytimeduringtheexecutionofawarrant,notjustonentry.

Thecurrentdrafting oftheASIOActsuggestthattheuseofforceislimitedtoauthorisationofentrymeasures.63Thediscussionpapersuggest that‘theprovisions relatingtotheuseofforce are not limited insucha way’ andproposes anamendmentto‘correct’this is a‘drafting anomaly’.64

Itis not clearwhetherthis is infacta ‘draftinganomaly’ but,inany event,tobroadentheuseof forcetoincludeallwarrantedactivities couldenableASIOtouseforceinconductingperson searches.

Myunderstandingisthatthepolicyintention behindthe proposedamendmentrelatesonlyto secondaryuseofforcebyASIOofficers against‘things’ when conductingpremisessearches.Forexampleforcemayberequiredtoinitiallygetthroughthefrontdoorandfurtherforcemaybeneededto,forexample,opena lockeddrawer.IunderstandthatthereisnointentiontoauthoriseASIOofficers touse forcetoconductpersonsearches.

Fromtimetotimemyofficehasreceived complaints aboutsearchesofpremises.Thisisahighly intrusiveactivityand Iwill continueto monitorASIO’sactivitiesinthisregard.

d.Introducinganevidentiarycertificateregime.

Ihaveno commentsonthisproposal

62Discussionpaper,page50

63See,forexample,headingaboves.25(7)oftheASIOAct

64Discussionpaper,page50

IntelligenceServicesAct2001

ToR7– ClarifyingtheDIGO’sauthoritytoprovideassistancetoapprovedbodies.

Thediscussion paperproposes amendmentstoDIGO’s function under s.6B(e)oftheISAto ensure thatDIGOhasclearlegislativesupporttoundertakeitsgeospatialandimageryrelatedfunctions,and includeanexpressreferencetospecialised imageryandgeospatial technologies.65

Idonot needtocommentonwhatmighthavebeentheoriginalparliamentaryintentionor whetherthereisactually anyambiguityinthecurrentlegislation,butI willnotethatIhavenoproprietyconcernswiththeviewthatDIGOshouldbeabletoprovide CommonwealthandStateauthorities andotherapprovedbodies,assistanceinrelationtotheproductionanduseofallimageryand geospatial products orassistance withtheuseandapplicationofspecialised imageryandgeospatial technologies.Ifsuchassistancewasalsoforthespecificpurposeofproducingintelligence onan AustralianpersonmyexpectationisthatDIGOwouldcontinuetoberequiredtoobtainministerial authorisation.IalsoexpectDIGOto continuetoapplythePrivacyRulesmadeunders.15oftheISAtoanydisclosureofintelligenceaboutan Australianperson,regardlessof which functiontheintelligencewascollectedunder.

ToR18–AmendingtheIntelligenceServicesAct2001

Theministerialauthorisationsschemeensuresappropriateministerialoversightofthemostsensitivefunctionsoftheforeign intelligenceagenciesincludingsettingoutthelimited circumstancesinwhichitispermissibleforthoseagenciestoundertakeanactivityforthespecific purposeofproducingintelligenceonanAustralian person.Twochangesareproposed.

a.Adda newministerialauthorisationgroundwhere theMinisterissatisfiedthatapersonis, oris likelytobe,involvedinintelligenceor counter‐intelligenceactivities.

Thefirstchange concernstheadditionofanew provision which wouldallowtheMinister to authorisetheproductionofintelligenceonan Australianpersonwhois,orislikelytobe,involved in intelligenceorcounter-intelligenceactivities.66Theproposedchangeisconsistentwiththestructureofexistingapprovalmechanisms.Ihavenoproprietyconcerns withtheproposed change.Oversightoftheuseofsuchaprovision couldbemanagedinthesameway thatthisofficeinspectstheexerciseofotheractionsbasedonsimilarapprovalsbytherelevantMinister.

b.EnabletheMinisterofanagencyundertheISAtoauthorisespecifiedactivitieswhichmayinvolveproducing intelligence onanAustralianperson orpersonswheretheagencyis cooperating withASIOintheperformanceofan ASIOfunctionpursuanttoasection13Aarrangement.Aministerialauthorisationwillnotreplacetheneedtoobtainawarrantwhereoneiscurrentlyrequired.

ASIOcollectsintelligencerelevantto‘security’.67ASIScollectsintelligenceabout the capabilities,intentionsoractivitiesofpeopleororganisationsoutsideAustralia.68Whilethestatutoryfunctions

65Discussionpaper,page44