Senate

Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018

Supplementary Explanatory Memorandum

(Circulated by authority of the Attorney-General, the Honourable Christian Porter MP, for the Minister for Home Affairs, the Honourable Peter Dutton MP)
Amendments to be moved on behalf of the Government

Amendments to the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018

1. These amendments are compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the amendments to the Bill

2. The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Bill) will amend the Telecommunications Act 1997 (Telecommunications Act) and related legislation, including the Telecommunications (Interception and Access) Act 1979 (TIA Act), Surveillance Devices Act 2004 (SD Act), the Crimes Act 1914 (Crimes Act), the Mutual Assistance in Criminal Matters Act 1987 (MACMA), the Australian Security Intelligence Organisation Act 1979 (ASIO Act) and the Customs Act 1901 (Customs Act), to assist agencies to adapt to an operating environment characterised by ubiquitous encryption.

3. The amendments to the Bill will:

enhance existing oversight arrangements for agencies and provide review mechanisms, namely legislative review by the Independent National Security Legislation Monitor within 18 months of commencement, and review by the Parliamentary Joint Committee on Intelligence and Security in early 2019
provide for explicit inspection powers of Schedule 1 measures by the Commonwealth Ombudsman and enhance the ability of the Ombudsman to inspect the exercise of these powers in conjunction with underlying interception and surveillance device warrants
add to reporting requirements on the use of Schedule 1 and Schedule 5 powers
ensure the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman are notified of the issue, variation, extension and revocation of all industry assistance measures
define 'systemic weakness' and 'systemic vulnerability' to enable technical reporting to assist in determining whether a technical capability notice would breach the legislative limitations, and apply this definition more broadly to Schedule 1
enhance the independent assessment (on referral) of whether requirements to build a new capability create a systemic weakness and are reasonable, proportionate, practicable and technically feasible
extend decision-making requirements and the limitation against building or implementing systemic weaknesses to voluntary measures in Schedule 1
narrow the functions for which intelligence agencies can seek voluntary assistance
limit the application of the industry assistance measures to the investigation and prosecution of serious offences (offences with a maximum period of imprisonment of 3 years or more)
make the activities that may be required by a notice in Schedule 1 exhaustive and clarify that they can be used to facilitate or assist in giving effect to warrants and authorisations
ensure decision-makers consider the necessity of measures under Schedule 1 and that any conduct would be the least intrusive to third parties
impose time-limits of 12 months for technical assistance notices and technical capability notices
allow for 'designated communications providers' to disclose information about a technical capability notice with agreement from the relevant agency and subject to conditions
clarify that disclosures can be made between law enforcement agencies and oversight bodies for Schedules 1 and 2
clarify the appropriate civil penalties in line with other similar assistance obligations under the Telecommunications Act
clarify that for the purposes of Part 15 of the Telecommunications Act a reference to 'Minister' is a reference to the Minister for Home Affairs
provide for Commonwealth scrutiny of technical assistance notices by the chief officer of an interception agency of a State or Territory
allow designated communication providers to refer technical capability notices to the Attorney-General for review to determine if the notice creates a systemic weakness
limit the definition of 'interception agency' to Commonwealth, State and Territory police
require double-lock approval of technical capability notices by both the Attorney-General and the Minister for Communications
limit the circumstances in which a technical capability notice may be varied and require approval of both the Attorney-General and the Minister
ensure that 'ASIO computer access intercept information' and 'general computer access intercept information' is subject to restrictions on use, disclosure and requirements which relate to destruction
allow for notification on concealment activities for ASIO and law enforcement computer access warrants, and
place further safeguards on the exercise of compulsory powers in Schedule 5.

Human rights implications

4. The amendments are consistent with Australia's human rights obligations and engage the following human right, which was identified in the Statement of Compatibility in the Explanatory Memorandum to the Bill, as introduced and read for a second time in the House of Representatives on 20 September 2018:

protection against arbitrary or unlawful interference with privacy contained in Article 17 of the International Covenant on Civil and Political Rights (ICCPR)

Human rights impacted by the Government amendments

Protection against arbitrary or unlawful interference with privacy - Article 17 of the ICCPR

5. Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour or reputation, and that everyone has the right to the protection of the law against such interference or attacks.

6. The right to privacy under Article 17 can be permissibly limited in order to achieve a legitimate objective and where the limitations are lawful and not arbitrary. The term 'unlawful' in Article 17 of the ICCPR means that no interference can take place except as authorised under domestic law. Additionally, the term 'arbitrary' in Article 17(1) of the ICCPR means that any interference with privacy must be in accordance with the provisions, aims and objectives of the ICCPR and should be reasonable in the particular circumstances. [1] The United Nations Human Rights Committee has interpreted 'reasonableness' to mean that any limitation must be proportionate and necessary in the circumstances.

7. Amendments have been made to the Bill to strengthen existing limitations, which ensures key measures do not arbitrarily or unlawfully interfere with the right to privacy, while equipping law enforcement and national security agencies with the tools to investigate and prosecute serious criminals and terrorists. These amendments, which relate to Article 17 of the ICCPR, include:

Introducing additional definitions for 'serious Australian offence' and 'serious foreign offence' for the purposes of Part 15 of the Telecommunications Act concerning industry assistance (section 317B) to ensure the powers set out in Schedule 1 of the Bill can only be used against a law of the Commonwealth, a State or a Territory that is punishable by a maximum term of imprisonment of 3 years or more, or for life. These definitions further clarify that the exercise of powers in Schedule 1 is a permissible limitation to the right to privacy as they are reserved for serious offences including terrorism and child exploitation offences. Invoking the powers in Schedule 1 is a reasonable and proportionate interference with the right to privacy given the nature of the offences under investigation.
Requiring decision-makers under the Telecommunications Act to consider if the requirements under a technical assistance notice or technical capability notice are the least intrusive known form of industry assistance when compared to other forms of industry assistance in relation to the impact on the privacy of innocent third parties (sections 317JC for technical assistance requests, 317RA for technical assistance notices and new section 317ZAA for technical capability notices). This requirement to assess whether the proposed requirements are the least intrusive further limits the ability of Schedule 1 powers being used to arbitrarily or unlawfully interfere with the privacy of innocent parties.
Section 317P of the Telecommunications Act ensures that technical capability notices can only be issued if the decision-maker is satisfied that the requirements in the notice are reasonable and proportionate. Section 317V in the Bill ensures that technical capability notices can only be issued if the Attorney-General is satisfied that the requirements in a notice are reasonable and proportionate, and that compliance with a notice is practicable and technically feasible.
The amendments include considerations of necessity in new sections 317JAA, 317RA and 317ZAA of the Telecommunications Act which strengthen the aforementioned decision-making criteria to ensure that decision-makers have regard to whether a technical assistance notice or technical capability notice is necessary for achieving legitimate beneficial outcomes for law enforcement and national security.
The amendments at sections 317JAA, 317RA and 317ZAA provide confidence that, under the oversight of the decision-maker, any limitation to the right of privacy under a compulsory notice in Schedule 1 of the Bill is permissible as being necessary to ensure national security and public order.
Imposing time-limits of 12 months for technical assistance notices and technical capability notices in new sections 317MA and 317TA in the Bill. This mandatory time-limit (extendable for a period of a further 12 months with the agreement of the provider) ensures notices are not in perpetual existence, and that decision-makers re-evaluate the reasonableness and proportionality of a notice if it is required for more than 12 months.
Extending consultation requirements to all compulsory powers in Schedule 1. New section 317PA of the Telecommunications Act requires the decision-maker to consult with the provider prior to the issuing of a technical assistance notice. This section does not apply if the provider voluntarily notifies the relevant agency, in a form they deem to be appropriate, of their decision to waive the right to be consulted. Specifically, new section 317PA allows providers to highlight the requirements that will undermine those systems that protect the security of personal information.
The purpose of this provision is to give certainty to providers that requirements in a notice have been issued with due regard to their legitimate concerns. It also legislates the steps agencies are likely to undertake when determining the requirements in a notice, which involves direct engagement with the provider to ensure the requirements achieve agency objectives and do not adversely impact the provider and the wider community. This amendment also supports other consultative measures in the Bill including the requirement for notices to be provided in writing to the provider under new section 317M.
By giving an opportunity to raise any concerns associated with the proposed notice, this amendment ensures that the compulsory powers in Schedule 1 are not exercised arbitrarily, and ensures that the decision-maker is made aware of, and can consider, any unintended consequences that may result from the issuing of a notice under Schedule 1.
Amendments in section 317MAA require decision-makers to notify the provider of their right to complain about an agency's activities to the relevant Commonwealth, State or Territory oversight body, ensuring that they have a clear avenue for redress.
Limiting the listed acts or things in new section 317E of the Bill to be exhaustive for technical assistance notices and technical capability notices. Prior to this amendment, technical assistance notices could be issued for matters that were determined by the decision-maker to meet criteria in section 317P of the Bill but were not provided for in the listed acts or things.
The types of assistance listed in section 317E are broadly cast in order to be responsive to operational needs and to reflect the rapidly changing capabilities of the communications industry. The listed acts or things are necessary to ensure agencies can continue to discharge their functions which are critical to maintaining national security and public order. This exhaustive list provides further clarity as to the situations that permit the use of Schedule 1 powers which ensures that notices are not issued arbitrarily.

Clarifying the intent, and strengthening the operation of section 317ZG

8. The amendments which support the intent of new section 317ZG of the Telecommunications Act positively engage the prohibition on arbitrary or unlawful interference with privacy under Article 17. Section 317ZG establishes an explicit prohibition against providers being required to implement or build a systemic weakness or vulnerability into a form of electronic protection. This includes actions which would make systemic methods of authentication or encryption less effective. In other words, the amendments prevent decision-makers from issuing a technical assistance notice or technical capability notice if the requirements in the notice would contravene new section 317ZG. The provisions also ensure that decision-makers cannot issue technical assistance requests if it would contravene new section 317ZG. Furthermore, the original decision-maker does not ultimately determine if the proposed requirements to build a new capability would lead to a contravention of new section 317ZG; a robust independent assessment process can be enlivened by a provider to determine the ultimate security implications, and reasonableness, of any capability.

9. New section 317ZG limits the privacy implications of the powers in Schedule 1 by ensuring the security of third parties' communications is not impacted. Specifically, this section prevents requests and notices from being used as vehicles to introduce systemic weaknesses and vulnerabilities which can fundamentally undermine the security of networks and devices. The amendments enhance the operation of new section 317ZG by clarifying existing ambiguities associated with systemic weaknesses and vulnerabilities, and strengthen measures that prevent the undermining of those systems that protect the security of personal information. This further strengthens provisions that prevent the powers in Schedule 1 from being used to arbitrarily or unlawfully interfere with the privacy of innocent parties.

10. New section 317ZG is an important safeguard that supports Schedule 1 and ensures that the related powers reflect a permissible limitation on the right to privacy as they are a necessary, reasonable and proportionate means of ensuring effective law enforcement and national security.

11. These amendments include:

Introducing a definition for 'systemic weakness' and 'systemic vulnerability' in new section 317B to clarify and prohibit those proposed requirements in a technical assistance request, technical assistance notice or technical capability notice which will lead to unlawful and systemic intrusions into innocent parties' devices. This definition makes clear that anything that weakens whole systems, and consequently puts the security of innocent users at risk, is prohibited. It clearly states a carve-out for targeted use of powers that are isolated to particular targeted devices and do not undermine system security.
Introducing a non-exhaustive definition of 'electronic protection' in new section 317B to clarify those technologies which must not be undermined as they are critical to protecting the security of personal information.
Introducing a definition of 'target technology' in new section 317B to clarify the targeted use of the powers.
Introducing new section 317WA in the Telecommunications Act which establishes a framework for providers to request the carrying out of an assessment of a new capability. The independent assessors, which are appointed as per subsection 317WA(2), will consider whether requirements to build a new capability create a systemic weakness and are reasonable, proportionate, practicable and technically feasible.
The Attorney-General must consider the report when issuing the notice. The assessors are persons eminently qualified to scrutinise the security implications of new capabilities, one being a technical expert and the other a retired senior judge.
This is an additional safeguard to the consultation requirements under section 317W. The purpose of this amendment is to ensure providers are afforded an opportunity to challenge the requirements in a notice if they believe it may lead to the introduction of a systemic weakness or vulnerability or if the requirements are not reasonable or proportionate. This is an important measure as it ensures that the requirements in a proposed notice are altered before the notice is issued in order to prevent those systems which maintain the security of personal information from being undermined.
Broadening the scope of new section 317ZG to include technical assistance requests. This ensures providers do not unwittingly introduce a systemic weakness or vulnerability into their networks or devices.

Enhanced approval, inspection and oversight

12. The amendments establish a process whereby technical capability notices require joint authorisation by agreement from both the Attorney-General and Minister for Communications and the Arts. This will ensure that technical capability notices will only be issued when an appropriately high level of authorisation and scrutiny has been applied to a relevant request.

13. Further, the amendments include a suite of enhanced oversight measures, including robust notification requirements and clear authority for the IGIS, Commonwealth Ombudsman and State and Territory oversight bodies to inspect and report on the use of powers under the Bill.

14. Existing reporting regimes have been augmented to allow the Commonwealth Ombudsman to further scrutinise the use of industry assistance measures in conjunction with underlying interception and surveillance powers. Further, the Bill now establishes clear channels for information exchange between oversight bodies to ensure the necessary information is available for assessing agency compliance with the law.

15. Reporting requirements have been set for powers across the Bill, including in classified ASIO annual reports that are scrutinised by Parliament and Government.

Additional protections Schedules 2 & 5

16. Additional restrictions, reporting and notification measures have been placed on the exercise of computer access powers and compulsory orders for access to data by the Director-General of ASIO. These amendments further bound the use of intrusive and covert powers and allow oversight bodies to better monitor their exercise.

Conclusion

17. The amendments are compatible with human rights because they clarify and strengthen limitations which reduce the impact to the right to privacy, and to the extent that the amendments limit the right to privacy, those limitations are necessary, reasonable and proportionate.

