Second Reading - Telecommunications Amendment

I rise to speak in support of the Telecommunications and Other Legislation Amendment (Miscellaneous Measures) Bill 2019. National security, keeping Australians safe from harm, is the highest priority of every government, but it is a particularly important priority for this government. That's why, on Monday, the Prime Minister spent quite some time outlining our plan for keeping Australians safe and secure. The Prime Minister highlighted many of the existing threats to the freedom and the security of all Australians. They include the dangers that arise from organised crime; the consequences of trafficking in drugs; the issue of border security and the risks of people smuggling; and the threats of terrorism, corruption and online predators, particularly those who do so for the sexual exploitation of children. In the many years before I came to this place, I served as a Commonwealth prosecutor, and I don't think I'm exaggerating in saying that I've prosecuted near enough to all of these offences at one time or another. I've seen how hard our agencies work to stop crimes of this nature and I've seen how difficult it is to mount a case to hold accountable those who engage in this kind of conduct in the digital age. These threats are continually growing and continually evolving. This isn't something we need to be scared of but something that we need to deal with. We need to prepare our agencies and give them the tools they need to be able to be effective in the interests of all Australians.

Today our security agencies face one of the most significant technological challenges we have ever faced in our history. With fatal terrorist attacks overseas, the recent disruption of alleged planning for a mass casualty attack by three individuals in Melbourne—incidents like this highlight the threat to all Australians that is presented by those who would seek to harm Australians using terror and who plan to do so and communicate using encrypted messaging applications.

The government supports the use of strong encryption to protect personal, commercial and government information. We understand it has a positive commercial and public role to play. However, the increasing use of encryption to conceal communications has significantly degraded law enforcement and intelligence agencies' ability to collect intelligence, to conduct investigations and to detect intrusions into Australian networks. Our intelligence agencies have told us some facts about which we should all be concerned and of which we should all take note. The first is that encryption impacts at least nine out of every 10 of ASIO's priority cases. The second is that 95 per cent of ASIO's most dangerous counterterrorism activities target those who actively use encrypted messages to conceal their communications. The third fact is that over 90 per cent of data that is being lawfully intercepted by the AFP now uses some form of encryption. The fourth is that effectively all communications among terrorists and organised crime groups are expected to be encrypted by 2020. And let's be frank about it: near enough to all of them are already using these services.

It's a reality to which we must adapt. The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 was passed at the end of last year to help equip our agencies with the tools that are necessary to adapt to the increasing use of encryption by terrorists and serious criminals. We now seek to improve upon this legislation by bringing forward a review of the act and by ensuring that Commonwealth and state anticorruption bodies are able to use the industry assistance powers in the act. Those who have concerns about this act should feel reassured by the bringing forward of that review. It demonstrates this parliament's commitment to transparency in the use of powers like this.

The Parliamentary Joint Committee on Intelligence and Security supports the government's position that Commonwealth and state anticorruption bodies should have the same access to industry assistance powers as law enforcement agencies. The use of industry assistance powers by these bodies will be subject to appropriate oversight, and that will be effected by the Commonwealth Ombudsman. Access to the industry assistance measures will help corruption bodies in identifying and investigating serious crime and serious law enforcement misconduct and corruption across the public sector. At a time when other people in this building have spent a lot of time talking about the need for institutions like a federal ICAC, one would think that facilitating the use of evidence-gathering techniques such as this by those who would seek to stamp out corruption would be something that would have some appeal.

There have also been claims by some that these laws have been rushed through the parliament. That's not right. The use of encrypted messaging applications by terrorists represents a significant threat to the safety of all Australians, and it creates a real and critical blind spot for our agencies. It's vital that they be given the appropriate tools to detect and disrupt attacks, and it's vital that we do that in a way that is sufficiently prompt and sufficiently responsive to ensure that Australians' safety, that which is protected by the investigations our agencies undertake, is not prejudiced by our failure to act.

The need for the powers in the act was highlighted—became more urgent—in light of the fatal terrorist attack that occurred in Melbourne in November 2018. It was a tragic and awful day for all Australians, and it should serve as a wake-up call for us all about the need to act. The likelihood for further attacks was heightened during the Christmas and New Year period. The measures in the act provide a holistic answer to the challenges posed by encryption and modern communications. We can see that this is a difficult balancing act, and it's important that we get it right—and this bill does. It allows our agencies to address current and emerging threats, first, by modernising the way that they seek industry assistance and allowing them to work together with providers to identify new ways to address existing risks; second, by enhancing computer access and alternative collection methods that enable them to work around encryption without compromising it; and, third, by bolstering overt access to devices by compelling users of a relevant device to hand over passwords in particular situations.

Claims by some in this chamber that the laws weaken online security by breaking encryption are false. Quite simply, under the legislation, a company cannot be compelled to create a decryption capability. It cannot be asked to make encryption less effective for general users, and it cannot be compelled to build backdoors. It will not jeopardise the information security of general users. Importantly, access to private communications and personal information remains subject to existing requirements for a judicially authorised warrant or an authorisation of a similar kind. Requests for metadata will continue to be governed by the current requirements. The act places obligations on companies supplying communication services or devices in Australia to provide reasonable assistance to law enforcement and security agencies. The act also enhances existing search warrants and introduces new computer access warrants to modernise the search and seizure powers of law enforcement. Quite simply, this legislation does not allow for mass surveillance, as the Greens would have you believe—they love a good scare campaign. In fact, the act has considerable oversight arrangements. For instance, all requests and requirements on industry are subject to extensive independent oversight by the Inspector-General of Intelligence and Security, the Commonwealth Ombudsman or state and territory oversight bodies.

It's worth noting that the integrity body must be notified when a notice for assistance is issued, varied, extended or revoked. Further, the integrity body has the authority to inspect agency use of powers at any time and may make a report to parliament on the outcome of their inspections. Compulsory powers carry additional oversight measures to ensure they are used appropriately. For example, technical capability notices may only be issued by the Attorney-General. Furthermore, a company may also refer any requirement to build a capability to an independent assessment panel, consisting of a retired judge and a technical expert. It's quite sensible, really, that the technical expertise needed to get this right be coupled with the judicial expertise that's necessary to ensure that individual rights continue to be protected. The panel must consider whether proposed requirements would inadvertently create a back door, again using that combination of legal principle and technical expertise. Further, any decision to compel assistance may be challenged through judicial review proceedings, providing transparency and accountability for those who don't believe the powers have been exercised in the way that they should or providing opportunities for review for those who strenuously object.

The act does not allow agencies to request metadata. Interception agencies will continue to request metadata through the Telecommunications (Interception and Access) Act 1979. The data retention legislation restricted the number of agencies that could make covert requests through this legislation. A broader range of agencies have always been able to request information from carriers through the Telecommunications Act 1997. This act allows disclosure of data consistent with the notice-to-produce powers of a Commonwealth, state or territory agency. There are also a number of misconceptions posed around the definition of 'systemic weakness'. The definition of 'systemic weakness' is sufficiently clear about what would amount to creating a back door. For example, the government moved amendments to the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 on 6 December 2018 to further strengthen and clarify the prohibition against requiring providers to create or implement a back door. This included providing a definition of 'systemic weakness' that was clear and also providing a definition of 'systemic vulnerability'. This prohibits requirements in a request or a notice which would have the effect of leading to systemic intrusions into devices or networks. The effect of this is to enhance the safeguards that exist to prevent the creation of back doors.

Defining systemic weakness or vulnerability as something that affects a whole class of technology ensures that general items of technology like a type of operating system or a commercially available encrypted messaging service cannot be made less secure. Other definitions that have been moved in parliament may create greater ambiguities or, in effect, be too prescriptive. These other definitions that have been proposed may not achieve the policy intent of ensuring the overall security of devices and services, and it's important that we make sure that remains intact. For example, amendments to the definition of 'systemic weakness' use the language of 'communicating directly' to designate what constitutes 'otherwise secure information'. This language may be too narrow and exclude popular methods of communication such as private internet forums and online broadcast platforms. And I can tell you from my experience in prosecuting that these private internet forums in particular are extremely popular among those who would seek to be involved in organised crime; those who would seek to exploit children online; those who would seek to produce some of the most barbaric, predatory material for others on the internet to use; and, as we have all, I think, become aware in recent years, those who would seek to plan terrorist acts against this nation.

Additionally, the language of 'may create a material risk to otherwise secure information' may be too broad and may create an unworkable standard for assessors. The current test, which uses the language 'likely', is an appropriate legal standard. It clarifies that requests and notices must not jeopardise information security of any other person. The amendment to the language also further enhances the prohibition on any inadvertent impact on broader cybersecurity that might arise from the activities that are being targeted by an agency.

Other amendments propose the removal of the anchor of electronic protection, which makes the prohibition unnecessarily ambiguous. Without reference to 'electronic protection', which includes passwords, encryption methodology and other security layers, it is unclear what kind of weakening is prevented by the prohibition.

There have also been questions asked as to why there is a definition of 'systemic weakness'. In the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill as originally tabled, these terms were subject to their ordinary meaning. However, this approach was subject to considerable public debate and scrutiny. Leaving these terms as subject to their ordinary meaning provided maximum flexibility for providers to raise concerns as to what would be considered a systemic weakness or vulnerability. So, in response to concerns raised by industry and by the public, the Parliamentary Joint Committee on Intelligence and Security recommended that the meaning of the term 'systemic weakness' be clarified and made more precise, and so that's what's happening.

The government has also strengthened the prohibitions and limitations by: clarifying what is meant by 'systemic weakness' and 'systemic vulnerability'; strengthening the prohibitions against an agency requesting the building of a systemic weakness or systemic vulnerability; clarifying the limitations for technical assistance requests, technical assistance notices and technical capability notices; and introducing an assessment panel to consider and report on whether technical assistance would result in a systemic weakness or systemic vulnerability. Let's be clear. It doesn't allow for mass surveillance or require the construction of decryption capabilities or so-called back doors. It doesn't require companies to jeopardise information security for innocent users. It doesn't require employees of companies to work in secret without their employer's knowledge. It doesn't discriminate between Australian and foreign companies. It doesn't require Australian citizens to do things by virtue of their citizenship or allow our Five Eyes partners to request Australia circumvent human rights obligations. None of that is facilitated by this bill.

National security and keeping Australians safe from harm is our highest priority. The heads of ASIO and the AFP and the National Cyber Security Adviser support these laws. The government will continue to listen to the concerns of our intelligence agencies and provide them with the tools they need to continue their good work to protect Australians from those who would seek to do us harm.