Legal and Constitutional Affairs References Committee - 21/07/2014 - Comprehensive revision of the Telecommunications (Interception and Access) Act 1979

ARNOLD, Associate Professor Bruce Baer, Law School, University of Canberra

[10:47]

ACTING CHAIR: Welcome. The committee has not received a written submission from you. Is there anything you would like to add about the capacity in which you appear?

Prof. Arnold : I am appearing on a personal basis. In terms of affiliations, I have no political affiliation but I disclose that I am a director of the Australian Privacy Foundation. My statements today are independent of the foundation.

ACTING CHAIR: Understood. Would you like to make a brief opening statement before we go to questions?

Prof. Arnold : I am conscious that time is fairly short today, so I will try to be very quick. Listening to the previous speaker—a man for whom I have considerable respect—I would try to wrap up by saying: with this legislation, with surveillance generally, whether it is by the Australian Federal Police or the various state police forces, or the RSPCA or one of the various councils, local government that is accessing a range of information, ASIO and so on, essentially we are dealing with questions of trust. One of the reasons that I think this inquiry is important is that for at least the last 10 years people have been dealing with essentially the same questions. At least once a year questions with this legislation come up. You have bodies such as the Law Council of Australia, the Law Institute of Victoria—these are hardly howling Bolsheviks—warn, fairly persuasively, against what seems to be continual pressure by law enforcement agencies of a form of bureaucratic creep: give us more power, allow us to do things, require the telcos, for example, to do things that simply do not make economic sense—'Gimme, gimme gimme'. The legal community is saying: 'Hold on. We're keen on law enforcement. It's essential. However, it has to be proportional. It has to be more than simply legal.' It is very easy to legalise bad behaviour. What we should be concentrating on is behaviour by all of the stakeholders that is proportional and that we need trust.

Unfortunately, governments—whether they are coalition or Labor—have not really induced trust. We are told to trust law enforcement, and particularly we are told to trust national security. Necessarily, national security is a black box. It is not appropriate to open up every aspect or probably most aspects of that black box. However, as consumers, as citizens of Australia, as people within the legal system, we are more likely to give government leeway and we are more likely to support the national security agencies, the police agencies and so on if there is greater transparency and if there is a strong sense within the community that these bodies are accountable. So, among other things, in my opinion there is a huge issue with the plan to slash the Independent National Security Legislation Monitor—a body that has done excellent work, that is very keen on law enforcement and national security; but, apparently, we do not need it. Why not? Well, we just don't need it and, besides, it will allow us to save money. Of course, what will we spend the money on? We will spend the money on accommodation for a ballet school. This strikes me as a really strange attitude on the part of the current government to law enforcement, to accountability and, ultimately, to national security.

Senator JACINTA COLLINS: Excuse me, Professor, we had a backflip on that last week.

ACTING CHAIR: 'Backflip' is very strong language. We had a rethink, and the monitor will now remain.

Prof. Arnold : My concern there is that we should not have had to have a backflip or a rethink or a realignment or whatever nice sort of language that we are using. Again, we have huge savings with what at the moment is the Office of the Australian Information Commissioner by getting rid of it. Rather than getting rid of it, we should strengthen it. Governments of either persuasion should be strongly endorsing the recommendations that have been made by the Australian Law Reform Commission over a number of years. And I note the fairly succinct submission made to this committee by Professor Croucher earlier this year, where I think she has hit on a couple of key points on points that were raised this morning. Why is this information being retained potentially indefinitely by a range of bodies? How is it used or misused?

ACTING CHAIR: Thank you very much. I suppose the two areas we are traversing that have direct bearing on what we are dealing with here are the proposed reforms to the Telecommunications (Interception and Access) Act or its modernisation. It might be the one single point of agreement amongst everybody in this debate that the act itself needs to be modernised.

Prof. Arnold : I think you would find that there is agreement across the community that the legislation needs to be fixed.

ACTING CHAIR: Furious agreement, even with the Secretary to the Attorney-General's Department. There is that, but then there were also a tranche of national security proposals tabled by the Attorney-General last week that strongly impacts on the work that we are doing here. We hear a lot about the word 'proportionality'. I wonder, firstly, whether you think the reforms last week that did specifically relate to ASIO meet the proportionality test and whether they could be advanced without any increase in safeguards, which I guess we just heard argued for?

Prof. Arnold : I have not fully assimilated the legislation from last week—but it is broad. What I thought particularly interesting was the comment this morning that, as far as Mr Irvine is concerned, it will not be used or misused to silence journalism. I think many people, on both the left and the right, who are passionate about privacy and otherwise, have some disquiet about an initiative such as WikiLeaks or the disclosures by Edward Snowden. I would certainly be one person who is not entirely comfortable with those disclosures. However, it is axiomatic that in a liberal-democratic society governments are accountable. A key mechanism for that accountability is a free press. It would be entirely inappropriate for the new legislation to be used in a way that silences legitimate criticism and legitimate investigation by the media, by the traditional media, or increasingly by what people sometimes refer to as citizen media. I am unsure that we can really rely on the public-disclosure regime.

ACTING CHAIR: If you do not believe we can rely on the public-disclosure regime—you presumably mean existing whistleblower protections and mechanisms where people can lawfully put issues into the public domain—what is your expectation of what will occur instead?

Prof. Arnold : At the moment, I am not sure. One of the reasons I flagged questions of trust is that there is uncertainty about—there is disagreement today—how particular agencies are interpreting their responsibilities under the legislation. Is web surfing covered? Is the history of my electronic communication covered? Or do we say, somehow, that email is covered and SMS is covered but everything else is not? We need a greater clarity here, and it would be possible to have that clarity.

I was glad that there was a mention of the developments in Europe. Yes, the UK is introducing mandatory data retention but it has done so on an extraordinary basis. The government admits that. Tory backbenchers have been complaining quite loudly: 'Why is this being rammed through? Why can't we have a proper debate and do we need this retention regime? Is it proportionate?' Implicitly, is everyone who is online, everyone who engages in electronic communication, to be regarded as a suspect? Do we see some sort of bureaucratic creep?

At the moment, we are being assured or being told or promised that data retention, if it is introduced in Australia, is likely to be only for a period of two years. At least in the past people have talked quite strongly about five years, seven years or 10 years. I was at a meeting about 10 years ago, with a particular official, where it was said, 'Why don't we store it for 20 years and why don't we allow a whole range of agencies to engage in data mining. This will be good. It will save us from bad people.' Possibly it will not. Again, I come back to the notion of a black box: possibly it will; possibly it will not.

We need some trust when we are told, 'Sorry, as from today I cannot give you those statistics. If I gave you those statistics it would provide comfort to people who, I think all of us would agree, don't have Australia's best interests at heart. I am not at liberty to go into details, rightly or wrongly. I'm not going to give a great deal of information about the way I interpret particular terms, and possibly my interpretation will be different from the interpretation of the Attorney-General's'—even though I think we were told they were singing from the same song sheet—'and from the Australian Federal Police and a range of other agencies'. More clarity would induce trust. It should be possible. We have excellent drafters over on that side of town, and I think it would encourage people to believe that there is some proportionality.

Essentially, just because you have a hammer does not mean that everything is a nail. Just because you use the telecommunication network does not mean you are necessarily a suspect, and it does not mean that over time we should have continuing pressure from government—largely on a bipartisan basis, largely driven by a fairly small number of agencies—to consistently, fundamentally erode privacy protection.

ACTING CHAIR: Your point is that the general population are more likely to be accepting of the work and role of these agencies if they have confidence that the oversight and accountability is there. If they trust the agencies, if they trust the mechanisms that surround them and provide that oversight, it is almost a social licence to operate.

Prof. Arnold : Definitely.

ACTING CHAIR: You put a piece up on The Conversation, last October, around public attitudes towards privacy. This might tend more towards the technology sector, specifically, than intelligence agencies. There may be a view that, effectively, privacy has been annihilated and we should just get over it, and who cares. I am interested in putting those two concepts together: people's views of their privacy and people's trust in the agency. From your work around some of these surveys and from your research, do you think that trust exists and, if it does not, I guess that is a problem for us as citizens but also a bit of a problem for the agencies themselves.

Prof. Arnold : And it is a problem more broadly for the legal system and government. A lot of the data about stated attitudes to privacy and actual behaviour is quite fuzzy. There are some conflicts. Implicitly, this was picked up by Mr Irvine this morning. He said, post Snowden, a range of people—some of those people entirely legitimately, some possibly unnecessarily—are shifting to new media, encryption, throwaway phones or whatever. There is a concern within the community that their privacy is being eroded.

Ultimately, in a liberal-democratic state—I apologise for giving you the legal-theory lecture—consent is really important. If people choose to give their information to Mr Zuckerberg at Facebook they should be allowed to. They do not have that choice with government. What we can see is that over time people are becoming more and more discerning about that sort of private-sector gifting. And there are concerns within government, where there is pressure, for example, to say 'We don't want you to use a fake name or fake address.' The sort of thing I use. If you look at some services, I am 84 years old and I live in Antarctica. I am also female—that would be news to my mother.

As people are becoming sensitised they are responding to some of these privacy abuses. They should be allowed, possibly even encouraged, through stronger privacy law and we are seeing that stronger privacy law appearing in Europe, where the regulators—nice liberal-democratic states, very much market oriented states—are saying, 'Okay, Facebook, back off; likewise, Google, back off.'

We have some concerns within Australia that privacy perceptions are shifting. Government can reinforce its legitimacy by being more transparent, by being seen to be accountable. A lot of the time it would be very easy to do. You could do it, to some extent, simply by being symbolic.

There was the senator's point before about the national security legislation monitoring. We have recognised and acknowledged that this was not a good idea and, yes, it does cost money to be accountable, but it is a good thing. If we look at IGIS, yes, it costs money but the fact that we have an Inspector-General of Intelligence and Security is a good thing. This encourages public trust. Let us reinforce that by making sure that IGIS has enough resources to carry out its job in a way that will reassure everyone, including senators and suspicious, wrinkled old men like me.

ACTING CHAIR: Are you on the fence, or do you have a view one way or the other as to whether we need a data retention regime in Australia? I presume you were in the room for a fair bit of Mr Irvine's evidence earlier.

Prof. Arnold : I probably caught the last half an hour.

ACTING CHAIR: That is when we were going through it specifically. What is your view on whether we need this regime at all?

Prof. Arnold : I am, overall, unpersuaded that we need it. We get back to the black box problem where, necessarily, we have to rely on a range of law enforcement bodies and national intelligence bodies to tell us that everything is okay. From what we can see historically—and I have no reason to believe that things really have changed that much—much of the most effective law enforcement has been distinctly low tech. To use the vernacular, someone has dobbed in someone else, or one of the intelligence agencies, such as a police force, has had an informant, and in some instances has had one of their own personnel within a particular group. In Australia we have a fixation, a fascination, with digital technology. We think that it will solve all problems. In practice it probably will not.

Old fashioned policing is important. I admit I was being irreverent before when I made the jibe about the ballet school, but possibly if we are really concerned about law enforcement we should put some money into cops on the beat or the equivalent rather than necessarily saying, 'Oh well, put more money into data mining,' because data mining probably does not work. We can look at some of the overseas studies including studies coming out of government. For example, the two reports by the President's Intelligence Advisory Board, which reported to President Obama in the US in the last month or so, there is real scepticism there about whether metadata mining really does give you much of a grasp on a range of crime, on terrorism and so on.

ACTING CHAIR: The distinction that we are trying to tease out, in part, is that between the warranted regime and the warrantless regime. We know a fair bit about the warranted regime—it is reported in the TIA Act annual report. We know who asks for them, we know the categories of offences and investigations for which they are required. It appears to me that the bar is set fairly high and that these mechanisms are robust enough that we know that they are there. That is opposed to the warrantless regime which is vague and two or three orders of magnitude more extensive. We just heard Mr Irvine before—which might have been before you arrived—refer to 'it is not the letter, it is just the envelope,' as though it is much less compelling and much less invasive. I wonder whether you would care to comment on the way in which we treat metadata. Do you think the thresholds for access for metadata should be raised? Do you think that if you have enough envelopes you have effectively got content?

Prof. Arnold : I have two comments. Firstly, I see no reason why it would not be appropriate to require warrants for metadata access and, yes, it will cost. This is a cost that is an appropriate cost in the legal system. Secondly, I thought—with all respect to Mr Irvine—he was being disingenuous. If I have a lot of mail, and if you can tell who the letters are coming from and to whom I am sending my letters, and, by extension, if you know which restaurants I go to and you know which other people go to the same restaurants, then pretty soon you can build up a fairly detailed picture of my life. Look at what is now the very large literature about the joys, the importance, the wonders of big data—the sorts of things that government has been really enthusiastic about and that academics and businesses have been really enthusiastic about. Give me enough data, give me enough envelopes about you, and I have a pretty good idea of what you are up to or what you might be up to, and, by extension, the people around you. This is privacy-invasive. I question whether it is appropriate.

I question whether we really should be planning, as is clear from statements in the past from government agencies, to collect as much metadata as we can from every Australian: web-surfing, SMS, geolocation data—whatever. If you are tracking where, for example, my phone calls are being made from, over the last month, you would have been able to tell, pretty much: 'He's at the university today; he's at the ANU tomorrow. He's out at Bungendore. He tends to go to Bungendore a lot. He's in Sydney, in this particular part of Sydney.' Yes, it is only an envelope, but you have some idea of what my life is about. One of the fundamentals of privacy—and, I think, an accepted principle of privacy—is freedom from interference: the sense that you can live your life, as long as you are law-abiding, without someone breathing over your shoulder the whole time.

ACTING CHAIR: It is one of the founding principles of liberalism, is it not?

Prof. Arnold : Yes.

ACTING CHAIR: Is it not also the case—because you made it sound as though you were wandering around in that fishbowl by yourself—that, if it is not just your handset but everybody's handset, we can work out exactly who you met, who you were in proximity to, every minute of the day?

Prof. Arnold : Yes, and you can do the six clicks of separation—you can build up a so-called social graph. Over time, if you have enough data, you can build up a very good picture of a demographic, a cohort, a group of people. Some of those people will be entirely innocent. For example, if I were up to no good, I might well be making my weekly call to my mother. My mother is entirely innocent. Her idea of a good time would be—I don't know—working out whether she votes for the Liberal Party rather than the National Party. But you will be picking up data about her as well. Does the government need to know this? And could it be misused? I was fascinated to hear the comment by Mr Irvine that telcos should be required—forced—to take more care with customer information. I entirely agree with that, because we have seen, over the last couple of years, outrageous and recurrent data breaches by the major telcos. But I think that those problems should be addressed either under consumer protection law or under privacy law—possibly under the Telecommunications Act 1997—rather than under the TIA, or ASIO or whatever. The obligation should be on any business dealing with information, rather than on just, say, the telcos because the telcos are a key element of the national information infrastructure.

Senator JACINTA COLLINS: Part of our discussion covered that, where I highlighted that air carriers are perhaps another example that would be just as relevant—indeed, I am sure our security agencies would use that data also in ascertaining where people have been and what they have been doing as well.

Prof. Arnold : Yes.

Senator JACINTA COLLINS: I am interested to go back to the assertion that ASIO makes in their submission—that there has been no misuse of information; there have been some errors that have been reported by the Inspector-General, but there has been no misuse. You are apprising us of your understanding of some misuse by the telcos, but I am curious as to your view of the statement that there has been no misuse of data.

Prof. Arnold : At the risk of ranting at you—and I apologise—again, it comes down to trust. I read with interest the IGIS report, and I must admit that I am sympathetic to some of the problems that it was addressing. I think Mr Irvine quite sensibly and responsibly acknowledged, 'We should have turned the device off, but there was a clerical error and it didn't happen'. I work in a university; we make clerical errors, too. I suspect there are even errors in Parliament House; it happens. It is laudable that there has been that reporting. Are there errors of omission or commission that are taking place within ASIO or within any other agencies? The bottom line is that we hope that there are not. We trust that the officials are behaving. We trust that IGIS is actually on the ball and is properly resourced, and IGIS notes that there are questions about its resourcing. It is a matter of trust.

I qualify that trust by saying that if we look at it historically, the world was in existence, ASIO was in existence, more than 20 years ago, and if we look at what has been done in the past then clearly there have been times in a range of law enforcement and national security agencies in Australia when clearly there has been misbehaviour on occasion—a wild misuse of resources, the anxieties from at least the first years of last century that the Bolsheviks were going to take over, or the Wobblies, or whatever. There was the almost obsessional monitoring by intelligence agencies of Australian literary figures, who were, in retrospect, absolutely no threat. I think if there had been some hard thinking at the time it would have been clear that there was no threat. So ultimately the problem with intelligence agencies in Australia is not that these are bad or evil people but that they have a particular view of the world, and possibly they are not very competent. And we have to trust that they are doing their job. We have to trust that if there is a problem they will report it. But because it is a black box we have to rely on that trust and we may not know for sure until something really goes wrong.

Senator JACINTA COLLINS: Can you give me examples of the telcos' misuse?

Prof. Arnold : My reference there was to data breaches, which is something that I am interested in. This is not the telcos mining customer data for improper purposes; it is that they have mismanaged their networks, or they have mismanaged their human networks—their dealer network with Vodafone, for example—and large amounts of personal information, such as name, date of birth, address, credit card numbers and so on, have recurrently been exposed. These are large organisations. You would expect that they would have systems in place to prevent this sort of data breach—information going out on the web. Telstra I think is problematic, because we have had a couple of Telstra breaches, and we almost have boilerplate: the chief executive puts his hand on his chest, swears it will never happen again, says, 'We're so very, very sorry', and then a year down the track there is another data breach. Possibly they need fewer dividends to shareholders, and certainly fewer bonuses to chief executives, and more money on hardening the system and doing a bit of restructuring and greater compliance so that the consumer data does not get out there.

ACTING CHAIR: If there are no other questions, we might leave it there, with thanks for your evidence today and your expertise.