Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Legal and Constitutional Affairs References Committee - 21/07/2014 - Comprehensive revision of the Telecommunications (Interception and Access) Act 1979
Go To First Hit

HARTLAND, Ms Kerri, Deputy Director-General, Australian Security Intelligence Organisation

IRVINE» , Mr «David» Taylor, Director-General of Security, Australian Security Intelligence Organisation

Committee met at 9:01.

ACTING CHAIR ( Senator Ludlam ): I declare open this public hearing of the Senate Legal and Constitutional Affairs References Committee for its inquiry into a comprehensive revision of the Telecommunications (Interception and Access) Act 1979. The inquiry's terms of reference are available from the secretariat. I have quite a long opening statement to make, unfortunately, so please bear with me.

The committee's proceedings today will follow the program as circulated. These are public proceedings, being televised within Parliament House and broadcast live via the web. The committee may agree to a request to have evidence heard in camera or it may determine that certain evidence should be heard in camera. I remind all witnesses that in giving evidence to the committee they are protected by parliamentary privilege. It is unlawful for anyone to threaten or disadvantage a witness on account of evidence given to a committee, and such action may be treated by the Senate as a contempt. It is also a contempt to give false or misleading evidence to the committee. The committee prefers evidence to be given in public but under the Senate's resolutions witnesses have a right to request to be heard in private session. It is important that witnesses give the committee notice if they intend to ask to give evidence in camera. If you are a witness today and intend to request to give evidence in camera, please bring this to the attention of the secretariat as soon as possible.

If a witness objects to answering a question the witness should state the ground upon which the objection is to be taken and the committee will determine whether it will insist on an answer, having regard to the ground that is claimed. If the committee determines to insist on an answer, a witness may request that the answer be given in camera. Such a request may of course also be made at any other time.

I remind senators that the Senate has resolved that an officer of a department of the Commonwealth or of a state shall not be asked to give opinions on matters of policy and shall be given reasonable opportunity to refer questions asked of the officer to superior officers or to a minister. This resolution prohibits only questions asking for opinions on matters of policy. It does not preclude questions asking for explanations of policies or factual questions about when and how policies were adopted. Officers of the department are also reminded that any claim that it would be contrary to the public interest to answer a question must be made by a minister and should be accompanied by a statement setting out the basis for the claim.

With the formalities over, I welcome everyone here today and particularly acknowledge the diary shuffling and multiple rescheduling; thank you for your patience and your time today. I welcome representatives from the Australian Security and Intelligence Organisation, ASIO. The committee has received a submission from you as submission 27. Do you wish to make any amendments or alterations to your submission?

Mr «Irvine» : No.

ACTING CHAIR: Do you wish to make a brief opening statement before we go to questions?

Mr «Irvine» : ASIO welcomes this opportunity to assist the committee in its inquiry, and I know we are scheduled to have a closed session this afternoon. We welcome the inquiry because it gives us an opportunity to address what I think are some of the misplaced conceptions and concerns about what it is that ASIO and law enforcement are actually advocating in respect of telecommunications interception, call data and so on. We do get quite frustrated, I have to say, in reading some of the claims being made about the conduct of legal communications interception in Australia. Terms such as '1984-style Big Brother surveillance', 'mass surveillance', 'gross invasions of privacy' and so on are tossed around without any real balancing consideration as to a number of facts: what we actually need interception for and how we use it and why it is so important, the use that is made of interception and, very importantly, the extent to which interception is carried out in its various forms, and the real significance of what is being proposed in the couple of years of discussions that we have had about modernising the interception regime.

I need to start by saying that there should be no misunderstanding: the interception of telecommunications is a key tool in the detection and prevention of terrorism and espionage and in the investigation of major crimes. Without it, and without our ability to access telecommunications call data and intercept communications, ASIO and law enforcement bodies in Australia cannot guarantee the level of safety assurance that people expect. The fact is that in the last eight or nine years we have stopped four mass-casualty terrorist attacks occurring in Australia and nipped quite a number of others in the bud at the very early planning stage. We could not do that without access to telecommunications call data or indeed the ability to intercept, and we should not be under any illusions in that sense.

Another point is that there seems to be a very wide misunderstanding of the extent to which we do engage in surveillance activities. This is not mass-scale surveillance. We do not have the legal authority to conduct such surveillance. We do not have the infrastructure. We do not have the resources or indeed the inclination or need to do so. ASIO officers are indeed very, very conscious of the concerns members of the public have about their privacy, and we collect intelligence only when that is needed to protect Australia and Australians. For us legally to access data or collect data, there must be an identifiable security matter. We are not talking about frivolous or prurient snooping on people. There has to be a genuine reason, and in ASIO's case connected to section 4 of the ASIO Act. The fact is that in any one year only a very small minority of the Australian community—a few thousand at most—come to ASIO's notice, and it is on this group that we seek telecommunications data. And only a small proportion of those require the use of more intrusive powers, including interception of content. So, when we do collect intelligence, we basically do so minimally, and we are required to apply the principle of proportionality and to use the least intrusive means in the circumstances. That is one area that I think has not been properly covered in commentary in the press in recent times.

The second point is that there seems to be a general assumption that there is a lack of or inadequate accountability in the way in which organs of government in Australia conduct interception activities. Much of that commentary has simply ignored the extraordinarily mandated accountability regime under which ASIO operates or denigrates the role of the Inspector-General of Intelligence and Security in keeping us honest. We do not work in a vacuum; we work within a layered accountability system which has matured over decades and which provides, in my view, a rounded assurance that in protecting Australia our intrusions into the private lives of ordinary Australians are both minimal and lawful.

Our accountability strands start with the act of parliament which governs the way in which we operate. It sets out precisely what we can and cannot do. We are accountable to parliament, including the bipartisan Parliamentary Joint Committee on Intelligence and Security. We brief the Leader of the Opposition. The Attorney-General has a significant role in authorising warranted activity. As I said, there is the role of that standing royal commission on intelligence and there is the Inspector-General of Intelligence and Security's role. Indeed, there is also the Independent National Security Legislation Monitor.

When critics are demanding that our powers in this area be circumscribed, my concern is that they are doing it without an understanding of the very precise and controlled environment in which we operate. We also have internal accountability. When we conduct interception activities, we have a range of internal processes which emphasise our role in protecting privacy, except where it is absolutely necessary not to do so.

I would like to set out what I think should be the principles governing how our telecommunications regime should be modernised. Firstly, it should be modernised because there have been considerable changes in technology over the years and the law as it currently stands does not cater for that. Secondly, the nature of the threat as it has evolved has also required us to think carefully about the way in which we use and are able to use the interception regime.

ASIO agrees with the PJCIS that the TIA Act needs to be revised and agrees with the majority of the changes that have been recommended by the PJCIS. We support the modernisation on the basis of three principles. Firstly, the legislation should be overwhelmingly technology neutral so that we do not have to come back and have a repeat of this debate every couple of years as technology changes. It should be based on principles that enable us to continue to operate schemes as technology changes. The legislation should promote efficiency and effectiveness both to cope with new communications technology and to allow more focused targeting so that we do not in fact need to bring as many people into our net at any one time, reducing the number of intrusions into the privacy of people who turn out to have no security interest.

In that sense, we need to be, in my view, very, very mindful that every time we impose a new form of accountability on organisations we are imposing a whole new layer of bureaucratic activity. Australia already has, in my view, a proven and effective accountability and oversight mechanism for telecommunications interception. We need to avoid overburdening the system with unnecessary new accountability mechanisms. I am also able to respond, if you wish, to questions on data retention and all of the misconceptions that, in my view, have arisen out of that particular subject.

My final point is that in any discussion of these issues there is a balance between the principle of privacy of an individual and the principle of the responsibility of the state to protect the individual and the community. In my view, with the current regime we have that balance about right. But it does need to be modernised to take account of new technology coming onto the scene.

ACTING CHAIR: Ms Hartland, do you want to add anything at this stage?

Ms Hartland : No.

ACTING CHAIR: Thanks very much, firstly, for coming in this morning. I will take you through some questions on data retention and other things that relate directly to some of the issues that you brought to us today, but I am very well aware that one of the issues that is giving your work some edge at the moment—and this was mentioned by you in your press conference with the Attorney-General last week—is Australian nationals or residents fighting overseas, particularly in the civil war in Syria and in Iraq. I was wondering if you could take the committee through some of the electronic surveillance tools and processes you use to track such individuals and the scope of that.

Mr «Irvine» : I need to be very careful in answering that question because it is hugely important that we do not in a public forum set out for all of our targets to see exactly what we are doing. We use a variety of methods to collect intelligence on Australians both here in Australia and overseas but only where those Australians have given us reason, according to section 4 of our act, to deem that there is a possible security risk.

The methods we use are well known to some extent. We have the ability to mount physical surveillance on people. We have the ability to collect intelligence by human means in relation to persons of interest through people, the community, telling us what is going on. We use that extensively. We also have the means in looking at the communications of these people to find out what their intentions are, whether or not they have been dealing with other people of concern to us and so on. That brings us to telecommunications interception of content and access to telecommunications call data. Each of those methods are used.

ACTING CHAIR: You are a domestic intelligence agency. Could you spell out for us, particularly where you have people moving between Australia and overseas—more on the legalities than the operational side, but stray as far as you wish to—the demarcation between your work as a domestic agency and that of your colleagues whose remit is largely overseas.

Mr «Irvine» : I would not actually describe us as a domestic intelligence agency. Our act does not do that. It lists responsibility for security that can in fact impact on Australians at home or overseas. For example, if an Australian were going overseas to plant a bomb, say, somewhere in South-East Asia, our responsibility would be in respect of that person when he or she is in Australia and overseas. Our responsibility for the lives and safety of Australians impacts on Australians when they are overseas as well.

ACTING CHAIR: So there is not some kind of hand-off to ASIS that happens at the border or anything like that?

Mr «Irvine» : It is not so much a formal hand-off as to what their responsibility is and what our responsibility is. ASIS does not have within its act the right to collect intelligence on Australians except under a ministerial authorisation. It cannot collect anything on Australians anywhere at home or overseas except with ministerial authorisation. We are different. Because we do focus so much on Australians, we can collect intelligence on the small number of people we are interested in without being required to go through external approval processes.

When there are Australians overseas, ASIS is actually much better positioned to collect intelligence on them than we are. But it does so in accordance with our security intelligence requests. One change that is being sought in the current bill that the Attorney-General has put before parliament is to enable ASIS to collect intelligence on Australians at the request of the Director-General of Security in ASIO without needing to go and get a further warrant. So ASIS would collect it as if it were operating under the terms of the ASIO act.

ACTING CHAIR: In the state of play that prevails at the moment, would that request need to come through the Minister of Foreign Affairs?

Mr «Irvine» : Yes, at the moment. What we are trying to do is to make the cooperation in collection on national security matters more streamlined and easier than it currently is. There is one other issue—that is, ASIO requires a level of information about people overseas as to whether they might be engaged in activities contrary to national security. ASIS cannot collect until it has established that they are doing things contrary to national security. So we just need to realign and get rid of some of the bureaucracy in that area to ensure that both agencies are operating in the most effective way to protect national security.

Senator JACINTA COLLINS: That issue is not currently covered in the current provisions of the Attorney-General's.

Mr «Irvine» : That issue is covered in the current legislation that the Attorney-General put forward last week.

ACTING CHAIR: There are two numbers we have got to work with. One you identified at your press conference last week is that there are several tens of individuals that have returned from those two conflicts?

Mr «Irvine» : Yes.

ACTING CHAIR: And you mentioned this morning a few thousand at most, but I gather you meant the entire remit of your work?

Mr «Irvine» : The entire remit of our work covers counter espionage, counter sabotage, activity against covert foreign influencing of government and politically motivated violence, which covers terrorism but also covers other forms of politically motivated violence as well.

ACTING CHAIR: So we have got several tens of individuals who have returned from these conflicts. How large is the pool of individuals you are tracking who you might be concerned are heading the other way and heading overseas?

Mr «Irvine» : I am only saying several tens of individuals in relation to people who have been in Syria and returned to Australia.

ACTING CHAIR: Do you mean Syria and Iraq or just Syria?

Mr «Irvine» : Mainly Syria, Iraq is a somewhat later development. There are several tens there. The second figure I would give you is that we are aware of approximately 60 Australians who are involved in the fighting in both Syria and Iraq. Not all of those 60 are necessarily fighting for the most extreme al-Qaeda derivatives in Jabhat al-Nusra and what is now to simply called that Islamic State—ISIS or whatever you want to call it. But what has been a particularly worrying tendency is that the young people who are going there are indeed gravitating towards the most extremely violent end of that particular spectrum. We have all seen pictures on television and in the newspapers of just how horribly violent that is.

ACTING CHAIR: How much are you able to tell us about how you keep track of their movements? There is barely a functioning government now across the western parts of Iraq.

Mr «Irvine» : I would prefer not to answer that question.

ACTING CHAIR: With roughly 60 individuals fighting, how many people—

Mr «Irvine» : Sorry, I forgot to give you the third figure. Overall, back here in Australia, there are probably 150 people who have some involvement with, are supporting or indeed are actively recruiting for or financing these extremist elements in Syria and Iraq. Not all of those people are necessarily threats to national security.

ACTING CHAIR: I would assume not.

Mr «Irvine» : Not all of those people will go beyond expressions of verbal support. Indeed, you do pick up a lot of bravado and passionate support for these extremist violent groups without that translating into an active national security threat. But the point is: we do not know that unless we look at them.

ACTING CHAIR: Yes, indeed. Although the ASIO amendments are not formally covered by our terms of reference and as you have already spoken of them, I will be raising a couple of issues and I presume other senators will too. In relation to the ASIO amendments or to the TIA act reforms that we are more specifically targeting here today, can you give us an example—obviously de-identified—where limitations on your existing powers have meant that you have not been able to work effectively, in exactly the kind of work that you are describing for us this morning, either tracking the return, the departure or the organising for these conflicts in the Middle East? What tools do you specifically need that you are prevented from doing this work at the moment?

Mr «Irvine» : The tools we are seeking come under a variety of headings. One heading is simply the modernisation of the legislation to enable us to take account of the way people use computers, the way people use modern telecommunications equipment that were not even thought of in 1979 when telecommunications interception was a couple of alligator clips on a copper wire.

ACTING CHAIR: I am completely with you and we have had elements of this conversation before but, with the greatest respect, the TIA act and the ASIO act have been modified and amended dozens of times since 1979. So since the last time we amended your act, which was only a year or two ago, what is there?

Mr «Irvine» : There is an ability in the first instance to be able to target the number of telecommunications devices that a single individual has without the need necessarily to get five or six different warrants to do so. It is just simple efficiency. One area is we find people using half a dozen handsets and twice as many sim cards, for example, which make tracking and understanding what you are dealing with very difficult. Another area we have already talked about is to assist better cooperation between ASIS and ASIO and better exchanges of information between ASIS and ASIO. One area that we are very concerned to have the law authorised is the ability to use third-party computers—innocent computers—not in any way that interferes with the operation of those innocent computers or indeed looks at the information on them, but in a way that looks at them from the point of view of their ability to communicate malicious software to other people.

Senator JACINTA COLLINS: That issue is part of the current proposal from the Attorney-General is it?

Mr «Irvine» : That is part of the current proposal, yes. And it is a very important one because these days in hacker attacks, whether they are state based or from private individuals, on our national infrastructure or espionage attempts to obtain our secrets, the hackers use innocent third-party computers. If we can watch the traffic going through that innocent third-party computer, discarding anything we do not need, which is anything to do with the normal business of that computer, and simply look for the malicious signatures and where they come from, then we will have taken a great stride forward.

That was never even thought of about four or five years ago or even a couple of years ago. It was only when we became aware of the extent of the cyber threat both to individuals and to national security that that sort of measure became necessary.

Then of course, while not included in the legislation, ASIO has made no secret of the fact, along with our police commissioners and all the rest of it, that we do need to have access to call data. The call data debate has literally gone all over the shop.

ACTING CHAIR: Are you using call data as a proxy for metadata or warrantless telecommunications—

Mr «Irvine» : Yes. That debate has gone all over the shop. Let me say this: ASIO is not asking for any change to the principles, the definitions or the rules under which we seek access to call data. We are asking for the call data to be retained. We do not have the United States' system where the government collects that data. The system in Australia, which has operated very effectively for 20 years or more, is that companies retain billing or call data and it is now somewhat more than just billing data. Companies retain that data for their own commercial purposes. The law allows us, with an appropriate legal reason, to access that data. We are not asking for any change to that system. We are not seeking a Big Brother arrangement whereby the government itself stores all that data and leaves it open for it to manage and control. We want the companies to keep that data. The problem is that, as technology advances, companies do not have the commercial need to keep that data in the way they did in the past. You ask what has changed. Our ability to access that data is increasingly limited by the quality of the data and the amount that is kept. So we are simply seeking a change to the legislation to enable or to require the telecommunications providers to retain that data for a period of two years, as they have done in the past but have less of a need to do so now.

ACTING CHAIR: If it is all right with colleagues—and please feel free to jump in on this—I might hold off on the data retention and that side of our work until a little bit later and instead keep taking you through where I started, although I appreciate you raising that issue because it is obviously an area of great interest. How often do you come up against a situation where you are severely limited by existing legislation in terms of electronic surveillance or other matters you might want to raise? And how do you handle those situations?

Mr «Irvine» : We are not discussing a huge brick wall that is just suddenly there. We are discussing the gradual accretion of obstacles that hinder our work in terms of having to go through very considerable time-consuming, bureaucratic procedural processes in order to have one person covered, for example, under a variety of warrants and processes. At the moment you have to operate through a warrant on one person or on one device when that person has numerous devices and so on.

ACTING CHAIR: I guess you can probably see where I am going here. But just spell out for us, rather than that kind of administrative multiple overlapping warrants sorts of issues—and I am still interested in the march of technology arguments that you put to us—what kinds of tools and techniques are individuals using to escape surveillance.

Mr «Irvine» : Without giving too much away, the use of other persons' phones, anonymous phones, phones taken out under false names, social media in ways that escape obvious observation and so on. I have to say that, in the last six to nine months, the prevalence of those evasive techniques, particularly since the Snowden revelations, has increased dramatically. Another is the increasing use of commercial encryption.

ACTING CHAIR: That is an issue that has been around since the 1990s.

Mr «Irvine» : Yes, but not on the scale that it is today.

ACTING CHAIR: Are you concerned that in your push for expanded surveillance powers—and you acknowledge in your opening statement, obliquely I guess, the widespread community concern; you probably believe some of that is unfounded but you, at least, acknowledge that it is there—of governments and agencies such as yours, it is driving more people into encryption and effectively it is an arms race?

Mr «Irvine» : It is certainly driving a lot of what I will call my customers into encryption, because they have very obvious reasons to hide what they do.

ACTING CHAIR: How do you define 'customer' in this context? I have not heard you use that language before.

Mr «Irvine» : The persons who are subjects of interest, if I can put it formally, from a national—

ACTING CHAIR: That is slightly tongue in cheek.

Mr «Irvine» : and international security point of view.

Senator JACINTA COLLINS: Would you prefer 'client'?

ACTING CHAIR: The whole subject freaks me out, but I understand you are being a little bit tongue in cheek there. Please carry on. I am interested in the degree to which the surveillance debates and the kind of overkill that we have seen in the United States, which has effectively been unlawful, is driving much larger numbers of people towards commercial encryption.

Mr «Irvine» : The first thing I would say is that we are not the United States. In my view, we have a very adequate surveillance regime, which strikes an excellent balance between, on the one hand, the privacy of the individual and the needs of national security on the other. That is the first thing I would say.

The second thing is that, in my view, the needs of national security and law enforcement are crucial and the public should not be concerned that there is going to be a gross misuse in terms of invasions of their privacy by law enforcement and security intelligence organisations. If you are going to be concerned about that then, frankly, you are going to be concerned about the way in which commercial concerns use your call data, the content of your messages and so on—which we do not access without a warrant—in order to sell you a new BMW or a new whatever. For the life of me, I cannot understand why it is somehow correct for all of your privacy to be invaded for a commercial purpose but I am not allowed to do it for the purpose of saving your life.

Senator JACINTA COLLINS: Mr «Irvine» , that is—

Mr «Irvine» : Was that dramatic enough?

Senator JACINTA COLLINS: No. It is an amusing defence, because I think you will find most people are concerned about the other purpose also.

ACTING CHAIR: I think it is probably heading towards melodrama rather than just drama. The point is taken.

Senator JACINTA COLLINS: Just while we are in this balance of accountability space—and it is probably more for my own education than anything else—in your opening statement you referred to there being no incidence of deliberate misuse or abuse of the TIA Act by ASIO and where, on a small number of occasions where errors have been made, ASIO proactively informs the inspector-general, who reports them to parliament.

Mr «Irvine» : That is correct.

Senator JACINTA COLLINS: When I read that, the first question I as a relative novice asked was: how are they identified? How would we know? I will give you this example. There is another area of security in a different role that we are investigating at the moment, quite unrelated to ASIO, where guidelines provided for an annual audit, and in a decade there are no records of any.

Mr «Irvine» : That does not refer to ASIO.

Senator JACINTA COLLINS: No, that is what I said. I am just giving you a different example, where assertions are made that there is no misuse, but then when questions are asked about how you would know suddenly the framework falls way.

Mr «Irvine» : Firstly, you are asking me to prove a negative, which is always difficult.

Senator JACINTA COLLINS: Yes, I understand.

Mr «Irvine» : Secondly, how would you know? You would know because, in the case of ASIO, the Inspector-General of Intelligence and Security is—

Senator JACINTA COLLINS: I am not suggesting—

Mr «Irvine» : bound by legislation to draw attention to any misuse of the system or abuse of the system or indeed, as she does, mistakes made and mistakes are not made it—

Senator JACINTA COLLINS: Can you give us an example of the types of mistakes that have gone on in the past?

Mr «Irvine» : For example, we would ask for a telephone company to assist us in an interception. We would give that company the warrant and we would stipulate the dates on which that warrant starts and ceases. Every now and again, somehow or other, someone has forgotten to switch it off on the date that it ceases. You get that. Secondly, you get occasional mistakes in the actual telephone numbers that are put forward. Last year there were less than a handful of incidents, all of which, oddly enough, we reported to the Inspector-General. This is one of the points I tried to make in my opening statement. People just do not understand the extent to which we take our responsibilities to protect privacy and to operate within the law so very seriously.

Senator JACINTA COLLINS: But are requests for authorisations, for example, regularly audited?

Mr «Irvine» : Yes. The Inspector-General inspects all warrants for interception activities.

Senator REYNOLDS: In your opening statement you talked about, and I know you do in your documentation here, the extensive external accountability oversight for your activities. I was just wondering if you could explain a bit further your internal compliance auditing regimes to do the things that Senator Collins was talking about. So how do you go about assuring yourself? The things I am particularly interested in are your internal processes, training your staff and how you make sure you have the right culture within your staff to not only understand the rules but also to protect privacy.

Mr «Irvine» : I think the answer to that question is: we start with the DNA of ASIO officers, right from their opening training. We drum into our officers the need to obey the law, to do only what is proportional, to do only what is proper and to have great respect not just for privacy but also for human rights generally. Certainly in recent years I think we have had a pretty good record in that area. We have four strands of accountability, which I have mentioned, the law and the internal systems. With regard to the internal systems, we recruit and promote people because they have proven that they can be accountable and operate with integrity. These values are encoded in our training and our policies. We also have in place levels of approval for particular activities, measures to protect the intelligence that we collect, measures to set benchmarks before which we can move to the next stage of intrusive activity and so on. That is done by a series of graduated approval processes. No warrant for an intrusive process goes to the Attorney-General without my having read it and signed it. That warrant can be five or six pages of carefully reasoned argument setting out how this particular activity that we want to do meets the various benchmarks that relate to national security and levels of intrusiveness. We do try to operate on a minimal basis, partly because we do not have the resources to operate on a maximal basis.

Ms Hartland : The Attorney-General's Department also has a role in terms of looking at the legality of warrants, as well, so they also have an oversighting process with warrants.

Mr «Irvine» : Every warrant is tested for legality by the Attorney-General's Department, every warrant. I forgot that, sorry.

Senator JACINTA COLLINS: On your last point about internal efficiencies, you talked in your submission and here today about the number of limitations you have, bureaucratically, legally and procedurally. In your desire to be more flexible, to keep up with modus operandi and technology use, what are the practical restrictions organisationally that you have? Is it duplication of legislation? Is it that when guidelines change you are still saddled with older guidelines or procedures? What are some of the other inflexibilities or inefficiencies that you see could be of assistance to you?

Mr «Irvine» : It is not so much duplication of legislation, it is duplication within legislation. For example, in order to look at a particular individual we may need to take out three or four different warrants, each of which requires a considered three- or four-page argument, and yet the argument is actually the same in all of the warrants. So to be able to combine a number of warranted activities together—this is an issue that is covered in the current legislation before parliament—is one such example. The ability to intercept according to a number of different selectors, rather than just the name of a person and a telephone number, for example, to be able to intercept on the basis of other attributes—call areas, time or whatever—would be a great help. It does not in any way change the level of intrusiveness but it simply makes the bureaucratic processes a lot simpler.

ACTING CHAIR: Mr «Irvine» , I think what you were referring to before was the much larger number of people using commercial encryption as a result of the Snowden revelations. There are amendments in the ASIO legislation tabled by the attorney last week that deal with the so-called trusted insiders threat, where someone inside your organisation or an affiliate gains access to information and drops it to a journalist or distributes it somewhere else.

Mr «Irvine» : With the greatest respect, that is still a crime under the Crimes Act. The legislation is not changing that.

ACTING CHAIR: So why do we need amendments to that legislation?

Mr «Irvine» : It is because there is one hole in that legislation. Let's start at the extreme end. Firstly, the Crimes Act provides quite severe penalties for espionage—that is, the covert acquisition of classified government information that is then provided to serve the needs of a foreign state or individual. Secondly, there is a level of crime, under the Crimes Act still, of the passage of classified government information to people who are not authorised to receive it. That is existing. That is not changing.

The third category, which was not there, was that we have found—and there have been some instances of this in recent times, which is what focused our minds on the matter—that people within the intelligence community have been removing classified material illegally, in an unauthorised way. They may not have handed it to anyone, but they have committed quite a serious violation of our security rules and procedures.

ACTING CHAIR: And the amendment is designed to deal with that?

Mr «Irvine» : It is designed to deal with that element. Contrary to some of the things that have been written in the press, firstly, it was never conceived with journalists in mind and, secondly, it does not in any way impinge on the public interest disclosure provisions which were introduced over the last year.

ACTING CHAIR: The so-called whistle blower protections. It seems to me that there are three different kinds of leaks or misuse of information, as you characterise it. One is the removal of information that is then passed on to a hostile authority or somebody who is directly compromising operations.

Mr «Irvine» : Yes, which fits, for definition, the classic definition of espionage.

ACTING CHAIR: The second is public interest leaks, such as, I would argue—though you may not—the Snowden material, which disclosed unlawful behaviour in the United States.

Mr «Irvine» : I think we would have to agree to disagree on that.

ACTING CHAIR: I understand. The third is the kind of leak where the front page of the Daily Telegraph is given details of all the national security amendments weeks in advance of the parliament receiving the bill—for which there are mysteriously few prosecutions in this country. I suppose you could call them the sort of authorised leaks. What are the protections against those latter two kinds of leaks that you see are embedded in your legislation?

Mr «Irvine» : Those protections are not embedded in my legislation per se. They exist and normal practice will continue. The key point about the legislation is members of the Australian intelligence community who take information in an unauthorised way and they do not have to actually give it to anyone, unless of course that person is already the subject of a national security investigation, for example.

ACTING CHAIR: So just wrapping up on this issue: your reading of the legislation—and I will come to your degree of involvement in its drafting—is that there is nothing new that would compromise the publisher from putting material into the public domain; that there is no change from the status quo?

Mr «Irvine» : I would emphasise nothing new, to my mind.

ACTING CHAIR: I do not think I am allowed to ask you for legal advice.

Mr «Irvine» : You would be a very brave man to do so.

ACTING CHAIR: You are dealing with complex legislation. To what degree of involvement did you have in the drafting of the bill that is before the parliament?

Mr «Irvine» : ASIO was part of the group of people centred on the Attorney-General's Department who contributed to the drafting of the bill. The actual drafting is done by parliamentary drafting people of the Attorney-General's Department.

ACTING CHAIR: I am presuming that you were given a copy of the draft bill before it landed in the parliament last week, though—that you had seen it and approved of it.

Mr «Irvine» : Yes.

ACTING CHAIR: It would be a bit curious if you had not. Unless colleagues have other questions in this area, I want to turn now to the issue of warrantless surveillance or the data retention—or you introduced it as call data. You have been one of the strongest voices over a period of time calling for a significantly enhanced data retention regime. I would like to draw quite a sharp distinction between the warranted surveillance regime and the warrantless surveillance regime. With the warranted surveillance, as you described, you read each of the warrants, you go to the Attorney and he issues it and that is kind of the highest level of intrusion that you are authorised to undertake. The warrantless surveillance regime accesses the telecommunications data or the metadata, where I am not sure the Attorney would be aware on any given day of how many of those requests are being made—they would not get to his office. Can you give us, to within an order of magnitude, how many warranted requests does ASIO make in an average year?

Mr «Irvine» : I will not make that public.

ACTING CHAIR: How would that compromise national security if you told us that?

Mr «Irvine» : Partly because the numbers will give foreign intelligence services a much clearer idea of who we are looking at and the extent to which we are looking at people.

ACTING CHAIR: How would they tell foreign intelligence services anything about who you are looking at? I would really contest that statement. We do not know to within an order of magnitude. Is it tens, hundreds, thousands? Presumably, it is not tens of thousands. How does that compromise—

Mr «Irvine» : Let me say, not tens of thousands.

ACTING CHAIR: That is helpful. So not millions of warrants.

Mr «Irvine» : No.

ACTING CHAIR: Tens of hundreds? Just give us an order of magnitude.

Mr «Irvine» : I am not prepared to do that in public, except to say that, with 600-odd investigations a year—very few of which require a warrant, although some investigations require multiple warrants—I think you can get an appreciation of the fact that this is not an exercise in mass surveillance. It is a carefully targeted warranted activity.

ACTING CHAIR: I think the total number for all other agencies combined in the TIA Act annual report numbers a bit over 3,000. So I cannot imagine you guys adding vastly to that.

Mr «Irvine» : No, we would not add vastly to that.

ACTING CHAIR: Where we get into mass surveillance, which is probably where we are going to have another polite disagreement, is in warrantless—

Mr «Irvine» : Can I just pick you up on that. The warrantless activity you call mass surveillance. I strongly reject that description. I have tried to explain that, when we use call data—and you are referring, I gather to call data—

ACTING CHAIR: Among other things.

Mr «Irvine» : it is tightly targeted on individual issues; it is not targeted on having a great pile of data which we sift through pruriently for whatever purpose.

ACTING CHAIR: Let's get into that then. Unless colleagues have other questions relating to warranted regime, I will move on.

Senator REYNOLDS: I have one question of clarification. Could you explain to me the differences that exist at the moment between chapter 2 and chapter 3 in the warrant regimes? It seems that there are differences. Could you explain for the benefit of my background knowledge what the differences are?

Mr «Irvine» : If we are talking about a warranted activity—and it does not actually have to be interception—a warrant is required where there is a significant level of intrusion into a person's privacy. The warrant can only be issued when there is a justifiable reason under law for that intrusion to occur. There are significant benchmarks that have to be reached for the level of intrusion. There is a lesser level of intrusion in ASIO putting a beacon on someone's car than there is in listening to every detail of every conversation.

When we come to telecommunications data, the law describes what is required for a warrant as being essentially the content of a conversation. We use a much hackneyed metaphor to say that, if you have a letter then the letter is the content and the envelope is the call data—for which a warrant currently is not required. We regard call data as normal information, as akin to a CCTV looking into the street or whatever. That does not require a warrant at this stage. Is that clear?

Senator REYNOLDS: In terms of how it is expressed in the submission, the difference and the inconsistencies and what they are talking about in here between chapter 2 and chapter 3, what are the actual inconsistencies that are being referred to?

Mr «Irvine» : I would need to check exactly what your question is referring to. While we are doing that I would make one further point—and it cropped up in a newspaper article out of Queensland just the other day. There seems to be an assumption—and perhaps, Senator Ludlam, when you use the words 'mass surveillance' you are working on the same assumption—that, without a warrant, we can just look at a person's web surfing habits, which may nor may not be—

ACTING CHAIR: I do not assume that.

Mr «Irvine» : something that they would want to have exposed. That, under our definition, is content; it requires a warrant. Senator, can I take the question on notice?

Senator REYNOLDS: Absolutely.

Mr «Irvine» : I need to focus in on exactly what it is. I probably need to take a bit of time to reread—

Senator REYNOLDS: Please do. It does relate to information in your submission about warrant regimes because the difference is at the heart of some of these changes.

Ms Hartland : I think your question goes to heart around thresholds. We can give you some details on that.

ACTING CHAIR: Since we are here, and we are moving from the warranted regime where we are talking about the low thousands in number, at the most—I may be exaggerating, but you are not able to pin it down—to the warrantless regime where all other agencies who report against the TI act, combined, last year made 320,000 or 330,000, I am presuming it would compromise national security if you told me how many of those requests ASIO makes through its internal processes.

Mr «Irvine» : Yes. I would not want that figure to become public.

ACTING CHAIR: Can give us an order of magnitude? If I start teasing you about whether it is in the millions, would you tell me that is not in the millions?

Mr «Irvine» : We are going to have another one of those drawn out exercises.

ACTING CHAIR: It is just that we tend to come away empty-handed. Misinformation flourishes in a vacuum. If you do not provide us with the information, I have to guess.

Mr «Irvine» : The number of requests that we make for telecommunications data is classified. It is proportionate, if you like, to other agencies.

ACTING CHAIR: It is in the hundreds of thousands?

Mr «Irvine» : No, with other individual agencies.

ACTING CHAIR: So it is in the tens of thousands.

Mr «Irvine» : It is proportionate to the number of investigations we carry out each year, and it is only related to the investigations we carry out each year.

ACTING CHAIR: I would expect so. There is probably no use in tormenting you. You are legally prevented from being specific about this, is that correct?

Mr «Irvine» : No. It is a judgement that I have to make as Director-General of Security, who is responsible for the security of the operations.

ACTING CHAIR: I think the Attorney-General's Department did this for us on request about two years ago: could you provide us with your working definition? You said before that you would consider somebody's web history to be content data rather than non-content data—it is a good distinction to draw. Could you provide us with your working definition. You call it 'call data'. It is called sometimes 'metadata', 'traffic data', 'telecommunications data'; the words are sometimes used interchangeably. Could you table for us your definition of what is in and what is out?

Mr «Irvine» : Yes, I can. I believe we have already done this previously in Senate estimates—

ACTING CHAIR: Maybe going back a while.

Mr «Irvine» : of the definition of call data.

ACTING CHAIR: I know the Attorney-General's Department has. I am just interested in benchmarking the definition.

Mr «Irvine» : We operate off the same one.

ACTING CHAIR: I do not know whether everybody will have seen that—


Senator REYNOLDS: I have not.

ACTING CHAIR: Could you table that for the benefit of the committee?

Mr «Irvine» : I can table it, yes.

ACTING CHAIR: I will come back to it once everybody has a copy. Give us some advice, if you will, as to how—

Mr «Irvine» : Sorry, I have just been advised that the definitions are included in part 5 of our submission, on page 13. There are two categories, under the headings 'Information that allows a communication to occur' and 'Information about the parties to the communications' who owns the service. The definition of content, which is not on that page—I am not quite sure where it is in our document—means the capture of the conversations, the capture of the actual documents and their content, email, applications and media. This is what we have to do. We can only access that lawfully under warrant.

ACTING CHAIR: What about the subject heading of an email message?

Mr «Irvine» : I will need to check on that, but that would not necessarily be regarded as call data. I am sure that that would be regarded as content.

Senator JACINTA COLLINS: In the definition of data in category 1 on page 13, data capture is the internet identifier for a person and the time and date of a communication. But from what you are saying, it will not capture who the communication is with.

Mr «Irvine» : It may identify the number of the person with whom the communication has been made.

Senator JACINTA COLLINS: I am just trying to understand how with this definition you can exclude someone's web surfing.

Mr «Irvine» : Because the act of watching someone's web surfing requires a particular activity, and that activity cannot be carried out except with the use of a warrant.

Senator JACINTA COLLINS: But this warrantless activity which will pick up the person surfing through their internet identifier—

Mr «Irvine» : No, you have to make a distinction between an internet communication, of one person talking or writing to another on the one hand, and someone sitting out there surfing the net. It is the surfing the net that is regarded as content, and for which I need a warrant.

Senator JACINTA COLLINS: So that is not then regarded as a communication that would be captured.

Mr «Irvine» : It would not be captured in the retained data or data retention scheme or call data or metadata or whatever.

ACTING CHAIR: So you would know they are browsing, you would know the IP address of the computer they are browsing from.

Mr «Irvine» : No, we would not know they were browsing unless we had a warrant to look at the fact that they were browsing.

ACTING CHAIR: Does that include if I am using a phone handset rather than a desktop computer?

Mr «Irvine» : If you are on the internet and browsing, the apparatus you use is not relevant. If, on the other hand, you were using a handset to send an email telecommunication to someone that would be covered in terms of the call data associated with that telecommunication not the content.

ACTING CHAIR: People use browsers for communication. I have a chat client open in mine at the moment to stay in touch with people much smarter than me. That is communication operating within a browser. Is that caught or not? Emails are bouncing backwards and forwards

Mr «Irvine» : Under the current definitions, if it is an email going backwards and forwards, whether or not you are using a browser, you are sending a communication. It is the fact of the communication—the email or the message—being sent backwards and forwards which is of interest to us when we talk about call data.

ACTING CHAIR: Every time I click to access a web page the browser communicates with the server asking for it and drags that material back. You are not counting that as a communication, but if there is a human at the other end you do count it?

Mr «Irvine» : I do not believe that I can answer accurately on that extreme element of technicality.

ACTING CHAIR: It is not that extreme.

Mr «Irvine» : The principle is that web surfing—your clicking on a particular site or whatever and moving to another site and so on and so forth or, indeed, googling al-Qaeda atrocities or something, whatever it is—is not picked up by us and is not regarded by us as metadata; it is regarded as content, and we need to have a warrant for that.

ACTING CHAIR: Search histories and browser histories?

Mr «Irvine» : For search histories I have to have a warrant.

ACTING CHAIR: These are useful distinctions to draw, and they are not necessarily drawn out on the table that you have provided us.

Mr «Irvine» : I know; I accept that.

ACTING CHAIR: Whether or not you are willing to provide us with it, is this all you give to your officers or is there a manual somewhere that makes these distinctions clearer?

Mr «Irvine» : Our officers are dealing under those basic descriptions we have given you, but every case needs to be looked at on its merits—and it is. By the way, we do have detailed policies on those issues under those definitions, and each case needs to be looked at in respect of those.

ACTING CHAIR: I am not interested at all in case-by-case distinctions that you draw, and I would not ask you to provide us with them. If there is anything further you can provide, as opposed to these rather vague examples, I would greatly appreciate it, otherwise it appears somewhat arbitrary and open to interpretation as to what is caught and what is not.

Mr «Irvine» : In the first place a lot of our access to metadata is actually access to identify people and identify who holds a particular phone. In this day and age of mobile telecommunications there is no phonebook. In the old days we would just look it up in the phonebook.

ACTING CHAIR: Yet they still deliver the damn things.

Mr «Irvine» : Yes, they do.

ACTING CHAIR: At the time that a data retention regime goes live in Australia—I understand you are very supportive, and the Attorney-General's comments are a bit more conditional—you are going to need to provide to a service provider a lot more than some vague dot points about what might be in and what might be out. So, could you spell out for us how a data retention regime will function and exactly what it is that ASIO thinks service providers should retain?

Mr «Irvine» : Okay. Let me just start, again, with my point I made earlier. What we are asking for is not new. Most major telecommunication providers retain billing data or call data for their own purposes. Our concern is, as the way in which billing is carried out and so on, that they will not no longer retain such data for their own purposes. What we are asking them to do is to do what most of them are currently doing, possibly with some variations, and that is to retain the data for a period of time. Some already retain this sort of data for much longer than the two years that we are asking for. Essentially what we are asking telephone companies, telecommunications providers, to do is to retain data, subscriber information and information about subscriber activity, within the confines that I have talked about for a period of two years. That can include information about calls to and from, timing, potential location in a very general sense of where the service might be, duration of the call and those sorts of things. This is information that in the past they have kept.

ACTING CHAIR: Some do and some do not.

Mr «Irvine» : Increasingly, though, what we are concerned about is that most will not.

ACTING CHAIR: Yes, because it is expensive and unnecessary for them to hold onto it. You have listed in your examples in category 1, information that allows communication to occur, about general location information, for example, mobile phone cell towers. That gives you a range within a few hundred metres and can be somewhat ambiguous, can't it?

Mr «Irvine» : It can be somewhat ambiguous. It can be a lot more than a few hundred metres. It simply depends on the particular location.

ACTING CHAIR: I would have thought that it also depends on the handset. If someone has their GPS switched on you can pinpoint people to within a few metres.

Mr «Irvine» : I am not sure if the telecommunications retain GPS data, which is different from cell tower data. That may be possible, but I do not believe that we would do that.

ACTING CHAIR: Could we agree though that metadata, as it is defined in your table, could include general location information all the way from quite fuzzy triangulation of cell towers down to virtual pinpoint accuracy of the GPS data as being retained?

Mr «Irvine» : I can agree with the first part of that. I am not sure how accurate the pinpointing could be.

ACTING CHAIR: But there is a range of accuracy, I guess.

Mr «Irvine» : There is a range of accuracy, yes.

ACTING CHAIR: How much data do you envisage such a regime would generate if all this material is being stored? We are to hear from some representatives of the technology sector next week who believe that these mountains of material, which were not even in existence and had not even been conceived of a decade ago, are being thrown over the side because they are huge and quite costly to hold onto. Have you made any estimates, as one of the country's leading proponents of data retention, as to how much data this material will actually be?

Mr «Irvine» : It is very difficult to predict. One thing you can be sure of—and I am sure you will be pleased to hear me say this, Senator,—is that that amount will grow, so it will be a problem.

ACTING CHAIR: It is growing exponentially.

Mr «Irvine» : At the same time I am very conscious of the fact that the cost of storing data is coming down in about equal proportions to the rate at which the acquisition of it is growing. This is an issue: if the government decides to go ahead with this legislation—and that is not for me to decide or to comment on—there will need to be a very, very strong level of consultation with the current telecommunications suppliers. Let me just say that the current arrangements in relation to metadata are that the telecommunications suppliers do store that and have the equipment to store it. We pay for access to it on a service-by-service basis.

ACTING CHAIR: That is more around targeted data preservation though, isn't it? If you have a person of interest, you can contact the telco and say, 'Trap that person's material until our order expires'. There is data preservations and hosted data retention.

Mr «Irvine» : It is not quite like that. What would happen is that we would go to the telecommunications provider and say 'Please give us the relevant elements of data listed on a particular service,' for example. It generally would be historical data not future data. We would then pay the telecommunications provider for giving us that information. If you think about it that is another restraint on this notion of mass surveillance. If ASIO had to pay for levels of mass surveillance, as have been talked about in the press and elsewhere, we would be broke in a week.

ACTING CHAIR: With the greatest respect I think that is something of a red herring. I thought this place passed amendments—I think about two years ago—to data preservation orders that allowed you to require a telco, or at least politely request, to retain targeted persons of interest material until you no longer needed it.

Mr «Irvine» : We can ask a telephone company to retain future data for a period of time.

ACTING CHAIR: You can also prevent them from deleting stuff they already hold. I remember those amendments.

Mr «Irvine» : If there is a reason. That, I would have thought, would be quite normal.

ACTING CHAIR: It was not normal until this place legislated that you were allowed to do it. I have no problem with that by the way. That is targeted discriminate and proportionate. In my mind it is data preservation for the persons of interest rather than data retention for the entire population of men, women, children, dogs and cats.

Mr «Irvine» : They are part and parcel, I think, of the same principle.

ACTING CHAIR: I would draw a striking distinction between the two, but let us move on. So, you are not able to tell us how much data the regime would generate. Have you made any estimates on an annual basis of how much the increase would be?

Mr «Irvine» : I am not a technical person and the figures would not be very meaningful.

ACTING CHAIR: But you are advocating for strikingly technical proposals.

Mr «Irvine» : Yes, I am.

ACTING CHAIR: You cannot really come in here and then say, 'I'm not technical.'

Mr «Irvine» : Well, I just did. The issue is: the government, in considering this legislation, will need to consider that matter, that is, how data is stored and the relative volumes and what the potential costs would be, with the industry and will need to take that into consideration in framing whatever legislation it brings forward if it does bring forward this legislation.

ACTING CHAIR: Mr «Irvine» , the AG's department, to my knowledge—it may have started sooner—started consultation with industry on this issue in about 2009.

Mr «Irvine» : There have been discussions on and off with industry for some time. There will need to be further discussions on this and other matters before the legislation proceeds.

ACTING CHAIR: Truly. Do you believe that any additional safeguards against privacy concerns or data leaks would need to be implemented to prevent this from becoming just a massive honey pot of personal information?

Mr «Irvine» : In principle no. In practice it may be necessary for two things to happen. One is that for the Inspector-General of Intelligence and Security to be able to have the resources to inspect access to these things to the level of assurance that would satisfy parliament—

ACTING CHAIR: You just had a budget cut; I guess you are well aware of that.

Mr «Irvine» : Nevertheless, I think that to be effective the Inspector-General of Intelligence and Security needs a certain level of resources. The second question is, if large volumes of data are being stored, what provisions need to be made to ensure the security of that data from unlawful access?—that is, not by ASIO or law enforcement. This is an issue that relates, in my view, to the responsibility of telecommunications providers and does not only relate to stored data.

ACTING CHAIR: They do not want this proposal at all, so it is a bit unfair to put that onus back on them.

Mr «Irvine» : But the onus has to be on the telecommunications providers, regardless of whether you have stored data. In my view, responsible telecommunications providers have an obligation, regardless of whether or not they store your data, to protect your privacy when you use their services. They also have an obligation to ensure that your services are not interrupted by hackers and whatever. In our view, that obligation to protect the continuity of the service and the privacy of the information contained in it would also apply to their retaining of metadata.

Senator REYNOLDS: Perhaps I could clarify that point: you are saying that the obligations that already are—and should be—on the telcos should be sufficient to deal with any additional storage requirements under this legislation.

Mr «Irvine» : Absolutely.

ACTING CHAIR: But would you acknowledge the privacy principle that we should not be collecting material that is not necessary? If it is not collected it cannot be abused, by ASIO or by hackers or by industry insiders or by any other malicious actors.

Mr «Irvine» : I would in reply ask you to acknowledge the principle that it may indeed be necessary to retain that information for a period of time if that gives us greater assurance in terms of protection of lives.

ACTING CHAIR: That is where I was going before with the data preservation notices. You have very wide-ranging powers to identify persons of interest and order preservation of their material. I guess I object to the principle that unless you have the ability with any Australian from birth—for their entire lives—to snoop around in their material, then lives will be lost. I think, again, you are slipping back into melodrama, with respect.

Mr «Irvine» : It already occurs.

ACTING CHAIR: Tell me what already occurs.

Mr «Irvine» : The preservation of such material, and billing material has been preserved for a very, very long time.

ACTING CHAIR: But you are aware, for example, that the location of handset data never used to exist. How did you solve crimes before these vast clouds of metadata came into existence?

Mr «Irvine» : In exactly the same way as we do now. When a telephone call was made on a fixed line we could pinpoint, to within 10 metres, exactly where the telephone was at the other end of the line. I do not see any difference.

ACTING CHAIR: I guess the difference is that you are asking for access to material that did not exist at any scale five or 10 years ago—and your language has not been as strident as some that we have heard in the course of this inquiry already. At the same time as you are claiming that you are losing access to material, you are demanding access to material that simply did not exist before. I struggle to reconcile the two. And I also struggle to reconcile the argument that it is not at all invasive, it is not an abuse of privacy, yet without access to it you cannot solve intelligence questions.

Mr «Irvine» : With the greatest of respect, Senator, I think that glosses over a whole series of issues. Firstly, do I read into what you are saying the implication that there are new tools available but we cannot use them?

ACTING CHAIR: Not new tools—new means of communications, or new metadata.

Mr «Irvine» : But those means of communications are the tools of the security intelligence business. For us they are the evidentiary intelligence trails, if you like, without which it becomes much more difficult for us to do our business.

ACTING CHAIR: I guess the point I am making—and I do not want to labour this point—is that most of these trails and forms of communication and location data of mobile handsets and social media profiling and so on did not exist 10 or 15 years ago, yet you managed to be a perfectly effective intelligence agency for decades.

Mr «Irvine» : They did not exist in quite the same form, but the general principle existed then, and what we are seeking is to modernise the legislation to take account of that technological change.

Senator REYNOLDS: Again, just to clarify for myself: what you are saying in answer to Senator Ludlam's question is that in the last 10 years the new technologies that people are now using have changed, and therefore you need to change the access to the information, the technologies that they are using, to keep up with them. Is that right?

Mr «Irvine» : That is exactly right.

Senator JACINTA COLLINS: I would like to explore a little bit further the additional safeguards you were discussing a moment ago. This is in relation specifically to the data retention issue. With the inspector-general looking at any requests for access, what is the difference between what currently occurs and what you might envisage would occur if we introduced data retention?

Mr «Irvine» : When we are talking about call data, not warranted activities, the inspector-general currently does not inspect the requests in advance. What normally happens—

Senator JACINTA COLLINS: She audits post facto.

Mr «Irvine» : She audits and if she finds that there have been errors or whatever or that we have not obeyed the rule of proportionality, she will advise me and advise the minister, and ultimately it will appear in her report to parliament. I believe this is an asset, as it were—a positive activity—and I am not discouraging the expansion of that inspection process in any way.

Senator JACINTA COLLINS: Regarding provisions to secure the information from other forms of potential misuse, what would you envisage that we might require of the telcos retaining this information to secure the data from other misuse?

Mr «Irvine» : If I understand you correctly, you are asking what obligations the telecommunications company would be under.


Mr «Irvine» : We are currently considering—and I believe we have initiated discussions with the telecommunications sector—the revision of legislation, and in fact introducing a telecommunications security reform bill, which, as I said before, legislates an obligation on the part of the telecommunications providers to take appropriate steps—and how you define 'appropriate' is obviously an issue—to protect the customers' information that is carried over their networks from external attack or whatever and, secondly, to protect the continuity of the service itself. If your telecommunications service goes on the blink and you cannot get an email message off, that is uncomfortable. But consider all of our national infrastructure, which hangs off the internet now and is totally dependent on telecommunications and suppliers and their reliability. If they fall down and their reliability falls down, we will start to have major concerns. The ability to interrupt your opponent's crucial war-fighting and/or national survival capabilities by electronic means is the warfare of the 21st century.

Senator JACINTA COLLINS: That raises an interesting point that I have been aware of for a little while—it leads to other personal security and, indeed, broader security information. For example—and this is related to a communications issue also—airline carriers are aware of your travel with other airline carriers. Presumably that information is then available to a broader network if it can go from Qantas to Virgin or whoever else. It is another example where perhaps we need to relook at the security and what we allow that type of information to be used for, quite apart from the broader national security issues.

Mr «Irvine» : My experience in relation to that is that certainly Australian airline carriers as a point of policy do not disclose to any person off the street information about passengers, flights and that sort of thing. They protect privacy in that way. Law enforcement, to the extent that we need it for national security purposes, can in some form or another access that information specifically for targeted purposes.

Senator JACINTA COLLINS: I suppose what I am suggesting is that your second point on looking at the use of information is perhaps broader than just the telcos themselves. There may be principles we need to apply in a slightly broader framework as well.

Mr «Irvine» : Yes, that could be the case.

Senator REYNOLDS: In your opening statement you talked about your desire to have more effective and efficient targeting. Can you just clarify whether you meant procedural efficiency in terms of the warrant process or were you also referring to your ability to be more selective in your total number of targets? Or is it both?

Mr «Irvine» : Both. The less time I can waste on people who are not of interest the better. The more I can focus in on the key issues of security concern the better.

Senator REYNOLDS: Following on from what you were talking about in relation to your internal compliance processes, do you rely on the Inspector-General's internal compliance auditing regime within your organisation or do you have your own separate regime as well for compliance auditing?

Mr «Irvine» : We do have our own internal reviews and examinations from time to time, usually with cause. We are constantly adjusting our internal procedures where we see that there might be weaknesses or whatever. All I can say in relation to the Inspector-General is that almost all of the so-called discrepancies in our telecommunications activities that have come to light we have self identified and drawn to the attention of the Inspector-General.

Senator REYNOLDS: So you had your own processes to identify them. You identified them and then reported them on. Are they the sorts of things that the Inspector-General would have found anyway through her own methodology or—

Mr «Irvine» : Yes, she would have.

Senator REYNOLDS: They would have got picked up anyway.

Mr «Irvine» : Yes, it just saved everyone a lot of time. I am very confident that the Inspector-General's methodology is particularly robust.

Ms Hartland : Senator Reynolds, I will just clarify, too, that the idea is that the Inspector-General can review all TI warrants. In practice she will do a sampling of those TI warrants, but I note that in her evidence to the committee she said there were no systemic concerns regarding warrants and that that is a process that works well.

Senator REYNOLDS: I was not for a second implying that it was not; it is just that I have a particular bent in terms of compliance auditing and assurance processes generally.

ACTING CHAIR: When we were speaking with the Australian Crime Commission and some of their affiliated organisations and agencies a while ago, they all indicated that there was no requirement to destroy any of the metadata or material they had gathered up, whether it was from persons of interest or not, from year to year. Can you confirm that there is no obligation on ASIO to destroy unrelated material as well?

Mr «Irvine» : We normally destroy information that is of no relevance to our security inquiries.

ACTING CHAIR: That would be a different policy to that adopted by some other agencies.

Mr «Irvine» : I am not sure about the policies of other agencies.

ACTING CHAIR: I am not asking you to comment on those.

Mr «Irvine» : For example, if an interception activity which covers everything acquires information that is of absolutely no relevance, we destroy it.

ACTING CHAIR: Is there anything you want to provide us on notice on what your actual policy is on data destruction? If you have a data destruction policy internal to your agency, that would be useful to know.

Mr «Irvine» : There is quite an interesting discussion of principle to be had. As a government department, we are in one sense required to retain for archival and other purposes under the Archives Act a whole lot of information that ultimately we discover has no bearing on national security issues. There is a bit of a grey line there on whether we are legally able to destroy some of the information we destroy from the point of view of the act. There is a slight conflict.

ACTING CHAIR: That would be an interesting conversation for another day. Finally, you would no doubt be aware that last year the Court of Justice of the European Union struck down the EU data retention directive as incompatible with article 7 of the Charter of Fundamental Rights of the European Union, which relates to personal privacy. What do the Europeans know that we do not? And do you acknowledge that that is a fairly senior legal advisory opinion from kindred democracies in Europe?

Mr «Irvine» : This is a really interesting question because the European Union, the entire group of European countries, made a directive that there would be data retention and it would be for two years. That has not been accepted universally across all the nation-states. Notwithstanding the decision of the court, Britain decided just a couple of weeks ago that they would implement that regime. They made no bones about why they need it. The court said it did not contain sufficient safeguards for implementation across EU member-states and the way it was framed violated the principle of proportionality under EU law. But it did acknowledge that data retention genuinely satisfies an objective of general interest, mainly the fight against serious crime and ultimately public security. I suspect the debate, discussion and, indeed, legal processes in Europe are not yet completed. It would be wrong of us to jump to one judgement of the European court in relation to one aspect of data retention to rule it out as a gross violation of human rights across the board.

ACTING CHAIR: I am sure it does not close the debate in Europe or anywhere else. Mr «Irvine» and Ms Hartland, we have taken up a lot more of your time than we had scheduled. We really appreciate your time with us this morning.