Parliamentary Joint Committee on Intelligence and Security - 30/01/2015

ASHTON, Mr Graham, AM, APM, Deputy Commissioner Capability, Australian Federal Police

HARMER, Ms Anna, Acting First Assistant Secretary, Attorney-General's Department

LEE, Mr Simon, Acting Director, Attorney-General's Department

LEWIS, Mr Duncan Edward, Director-General of Security, Australian Security Intelligence Organisation

MCMULLAN, Ms Kathryn, National Manager, Specialist Capabilities, Australian Crime Commission

MORAITIS, Mr Chris, PSM, Secretary, Attorney-General's Department

MORRIS, Mr Tim, AM, APM, Assistant Commissioner, National Manager High Technology Crime Operations, Australian Federal Police

PHELAN, Mr Michael, APM, Deputy Commissioner National Security, Australian Federal Police


CHAIR: Welcome. Although the committee does not require you to give evidence on oath, I remind witnesses that this hearing is a legal proceeding of parliament and warrants the same respect as proceedings of the House itself. The giving of false or misleading evidence is a serious matter and may be regarded as contempt of parliament. The evidence given today will be recorded by Hansard. Do you wish to make some introductory remarks before we proceed to questions?

Mr Moraitis : Thank you. I think my colleague Deputy Secretary Jones made a presentation in our first hearing in December. You also have the benefit of our submission, which you have, so I leave it at that for the purposes of this session.

CHAIR: Okay.

Mr Lewis : I have an opening statement which I would like to share with the committee. Thank you for the opportunity of being here this afternoon. The shocking and what I regard as terrible acts of violence that we have witnessed in Australia, Canada, the United Kingdom and most recently in France emphasise the gravity of the threat that is posed by terrorism. These tragic events as well as the turmoil that we have seen in Syria and Iraq illustrate the disturbed world in which we security intelligence and law enforcement agencies are currently operating with regard to the terrorism threat. We deal in this case with people with no regard for the law, no regard for community and often, I might say, no regard for human life.

ASIO is the only Australian government agency that is legislated to both collect and assess intelligence. Our routine business relies on capturing and verifying numerous sources of reliable intelligence. The functional information provided through telecommunication interception is one such source. It is a source of intelligence which we consider to be a fundamental building block for intelligence led investigations. It is a fundamental building block for ASIO to provide the security protection and the warning which our Australian community expects.

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 that we are discussing today is a critical piece of legislative reform aimed at ensuring that Australia's security intelligence and law enforcement capability remains relevant and effective. Access to historical communications data is vitally important in ASIO's effort to identify threats to security and to keep Australia and Australian interests safe. I want to stress that ASIO is not seeking new powers to ensure access to this information; rather the aim is to ensure legislation is in place that will enable my organisation to keep pace with the inexorable modernisation and standardisation of access in what we know to be a rapidly changing communication environment. Again, this legislative reform is critical to ensure that ASIO remains able to gain an intelligence insight to keep ahead of the people who would wish to commit acts of terrorism, espionage and politically motivated violence and to protect against people with no regard for Australian law or community values.

The historical communication data has proved essential in the resolution of a majority of ASIO's high-priority investigations. That includes the prevention of terrorism attacks. Some ASIO counterterrorism investigations where Australian authorities have prevented the loss of life in Sydney and Melbourne are well known and have been out there in the public arena for some years. Less known, of course, is the way in which historical communication data has been of assistance to us as we tackle the problems of counterespionage. We provided a submission to the committee which you have all seen, and I know one of my colleagues gave evidence in a closed session the day before yesterday.

In the bill it is proposed that historical communication data be retained for two years. ASIO supports this provision. However, I would like to point out—and this is important—that I regard the retention period as a pragmatic compromise. Ideally ASIO data needs would be better met if there were a significantly longer retention period, but I want to stress that, with the competing interests—we do not operate in a vacuum here—of the triangle of privacy, business efficiency and security, I accept that a two-year retention period is an acceptable minimum.

I want to say a few things about accountability because I know that is of interest to the committee. ASIO's role is to investigate and provide advice on threats to Australia's national security, and we take these responsibilities very seriously. In doing this work we are very mindful of the importance of using the least intrusive methods of collection proportionate to the level of threat. When an individual comes to ASIO's attention, there are a range of methods that can be applied to establish whether that person's activities are relevant to security or not. Requesting historical communication data is often one of the most useful as well as one of the least intrusive methods of establishing those matters of fact. In many cases a simple subscriber check on a phone number is sufficient to determine that there is actually no investigation required and the matter can be put aside. This data that we are talking about is collected lawfully in all cases. I as well as my officers understand the sensitivity of these holdings. The holdings are strictly controlled. They are well managed, and access is highly accountable. In my organisation we strictly adhere to the need-to-know principle, and in addition we have numerous internal accountability mechanisms to ensure the protection of the data.

We use more intrusive collection methods only where there is a warrant and where it is warranted by the level of threat to Australia's national security. In these cases ASIO is careful to ensure that the level of intrusion into individual privacy remains proportionate to that threat and in accordance with the guidelines that were provided by the Attorney-General. It is not and will not be the case that ASIO automatically requests the maximum amount of data available. Should this bill become law, ASIO will continue to request access to historical communication data needed only for the purpose of carrying out our function, regardless of the length of time that data may be available for. We abide by the law.

ASIO's work is also highly accountable through, as this committee knows, a range of external processes. Your own committee is one such process. The Senate estimates process is another. We have internal processes within our organisation with which you will be familiar, and I note that ASIO's internal processes are open and regularly reviewed by the Inspector-General of Intelligence and Security, who I understand gave evidence to you a short time ago.

In summary, I would like to invoke some of the words that have been uttered by international figures around this particular question. International figures who have stressed publicly the need for continued access to metadata or historical communication data include Chancellor Merkel; FBI Director Comey; and my opposite number in the United Kingdom, Andrew Parker, the head of MI5. We are not alone in a global situation here. This is an international issue, and we are of course addressing the Australian aspect of that.

So, in summary, I want to reiterate four things. First, access to historical communication data is not a new power. Second, it is a power and authority that is critical to our work in protecting Australia. Third, it is essential to maintain this capability in the face of what I describe as rapidly changing communications landscapes. Finally, we already have what I regard as a strong accountability regime. We have demonstrated—and this has been admitted by the IGIS in her evidence—that we are diligently complying with that regime. Thank you.

CHAIR: Thank you.

Mr Ashton : Thank you for the opportunity to be here today. We have just a brief opening. Commissioner Colvin appeared here on 17 December and made a lengthy opening statement. We bring his apology that he could not be here today. He is certainly keen to continue. I think he has offered to present here with the police commissioners at some opportunity next month, and we greatly welcome the opportunity to do that.

The statement today is brief. It is simply to reiterate Commissioner Colvin's previous address and to add to that that we were very appreciative the committee took the opportunity to visit the AFP headquarters earlier this week. We were able to make a number of presentations to the committee in camera. For the purposes of the public record: those presentations covered a number of different types of cases, including large-scale drug trafficking importation, child sexual abuse, public sector corruption, murder, large-scale fraud and counterterrorism. The efforts that were made at that time in presenting you with those briefings were really to describe the nature of matters and the varied nature of matters for which metadata is used not only by the Australian Federal Police but by our partners who have already spoken here today and are present in the room and the way in which it is used to try to identify, investigate and prosecute crime.

One of the key points that we sought to describe to the committee in presenting those cases was not only the nexus between metadata and the actual investigations and the serious nature of those investigations but also that, importantly, metadata is often used at the very early stages of an investigative process. It often forms the mortar that sits between the bricks of investigations. Without that mortar, often you cannot build a case in which to prosecute. I think that, in describing what happens to metadata in terms of how it contributes to prosecutions and crime, in our opening today we would also make the point that it plays an integral role in that. It is often hard to quantify like to the role that it plays. If you have an analogy to motor vehicle seatbelts, we know that seatbelts save lives but often cannot quantify how many lives seatbelts save, because it is part of a whole range of safety equipment that is in a vehicle. Metadata is similar to that when we are investigating large-scale crime. It plays a critical role and plays it in partnership with a whole range of other technologies, powers and investigative techniques, but it is absolutely critical. Thank you.

CHAIR: Thank you, and on behalf of the committee I thank you for your hospitality and for the informative briefing that you did give us. I think every member expressed to me that they were extremely grateful for the hospitality, so thank you very much. Andrew, do you want to kick us off?

Mr NIKOLIC: Can I resolve what appears to me on the face of it to be something of an inconsistency in the evidence presented to the committee by previous people reflecting on your evidence and what you have said today?

I have heard Mr Lewis quote access to historical telecommunications data as crucial and that two years is a pragmatic compromise, noting that long and complex investigations potentially require more. A number of submissions have expressed divergent views on this issue. Some have said to us that you already have what you need; others have said that one year is more than sufficient. The Human Rights Commissioner, in fact, proposes a one year data retention regime for the first three years of operation, but the Privacy Commissioner in his submission has referred substantively to evidence put forward by Australian enforcement and security agencies, stating:

…evidence put forward by Australian enforcement and security agencies, provides some evidence to suggest that a data retention scheme with a retention period of up to one year may be necessary…

It goes on to say in paragraph 37:

…evidence provided to the Committee at the hearing on 17 December—

Which has been referred to—

states that telecommunications data that is less than one year old is used in a large proportion of investigations.

And, at paragraph 38:

However, the case for a longer data retention period is less clear.

I raised this yesterday. Can I, with finality for the record, understand that what you are saying unequivocally—what I understand Commissioner Colvin said on 17 December—is that, in your words, Mr Lewis, two years is a pragmatic compromise?

Mr Lewis : At the risk of repeating myself, could I just reinforce the fact that two years is not only a pragmatic compromise but it is a minimum—it is the floor below which we could not go and still produce the kind of protection and the kind of analysis that we need. If you were to offer more, or if the result of the legislation produced a longer period of retention, you would get no argument from my organisation, but we recognise that we do not operate in a vacuum and that there needs to be some form of workable compromise. There are a number of very vital interests at stake here, and we think that will do it.

I would also make the point—picking up on the Privacy Commissioner's issue—that while much of the data that we utilise may be short term, that is something that has only been in existence for six months. A point that was made by one of the previous witnesses here was that the data we pull from deeper into the time period is quite often the most important because it will be some critical piece of a major inquiry. I would also—and this is a particular and peculiar requirement for ASIO—reinforce the point that counterintelligence investigations have a very long sine wave. The backcasting and the forecasting around those investigations is very long, and so I would be unhappy at any suggestion—and I do not know where the Privacy Commissioner heard that one year was being suggested, but it has not come out of my organisation to my knowledge. It is certainly not my position.

Mr NIKOLIC: I take it from your comments just then that this is not a quantitative argument—it is not about saying X number of data retention requests are much more plentiful in the early stages under a year, ergo the smaller number of longer term ones are less important. That is the point you are making?

Mr Lewis : Almost the reverse.

Mr NIKOLIC: Finally, the Human Rights Commissioner calls for an independent judicial or administrative authorisation system not just for the content of communications but for an additional warrant process for metadata. I wonder, from your perspective, how workable that is and what, from a tactical operational level, the implications are of adding an additional layer of judicial warrant approvals up-front and what it might do to your operations.

Mr Phelan : When I last gave evidence on 17 December, I think I described that it would cripple our organisation, and I do not resolve from that position. I listened to the evidence of my state police colleagues, and the AFP's position would be exactly the same. We must remember, as we said, that metadata is one of the building blocks that we use as an investigative technique that helps build the picture for us to use those more intrusive powers and, therefore, require a warrant.

To be quite frank, I would find it quite difficult sometimes to actually meet the minimum thresholds required for a judicial authority under the current regimes that exist to obtain a warrant for that type of material, because there is simply not a lot of background there—it is the first building blocks that come from the very infancy of an investigation, whether it be information that comes from an informant or from offshore, whatever that information is. With the time it would take, it would cripple the organisation in terms of man hours to be able to do it.

Mr Ashton : To briefly add to that, if I may: what complements that is that, at the other end of the process, there is now—which we think is entirely appropriate—an increased oversight role of the Ombudsman, a very specific inspection oversight role which attempts to address some of those concerns. We will need speed, we will need to be nimble at the front end in getting this material, and then we understand at the back end, where that urgency is not there, there can be a much more intrusive inspection regime that sits up the other end of it.

Mr Lewis : I spoke in my opening remarks about the laminates of accountability that we currently have in place—the internal ones and the external ones—and the fact that our internal processes are absolutely transparent to the IGIS. To have yet another laminate on top for what I would describe as the 'quick turnaround processes' that this particular problem—the historical communications data—presents, would be an unacceptable impediment to progress. I think we would just get bogged down. If you have a look at the volume of requests that would go through, I think it would quickly become unmanageable, and, if it drops back into a situation where it is not timely, it is of almost no use. There is a perishability around the request and the desire to get hold of the information.

Mr CLARE: Mr Lewis, thanks for your written submission and your oral submission today. I want to pursue this concept of a pragmatic compromise a little more, and you have made the point that, from ASIO's point of view, the longer the information is preserved and retained, the better. I am interested in understanding the mechanics of how this pragmatic compromise was arrived at. Is it true that ASIO made the argument within government for a longer period of time but is willing to accept the two-year minimum?

Mr Lewis : No, I do not think I would characterise the process like that. We have, even within our organisation, a variety of views on how long information should be shared. There are enthusiasts who would want to see it held for long periods of time, and there are others who can satisfy themselves with shorter periods of time. I think your characterisation that the information is better with age is not what I am saying; what I am saying is that, in those cases where we have long, drawn out and very complicated but usually very serious investigations, quite often the nuggets of information will be in the longer-held databases. That is the point I am making.

The issue of parochial compromise is that, within my organisation, there is a high recognition of the fact that there are competing interests at stake here. Each one of those interests is legitimate—I mentioned the triangle, and each point of that triangle is a legitimate interest—and I think that something which is workable for all of those interests and meets all of those interests is the two-year mark. As I said, I would be very unhappy about anything less. If the committee was minded to consider something more, then you would not get any complaint from me, but I am conscious that this needs to be an acceptable position for our wider society.

Mr CLARE: Did ASIO provide any advice to the Attorney-General's Department suggesting that the period should be longer?

Mr Lewis : I cannot think of it off the top of my head. We certainly have had discussions about what the length of time should be, but I do not recall at any point giving him specific advice. I will just ask for confirmation on that, but I am pretty sure that is the case.

Mr Moraitis : The process—and Ms Harmer agrees—is a process of iteration with our agencies and the portfolio AFP/As and we have a very close, productive working relationship. We as a department look at empirical evidence and there is evidence of that in our submission. It actually quantifies the period in a qualitative and quantitative way, to address Mr Nikolic's point. I am sure the shorthand, pragmatic compromise that Mr Lewis alludes to is us as government having a pragmatic, good faith take on which way this should land. And a two-year period, to allude to discussions previously by the state police forces, is a floor—it is a minimum period that we think gets us as close as we can—

Mr CLARE: I appreciate that; I am conscious of that. I have a little bit of experience in the operations of the department and the agencies that are before us.

Mr Moraitis : I am sure you do.

Mr CLARE: I also note that, from time to time, those agencies might provide you with advice, either written or oral, about their own views about the development of a proposal that might go before the Australian cabinet. Therefore, I am interested in how that pragmatic compromise was arranged—not in shorthand but in longhand? My question to you is: did the Australian Federal Police or ASIO or any other law enforcement agency provide any advice, either orally or in writing, to you suggesting that that two-year period should be longer?

Mr Moraitis : I will ask Ms Harmer to answer that.

Ms Harmer : The AFP and ASIO have both engaged extensively with the department in the development of this legislation. As this committee is aware, we have naturally been considering the policy issues for some time. This committee has previously made some recommendations around the retention period, so it would be correct to say that ASIO, AFP and indeed other agencies have expressed views in the course of development of the data retention measure on the appropriate retention period. That has included the views that agencies have provided to this committee on the appropriateness of the length of the period and that agencies would value a lengthy retention period.

Mr CLARE: That is a very, very good answer. But there is enough in it for me to interpret from that that those agencies provided you with advice that may include that it should have been longer than two years. My question then is: who decided that it should be two years?

Ms Harmer : Those agencies did, as you say, provide advice, as I indicated before. Again, the committee has also expressed some views on a retention period and in the development of the measure it weighed those issues, considered the views of agencies, industry and also the views that this committee itself has expressed on the appropriateness of the retention period. A number of witnesses to this committee and a number of submissions have reflected that there is an exercise in proportionality to be considered in terms of proportionality as a measure. So the measure will only be proportional in circumstances where it is appropriately directed at a legitimate end. The agencies have expressed views on those legitimate ends being the functions that they perform in protecting the safety and security of Australians, and the enforcement of the criminal law. There are also industry considerations and also privacy considerations. So all of those factors weigh into the proportionality and, through that, through looking at empirical evidence and at agency views we have reached a view and the government has attempted to put forward a two-year retention period.

Mr CLARE: That is another very good answer. Can I interpret out of that that the Attorney-General's Department formed the view that two years is the right amount of time, having sought advice from the agencies and that the government has agreed to that two-year period?

Ms Harmer : That is correct.

Mr Lewis : Mr Clare, could I just clarify the comment I made to you just a moment ago, because it obviously predates my time in this appointment. However, there was earlier discussion about a variety of periods, from two to five years, that took place between ASIO and the Attorney-General's office. I arrived on the scene at the time when two years was in contemplation in my own organisation and I am personally committed to that two-year period. I believe that is a compromise point, which I think is workable.

Mr CLARE: Just to explore that in a bit more detail, I am very conscious that law enforcement agencies consider this information to be critical. We have had that impressed upon us a number of times. You have provided us with some really useful information about the currency of that information. But we have had the New South Wales Police come before us and say, 'The longer, the better; seven years would be better, thanks very much.' The impression I am getting from your evidence is that ASIO has had discussions with the department about a period that might be longer than two years—perhaps two to five—and that the department, based on consultation with your agency and perhaps the Australian Federal Police, have concluded that a pragmatic compromise would be two years rather than a longer period and that that has been agreed to by the government?

Mr Lewis : I think that is a reasonably accurate description.

Mr CLARE: I want to turn to a question that I asked the New South Wales police at the end of their evidence about the events that occurred in Sydney in December of last year. Mr Lewis, you were in the room when I asked that question. I just want to check that you agreed with the evidence that New South Wales Police gave.

Mr Lewis : I am sorry, would you mind running that question past me again.

Mr CLARE: I asked the assistant commissioner about historic communication data and whether this legislation or whether historic communication data would have stopped that event from happening in Sydney. I think the Hansard indicated that it would not prevent it, but it is extremely useful either during the event or after the event to collect information about who that person may or may not have been communicating with. We then went on to have a discussion about preservation orders. I just want to check that you agree with that.

Mr Lewis : I think in the context the question was asked of the New South Wales officer that was here that that is the right answer. I would, however, say that, for my own organisation, you will recall that I mentioned the rather long sine curve of some of these investigations just now. For Sydney you were asking about a particular situation and I cannot and will not comment further about that for all sorts of reasons. It is not uncommon for our inquiries to be on a very long sine curve, and, in that case, the receipt and the use of historic data at the front end of that process may well change the course of actions that are taken.

Mr CLARE: Indeed. The assistant commissioner made that point as well—depending upon how long that event—in this case the siege—takes place. I also asked him questions about the importance of preservation orders and about where they are in place where people have not been identified as a threat, the value that that presents in being able to potentially prevent events like the one we saw in Sydney. I seek your views on that as well because the hard part is identifying people that are at risk and then being able to put in place a preservation notice or a preservation order on the data of these people.

Mr Lewis : The facility of a preservation order is very helpful. It is something we use and it is absolutely the case that if we were aware that something was likely to happen that you can in fact put in place a preservation order around that particular set of circumstances to understand it better going forward. But all of that of course is prospective. Your earlier question about could we have stopped Sydney is a retrospective issue and retrospectivity is a different set of issues here. But prospectively, yes those orders are very helpful.

Mr CLARE: I make the point because this is very complicated and people often get confused about what we are talking about when we are talking about metadata. There is a difference between historic data and preserving data from a point onwards.

Mr Lewis : I should make one other comment. It is important that that preservation order goes to information which can then only be used by us under warrant—that makes it profoundly different, so it is a different order of magnitude. For us to actually access the information that has been preserved—we can ask for it to be preserved—requires a warrant.

Mr CLARE: But it can happen very quickly if circumstances require. The challenge, of course, is where you place those orders.

CHAIR: We need to look at the Hansard record but I also think the assistant commissioner from New South Wales did add that, potentially, incidents like that could help stop future events. I think that was a clear point that he made. Just to make sure that we have got that there.

Mr CLARE: I think that is a fair point. One of the things he said was identifying a cell or a communication network. I think it is important for us in reviewing this legislation to understand its capacity but also its limitations.

Mr Lewis : I support that point that was made.

Mr CLARE: We do not want to create any unrealistic expectations that passage of this legislation is necessarily going to stop things that will not stop. The legislation, when passed and proclaimed, will not commence in full for two years. I want to seek the views of ASIO that they are content or appreciate that there is a time period there before the legislation is fully operational and whether you have any concerns about that.

Mr Lewis : Yes, we are satisfied. We had a discussion internally about this. From the time of royal assent, there is no—dare I say—backsliding in terms of the data that is being held by the telecommunications companies at that point. I think Secretary Moraitis might have something more to say about that.

Mr Moraitis : That is right. We were listening to the testimony before—that there was no degradation and obligation from the moment of royal assent. I think that provides, again, a further floor and provides a relative degree of assurance on behalf of the operational agencies that have been well aware of that.

Mr CLARE: I am sure you would have heard the evidence of Telstra, Optus and Vodafone that they do not have any intention either before or after royal assent, and that gives us a high degree of confidence.

Mr Moraitis : Yes, that is right. That is practical reassurance we also welcome.

Mr CLARE: That must be a reassurance to you about the risk of degradation. I will move to a series of questions to the department specifically, some of which have come out of the evidence we have heard over the last two days. Firstly, we heard from ASIC, who were concerned they were not listed as a law enforcement agency. They were concerned that if they were simply made an agency by regulation by the Attorney-General that they might find themselves getting caught up in a court process. I am interested in the Attorney-General's Department's thoughts of the evidence given by ASIC.

Mr Moraitis : We are quite satisfied with the situation. I am very aware of the points made by the ASIC. I am also aware of the regime that is in place. Speaking as a secretary, I understand the perspective of where they are coming from and the practical reality of the fact that they would be a supplicant under the new regime. And for all intents and purposes, I would start from the a priori assumption that they have a very positive case to make which should be considered very strongly in that context rather than starting at the point. I will try to answer the point about risk.

Mr CLARE: Before you do that, I interpret from your comments that you are positively disposed to their argument. If this committee were to recommend that ASIC were to be listed as one of those agencies, would it be correct to say that the Attorney-General's Department would not be necessarily opposed to a change?

Mr Moraitis : I will take that one on notice, based on your recommendations. We will see how we go. The point I was making was my mind space is that I can understand the arguments and where they are coming from, so in the context of the regime we have set out—

Mr CLARE: Do you think it is a strong argument?

Mr Moraitis : Objectively, yes.

Ms Harmer : In terms of the specific issue that ASIC raised this morning, as I understand it, they reflected that perhaps a declaration as an agency would put them on a weaker footing than they might currently be at the moment. With respect to ASIC—and we have had discussions with them on this point—I do not agree that that is the case. In actual fact, a declaration puts them on a stronger footing than is currently the case. ASIC's ability to access data at the moment relies on their ability to fall within that very broadly and non-specifically cast definition of 'enforcement agency', which does not identify them by name; it relies on them falling within that broad class of agencies who are involved in enforcement of the criminal law and related functions. A declaration as an agency would actually give very specific certainty that ASIC is prescribed for the purposes of accessing data. And I think if anything it puts them on a stronger footing rather than making them more susceptible to challenge on the basis on which they can access the data.

Mr CLARE: On this issue more broadly of the power of the attorney to make such a declaration, we received submissions from a number of different organisations suggesting that the discretion of the attorney in this respect should not be as broad as it currently is in the legislation. ACAN and made some recommendations to us about how that might be restricted to agencies that are responsible for investigating serious offences—I think as it is defined under the TI act.

As you know, the University of New South Wales—and we discussed this on 17 December—also made recommendations about how this might be tightened. Yesterday in evidence News Corporation also made the argument that the powers of the Attorney-General, or the discretion of the Attorney-General in this respect, should be more narrowly defined. Has the department had a look at these arguments and have you formed a view?

Ms Harmer : We have had a look at those arguments and we have heard some of the evidence given by those submitters that you referred to. As I said earlier, the test that is now being prescribed for declaration of an agency is one that substantially narrows and puts greater clarity around the agencies that can access telecommunications data. At the moment we have a very broadly cast description into which agencies may fall simply on the basis of their functions and constitution. The declaration process that is proposed in the bill is one that puts quite a high threshold around declaration of agencies. It would require the Attorney-General to have regard to the functions of those particular agencies—the extent to which they would use or require stored communications or telecommunications data in the performance of those functions—and then introduces some new and quite specific requirements in relation to the extent to which those agencies are the subject of binding privacy obligations in relation to how they treat that information. So the new declaration process does actually include quite significant enhancements on the way in which an agency can become a participant in the scheme to access telecommunications data. Of course in addition to that we are introducing substantial oversight for those agencies that do access the data through the ombudsman, which is not currently present in the scheme.

Mr CLARE: Their argument, if I might put it to you, is that under the proposed schedule 2, 110A(4)(f) is that, in addition to all of those things that you have set out, the Attorney-General can consider any other matter they 'consider relevant'. So this gives the Attorney-General lots of liberty in making those decisions that perhaps they should not have.

Mr Moraitis : The key word is 'relevance'; it has to be relevant to the purposes, so it is not open-ended.

Ms Harmer : I think it is also a matter of administrative decision-making. A minister is entitled to take into account those things that are relevant to the making of that decision. Whether that is specified there or not, that makes clear on the face of the legislation that those matters can be taken into account, but it would necessarily flow in any event that a minister would be so entitled, I think.

Mr CLARE: When can we expect the draft regulation in relation to the dataset?

Ms Harmer : I assume your question relates, effectively, to the extent to which the data that is to be prescribed by regulation is available?

Mr CLARE: Yes.

Ms Harmer : And on that point the data—

Mr CLARE: I guess I am making an assumption. We have the draft dataset. Organisations that have come before the committee that have looked at it have expressed general agreement with it—with the caveat that Optus today, for example, have a number of suggested changes. But there has been a consistent theme in evidence before us over the course of the last few days that there is a hankering to see the draft regulation, not necessarily by this committee but by people who have given evidence before it. But I might say that we are keen to see it as well. I want to get a feel for whether a draft regulation would be available before the end of this month.

Ms Harmer : A draft regulation would prescribe the data that is to be retained under the bill. The proposed dataset is that data. So effectively a draft regulation would produce that dataset which has been referred to the committee. So in effect the existence of a draft regulation is an issue of form in many respects, because a draft regulation would be the procedural document through which the dataset would be prescribed. The dataset that the government proposed is the one that has been referred to this committee and the one on which industry has been consulted and provided its comments and indeed the one on which it is currently preparing—

Mr CLARE: So it is a simple process; it is effectively a cut and paste of the document into a regulation—

Ms Harmer : A regulation would prescribe the dataset; that is correct.

Mr CLARE: Is it the intention of the Attorney-General's Department then to prepare that document in advance of this committee reporting back at the end of next month?

Ms Harmer : The draft regulation would be the formal instrument through which the Governor-General prescribes the data to be retained. So, in terms of this committee's consideration, the dataset that has been referred to provides the substance that would be included in any draft regulation. So the substance of the issue is already before the committee.

Mr CLARE: If this committee were to recommend that, instead of that approach, the dataset should be embedded in the principal legislation that is before the parliament, would that be a major drafting exercise?

Ms Harmer : The dataset that is proposed is one that could be included in regulations. It could likewise be included in primary legislation. I think as I said in response to questions from the committee in December, there is nothing procedurally that would preclude the dataset from being prescribed in legislation. It is simply a level of detail that is typically reserved for regulation, but certainly there is nothing technically that would preclude the data from being placed in the legislation.

Mr CLARE: Costs. We are keen to see the next report from the internal working group. They are now focused on this issue. We have received some evidence about submissions having now been made by Telstra, Optus and others to PricewaterhouseCoopers. Before we report, it would be very valuable for us to have an understanding of what the costs of this scheme are likely to be as well as what proportion of those costs the government intends to subsidise.

Mr Moraitis : As you know, there have been various iterations of PricewaterhouseCoopers' draft reporting. That is still a work in progress. We do not have a final report, and if I did I would not be able to share it with you on this occasion because it is part of cabinet deliberations. To be honest with you, we are still waiting on the finalisation of that report to inform us of the quantum and the reality the Commonwealth bears in terms of the government's commitment to reasonable coverage of capital costs. That is the context in which we are operating.

Mr CLARE: We would be keen, when that process is concluded, to have you back before the committee to explain the report and provide us with some more information on it. Are you able to give us a feel for how long that might take so that we know when we might need to bring you back before the committee?

Ms Harmer : Could I ask you to clarify the question? Are you asking for when a decision might be made on the quantum of contribution or when—

Mr CLARE: First, when we can see the report. When the Attorney-General approves the report—

Ms Harmer : PwC's report?

Mr CLARE: Yes. PwC is providing information to the IWG, if I am correct. Is that right?

Ms Harmer : PricewaterhouseCoopers is providing a report to the Attorney-General's Department that we have commissioned to inform the government, not the IWG.

Mr CLARE: Okay. Nevertheless, what I would be keen to get advice on is when we would be able to see that report.

Ms Harmer : PwC's report on costings is, as the secretary said, one that is being prepared for the purposes of government deliberations. It is not a report that we anticipate being in a position to share. Regarding the decision on costings and the decision on the contribution that the government makes, the government has reiterated on a number of occasions that it intends to make a reasonable contribution to the up-front capital costs of implementing data retention, but it would be a matter for government as to the timing of that decision. I am not in a position to advise the committee as to when that might be.

Mr BYRNE: That throws a rather large spanner in the works, doesn't it? If you have looked at previous committee recommendations, that was one of the key recommendations. So what you are telling us is that the committee is now not relevant. That is effectively what you are saying, isn't it?

Ms Harmer : What I have indicated is that the government has made a decision on costs. This committee previously made a recommendation that the costs should be borne by government. The government has taken into account that recommendation and the decision that it has made is to make a reasonable contribution to those capital costs. That advice I can give to the committee, about the approach to preparing those costs. What I cannot provide is advice as to when the government might make a decision on what that contribution might be.

Mr BYRNE: Could I say to you, via your department head, via the Attorney-General, that it would be in his interests and the government's interests to provide the information that was provided to you by PricewaterhouseCoopers to this committee. If it is not, there will be consequences. Just so that you take that on board and we have it on the public record. It is unacceptable to me, as deputy chair of the committee, and the chair. We have had discussions with Duncan Lewis's predecessor, with your predecessor, and for you to come before this committee and say to me that you cannot provide a costing is completely unacceptable. Regardless of the excuse you provide, it is unacceptable to an oversight committee. Duncan, you are talking about the ISC, where they had 12 months. The ISC would have been given this information. It would have been given this information before it deliberated, but you are saying this committee cannot have it. Frankly, I do not care what you say. It is unacceptable.

CHAIR: I do not think you need to answer that, Mr Moraitis.

Mr Moraitis : I will take it on notice.

Mr BYRNE: You can take it back to your political masters, basically.

CHAIR: The deputy chair is—

Mr Moraitis : My Attorney, yes.

Mr BYRNE: I am sure he is listening.

CHAIR: I do not think there is any need for you to respond to that.

Mr CLARE: If I might just add one point, the Australian Federal Police have been very open with the committee in providing in-confidence information which is helping us with our deliberations—ASIO as well. All of that information, which is not made public but is available to the committee, is extremely useful for the members of this committee. It is the information we need to prepare our report. I do not think there is any disagreement around this table about how important this legislation is and we are trying to scrutinise it as best we can to make sure that we provide the best possible advice to the parliament and, for that matter, the government.

But a big part of this is: how much does it cost? How much is it going to cost Australian taxpayers? We are law-makers who need to make decisions on laws, and one question we need to have an answer to is: how much does this cost in total, whether it is ballpark or exact—and it will take some time for it to be made exact, I appreciate—and what proportion of that is going to be covered in the budget? For that reason, I think it is in the interests of the government to provide this committee with that information.

I am not talking here about the proportion of it—I appreciate that that is something that needs to go through the cabinet process. I am particularly talking here about what the report says. If this committee is deprived of the information in that report, I think that would be a mistake.

Mr Moraitis : Thank you. I appreciate that point and I will take that on board and convey that to the Attorney.

Mr CLARE: I just want to move to the issue of the security of data. We have heard from a number of witnesses about that. One of the recommendations that this committee made in 2013 was that it be mandatory that data retained under a scheme such as this be encrypted. My understanding is there is no specific provision in the legislation to deal with this. We did have advice or evidence over the last few days about this from a number of different witnesses to support it, including Optus today, who described this as a sensible approach. This is another one which the department may like to take on notice because it is a policy decision that would need to be made by the government. But I am interested to get some advice on why that recommendation of two years ago was not implemented in this bill and whether it should be.

Mr Moraitis : You mean regarding encryption?

Mr CLARE: Encryption.

Ms Harmer : There are a couple of points that I can make in that regard. As a number of industry participants have reflected in their evidence to this committee, it is already the case that the industry retain a range of telecommunications data and that they are subject to a range of risk based information security obligations which oblige them to provide a certain degree of security, including under the Privacy Act and the Telecommunications Act. Those existing obligations apply to the whole range of their information holdings. Of course, data retention would be just a subset of the holdings that an industry participant might have. We would expect that the standards that the industry apply to their current data holdings would continue to apply to any additional holdings that they might accrue under the data retention measure. I should say in that regard that it is the case that we work closely with industry to manage security risks, including protecting networks. We have had productive and positive engagements with carriers on that particular front.

The other thing that I should add, which I think is reflected in our submission and may have been alluded to in Deputy Secretary Katherine Jones's opening statement in December, is that the government has committed to a broader piece of work around telecommunications sector security reforms and has indicated that it intends to bring forward legislation this year, and prior to the conclusion of the implementation phase of data retention, which addresses broader issues in telecommunications sector security. So the government's approach to the PJCIS's recommendation on encryption takes into account that broad context of the existing data protection obligations that carriers are subject to, the existing engagement that we have with them and forthcoming telecommunications sector security reforms.

Mr CLARE: Which may include encryption?

Ms Harmer : Those reforms are coming forward. They would include, I understand, broad principles in relation to the security of information. One thing that this bill naturally does not do is prescribe the particular way in which carriers must go about their business. Rather, it defines in broad terms the obligations they would be subject to without technologically specifically prescribing how they should go about it.

CHAIR: Is using the word 'encryption', then, too technologically determinant?

Ms Harmer : Using the word 'encryption' does beg the question of what type of encryption and to what standard and in what respect. I think it certainly reflects the intent of this committee, and the recommendation was understood as being about importing a degree of protection for the data. But it is fair to say that, in our engagement with the industry, while some providers asked for certainty and for a prescriptive approach to how to go about doing things, others have been very clear on the fact that being very prescriptive about how a measure should be implemented fetters their ability to run their businesses, which of course are ones that they must run at a profit.

Mr CLARE: That was one example of a lot of recommendations that have been made by different organisations before the committee over the last two days. If you trawl through the submissions, there are a lot of proposals about how the legislation might be amended or adapted. Soon this committee will need to trawl through those one by one and make a decision about whether we agree with those and whether we will incorporate them into our recommendations to the government. I am just wondering whether the Attorney-General's Department might be of a mind to conduct a similar exercise. I am conscious of your comprehensive submission. It is comprehensive and we are grateful for it. But in conducting our work and contemplating whether we agree with those recommendations which have come from a range of different organisations I am wondering whether the department might go through those same recommendations and, in consultation with the Attorney, provide advice to this committee about its thoughts on those recommendations before we finalise our report.

Mr Moraitis : So before the finalisation of your recommendations you would like a checklist of what we think—

Mr CLARE: Yes. I think it would be useful for the committee if, before we write our report and say, 'Recommendation 1 is that you should make this change to the bill based on the advice we got from organisation X,' that we have your thoughts on that as well.

Mr Moraitis : Okay, yes.

CHAIR: Sort of like a collation—

Mr Moraitis : Yes, I understand. I just wanted to clarify that you want it before the finalisation of your recommendations.

CHAIR: Yes, before.

Mr Moraitis : We will take that back with us.

Ms Harmer : We have reflected on a number of the issues that have been raised in submissions in our own submission because we anticipated that those would be raised or because we explained the effect of the bill in a particular way. The only thing that I would say is that we would certainly be assisted if the committee can inform us if it is considering particular recommendations. There is obviously a very large number of submissions, and there have been some recommendations which we have dealt with in our submission. Naturally, if the committee and the secretariat are working on a particular list of recommendations, we could tailor our advice to particular questions and particular approaches.

Mr CLARE: I was reading through the Optus submission today, for example, and it has some very explicit recommendations about making certain changes to the bill. As I was reading through that submission, I thought, 'We would be assisted if the department could give us advice on its views on those suggested changes.'

Mr Moraitis : I guess Anna's point is that it would be useful to have a list of which ones you are focusing on. Is it every single recommendation in every single submission? Are there 120 or 300?

Mr CLARE: That is a fair point. I am sure we can narrow that down to the ones we are particularly interested in.

Ms Harmer : The Optus submission is a very good example of where we could readily provide some information that would assist in considering the effect of the proposed amendments, whether amendments would be appropriate and what the consequences of those would be. I think a number of other submissions have made somewhat broader recommendations. Gilbert and Tobin's submission is another that has raised quite specific recommendations. If we could get some guidance on some of the others that you might be considering then we would be happy to provide some comments.

Mr CLARE: Thank you for that.

CHAIR: We will be happy to have a discussion, and we will provide that guidance.

Ms Harmer : Thank you.

Mr CLARE: There is one last area I want to pursue, which is the submission by the Internet Society on the issue of public wi-fi and this being a loophole. Mr Ruddock is not here at the moment, but I know he is interested in this as well, having asked some questions in December. When the New South Wales Police appeared before us an hour or so ago, I asked them questions about this as well. They described it as a risk, and Victoria Police described it as a big gap in the legislation and a vulnerability. The Internet Society yesterday said something along the same terms, that this is a gap that we need to be very conscious of. I am very keen to have those concerns satisfied before we finalise our report.

Ms Harmer : I think perhaps when we had our earlier discussion in December I may have been at somewhat cross-purposes with Mr Ruddock, so it is probably useful that we can clarify some of the comments made at the time and address some of the risks that agencies have identified subsequently. What the bill does, as I said, is to describe the data retention obligation but to describe it in a way that is a proportionate response to the particular challenges that agencies experience in accessing data. It does not provide comprehensive coverage of the entirety of telecommunications services provided in Australia. Indeed, it includes a number of quite specific exclusions to make sure that the measure is appropriate and adapted to the particular ends that are to be achieved. One of the exclusions that is then made in that particular context is to those services that are provided to a 'same place'.

I think where I may have confused issues in December was by references to cafes. In that instance I was not referring to internet cafes in the sense understood as providers of access to internet services but to more commonly your takeaway venues and coffee shops that might provide internet access that is at their premises and that they provide as a courtesy to their customers. That is an exclusion from the coverage of the scheme. It is an exclusion in the sense that the coffee shop then is not the subject of an obligation to retain data in respect of the service that it provides to the users of the coffee shop. It is nevertheless still the case that the telecommunications service provider who provides this service to the coffee shop is one that would be the subject of data retention obligations. So it is a question of at what point of aggregation the data is accessible.

Without going into too great a detail about the operational practices of agencies, data may be accessible at a different point in the process. The fact that a particular coffee shop is not required to retain data in relation to who it provides its free wi-fi to does not preclude data from being accessed at a different point in the process, so the exclusions are an illustration or a representation of the proportionality of the data retention measure in that it targets appropriate points in the process and provides data for key telecommunications services.

Mr CLARE: If I understand that right, does that mean that, in effect, there is not a loophole or there is not a gap because law enforcement would be able to get the information they need via the ISP that is providing that service to either the council or the cafe or the airport or the railway station et cetera?

Ms Harmer : That is correct. Carriers, carriage service providers and internet service providers will be subject to data retention obligations in respect of the provision of services to their customers, and their customers may include cafes that then offer their services.

Mr Phelan : If I may, how it would work in an operational sense is that, if an internet cafe or a coffee shop has a service provided by Telstra, we would know that that internet cafe service accessed their system from between the internet cafe and Telstra at a particular given point in time, but we would not know which device within that cafe accessed their internal wi-fi router or modem to do it. It is similar to if it is a home; out of the six or seven or eight phones or devices inside, you do not know which one has accessed it. However, it is a gap in that sense, but it does not mean that we do not have other technologies or other abilities to exploit that situation. It is just another investigative technique. For example, we would know that, if a person is in that area, they are using that particular wi-fi network, maybe, and then could use other techniques. So it is not the end of the world but, like anything else—I think the state police gave the evidence—it would be nice to have and it would be great for law enforcement. We have to do the proportionality test as well, though.

Mr CLARE: Pragmatic compromise.

Mr Phelan : This has been a lot about pragmatic compromise and we have given a lot of concessions.

Mr CLARE: Have you given concessions in relation to time period?

Mr Phelan : Yes. Mr Negus when he first gave evidence said 'indefinite' and I think I have come down from indefinite to about seven and then back to indefinite. Even the examples we have put in our submission that are before you, the two out of the four—and we did not selectively choose those, they are random, major operations. For the one relating to child exploitation material, the web site in particular was compromised in 2011. The referral gets to us in 2013—two years has already passed by the time it gets to us to start anything. At a very minimum, the day it arrives you have lost two years.

CHAIR: We heard similar evidence this morning from an organisation of an exact case where it was four years later.

Mr Phelan : Yes. You are actually beholden to when the originating information comes to you not from when the offence occurred. So an offence occurred last year, three years ago, two years ago, 10 years ago but you can only start the investigation when you know about it. That has sometimes been lost on some of our commentators, that they think the offence occurred and straightaway we have access to the information. That is not true.

CHAIR: On this wi-fi issue, this is something which Mr Ruddock has been very interested in. He has asked me to ask of the A-G's willingness to just look at the evidence that we got from the Australian Internet Society yesterday. They have sought to engage with AGD or at least the Attorney's office—part of the evidence they gave of ways that might be able to assist in this issue. He was very keen for that to be put to you and whether there was a willingness from AGD to engage with the Australian Internet Society—they have made the offer—and to talk to them. I am not sure whether you heard their evidence yesterday, but if you have a look at that, that will give you the background to what they are seeking to do.

Mr Moraitis : Fair enough. Will do.

CHAIR: Thank you.

Mr CLARE: Those are all my questions. I just emphasise once again that I think it would be a mistake to expect this committee to report without having before it information on what the costs of the scheme are. I would ask the Attorney-General's Department to reflect upon that.

Mr Moraitis : Thank you. I hear you loud and clear.

Mr NIKOLIC: Can you recall whether the department provided costings for the 2012-13 inquiry?

Ms Harmer : I do not believe we did on that particular point. The issue that was referred to the committee was one of broad principle which was around broad reform of telecommunications interception legislation including, potentially, data retention legislation. As I think industry have attested to in their evidence, it is difficult to cost and measure until you have specific details and this is the first time that a dataset has been established against which costings could be prepared. So we have not previously provided costings.

Mr NIKOLIC: Thank you, and I did not want to interrupt my colleague's flow, but taking you back to the comments about datasets either in legislation or regulation, I think you said, Ms Harmer, that there is no procedural impediment to having the dataset in either but I wonder what the practical preference for having the dataset in regulation rather than in legislation might be from a departmental perspective.

Ms Harmer : As I said, the level of detail that is proposed to be included in the dataset is one that would be conventionally prescribed by regulation. Typically matters of detail are preserved for regulation with the primary legislation prescribing and limiting the extent to which legislation can be made by delegation effectively. In terms of the practicalities, the key change would be obviously a regulation is capable of being amended somewhat more swiftly in the event that there are technological changes that would require it to be amended. So primary legislation would naturally require a different process. Both require parliamentary scrutiny in slightly different ways. So the key difference would be the extent to which—

Mr NIKOLIC: Are you saying that technological development in recent times requires that sort of agility in terms of reshaping what a dataset might look like?

Ms Harmer : I think international experience suggests that potentially reshaping may be required at a future point. Our international colleagues have reflected on their experience with the EU Data Retention Directive, which took a technologically specific approach to their data set and found that it was very quickly outdated. We have learnt from that in some respects by proposing to prescribe a more technologically neutral data set. But our discussions with industry consistently reinforce the fact that telecommunications technology evolves at a rapid pace. The kinds of services that are available now were not available 10 years ago or even five years ago. There have been radical changes in the technology and the service offerings that are available to customers, who include people who use telecommunications services to engage in criminal acts and other activities. On the basis of advice from industry, we believe technological change is almost inevitable. Regulations would provide a vehicle for potentially making any refinements that were necessary in an expeditious way. That is an advantage of a regulation based approach. Amendment to legislation is naturally possible, but it takes longer.

Mr NIKOLIC: So your preference is linked to the sort of operational necessity you have seen arising from emerging technology in recent years. One of the challenges for us is obviously that the information about telecommunications services and those offerings is information that is exclusively held by the telecommunications industry. They are developing new and sometimes commercially sensitive offerings for the public and we need to be able to respond quickly to that. So, while we expect there to be change, we do not know the direction that change will take.

CHAIR: Thank you very much. I think that is all the questions. We will be in touch with some sort of matrix around recommendations. If there is any evidence that you have heard over the last couple of days that you think also could do with some clarification, we would once again appreciate any feedback. That goes for everyone who is here today. If you feel that there is anything that needs to be specifically clarified, we would welcome that feedback over the next week or so. I thank you for giving evidence at the hearing today. You will be sent a copy of the transcript of your evidence, to which you may suggest corrections. If you have been asked to provide any additional material, please forward this to the secretariat as soon as possible. If the committee has any further questions, the secretariat will write to you. We appreciate your time and, given that we have run a little bit over time, your patience in appearing before us today.