Legal and Constitutional Affairs References Committee - 29/07/2014 - Comprehensive revision of the Telecommunications (Interception and Access) Act 1979

WATERS, Mr Nigel, Australian Privacy Foundation

[11:49]

CHAIR: Welcome. Thank you for talking to us today. Your submission has been received by the committee as number 36. Do you wish to make any amendments or alterations to your submission?

Mr Waters : I do not wish to add anything, but I would like to make a few comments highlighting some of the points in our submission, if that is acceptable.

CHAIR: That is more than acceptable. We invite you to make a brief opening statement and then we will go to questions.

Mr Waters : Thank you, Chair and senators, for the opportunity to appear before you. I have been appearing before this committee for more than 20 years, initially as Deputy Privacy Commissioner but for the last 15 years as a representative of the Australian Privacy Foundation. Most of my appearances have been in connection with various proposals for amendments to, or review of, the telecommunications interception regime. It is very good, and we are very gratified, that you are now having an overview inquiry into the act, because in the past the various inquiries have mainly been about marginal changes to the regime. If I can use the boiled frog analogy, it has always been very difficult to get people to look at the big picture and ask: 'Well, what is this cumulatively amounting to?' There is always a good case that can be mounted by the law enforcement agencies for 'just that little bit extra' and it is very valuable to have this opportunity to take an overview of the system.

I acknowledge the many other submissions you have received. A lot of the points we make have already been made to you, both in submissions and in hearings, by organisations such as the Law Reform Commission, the Council for Civil Liberties, the Rule of Law Institute and the Blueprint for Free Speech, but I would like to highlight a couple of points that might not have come up or to reinforce points that have already been made.

Firstly, there is the question of the scope and context of the inquiry. Whilst the terms of reference refer to two specific reports and to the T(IA) Act in particular, we do not think you can really do the job you have been asked to do without taking a wider set of issues and legislation into account. I know you have been doing that in your proceedings, so we welcome that willingness to look at the wider context. Part of that wider context is the overall level of government surveillance of Australian citizens and residents. We draw attention in our submission, for instance, to the extensive powers and information collection associated with the AML/CTF Act.

CHAIR: We might get you to spell out any acronyms.

Mr Waters : Sorry, that is the Anti-Money Laundering and Counter-Terrorism Financing Act. I notice that the Secretary of the Attorney-General's Department actually made reference to the mutual assistance arrangements under that regime when talking about sharing of information with overseas agencies. It is good that the government agencies are recognising the wider context and it is good also that you are prepared to do that.

There is also, of course, the international context. I know you have already canvassed a number of the parallel reviews, inquiries and developments overseas. Again, it is very important that we do not see this in isolation; it is part of an overall pattern, as we see it, of eventually the whistle being blown on the ever-increasing surveillance state and the importance worldwide that people are recognising of putting some brakes on that where it might have got somewhat out of control.

I welcome the fact that many of the government submissions have started to recognise, in a way that they have not done in the past, the importance of the privacy issues. But there is one glaring exception to that, which I would like to draw your attention to. When I was preparing for this hearing yesterday I stumbled across a privacy impact assessment report on the telecommunications interception act regime that was conducted by the consultants IIS—that is the consulting firm of Malcolm Crompton, the former privacy commissioner. The report was presented to the government in December 2011. I understand it was made public on the Attorney-General's website in August 2012. It is a very detailed piece of work. It contains some very useful analysis of the privacy implications and a detailed set of recommendations about the sorts of safeguards that should be applied to any revised regime, and I think it is extraordinary that the Attorney-General's Department has apparently not drawn the committee's attention to that piece of work, which would I think have been extremely valuable to you.

CHAIR: Well, it still can be, so thank you for drawing it to our attention.

Mr Waters : There is a direct URL, but I only found it by doing a search and just completely accidentally stumbling across it. If you look at the interception act page on the Attorney-General's website there is no reference to it.

CHAIR: Fascinating.

Mr Waters : The access regimes you have canvassed extensively—the warrant regime, the stored communications warrant regime and the authorisation regime. We have just made the point about section 313 of the Telecommunications Act, which in our view is a worrying potential sidestep or loophole that potentially allows agencies to ask for information outside of the legislative regime in the interception act. We are not entirely sure how far that is being used, but I think it is worth asking the questions and making sure that it is not being used to circumvent the intent of the interception legislation.

In terms of the use of the access powers, we have given you some statistics in here, which I know you have from other sources as well, illustrating the growth in the number of authorisation requests in particular. I always like in these contexts to draw attention to an analogy that the UK data protection regulator made several years ago, which is that when you are looking for a needle in a haystack the last thing you should be doing is building a bigger haystack. I think that is worth bearing in mind, because it is quite clear that many of the law enforcement and intelligence agencies are actually drowning under the weight of the information they already have. The problem is not information; it is the way they use information and the way they target and select information. There was a very good question that I think you, Chair, asked one of the witnesses, about how many people are involved in these authorisations, and I think that illustrates the inadequacy of the current reporting regime. We have a lot of figures there, but they do not actually tell you a lot, in particular about the number of actual individuals who are being affected by the regime.

We make reference to the progressive weakening of controls over interception over the last 15 years or so. There is a whole range of examples of that—progressively broader criteria for warrants; progressively broader scope of warrants, including B-party warrants and named-person warrants; the introduction of prospective data requirement for preservation orders; the introduction of the new stored communications regime; and the provision for warrants to be issued by AAT members rather than judges. I think the Law Council made four very good recommendations for clawing back some of those. They were all of concern. And, again, the boiled frog analogy: when they were individually introduced they may have appeared relatively innocuous, but when you put them all together it paints a picture of less control, greater access, greater surveillance.

We make the point about the blurring of what we think is a vital distinction between national security and law enforcement, and also within law enforcement between serious crime and relatively minor transgressions. We spend a fair bit of time on what we call the metadata furphy. I know you have been canvassing that extensively, but one point that I think you do need to be aware of is that there is considerable confusion out there about what is covered by metadata. I know the official line from the government is that it does not include subject lines of emails, for instance. But it is quite clear that that is not universally understood. I think ASIO's evidence that you took recently clearly showed some confusion on their part about what was covered. And I know from raising it in another context with some telecommunications carriers that they also have different understandings about what is actually covered by metadata as opposed to content. So that is something that clearly needs to be addressed.

In terms of metadata, I think it is easy, when we say 'All metadata should be covered by warrants', for the law enforcement agencies to come back and say, 'That's completely ridiculous; it's administratively impossible for us to go for warrants for all of those 320,000 authorisations.' I think one of the questions that needs to be asked is: how many of those are just for customer name and address? I do not think any of us are suggesting that you should have to go for a warrant just to say to a telco, 'Do you have a customer Nigel Waters?' So, we could get rid of that sort of furphy and say that maybe 50 or 60 per cent of requests are in that category and that it is no different from any other business that the police might go to and ask for customer information. But when you get into the details of their billing records, their transactions and all the other associated metadata, then it is our position that that should be subject to the warrant regime.

You have also been canvassing the data retention requirements in great detail. Again, we have a very strong position on that—that a new data retention regime is not necessary. The preservation notice regime should be sufficient to provide agencies with what they need, and there are so many uncertainties, as we have just heard from iiNet, about what the government will actually be asking for and the logistical issues in providing that, the cost of providing that and the security issues that are raised by creating those huge honey pots of data that nobody can give an absolute guarantee of security about. To our mind, they all contribute to the case against those requirements.

I think it is very important that a proportionality principle gets explicitly built into the regime, not only in the objects clause but also at the various levels of authorisations and warrant provisions, where it becomes quite clear that they have to make a case for why they need this information, why they cannot address their concerns from other sources not only to the satisfaction of the authorising official, whether that be a judge or an AAT member, but, we would argue, also to the satisfaction of a public interest monitor, and we strongly support the concept of a public interest monitor role in the process.

At the end of our submission we draw attention to a set of international principles on the application of human rights to communications surveillance, which is being developed by a broad coalition of international NGOs—more than 400 civil society organisations around the world—looking at what is happening in all the different countries and pooling their common knowledge to come up with a set of principles. We would refer you to those. Thank you for your indulgence, and I am happy to take any questions.

CHAIR: Thanks very much for your time and your expertise. Maybe we could start right at the beginning, and you could help us with a question that troubles many people and that Senator Marshall has asked on a number of occasions, which is, 'Who cares?'—what is the point of privacy? Does it matter? Does any of this really matter? As long as the material has been accessed lawfully, does any of this really matter?

Mr Waters : Obviously I think it does. There will be people who continue to trot out the 'I've got nothing to hide; I've got nothing to fear' line. The reality is that we all have areas of our life that we wish to remain private. There is an inherent human right in having some private space, and that extends to information space as well as territorial space. There are some very clear arguments about the consequences of a surveillance state and information being held about us in terms of the chilling effect on people's willingness to explore ideas, to communicate freely with each other and to have relationships that may or may not meet with society's approval—a whole raft of examples where it is clear that if people know or fear that information about them is going to be held and potentially accessed without necessarily any prior suspicion then that will have a chilling effect and will be deleterious in many cases to mental health and social development.

Senator MARSHALL: I am nearly being verballed, but not quite. I am actually a great supporter of privacy. What I want to try and tease out is that this is a relatively new technology. By its nature, it stores stuff; we know it does. We understand the internet—or, at least, I thought I did to a degree. My employer can have access to the stuff I do at work and family members can look at it. What happens at the other end? People can circulate it and forward it on. Electronic communications or putting stuff on the electronic system—because it is not really a communication till someone communicates back the other way, I suppose—ought not come with the expectation of privacy. If I want privacy, I should write you a letter. You keep it private at your end and I will keep it private at my end. Unless someone opens it on the way through, that should be private. Or I should speak to you without other people listening. But I am just not sure. Are our expectations that the electronic system should be private, as we understand it as people over 50, realistic expectations? Personally, I am not sure that it is. If people do not have the expectation that it be private, a lot of these issues sort of disappear. It becomes a little bit like, 'So what? You knew what you were doing when you put all your information out there anyway.'

Mr Waters : There are a couple of points. One is that, realistically, people increasingly do not have the other options. We are increasingly being forced to communicate electronically by the businesses we deal with and by government. We are being pushed into that and it is actually quite difficult these days to operate with pen and paper and verbal communication only. The counterargument is that all we are doing now is using these new technologies to communicate things that we used to do on pen and paper and orally. We had a reasonable expectation then that, if we chose not to share that with a wider group of people other than the person we were communicating with, it would be respected, whether through the post office not opening your envelope or people not tapping your phone or snooping and overhearing you in public space. So why shouldn't we have that expectation simply because we have a new set of tools available for communication? Why shouldn't human beings, as social beings with economic lives and suchlike, be able to use those tools and those facilities without any change to that expectation? I concede that it is probably technically the case that we have to concede some loss of privacy if we want to use these tools, but part of what this exercise is about is saying, 'That should only be to the absolute minimum extent necessary.'

Senator IAN MACDONALD: I always tell my staff, 'Don't put anything on the email that you wouldn't want to see in a headline in The Australian tomorrow.' So even someone of my vintage understands that there is not a lot of privacy. But, as Senator Marshall says, you can have privacy—and we politicians know this—if you throw your phone away and get rid of your iPad. I suppose we do have that alternative, albeit inconvenient in this day and age. I suspect one of the things you say is that we should always ensure that government communications and forms can be filled in manually, although that may be—

Mr Waters : I think you will find that is becoming increasingly difficult. The government agencies are moving in a direction where it will be extremely difficult for a lot of people to not use electronic means.

Senator LEYONHJELM: I know you are from the Privacy Foundation, so you have been coming at this from a privacy aspect. What are your thoughts on the fact that this is not just privacy per se; this is privacy between citizens and the government?

What we are discussing is the claim that the government has a right to look at what you have been doing online, in the same way that you might say that, in 1984, they had cameras in each room of your house and Big Brother could look at you. Or at an earlier age you could argue that perhaps it would be the equivalent of having a federal policeman living in your house with you, checking on what you were doing. Do you come at it from that point of view or are you only looking at it purely from a privacy perspective?

Mr Waters : No, we certainly share those concerns. Privacy and civil liberties issues closely overlap and we work closely with colleagues in Electronic Frontiers—whom you are hearing from later—and with Civil Liberties. I do not think it is any exaggeration to make those sorts of analogies. It seems all very innocuous when it is just data and it is just taking place out of sight, out of mind. But by drawing those sorts of analogies you do actually make people stop and think, 'Gee, would I really like a policeman in my bedroom?' It may not be going that far, but we are moving in that direction. I think that is a major concern for a lot of us.

CHAIR: You raised section 313 of the telecommunications act in your opening statement. Could you tease out what your concerns are there, because my recollection is that that is the same section that is being used to censor particular web pages or particular kinds of content by ASIC, the Federal Police and one other agency—we do not know who. You have concerns about wider interpretations of that section. What are they?

Mr Waters : I am not our APF expert on this one, but my understanding is that there are two separate parts to section 313—that is, 313(3) and 313(2), which are related to crime prevention, which have been used for content blocking. But there is also a wider law enforcement wing, which is section 313(3). That potentially, as we see it, would allow a wider range of agencies than exist under the TIA Act to actually go to a telco and ask for information including, potentially, content information. We have no evidence that it is being used in that way, but one of the problems is that, in a sense, section 313 is a permissive provision. It is not a power. It seems to us that it has been used in the content-blocking sense almost as a power.

CHAIR: We only found out about it because sites were being knocked over, not because there were any reporting obligations.

Mr Waters : Absolutely. The whole idea that things could be happening under section 313 without the detailed safeguards that apply under the interception act is a worry.

CHAIR: Thank you. That is not something that I had come across; it is very useful. You mentioned, as did one of our previous witnesses, the utility of having a public interest monitor providing some kind of adversarial point of view, at least in the application of warrants at the moment. Do you think there is a role for a PIM at a federal level or are you talking about replicating the Queensland and Victorian experiences through their states?

Mr Waters : I think you need them at both levels, because clearly the state monitors can perform that role in relation to the state police and the state law enforcement agencies exercising their powers. But there also needs to be a federal one to play a role in AFP-ACC use of these powers.

CHAIR: Thank you. That is very useful. From the APF's point of view has the experience in Queensland and, more recently, in Victoria, by and large, been a positive one? Do they play a useful role?

Mr Waters : I do not have personal knowledge of that, but I understand from colleagues that they have had limited success. I think there are flaws in the models and they can always be improved. But they certainly have been valuable.

CHAIR: One of the difficulties we have had and I guess one of the tasks to be taken on is proposing reforms that bring privacy protections up to date with the way that some of these powers operating are being used. You put one proposal to us before—that perhaps metadata that was more invasive or more categorical than simply a billing record of 'Who does this handset belong to?' could be subject to a warrant process. I suspect the AAT would ask us for more staff if we did that. But, at the moment, those processes are conducted entirely internally through that administrative arrangement. What other formal, specific proposals, specifically governing the use of metadata that is currently warrantless, do you think would make sense?

Mr Waters : Two things spring to mind: one is better reporting, and more complete reporting—including of rejection rates, which I think is very important. We need to know—

Senator LEYONHJELM: Transparency, you mean?

Mr Waters : Transparency about the number of authorisations, but also the number of requests that were not authorised, so that we can get some sense of how disciplined the agencies are being—

CHAIR: And the number of individuals that are covered, perhaps? You raised that.

Mr Waters : Yes—so a whole range of better and more complete reporting, but also external oversight of any residual warrantless authorisations, because at the moment that is entirely left to agencies. We think either the ombudsman or the inspector general, depending on which agencies we are talking about, should be looking in detail proactively at the level of warrantless access as well.

CHAIR: Thank you. That is helpful. Unless there is anything else, Mr Waters, that you would like to raise with us, we will probably let you go and call our final witness.

Mr Waters : Perhaps I could just mention a couple of other suggestions for changes, apart from the ones I have already mentioned: clearer objects, the proportionality principle, better and more complete reporting, warrants for most but not necessarily all metadata, winding back the range of agencies allowed to access data—that is very important; that has blown out—

Senator IAN MACDONALD: Would you suggest who should not be there?

Mr Waters : We do not think it is appropriate that local authorities or NGOs such as the RSPCA or even some federal agencies that are looking at very minor misdemeanours should be able to have direct access. There may be some arrangements whereby they should go to the police and, if they think there are sufficient grounds, the police could exercise their powers—so some sort of tiered arrangement.

CHAIR: I think the PJCIS made a similar recommendation, though not as specifically as yours. But that was in there.

Mr Waters : Greater thresholds for access, such as the types of crimes for which warrants are given—that has been eroded over the years, and I think the thresholds need to be raised; greater safeguards on sharing and re-use of information after it has been obtained, including internationally; and no additional retention obligations.

CHAIR: We greatly appreciate it. Thank you very much for sharing your time.