Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Joint Committee on Law Enforcement
29/03/2018
Impact of new and emerging information and communications technology

COYNE, Dr John, Private capacity

Committee met at 09:00

CHAIR ( Mr Craig Kelly ): I declare open this public hearing of the parliamentary Joint Committee on Law Enforcement for its inquiry into the impact of new and emerging information and communications technology. The inquiry's terms of reference are available from the secretariat. The committee's proceedings today will follow the program as circulated. These are public proceedings and are being broadcast live via the web and in Parliament House. I remind witnesses that in giving evidence to the committee they are protected by parliamentary privilege. It is unlawful for anyone to threaten or disadvantage a witness on account of evidence given to a committee and such action may be treated by the parliament as a contempt. It is also a contempt to give false or misleading evidence to the committee. The committee prefers witnesses to give evidence in public. Under the Senate's resolutions, witnesses have the right to request to be heard in confidence, described as being in camera. If you are a witness today and intend to request to give evidence in camera, please bring this to the attention of the secretariat as soon as possible. If a witness objects to answering a question, the witness should state the ground upon which the objection is taken and the committee will determine whether it will insist on an answer, having regard to the ground which is claimed. If the committee determines to insist on an answer, a witness may request that the answer be given in camera. Such a request may, of course, also be made at any other time.

I remind committee members and witnesses that the Senate has resolved that an officer of a department of the Commonwealth or of a state shall not be asked to give opinions on matters of policy and shall be given reasonable opportunity to refer questions asked of the public officer to a superior officer or a minister. This resolution prohibits only questions asking for opinions on matter of policy and does not preclude questions asking for explanations of policies or factual questions about when and how policies were adopted. I ask witnesses to remain behind for a few minutes at the conclusion of their evidence in case the secretariat needs to clarify any terms or references.

With the formalities over, I welcome everyone here today. I start by welcoming Dr John Coyne. I thank you for appearing before us today. The committee has received your submission as submission No. 4. Do you wish to make corrections to your submission?

Dr Coyne : I don't wish to make any changes to my submission.

CHAIR: Would you like to make a brief opening statement?

Dr Coyne : I would like to make a brief opening statement, Chair. First and foremost, I wish to thank the committee for this opportunity. Secondly, on top of the points that I have made in my submission, I want to acknowledge the great work that the Australian Federal Police and other elements of the Australian law enforcement community do in this space and the many hurdles that they've had to cross over the last few years with regard to innovation. I specifically acknowledge their work on child exploitation and the identification of child victims online and the work that they have done in collaborating internationally. With this in mind, I'd like to highlight that the speed at which society currently absorbs new technology is increasing exponentially. By default, that same speed by criminals is increasing exponentially. Unfortunately, in the law enforcement environment, at best we are maintaining the speed in absorbing new technology and at worst we are slowing down. I believe that a number of changes are required to address these challenges. These changes, as per my submission, cross issues such as: culture; the building of an innovation and risk-taking culture within law enforcement with regard to technology; the development of new strategies and approaches that close the gap between the time taken for newer technologies to emerge and for ability of law enforcement to deal with those; new breakthrough financing to deal with sudden changes and disruptions; and new legislation that actually looks at the problem going forward, rather than backwards, as is the case with the Telecommunications (Interception and Access) Act 1979.

In closing, with this technology problem I will use the illustration of 1950s pilots over North Korea. At the time, North Koreans were operating the then most advanced fighter aircraft. They were faster and better armed et cetera. The Americans were operating inferior aircraft, but were able to shoot down extraordinary numbers of North Korean aircraft. They were able to do so, because, in the dogfight situation where you have the process of observing, orientating, deciding and acting, the pilots of the American aircraft were able to observe and act faster than their adversaries. In this case we've spent the last 10 to 15 years addressing issues such as the tilt point of 2000 where we had an increase in access to internet, and such as the tilt point in 2007 with the introduction of the iPhone. What we can do is not try to match those technologies but look for opportunities where we can observe and act quicker. With that, I'm open for questions now.

CHAIR: You talked about a culture of risk-taking that's necessary, and you talked about looking at new ideas. Obviously, with any culture of risk-taking there's the risk that things could go wrong; therefore, there is possible condemnation by superiors. How do we overcome something like that in what is effectively a Public Service organisation like the AFP? How do we go about doing more to encourage that risk-taking?

Dr Coyne : I'll be quite frank. I don't want to sound like I'm politically naive or like I have a Pollyanna approach about this, but the reality is that the 20th century approach that we take to funding and DOFA arrangements don't encourage the technology environment—I'm being very specific about technology innovation. If we look towards the private sector, what we see there is for every R&D development that is successful there are a range of things that fall over on the side.

CHAIR: That's probably 20 to one?

Dr Coyne : I suspects that would be the case. I think it would actually be much worse than that, if we take into consideration start-up companies et cetera. The real challenge here is not so much about risk-taking. A lot of it has to do with dealing with the issues around DOFA accountabilities. There is more encouragement for our senior public servants in this town to continue to deliver projects that are no longer required, because issues have moved on, than there is to cancel those projects. I'll give you a very good example of that out of the UK. Before the London Olympics, the UK government, through Met Pol, was trying to establish a social media web scraping capability. In that process they purchased a range of COTS, commercial off-the-shelf software packages, to do that job. One of the things they set up was a very bespoke capability, which they paid a significant amount of money for over a long period of time—five years. It was, at that time, a very popular social media platform named Myspace, which, shortly after it was adopted, fell over. As a result of that capability, they continued to pay for a monitoring tool that was no longer effective. Those are the risks that we're talking about here. The alternatives of not taking those risks is building systems that consistently take three to four years to develop and are surpassed by technology.

CHAIR: How about the hiring policies of the AFP and, say, the Australian Crime Commission? If there is a technology junkie with this particular expertise, who may be exactly the right person, who you want to recruit and who is capable of working in this field, are we actually recruiting these types of people into organisations like the AFP?

Dr Coyne : The short answer to that is in some cases we are, but overall the system doesn't encourage that. Also, the very nature of employment and law enforcement has changed. If you look towards the latest future strategy for the Australian Federal Police, they highlight this. Operationalising that strategy is incredibly difficult. For instance, take the case of obtaining a data scientist. If the AFP wanted to obtain a data scientist and wanted them to be a sworn police officer, they would have to put that person through 12 months at the academy, bring them out of the police academy, give them two years of investigative experience and then return them to being a sworn data scientist. That's clearly not workable. The models that we have for bringing people into the Public Service are flawed in the same way. It's incredibly difficult, at a time when data scientists or forensic accountants are in great demand, to get them to move from our major cities, like Sydney or Melbourne, and take up a job for less money in the Australian Public Service. That is incredibly difficult. This is where we have to revisit these models and look at alternative approaches.

There have been experiments in the past in this. For instance, the Australian Taxation Office has experimented for nearly 20 years with bringing in cadets in the ICT industry. They're roughly in their last year of university, they work part-time within the organisation, they have a return-of-service obligation—for want of a better term—and they deliver cutting-edge young people in the workforce. That's one example of an approach. But the bottom line, as per the submission, is that what we really need is to take a much more flexible and imaginative approach to staffing issues. That comes from a loosening of arrangements around the Public Service and the employment arrangements for organisations like the AFP and the ICAC. Without that, we simply will not train those people.

I'll give you this example. This is going on within the AFP. Trying to train people retrospectively—for instance, people with no ICT background—in Python or SQL, in writing code, is a flawed process.

CHAIR: How about the retention of staff with those particular skills? Are you seeing that as an issue? I saw some numbers recently—I think it was in one of the annual reports—saying the AFP have something like a 2.6 per cent staff turnover. I think that would be fairly low compared to other sectors, but you mentioned that the demand for people with ICT skills in the private sector is high. Is there an issue of retention?

Dr Coyne : I think there are two answers to that. The first one is a general one of retention. I'm not an HR expert. Having completed an MBA, I have spent some time looking at these sorts of issues for law enforcement and intelligence agencies. Perhaps that two per cent is particularly low and it's not necessarily healthy. There's always a counterbalance between having too high or two low an attrition rate.

CHAIR: How does that 2.6 per cent compare with other sectors?

Dr Coyne : It is very, very low.

CHAIR: That's what I assumed. Would other sectors be double, triple?

Dr Coyne : It depends where they're at in the sense of change. For instance, if you were to look at Home Affairs, where you're seeing two major agencies and a significant amount of change going on over a very short period of time, you'd expect an increase in the attrition rate. It's very contextual. But, in a general sense, the AFP's attrition rate has been very low for an extended period of time, and that's going to have an impact on the age of its workforce and it's going to have an impact on refreshing skills. To be fair in using the AFP as an example, I know that that is something they're looking at.

The bottom line is that you may not want to keep the concept of 20th century employment—of saying, 'We want to pick up a young person 24 or 25 years of age who has finished an ICT degree or a computer science degree and have them come to the AFP and stay there for 25 or 30 years.' That may no longer be valid. In those sorts of areas I don't think it is valid. We want to completely refresh on a regular basis so that we have these cutting-edge skills.

CHAIR: In your submission you state:

Commercial providers of devices and systems will need to significantly improve cyber security in light of the likely growth in our dependence on digitally distributed systems.

Do you consider that the recent changes, such as requirements for companies and agencies to make public any data breaches, are sufficient to prompt these improvements in cybersecurity?

Dr Coyne : I think some of these improvements have been made, and they're significant. I saw a very good example of it just recently. A secondary client of ANZ's had had a data breach and they had advised ANZ of that. ANZ advised all their customers and within 10 or 15 minutes had cancelled all cards. So that sort of stuff is working, and I think there are interim measures. But the spirit and intent across my submission is that we used to look at these problems as: there's a problem; there's a solution. This is an evolutionary issue that will need to be continually addressed and refreshed. I suspect that committees and inquiries like this would need to occur on a much more regular basis. It's not just a matter of going: 'Well, we're right today.' In fact, the time line of how long we will remain right may only be until tomorrow morning, and that's the real challenge, both for government, the bureaucrats, and for the private sector—and for the general public for that matter.

CHAIR: Do you see any potential jurisdictional barriers in the breakup of our police forces?

Dr Coyne : It's less of a jurisdictional issue and more of a priority issue. States' and territories' law enforcement agencies, as the front line dealing with the community, are faced with the front end of that. They're faced with everything from an elderly person who has ordered something online and it hasn't turned up all the way through to major companies who are having issues. For them it's about resourcing, and of course for the states and territories their No. 1 issue has to be violent crime against victims, and they start stepping back in prioritising that way, so that is a challenge for them. For the AFP it will always be a matter of resources on the other side, and we saw this recently in the Senate inquiry. When I say AFP, really I should extend it across the whole of the Commonwealth's law enforcement capability, which is that there's a supply-and-demand challenge there. The demand for their services far exceeds the supply that they have.

Senator SINGH: Thank you for ASPI's submission. How much does ASPI have to do with various government law enforcement agencies? How much is the door open, I suppose?

Dr Coyne : As a general rule, we're an independent policy think tank, and we live to the original ideals that were presented and developed by Kim Beazley and John Howard, which is that we work with government but we're independent and provide independent contested advice. What that means is we regularly agree and sometimes we regularly disagree with policy perspectives and issues. We're regularly engaged on a range of issues—ranging from the secretary-CEO-commissioner type level down to the executive level at EL1 and EL2—talking about everything from policy and strategy to developments in the criminal world. We work really quite well with them. To give an example on the people smuggling side of the house, I will be presenting to a joint management group in Bangkok in a month's time. That's how closely we work together. But we have a different point of view and different entry points about improving the public policy dialogue as well as contributing to the decisions made up here on the hill.

Senator SINGH: I want to ask about this issue of disruption of threats. You talk about this in your submission. Obviously, there's the end game of arrests and seizures, but there's this notion of disruption, particularly of criminal targets that may be known and, I suppose, how to intercept them. Are you able to give some examples of disruption that's used through our law enforcement agencies?

Dr Coyne : I think the first thing with disruption is that this is one of the great misunderstandings of 21st century—and 19th century, ironically—policing and law enforcement. The aim isn't to arrest people; the aim is to make a safer society. The origins of modern policing find themselves in London. They were about peacekeeping and solving problems in the community. The problem with disruption, of course, is that in the intervening years in order to hold law enforcement agencies accountable for what they do, things like arrests, seizures and successful prosecutions all become key performance indicators, but in reality—if you ask the voters—I think the electorate would tell you that, whilst they want to see those things and see photos of one tonne of drugs, what they're really concerned about is a safer community. Disruption is about taking alternative perspectives to problems and focusing on making a safer society. I will give you an example of this. The NCA, the National Crime Agency, in the UK had an extensive list of organised crime targets that they had no possibility of investigating. They sent out a letter to all of those people essentially saying: 'We know that you have been undertaking criminal activities. We have your details. You should cease and desist these activities or you can expect further action.' A number of people immediately stopped doing what they were doing.

Senator SINGH: Like a warning?

Dr Coyne : I think so. But there are other options too. For instance, take MDMA—and this is lost in the annual reports. One of the great successes of the Australian Federal Police in the last 10 years was the disruption of MDMA, or the precursor, safrole oil, in Cambodia. It created a five-year drought in the availability of MDMA and ecstasy. That seizure did not appear in any KPI within the Australian Federal Police. Instead, our police were offshore working with Cambodian officials in the jungles, bringing in safrole oil and then sending over specialist teams to destroy that to avoid it going to the supply chain. That's the key of disruption—for want of a better term, a saboteur, where you can put a steel rod into a very specific place and disrupt the supply chain—and that's the more important thing. All the arrests in the world won't stop, for instance, the supply of ice in your communities and the communities that you represent. And technology is the same.

The chances of us prosecuting a number of cybercriminals is very, very low. The chance that we'll collect sufficient evidence to be able to prove to a foreign jurisdiction and then go through the process, which would be incredibly costly, of bringing those people to Australia, even when it is possible, and proving beyond reasonable doubt that they are guilty is very low to unlikely, I suspect. And, as a result of that, we have to look at alternative mechanisms to disrupt them. Those are some of the issues being discussed in regard to things like offensive cyber operations. But, on the other side, it's also about doing other activities. The email activity is a prime example of that.

Senator SINGH: Do you think we're doing enough in that space?

Dr Coyne : I think the KPI pressure on the Australian Federal Police and the Australian law enforcement community is such that it actually ensures that a larger percentage of the efforts of law enforcement are focused on transactional arrests, seizures and prosecutions. And I'd like, personally, as an academic and a person in a think tank, and as a tax-paying citizen, to see that balance swing a little bit further to disruption activity.

Senator COLBECK: Dr Coyne, you seem to be talking about a cultural change in a number of ways through law enforcement agencies around employment and around the point that Senator Singh just made in the conversation around disruption. Are these things that are occurring perhaps occurring more slowly than they should, but is it moving that way basically because it has to, rather than because that's the desired cultural focus point?

Dr Coyne : I think there's some really amazing work being done out there. There are pockets of excellence, and we see this across Australian law enforcement communities, from Queensland through to the federal level. However, I guess it's not happening at such a level that we need it to at the moment. And the reason for presenting to this committee and providing evidence is essentially that the number of factors that are controlled more from the halls of Canberra are inhibiting that. And I said at the start that some of this might sound politically naive or pollyanna-like, but if you keep on pushing law enforcement to increase the percentage of seizures, they'll focus only on that, not on reducing the supply, and those are two different outcomes. That's just an example of an innovation piece. But it is the same for ICT. Say you want to outsource and bring into your teams, for every AFP officer, one data scientist and a forensic accountant to track anti-money-laundering. It would be very difficult under current arrangements to obtain the funding and to bring those people in under contract. In the same way, it has been incredibly difficult for the AFP to obtain one single data scientist. That's the illustrative point here: the bigger piece is that we need to look at the DOFA arrangements, some of our public service arrangements and some of the arrangements within the AFP, which employs people under a separate act. We need look at those and how we can free up the freedom of movement for the CEOs and commissioners of the various agencies involved.

Senator COLBECK: That is where I was coming to. Some of those the cultural, structural and industrial relations structures that exist within those existing frameworks make it difficult. I was going to ask about the opportunities around civilian relationships. You were talking about a five-year turnover, if you like, of people so that you have fresh people right up on the cutting edge with current ideas, thinking, technologies, ways of doing things and operating within the system. It's very difficult under the existing structures to do that. With the opportunity for civilian relationships, I know it's a big cultural change in the way that some of these agencies operate, but it is one way to actually manage that.

Dr Coyne : Certainly, there is an openness in the private sector. Having presented at a number of conferences on this, I am always asked questions around, 'Why would you trust the private sector with your data?' This is what's related to all of this. And I often say, and this is going to sound—

Senator COLBECK: Why would you trust the government?

Dr Coyne : Well, for instance, if I was working in government and I had an ICT issue that required me to go to market to get something—by the time I went through the process of getting that through the bureaucracy, advertising, going through a panel, testing and everything else—it would take an extensive time to deploy that. We're talking probably a year or two. If I'm a private sector company I can do that within a matter of weeks, probably. Depending on some companies, it's even shorter. We've this in the last 24 hours with the announcement around Facebook putting up new privacy measures, for instance. There's always the profit motive, which people are worried about, with the private sector. But I think where we're going with this is that there has to be a closer relationship and we really have to re-examine how we approach public-private partnerships in this space around the technology piece. There have to be partnerships. For instance, on the encryption challenge, the idea that you can legislate your way out of the encryption challenge is deeply flawed.

Senator COLBECK: That is the current phase that we're dealing with at the moment: the increasing utilisation of the encryption not only from international cyber criminals but right down through to private use, corporate and all the other elements in between. You go back to the initial days of internet crime, for example. Traceability was one of the issues there, but now you're having additional layers of complexity added to the task.

Dr Coyne : The reality is though, and the same extension to that, is the example I gave you about ANZ. I had my card recently cancelled because it had been used fraudulently somewhere. I had a phone call from the ANZ. ANZ said to me, 'We can reprogram your new card within 10 minutes on your iPhone. It will take 10 days to still get your hard-copy card, but that means you can still buy things and still get money out.' Those conveniences in the 21st century come from encryption. The bigger debate on this—and the public needs to know this—is that by wiring in back doors and by doing those sorts of approaches, we weaken and undermine all the benefits that come from encryption. It's part of our everyday life. It's what facilitates ease.

Senator COLBECK: Where would you see the key legislative direction then, in that sense? You talked about the TIA Act 1979, which is a scary number. Hopefully there have been some modifications from then. But what's the key legislative direction or defects?

Dr Coyne : Look, the key effort needs to be, as a start point for this committee, around the issue of the Telecommunications (Interception) Act. Essentially, as I say within the submission, we've sat there and tinkered with it and tinkered with it; but it's still, behind the scenes, based on a whole range of assumptions that simply no longer hold true. That is my No. 1 place. My No. 2 place is around DOFA regulations and accountability within organisations in the law enforcement community. That's the next logical place to start with that body of work. I don't believe that this is an easy task and I think it's going to take a significant amount of work, but I'm not sure what the alternatives are. The discussions around continuing to tinker with the TIA Act just don't work.

I had this question yesterday at the Police Technology Forum, which was trying to identify whether or not putting something up in public—for instance, if I go to my local golf club and put a notice up on the front door or on a notebook for everyone to see—is the same as putting something up on an open social media account? The expectation is you have automatically, by default, opted in to sharing your communication with everyone, therefore it's separate from the TIA Act. Approaching it using the TIA Act and everything we understand based on copper-line telephones, just doesn't work. We need to revisit that. That's one of a great starting points where we can make some real difference for the Australian community and for law enforcement.

Ms O'NEIL: Thanks for your testimony, Dr Coyne, and your submission. I'd like to just stick with the encryption discussion, if we could. Could you just go a little bit back and just talk about how widespread encryption is in the commission of crime at the moment and how big of a problem this is for law enforcement?

Dr Coyne : It's particularly widespread when you're talking about communication. This is where the granularity in some of the conversations is lost. On one side is cybercrime, which everyone wants to talk about; it's very topical. On the other side is technology-enabled crime. In this case, one of the most significant challenges—the previous FBI director called it 'going dark'—is that our law-enforcement community, from the US to Australia to Canada to the UK, relies on telephone intercepts to undertake investigations. Our major, complex investigations require those.

To give you an indication, just recently Phantom Secure's CEO, which is a system related to BlackBerry, was indicted for selling 10,000 units across the globe to high-end criminal figures. What that allowed you to do was delete fully encrypted communications and remotely delete, when you're arrested, the contents on your telephone so that police could never obtain it. There were 10,000 units globally. The people using those were involved in a range of things from the transmission of drugs to the execution of people across the world. That's one small component of it. Then when you add in issues on top of that—like Viber, et cetera—the issue just grows bigger and bigger.

What you find is the big challenge with the encryption piece is the collection of intelligence and evidence. It is extremely widespread, because the public are aware of it. Criminals are aware that the AFP, the New South Wales Police and the Victorian Police all use telephone intercepts and can access mobile phones. That problem is about to get significantly worse. When 5G technology comes in, it may spell the complete end of telephone intercepts across the globe.

Ms O'NEIL: Can you talk a little bit more about why this is such a difficult regulatory challenge? I think for most people, they would just think, 'Let's just create a law where encryption is illegal,' or something along those lines.

Dr Coyne : It's a social hygiene factor. It makes every part of our life work. Because the technology is moving so quickly, the idea that you can legislate a back door—there are a couple of things; this is No. 1—creates a weakness in the system that can be exploited by others. That runs the risk of completely destroying our finance sector and our economy. It's what permits that sort of convenience. Secondly, is that encryption facilitates a range of other functions. With encryption itself, when we talk about it, we talk about one-dimensioning situations, as if Google or someone has the encryption key. The latest levels of encryption mean that keys have one-time use. Even the companies who are producing these sort of products are unable to decrypt some of these communications themselves. The technology is moving so fast.

Phantom Secure has been operating, for BlackBerrys, for at least nine or 10 years. The AFP and the global law enforcement community have only just cracked that problem now. It's old technology. This is where the other challenge with encryption is: we're thinking about it as encryption today. What we need to be doing is thinking about encryption tomorrow and a year's time. A year in this sort of ICT space is a long time. Predicting what comes next is incredibly difficult. I could bring in here, as I've done with ASPI, 20 or 30 leading thinkers and sit there and talk about what technologies are emerging over the next couple of years, and I'd get 20 or 30 different perspectives about that.

Ms O'NEIL: Given that challenge, what do you think regulators should be looking to do? I mean, we are going from just accepting that there's no way to track communications in the way that we have for decades to solve crimes over to the other end of saying encryption's not viable because of this problem. Where do you think policymakers should be looking?

Dr Coyne : At the very start, philosophically, we need to stop looking backwards and look forwards and be real about what we can achieve. We may not say it out loud but the question in committees like this and in submissions has always been: how do we return intercepts back to the days of the 1970s and 1980s? How do we get back to having that level of telephone intercept capability? That may not be the real question. The real question is: how do we collect sufficient intelligence to undertake the investigations that make our community safer? The answer to that may not be in the legislation. It's going to cost more money because there'll be more surveillance, more listening devices, more tracking devices. It could be more physical surveillance in the sense of people travelling backwards and forwards across jurisdictions and working with foreign partners. Unfortunately, looking forward, what we can't do is keep on asking ourselves this backwards question.

Ms O'NEIL: Yes, I understand. That's a really useful point. On the legislative side though—because we are legislators—do you think something needs to be done or do you believe this is really about police changing their techniques to adapt?

Dr Coyne : I think it's about police changing their techniques. I just don't think that we're going to be able to legislate our way out of this at all.

Ms O'NEIL: Okay, great. You do, though, talk about the Telecommunications (Interception and Access) Act. What are the deficiencies in that act at the moment from your perspective?

Dr Coyne : Look, in general, it is the assumptions and the access to those powers of distribution of intercept material. I think that law enforcement has changed significantly. There are some questions here around, for instance, as AFP's supply-and-demand challenge increases, will organisations like the Australian Border Force need to have greater access to powers in order to undertake investigations? And it's those sorts of bigger questions about where those powers sit.

Ms O'NEIL: Dr Coyne, just to finish off, we've got a pretty wide scope of areas that we're looking at under this inquiry. If you had to pick two or three things that you want the parliament to be doing differently, what would they be?

Dr Coyne : No. 1 would be providing law enforcement greater freedom in regards to accountabilities out of DOFA. It has to be in that process. No. 2 would be releasing the pressure gauge around key performance indicators. I don't think it's necessarily a legislative piece but it comes out of the hill here. We need to be able to provide a greater space for our law enforcement officers to innovate. That comes from the leadership on the hill here and it comes from the legislation.

Ms O'NEIL: Great. Very useful. Thank you so much.

CHAIR: Dr Coyne, you probably paint a little bit of a grim picture going forward. Is it the reality we'll always be playing catch-up football or is that what you're trying to say—that we need to look at it? Rather than where we are today, which is almost like giving up on today—'giving up' is probably not the correct expression—look at what do we need in several years' time and be working on that. We are always saying, 'Okay, what's the problem today?' and, while we're catching up on that, the villains develop another system and, by the time we've sorted it out, the villains have moved on and we're forever behind?

Dr Coyne : Yes, I think there's a degree of truth in that statement. What I'd like to see is the gap or the space between the time that criminals institute these new capabilities and the time we take to react to them to close. At the moment, the key message here, especially in the technology space, is that that problem, the time gap, is getting wider. We want to close that time gap. I think that needs to be the key priority.

CHAIR: Effectively we're playing catch-up football, but starting from a point further behind each time we start the play?

Dr Coyne : This has always been the challenge—for instance, in the counter-terrorism space for law enforcement. It's not Minority Report: we're never going to be able to arrest people in advance because they've thought about undertaking crimes. We really are going to be in that time-gap space. There are going to be changes in the general community and there are going to be changes in criminal activities as a result of that, and then law enforcement and the legislature will change in response to that. As I said, it's very similar to the 1950s. We need to get better at observing, deciding and acting on that and speeding up that process to get closer to their decision-making cycles. That will be pivotal.

CHAIR: You mentioned a case relating to BlackBerry and encryption. I hadn't heard that. Could you expand a bit more on that.

Dr Coyne : A Canadian firm had developed an encryption software for BlackBerry that allowed—and they sold 10,000 units—

CHAIR: It wasn't the BlackBerry firm, it was someone—

Dr Coyne : It wasn't the BlackBerry firm, but it was associated with—

CHAIR: It was a third party.

Dr Coyne : That's correct. They were selling what they called Phantom Secure, a piece of software for that, that allowed you to have fully secure communications that were, until just recently, unbreakable. Secondly, if an offender was arrested, it allowed a member of their same criminal syndicate to remotely remove all evidence off a phone.

CHAIR: You said that's been broken?

Dr Coyne : That's been broken at the moment through international work. There's been a great deal of collaboration across the Five Eyes law enforcement group for several years in relation to this. Initially, a great deal of that work went to the question of how we break encryption technology. In this case, at the end of the day, the encryption technology was getting older, and they were also able to allege the criminal activity and prove it sufficiently enough for an arrest of the key members of that group and company.

CHAIR: So it was the members of the Canadian group that sold the technology on who were arrested?

Dr Coyne : They did. They were a legitimate company. They were actually selling Phantom Secure software. That was the product they were selling.

CHAIR: What was the legislation that captured them?

Dr Coyne : I wouldn't be able to tell. I'd have to go and check that on notice. They were actually arrested in the US, and it's my understanding there's been arrests made in Dubai as well.

CHAIR: Isn't there also the issue: 'We thought we were selling it to legitimate individuals'?

Dr Coyne : I think in this case we had sufficient evidence globally and in the public sphere as well that it was genuinely available to criminal offenders, and it was targeted as such. I think the allegations that are still yet to go before court in the US are that the company marketed a product directly to organised crime figures to provide them safety and security to undertake their activities.

CHAIR: Which would be unlawful under a specific US statute?

Dr Coyne : Under US law it would be, yes, is my understanding.

CHAIR: Do we currently have existing legislation in Australia that would capture that sort of thing?

Dr Coyne : I'd have to check up on that.

CHAIR: Maybe you could take that on notice.

Dr Coyne : I will.

Senator COLBECK: It's a long way from The Imitation Game.

Dr Coyne : That's it.

CHAIR: How do we tackle this issue? You talk about close cooperation between the Five Eyes partners. How do we deal with actors outside of there that can use transnational boundaries to hide behind?

Dr Coyne : Earlier, you mentioned bad-news stories—some of them being very bad. I think this is one of the good news stories. Our law enforcement community's international engagement is fantastic. I found myself in Dubai and Abu Dhabi late last year, and the authorities there up to agency level and members of government can't speak highly enough of the Australian law enforcement community and the willingness to work with them. That extends across the region, and, indeed, the globe. There are always ups and downs in any international relationship, but we have that police-to-police cooperation. On the other side, what we also have is a range of mutual legal assistance agreements and treaties globally—a patchwork quilt, if you like—and that's worked. Just recently, the AFP brought someone back from Eastern Europe via several other countries to Australia. It's a good news story about our international cooperation, both within the Five Eyes group and wider.

CHAIR: Any other questions, senators and members? No? Thank you, Dr Coyne, we really appreciate your assistance and your submission. We thank you for your time here today.

There is a gentleman from Channel 10 seeking permission to film. We're more than happy to give permission to film—there are no objections from other members. Thank you, Dr Coyne.