Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Joint Committee on Law Enforcement
29/03/2018
Impact of new and emerging information and communications technology

MANN, Dr Monique, Co-Chair, Surveillance Committee, Board of Directors, Australian Privacy Foundation

MOLNAR, Dr Adam, Vice-Chair, Australian Privacy Foundation

CHAIR: I welcome the representatives of the Australian Privacy Foundation, Digital Rights Watch Australia, Electronic Frontiers Australia and Future Wise. Thank you for appearing before us today. The committee has received your joint submission as submission No. 23. Firstly, do you wish to make any corrections to your submission?

Dr Mann : No.

CHAIR: Thank you. We have a time period that takes us through to about 11.30. We invite you to make a brief opening statement—maybe a summary of your submission for the Hansard record—and then we will go to questions.

Dr Mann : Good morning. We would like to thank the committee secretary and panel members for inviting us to provide evidence on the challenges of information communication technologies and law enforcement on behalf of the Australian Privacy Foundation, Digital Rights Watch Australia, Electronic Frontiers Australia and Future Wise. Innovation in technology is an important public policy issue that affects all aspects of society, and we are pleased that the panel is devoting attention to this issue.

In our opening statement, we would like to reiterate some of the main points from our written submission and provide a brief response to some of the points raised in written submissions by other government and law enforcement agencies. We note that almost every party that made a written submission raised the issue of encryption, highlighting that it is crucial for innovation and cybersecurity, and yet presents some challenges for law enforcement. Encryption is indeed an important public policy issue that demands careful and nuanced consideration. Encryption tools, technologies and services are essential to protect against harm and to shield our digital infrastructure and personal communications from unauthorised access. The ability to freely develop and use encryption provides the cornerstone for today's global economy. Economic growth in the digital age is powered by the ability to trust and authenticate our interactions and communicate, and conduct business securely both within and across borders.

Any attempt to weaken or undermine strong encryption poses serious risks to cybersecurity. While we recognise law enforcement's legitimate interest in accessing communications, we are fundamentally opposed to any attempt to weaken encryption, given the additional risks this would entail for a range of groups and sectors, including banking and finance, government and the general public. Encryption does not pose a fatal investigatory hurdle and, by contrast, it's an essential component of cybersecurity. It protects against cybercrime, which is estimated to cost between $1 billion and $17 billion annually.

According to the Department of Home Affairs, we already see reports of ransomware attacks doubling each year. Weakening encryption will undermine the security of information communication technologies for everyone, and will exacerbate these issues. The absence of encryption facilitates easy access to sensitive personal data—including financial and identity information—by criminals and other malicious actors. Once obtained, sensitive data can be sold, publicly posted or used to blackmail or embarrass. Additionally, insufficient encrypted devices or hardware are prime targets for criminals.

Given the collective economic and social good that encryption provides, we urge the committee to pay attention to existing legal and technical capabilities that enable access to evidence on physical devices in ways that will not unnecessarily inflict the unintended consequences of weakening the security of all digital devices. We outline issues associated with undermining encryption at length on pages 11 to 15 of our written submission, and we set forth the existing legal and technical capabilities to access evidence on page 14.

In addition to encryption, and as per our written submission, we also wish to comment on other areas that fall within the inquiry's terms of reference, including dark web policing, mutual legal assistance arrangements for accessing extraterritorial digital evidence, and the importance of independent criminological research into these areas. We welcome the committee's questions on these topics.

In summary, law enforcement plays an important role in public safety and security, though we contend that law enforcement use of new information communication technologies should be supported with evidence, be consistent with international human rights standards, be subject to robust oversight and proper checks and balances—including judicial—and uphold the rule of law.

CHAIR: Thank you, Dr Mann. Dr Molnar, do you have any opening comments?

Dr Molnar : I have no additional comments at this time.

CHAIR: In your submission, you've made some recommendations. Recommendation 2 was to:

Suspend the current program of mandatory data retention and require a judicial warrant to access telecommunications information.

Firstly, can you run us through your position, reasoning and logic for suspending the current mandatory data retention programs?

Dr Molnar : I'll take that one. I would refer the committee back to a submission that the Australian Privacy Foundation made during some testimony provided when the legislation to present mandatory data retention in Australia was being discussed. At that time, our position was that the mandatory obligation to store data for a minimum of two years was inconsistent with human rights standards, as ruled in the European Court of Justice. We actually opposed the idea that a serious crime threshold could be reduced to access that data.

Generally, we were concerned about the negative impacts that this would have on our collective good, such as media reporting—the protection of journalists is a cornerstone of democratic process. We were, at that time—and still today—unconvinced that access to metadata, which is remarkably more sensitive in what it actually reveals about an individual—if you can have access to who I've spoken with, when I've spoken to them, how often and for how long, particularly when that data is leveraged over time, it tends to reveal a much more detailed picture of an individual. It can indicate very sensitive personal information, including when I talk to my doctor. It can undermine lawyer-client privilege, in our view. Our concern was that metadata should be subject to the same requirements as content—that is, what you say in the communication.

At that time, and still today, we were convinced that we should uphold existing legal authorisation and oversight—basically, judicial authorisation instead of ex post review; it's very different to review something after the fact. When we look at that legislation today, as it's being implemented, we still hold that position. So that would, with all due respect, mean that we would urge a revisit of that present set of law.

Dr Mann : I would add that the journalist warrant process in the current mandatory metadata retention legislation was not followed by the Australian Federal Police, by their own admission. That is highly concerning from a due process and rule of law perspective.

CHAIR: That metadata retention—is it two years that the legislation's been in place for now; is that correct?

Dr Molnar : The obligation to retain metadata for a minimum of two years has been in place for roughly two years. The idea of administrative access to that data has been in place for much longer under the Telecommunications (Interception and Access) Act. If we take these two aspects together, our position is that metadata should be subject to the same judicial authorisation requirements as content. The mandatory storage obligation comes after the earlier situation there.

CHAIR: Over those past two years, are there any examples of significant negative impacts that you can point to?

Dr Molnar : Monique actually just pointed one out, where there was improper access by an Australian Federal Police officer. That was disclosed by the AFP, and we appreciate their honesty in that regard. We also would like to indicate that, by nature, it's actually very difficult to detect the improper use or improper access of metadata. It's a procedural aspect within criminal investigation. One of the issues that the APF raised two years ago was that the mandatory retention obligation would create a honey pot for malicious actors, foreign-state actors or criminal hackers to surreptitiously access that information and exploit it towards criminal ends. Again, it's difficult. The nature of cyber-infiltration means that it's sometimes very difficult to detect how long someone has been inside the network and sitting on a server. Given those characteristics, it's very difficult to have public evidence to bring—to scrutinise.

Dr Mann : From a criminological perspective, the impacts of widespread, indiscriminate, blanket surveillance on a population, contrary to human rights norms, does have the potential for a chilling effect on political process, participation, journalism, activism and so forth.

CHAIR: Can you detail further what the human rights concerns are? Can you summarise your argument that the collection and retention of metadata breaches human rights norms?

Dr Mann : Yes. A number of human rights norms, including those that Australia has signed and ratified, as per the International Covenant on Civil and Political Rights, show that humans do have a right to privacy and a private life. The schemes in the European Union—the retention schemes that Dr Molnar also mentioned—have been thrown out because they have essentially been found to present a disproportionate interference with individual human rights, including privacy and freedom of expression. Would you add to that, Adam?

Dr Molnar : No.

CHAIR: Your first recommendation was:

Follow international precedent in surveillance programs and practices and with regard to, and respect of, international human rights standards …

Could I argue that there is not one international precedent? In fact, the international precedents are very varied depending on which international precedent you want to pick.

Dr Molnar : To fill that out with a bit more detail, we make that reference with respect to Australia's obligation to comply with the International Covenant on Civil and Political Rights treaty of international law. We would point to that directly, given the connection with Australia's obligation.

Senator SINGH: You talk a lot in your submission—it is very detailed, thank you—and in your opening statement about encryption and lawful access. I'd like to hear a bit more from you about this issue of encryption. It seems incredibly complicated, and encryption is obviously used in so many different forms of electronic communication. How do you see our current laws dealing with issues of encryption? I don't know how many different platforms there are. We talk about Facebook and WhatsApp and all of the different areas where we find that kind of built-in encrypted service. What do you think we as policymakers can do in this space while, at the same time, ensuring that people's privacy is protected?

Dr Molnar : As Dr Mann pointed out in earlier statements, when it comes to encryption, it's not strictly a question of privacy. It's a question of economic security. It's a question of the security of critical infrastructure—for example, public health. It is basically government processes—sensitive communications within government and on national security. This puts it on a terrain that requires very careful and nuanced consideration. It's an incredibly complex question, as you've pointed out.

There are a number of different proposals that have been discussed in the past that would attempt to weaken or undermine the algorithmic standards—the strength of the algorithms and protocols required to encrypt communication. Our position on that is that any attempt to rely on mandating a change to the standards of encryption would be deleterious to the security and all the various aspects that I previously mentioned. There's another proposal to discuss a key escrow system, as we point out in our submission, where you have a third party that stores a separate set of keys. In a domestic context, through judicial authorisation, access to those keys could be used to decrypt the communication. There's another proposal to mandate vulnerabilities in software or hardware which can then be exploited through computer network operations or, as it is more popularly termed, lawful hacking. Our position, as we point out in the report, is that any attempt to impose any of the three previous scenarios that I outlined would lead to inevitable vulnerabilites that could be exploited by malicious actors, whether they're foreign states or organised crime groups.

As you point out, Australia has existing laws. We refer to them on page 14. There are a range of existing technical and legal powers in Australia that would not have the disproportionate trade-off of weakening security more broadly. We would urge the committee to give these prospects careful thought. Some of them would be compelled by the assistance order in section 3LA of the Crimes Act. That assistance order is for someone to disclose a password to a device. We would like to point out that, while that power exists, any use of that power should be carefully circumscribed by proper safeguards that would respect human rights and proportionality.

Senator SINGH: Are you saying that Australia's existing laws are adequate?

Dr Molnar : I'm saying that Australia has a range of statutes that it could use that would provide access to plain text on communications devices without weakening or undermining encryption.

Dr Mann : We would also echo the recent Senate motion by Senator Steele-John in previous days. He moved:

That the Senate—

…   …   …

(b) calls on the government to:

   (i) support the continued development and use of strong encryption technologies,

   (ii) resist any push from other governments to weaken encryption on personal devices, and

   (iii) work with law enforcement to develop alternative avenues to obtain information through warrants and targeted surveillance that does not put every Australian at greater risk of identity theft.

Senator COLBECK: Can I just come in on that. I understand what you're saying. The three things that you've talked about, hasn't the horse effectively bolted in this space already? I mean, there are already technologies out there that there are no keys to, there could be no keys to and, quite frankly, a government might want to put a law in place. But in the culture of the internet, in the technology of things or however you want to describe it, particularly in the cybercriminality space, there's a complete unlikelihood that anyone's going to comply with that sort of thing anyway. I think we're pretty much past that point. I get the point that you're trying to make about legislated attempts to do that, but aren't we largely out the door?

Dr Molnar : I think you're quite right. Any attempt to censor or ban messaging applications, where it's been attempted, has not proven successful from a technological stand point insofar as there is circumvention techniques. So someone who is committed to relying on encryption, which, at the end of the day, is also just a tool—and we would like to point out it's how a tool is used and not just the tool itself—means that local bans don't actually prevent international availability nor will they prevent domestic availability for committed individuals. And there's an additional burden of enforcement that would fall back upon law enforcement to maintain extensive surveillance and enforcement of any such policy. It's also worth noting that any attempt to ban instant messaging apps with end-to-end encryption have not complied with human rights codes in Brazil. They would still be before the courts in other jurisdictions. But it's also proven highly unpopular, and this is something that should be considered in any public policy consideration.

Senator COLBECK: A lot of people in this place would be in trouble if we tried it.

Dr Mann : Just to add to Adam's point there, at this stage, while a number of public statements have been made, including by Prime Minister Malcolm Turnbull and also Peter Dutton in relation to some new laws in this area, we haven't seen any draft bill or legislation so it's actually really hard for us to be able to comment on any actual proposal, concrete proposal.

Senator COLBECK: I wasn't going there but I was looking to consider mandated standards. I'm not sure how you'd actually achieve that given the pace of change in the space anyway.

Dr Mann : We're not sure of it. I don't think the government's too sure either.

Senator COLBECK: It's probably not something that's practical to even attempt. The keys in the backdoor stuff, my perception would be we're just way past all that. And in a law-enforcement sense, some of the things you've already referred to about some of the tools that do exist, about how they might reasonably be improved to achieve the things that you're suggesting can and could be achieved within the parameters that you're suggesting is probably where we would like to hear what your thinking is.

Dr Molnar : There is a number of additional technical and legal challenges that do emerge with moving into the use of computer network operations or computer network exploitation that demand very careful consideration because they can bring their own set of unintended consequences as well. We point out in our submission that some of those unintended consequences may revolve around the undeniable reality that most use of computer network operations traverse international jurisdiction and that presents a whole host of new challenges to do with preserving many of the procedural requirements that have conventionally existed within mutual legal assistance treaties. The move to CNOs actually disincentivises the reliance on mutual legal assistance, and that can have negative impacts around many of the issues that MLATs have attempted to uphold over time, including jurisdictional operation, adequate human rights standards and accountability for errors that might be made if malware is being used. If there's any additional collateral damage associated with the use of the implant of foreign code into a network in an overseas jurisdiction, that can have foreign affairs ramifications. So there's a need for MLATs to be preserved, in our view. MLATs should not be done away with entirely; they just need to be reconfigured. MLATs should actually address the new reality of not just cross-border lawful access requests but also the idea of computer network operations. I think some of our colleagues have taken a more narrow view of the role of MLATs in relation to cross-border data access requests to private companies in overseas jurisdictions and some of the rules around disclosing that information, but that's only a more narrow vision of how law enforcement is currently operating across international jurisdiction.

So MLATs actually have, in our view, a significant role to play. We acknowledge that they can be cumbersome for law enforcement, and we respect that position, but we are very much opposed to the idea of doing away with MLATs entirely, given a whole set of other legal and procedural challenges that could emerge if that position is taken.

Senator SINGH: I wonder whether you could give us some examples. You talk about the public value of encryption and its uses and say that weakening it could be an adverse step. Can you share some examples of the good value of encryption that you talk about?

Dr Mann : I would also refer the committee to Access Now's submission. They submitted a memo on the role of encryption in Australia. They cover a lot of those elements that you're discussing in relation to essential infrastructure and public infrastructure. They offer specific examples of ransomware attacks on the San Francisco metro, stopping computer glitches, stopping all trains across Melbourne in July of last year and major incidents in relation to electricity grids, as happened in the Ukraine. We can think about this in relation to banking and card payments, digital commerce, critical services and the private sector. We can think about the WannaCry incident that basically shut down the NHS in the UK recently. I think, moving forward, things like the Internet of Things, smart cities, autonomous vehicles and a whole range of other exciting technologies rely on the integrity and security of those systems. I hope that answers your question.

Dr Molnar : I would add another high-profile incident. We could probably spend the rest of our time just discussing incidents that would fit within our previous 12-month time line. In any case, there was a significant attack on the United States government Office of Personnel Management, which is a single institution that houses the sensitive information of a number of federal employees within the federal agencies. They lost sensitive data because they had insecure infrastructure. That's data that can now be repurposed and exploited for social engineering or for insider attacks. It's very sensitive data that the United States is now having to deal with in remediation efforts, and will be, conceivably, for decades to come, given the nature of social engineering around personal information.

Ms O'NEIL: Yes. I think we get the message loud and clear. And, yes, it's great to have your perspective, and we're really grateful for you being here, especially given that, as is generally the case, the weight of the evidence given to this committee comes from law enforcement, who might take a different view. However, we just heard from the Australian Strategic Policy Institute, and they are actually saying a fairly similar thing, though I think for different reasons. So you do have people in the law enforcement community who are saying that, yes, this is not as easy as it sounds. Just understand that the frustration for policymakers is that we spend a lot of time talking to police who are just tearing their hair out because people are committing crimes before their eyes using encrypted technologies in a way that wouldn't have been possible 10 years ago, and they're just trying to find a better way to police under those circumstances. So the objectives are very pure in most cases, I'd say.

I just want to ask a principle question. I guess from just reading your submission that you're arguing very strongly that, in a sense, privacy rights that are coming into existence that I see as a little bit new—like encrypted technologies allowing you to have encrypted conversations—should be completely protected, but, where technology is giving us opportunities for better policing, you're saying we shouldn't use those technologies. Whereas, when we heard from the Australian Strategic Policy Institute, they're saying to us: okay, encryption is a problem, but we can't just legislate our way out of this. On the other hand, technology's offering us lots of opportunities to police in a different and more effective way, and we should be looking and focusing our energies there. For example, some of the other submissions have talked about the use of drones or face identification technology. What's your view about how we deal with new technologies? Do you accept that, if we're balancing constantly the need to investigate with the right to privacy, sometimes when we've got new private rights we also might need to balance those with investigative techniques that you might not have agreed with five or 10 years ago?

Dr Mann : I think first of all that, as you say, a lot of the new technologies are at this stage unregulated, and also there's an absence of evidence in terms of effectiveness. So, in the first instance, I would really urge for and draw attention to the need for robust, empirical evidence of effectiveness before we jump the gun on some of this. I support the use of technologies by law enforcement under certain circumstances—in a way, again, that is consistent with due process protections and the rule of law, with sufficient robust oversight, independent oversight and so forth and avenues for review. We're not taking a position here that law enforcement shouldn't use new technologies; it's more about the structures and the procedures in place associated with their use and also in relation to the evidence of effectiveness.

There are a range of other technologies—and certainly some of the work that I've been doing and that of my colleague is in relation to 3D printing, for example. You yourself mentioned drones, and then there's obviously encryption, computer network operations and the dark web.

Just to reiterate what Adam said, it's not the tool in itself; it's the application or use of the tool. A lot of these technologies are dual-use technologies. They can be used for good things, and they can also be used for bad things at the same time. The challenge here, as you say, is balancing, not over-regulating or prohibiting the use of these technologies in a way that inhibits innovation or the socially beneficial and indeed also law enforcement's beneficial applications of those technologies, while also attempting to minimise the risks and harms.

Ms O'NEIL: Can I ask you about a specific example. Just for the record, I don't have a view about this. The Australian Commission for Law Enforcement Integrity, which as you know play such a crucial role in ensuring that police and other agencies are free from corruption, have advocated for a statutory framework for delayed notification search warrants. Do you know what these are? Basically, with a traditional search warrant, you have to show that to the person before you search their premises, but some law enforcement agencies around Australia have the power to search without the knowledge of the owner of the property and then reveal that to them within a space of six months, so it's quite a different scope of powers. Do you accept that because technology's making it harder for us to investigate crime we might need to change the way that we're investigating crimes, in a non-technological manner, in order to compensate?

Dr Molnar : Without seeing the specific details of that proposal, I would like to request that we take a response to that on notice, so that we can provide a fulsome, detailed response to that particular proposal. In terms of the question around notification requirements, they do play an important role in preserving procedural safeguards and due process. Without speaking to the specifics of the proposal, there is a tendency towards referring to new technologies, and the tools that can be exploited towards malicious ends, creating an altogether different policing environment or one that has not been experienced before. This is, in part, embedded in how we think about technology as somehow breaking with our past in some way. In fact, with many of these problems, when we deal with technology, and in our research, we find that they're old problems that continue to resurface, and they don't necessitate a complete reimagining—in a sense a downward revision of our procedural safeguards—in order to deliver effective ends towards investigation.

Ms O'NEIL: I don't agree with that, but thank you for putting your point of view. I will give you an example, which is about child exploitation. I think the evidence is pretty clear that the availability of child exploitation materials on the internet is contributing to an explosion in demand for it and that's a problem that's feeding on itself. It's one that we're really concerned about as a parliament. Can you provide any directions for us in how we can tackle this problem without going into some of the encryption weakening directions that you are so concerned about? What can we do about this problem that we're not doing now?

Dr Molnar : I would like to point out that there are already existing powers with computer network exploitation. Queensland Police Service had an investigation through their Task Force Argos. This is a burgeoning area that's very legally and procedurally complex, as it crosses international boundaries. We would certainly like to reaffirm our commitment to policing abuses, particularly child exploitation, and we think there are technical and legal powers that exist. It's good to be reminded that there are successful operations that are occurring without resort to weakening or undermining encryption. We point to some of those in our submission with the use of powers under the Telecommunications (Interception and Access) Act, the Surveillance Devices Act and the ASIO Act, in particular section 25A, I believe, which authorise the use of computer network exploitation. As researchers we don't have specific details on what statutes are being used, but we do have published work that analyses this in the legal context here in Australia.

We support steps towards mitigating harms online, but we also think that that can be done through procedural safeguards like a revised MLA structure and proper judicial authorisation. It's important that we don't do away with these important considerations given the particularly abhorrent moral and ethical nature of the crimes that are being committed. We do firmly believe that we can address some of the broader legal and technical challenges moving forward that will serve the ends of law enforcement and still actually maintain due process and human rights as best as possible.

Dr Mann : I will just add to that. On pages 9 and 10 of our written submission we refer to some of our own published work in this area in relation to law enforcement operations in relation to these sorts of computer network operations, including around the Silk Road drug crypto market and the US FBI Operation Pacifier into the Playpen child exploitation network. What we're really advocating here is at the moment there is really limited regulatory guidance for use of these procedures in any jurisdiction, including in Australia. We are seeing actually in the US, where cases are being brought to prosecution and trial, evidentiary challenges and issues. If we want to think about how we actually successfully prosecute in these areas, we need to ensure that the procedures the police are using comply with evidentiary standards and requirements.

Ms O'NEIL: Yes, I understand, so the lack of regulation is creating issues for prosecution as well.

Dr Molnar : If I could add one quick point. The traditional principle of proportionality in terms of the scope of investigations is under strain in the way that primary legislation sits in relation to the current technological environment. We have the Telecommunications (Interception and Access) Act. It has obviously been amended over time on numerous occasions, but it was by and large drafted in a different technological context. We also have the Surveillance Devices Act, with the more recent initial enactment date of 2004, but its warrant categories already, given their technology specific language, do not reflect the technological environment on the ground.

We've done work on trying to think through appropriate drafting measures to deal with the proper regulation in a way that will not actually undermine the principle of proportionality. It seems to be that, when you are trying to fit new developments and new technology into old terminology or definitions in old legislation, you actually lose the specificity of what the legislation was originally designed to do. In a jurisdiction without a formal bill of rights or constitutional rights architecture the role for the judiciary is vastly different. It's critical that the primary legislation gets things right. When it stops getting things right that can actually work against law enforcement interests in some ways, but, by and large, it works against the interests of rights and due process.

Ms O'NEIL: Okay. Thank you.

CHAIR: Dr Mann, in your submission you included a section of a PowerPoint presentation you made on digitally-printed firearms.

Dr Mann : 3D-printed guns, yes.

CHAIR: Was the point you were trying to make on that that the threat of that is overstated?

Dr Mann : I think, going back to an earlier point, what we were trying to say in this is that there is a real need here for robust evidence and research into this topic and other criminal applications of new technologies. Certainly there have been cases of 3D-printed firearms being located here in Australia, but there is no systematic research or any evidence in relation to the size or the shape of the 'threat'. In relation to that, we don't really know, but this is certainly an emerging area, particularly with the development of other 3D-printer technologies, such as 3D metal printing, which could potentially be problematic in the future.

CHAIR: So isn't that the issue? If you are using hindsight to see what's happened in the past, you might be able to minimise the problem. Isn't one of the issues in this area that you need to look at the potential for it down the track and be acting in advance rather than retrospectively?

Dr Mann : Yes, and there's also a need for robust, independent research into these areas.

CHAIR: Are you saying that you wait until it's a significant problem before you act? Isn't that the potential downfall of going down that way? Should you wait to see evidence of gangs of villains out there with digitally printed firearms and say, 'Yes, now we have a problem,' or should you say, 'There's a potential for this problem down the track with increased technology and the sophistication of digital 3D printing, therefore we need to act'? Maybe you could comment on that.

Dr Mann : Certainly that's what we're trying to do in our research in relation to this issue in particular—to get an understanding of what's happening and what will happen. However, before we can act, we need to have that understanding. We can't just shoot blindly—pun intended.

CHAIR: We thank you both for your time, and we thank you for your submission as well.