Parliamentary Joint Committee on Intelligence and Security
29/01/2015

LAWRENCE, Mr Jon, Executive Officer, Electronic Frontiers Australia

[10:23]

CHAIR: Welcome. Would you like to comment on the capacity in which you appear before the committee?

Mr Lawrence : I appear before you as a representative of Electronic Frontiers Australia but I am also a non-executive director of the Internet Society of Australia, from whom you will be hearing evidence this afternoon.

CHAIR: Although the committee does not require you to give evidence under oath, I remind witnesses that this hearing is a legal proceeding of parliament and warrants the same respect as proceedings of the House itself. The giving of false or misleading evidence is a serious matter and may be regarded as contempt of parliament. The evidence given today will be recorded by Hansard. Do you wish to make some introductory remarks before we proceed to questions?

Mr Lawrence : I do. EFA has been advocating for the promotion and protection of civil liberties in the digital context since January 1994. In fact, last week we quietly celebrated our 21st birthday. We are an independent, member based national association.

EFA believes that an indiscriminate, society-wide mandatory data retention scheme such as is proposed in this legislation is an unnecessary and disproportionate invasion of the privacy of all Australians, including of course everyone here today in this room. I invite committee members to reflect on this point: are you comfortable with a record of every phone call you make and receive being stored for two years and potentially being leaked onto the web? Such a scheme also subverts the principle of the presumption of innocence by collecting information about every single Australian's online and telephonic communications, regardless of whether they are a suspect.

Further, as I believe we have heard from the previous testimony, it adds significant costs to a range of businesses, has the potential to reduce competition particularly within the ISP sector and will drive up internet costs for all Australians. This legislation will also create the potential for serious harm to Australians should the enormous databases of personal information that will be created be misused or compromised. EFA believes that, should this legislation proceed, it will not be a question of whether some of this information is compromised or misused but rather when and by whom.

If there are any illusions as to the likelihood of such compromising occurring, I invite committee members to reflect on the recent hack of Sony Pictures and, to give another example, on the alleged compromising of the building plans for the new ASIO headquarters by a foreign intelligence agency. And perhaps most pertinently and most recently the compromising of the personal details of hundreds of thousands of Australians who are customers of Aussie Travel Cover, a breach which, incidentally, that company decided not to disclose to their customers.

The reality is that the only truly secure data is data that does not exist. The Prime Minister, the Attorney-General and other advocates of this bill have asserted that the collection and retention of communications data is less intrusive than access to the content of communications. EFA totally rejects this assertion. Bulk collection of communications data is, arguably, more invasive for a number of reasons. As the European Union's Court of Justice said in its April 2014 judgement that ruled that the European Union's data retention directive was invalid, bulk collection of communications data—and I quote:

… may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments …

This court's ruling of invalidity was based primarily on the directive's indiscriminate nature. It is clear that mandatory data retention has been tried and tested in many countries within the European Union, has failed the test of effectiveness and also the tests of legality and proportionality. Despite this clear statement from a major supranational court, the Attorney-General's Department continues to rely on this now discredited data retention directive as the basis for this legislation. EFA of course understands that Australians lack the constitutional protections for their civil liberties that our friends in the European Union and the United States enjoy.

This committee therefore has a critical role to play in ensuring that the civil liberties that are what we believe makes Australia what Australia is are not discarded in the name of some generic terrorist threat or in order to protect us from the tiny percentage of men who prey on children. EFA urges this committee to take this responsibility very seriously.

EFA is, along with 400 other civil society organisations from around the world, a signatory to the International Principles on the Application of Human Rights to Communications Surveillance which, as I have told this committee previously, can be found at necessaryandproportionate.org. EFA believes this legislation falls well short of these principles and should therefore be withdrawn. EFA is not however opposed to targeted surveillance with appropriate safeguards and oversight. We support the important and necessary work that our law enforcement and intelligence agencies perform on a daily basis. However, we believe that the existing powers available are sufficient for them to perform this work.

EFA would particularly like to point to the data preservation notice scheme, which came into force on 1 March 2013, when Australia acceded to the Council of Europe Convention on Cybercrime. EFA believes these data preservation notices provide a more appropriate, targeted mechanism for access to communications data on persons of interest. However, we understand that this relatively new power has, to date, been rarely used. These notices provide for mandatory retention of both communications data and content on suspects and persons of interest, while leaving the tens of millions of innocent Australians well alone. EFA believes that this existing power should be used and tested for efficacy. If it is insufficient, then clearly it must be repealed.

EFA is also unconvinced about the efficacy of mandatory data retention regimes. In January 2014, the United States's Privacy and Civil Liberties Oversight Board found that there is little evidence that the US's metadata program has made the US any safer. In 2011, the German parliament's legal service found that their mandatory data retention regime had increased crime clearance rates by only 0.006 per cent.

There is one element in this legislation which EFA does support, which is the restriction on the number of agencies that are given warrantless access to communications data. This is a necessary and urgent reform which, during the last parliament, this committee itself recommended. EFA is, however, somewhat concerned that despite this restriction the legislation provides the minister with the power to add other agencies to that list without reference to parliament. EFA fully supports any legislative safeguards that prevent the expansion of authorised agencies.

Most gravely, EFA is concerned that the legislation does not even define in detail the dataset that is sought for retention. EFA believes that defining the dataset by regulation, as is currently proposed, represents a serious undermining of the role of parliament and will enable the scope of the dataset to expand without proper scrutiny. History shows us only too clearly that schemes such as this almost inevitably expand in scope over time. EFA is also entirely unconvinced by the proposed two-year retention duration and is unaware of any evidence that suggests that this time frame is in any way justified.

Finally, in closing, I would like to point to some recent research which shows that this scheme is actually deeply unpopular within the community. Essential Research surveyed 1,842 people in the week of 18 February 2014 and found that 80 per cent of respondents 'disapprove of the Australian government being able to access their phone and internet records without a warrant'. In the week of 12 August 2014, Essential Research surveyed 1,845 Australians and found that 49 per cent of respondents felt governments are 'increasingly using the argument about terrorism to collect and store personal data and information, and this is a dangerous direction for society'. In that same survey they also found 68 per cent of respondents had little or no trust in the government, telcos and ISPs to 'store retained personal data safely and in a way that would prevent abuse'.

Mr NIKOLIC: Mr Lawrence, you totally dismiss the utility and effectiveness of metadata. I wonder whether you have had—

Mr Lawrence : I do not do that at all.

Mr NIKOLIC: Can I finish my question before you respond?

Mr Lawrence : Sure.

Mr NIKOLIC: You said 'metadata has failed the test of effectiveness'. Those were your words. Have you had an opportunity to view or read the evidence to this committee from the Australian Federal Police and a variety of agencies that say that metadata is central to virtually every counter-terrorism, counter organised crime, counterespionage and cyber-security investigation, that it is used in almost every serious criminal investigation, including for murder, rape, kidnapping and child exploitation, and that the critical role of telecommunications data in law enforcement and security agencies can be seen through its impact on a higher range of high-priority investigations? Have you had a chance to either hear or read the evidence of those people?

Mr Lawrence : I have, and I certainly do not dispute the fact that communications data is a very, very valuable and important tool for both law enforcement and intelligence activities. What I am saying is that indiscriminate, society-wide mandatory data retention regimes have been proven to be ineffective. We are not in any way opposed to appropriately targeted surveillance. As I said, we believe that there are sufficient powers on the books already, particularly with relation to the data preservation notices that came in in 2013, to provide the ability for law enforcement and intelligence agencies to ensure that they are able to access this data.

Mr NIKOLIC: But these agencies do not agree with you. They are saying that it is insufficient at the moment. In your argument that what they have at the moment suits their needs, what is the experience of your organisation or you in counter-terrorism, counter crime or counter paedophilia operations to be able to make the judgement that what those agencies have at the moment is sufficient for their needs despite their absolute clear and unequivocal advice to this committee that that is not the case?

Mr Lawrence : I think it is entirely self-evident that I have no experience in counter-terrorism, counterintelligence or counter paedophilia. What I do have is access to research that has been performed in the European Union and the United States—

Mr NIKOLIC: No, I am not talking about research in Europe; I am talking about advice to this committee from agencies like the AFP that what they have at the moment is entirely insufficient, given the adaptive nature of the threat that we have seen—the resurgent threat of terrorism and paedophilia networks, which are becoming increasingly adaptive. Your evidence to this committee just a moment ago was that what they have is sufficient for their needs. So, I am searching, frankly, for how you would justify that. It must be on the basis of some more superior knowledge than that of the people who are actually conducting these operations.

Mr Lawrence : I am going to repeat my previous answer, Sir. We have looked at the experience of the European Union and the United States, where there has been extensive research done on these schemes, and they have been found, as we believe, to be unnecessary and disproportionate. That does not mean that we do not think that information should be kept on persons of interest. There are already very broad powers available to law enforcement and intelligence agencies to access that information right now. As you would be aware, in the year to June last year, I believe, there were something like 600,000 authorisations for communications data processed in this country. There is no shortage of information available to law enforcement and intelligence at this point.

Mr NIKOLIC: So, you would prioritise research, undefined at this stage, over the clear evidence of agencies involved in the conduct of these operations and keeping our society safe that what they have at the moment is insufficient. I understand your point.

Mr RUDDOCK: My understanding is that metadata is not used primarily in relation to proving offences against people of interest; it is in fact used to discover who might be of interest to undertake further inquiries. And when you eliminate that as a tool, there will not be anybody of interest.

Mr Lawrence : Okay. Was that a question, sorry?

Mr RUDDOCK: Well, it is a statement, with which I thought you may want to perhaps disagree. But I am simply asserting that metadata is used to discover who might be of interest.

Mr Lawrence : Certainly.

Mr RUDDOCK: If you take it away, who do they inquire into? They have nobody of interest.

Mr Lawrence : I think the problem with that approach is that if you take that to its logical extension it means that we retain everything about everyone, forever. And there has to be a limit. We are a free society. Australia, as I mentioned in my opening statement—not necessarily by design, because we do not have a lot of the civil liberties written into our Constitution that many of our friends in the US and the EU enjoy—is a very free, open, diverse, wonderful society. And I think we need to retain those elements.

Mr RUDDOCK: I understand.

Mr Lawrence : And particularly when you start to wrap it into issues such as section 35P, the anti-whistleblowing element of legislation that has already passed this parliament, I think there are genuinely dangerous threats to freedom of expression and privacy in this country.

Mr RUDDOCK: Well, there may be, but you argue this in terms of human rights.

Mr Lawrence : I do.

Mr RUDDOCK: I would put it to you that the right to life, which is a human right, is of fundamentally greater importance than the right to privacy.

Mr Lawrence : Absolutely, and you said so last time I appeared before this committee.

Mr RUDDOCK: So, in terms of counter-terrorism investigations, which are likely to protect people's lives, I would not want to lightly give it away.

Mr Lawrence : Of course the right to life is greater than the right to privacy. You said this to me the last time I appeared before this committee. And the reality is that, as I have said, there is an enormous amount of data already available to law enforcement and intelligence agencies. There are already very broad powers, as you would yourself be well aware, available to law enforcement and intelligence agencies. There are the data preservation notices, which allow them to order a telco or an ISP to retain both content and communications data on any person of interest for a three-month period—

Mr RUDDOCK: In relation to a person of interest.

Mr Lawrence : Our point is not that this information is not valuable; our point is that an indiscriminate, society-wide mandatory data retention scheme is a step too far.

Mr RUDDOCK: The inquiry that the agencies are interested in is how they identify those about whom they should make inquiries. It is level of connectivity that is often the key to identifying who may be appropriate to further investigate.

Mr Lawrence : I do not dispute that for a second.

Mr RUDDOCK: Can I just go to the two points in your submission where I could not find evidence to support what you were saying. Firstly, what would be a more efficient and inexpensive solution to achieving what the agencies need—that is, to identify people of interest—that you are suggesting is available?

Mr Lawrence : As I have said a number of times, there is already a great deal of information available to agencies. They already have power such as the data preservation notices to ensure that data is retained. The reality is that what we can loosely term as 'signals intelligence' will never be as powerful as the human intelligence that our intelligence agencies are really good at.

Mr RUDDOCK: I was also looking for objective evidence that you might be providing of the real possibility of data retention being misused.

Mr Lawrence : How long have you got?

Mr RUDDOCK: I read the submission.

Mr Lawrence : That is a fair question, sir.

Mr RUDDOCK: I am looking for the objective evidence of the data that is now retained being misused.

Mr Lawrence : Data is misused every day all over the world. We know from Edward Snowden that analysts within the National Security Agency in the United States routinely used this sort of information to stalk potential and current lovers. They even had a term for it. They called it 'LOVEINT'. They only know that by their own admission because people told them that they did it. There is no other mechanism for this to be detected. We know there is an example from, I believe, Ireland where a member of the Garda, their federal police agency, had done the same thing. They had used this sort of information to stalk a former lover. There is some evidence that Victoria Police has been, at least at some point in the past, infiltrated by bikie gangs. That sort of information being available to those sorts of organised crime figures is a very real and very serious threat to the security of all Australians.

Senator BUSHBY: Mr Lawrence, you have made the point that you accept that there is value in the use of metadata by law enforcement security agencies but that you think they have sufficient abilities now to deal with it. As I understand it, what we are talking about here is that this bill does not increase the powers of law enforcement and security agencies to access data—in fact, it actually tightens that up a little bit by, as you acknowledged earlier, refining which agencies can access the information. Do you acknowledge that it does not increase the powers to access; it just provides a more consistent dataset for a longer time than what might otherwise be available? Secondly, all of the data that will be required to be held under this bill by organisations is currently held, albeit in some cases only instantaneously, by those organisations at the moment? You don't acknowledge that?

Mr Lawrence : No. That point has been made a number of times, particularly by Steve Dalby from iiNet.

Senator BUSHBY: How is an organisation supposed to retain data if it doesn’t have it at any time?

Mr Lawrence : I think it is very clear. Let's of course remember that we do not have a finalised dataset, despite the fact that the Attorney-General's Department has been working on this issue for about a decade. We still do not have a defined dataset. I believe Telstra in their evidence just before me acknowledged that there is certain data that they do not retain for any particular period of time.

Senator BUSHBY: But it passes through. There must be data that passes through that they have in their possession, albeit instantaneously?

Mr Lawrence : Yes.

Senator BUSHBY: There is no data that will be required to be held that those organisations do not have access to at some point, even if they do not currently capture and hold it?

Mr Lawrence : Yes, I believe that is a true statement, but I am not sure how relevant that is.

Senator BUSHBY: I am just trying to establish a few things that are knowledge. So everything that goes through is something which those organisations could hold.

Mr Lawrence : They cannot just manufacture data.

Senator BUSHBY: No, exactly, or have to go out and find it somewhere else.

Mr Lawrence : No, that is fair enough, sure.

Senator BUSHBY: Currently, law enforcement and security agencies already have the power to access all of this data if it is available. Do you also acknowledge that there are business practices and new business models, particularly with the newer providers, which are built on models that do not require them to capture the same information that some of the more traditional providers are holding? Are you aware of the evidence from law enforcement and security agencies around their current abilities to access data which they have used in a number of cases we have had evidence of that have been key to resolving security and criminal activities? Their main concern is that that data, because of these changing business models, will not be available to them and in the future, when they go seeking this information and metadata that they do use usefully, it will not be there. As a result, there will be consequences in their ability to deal with security threats and to resolve criminal activities. Do you acknowledge all of that?

Mr Lawrence : I certainly do, yes.

Senator BUSHBY: So what is the answer if that data that is currently available or has in the past been available to and accessible by our law enforcement and security agencies is no longer available? Is there an alternative? You have mentioned some things, which we can get into in a minute, as to why that probably would not work, but is there an alternative to enable the law enforcement and security agencies to have access to the information they need to put together who might be persons of interest so that then they can go on to the more intrusive warrants to phone tap to look into content and all those sorts of things, to help them identify who to apply those more intrusive elements to? How do they actually get to that point without their metadata if those business models continue to the point where that data just does not exist for them to access?

Mr Lawrence : There are two points. I agree with everything you have said there. As the Attorney-General's Department itself points out in its submission, there is a long-term trend towards less and less of this data being collected by telcos and ISPs.

Senator BUSHBY: If I may, that, as I understand it, is the main motivation behind the law enforcement and security agencies requesting the retention of the data—because they are concerned that the data will not be there when they need it.

Mr Lawrence : Yes, that is understood. There are a couple of points I would make. One is that, as you point out, this is a long-term trend. There is nothing particularly urgent about this legislation that we are aware of. The other point is that I think we are in danger here of re-engineering the way we manage our society in order to increase the convenience of law enforcement and intelligence, and I am not entirely sure that that is the right approach. I think it has been very evident that access to communications data under the current regime has massively expanded in scope over time, particularly in terms of the range of organisations that are accessing it. We are all aware of the Victorian Taxi Directorate and Wyndham City Council and all those sorts of things. I think there is a definite trend here that this information is being accessed because it is easily available. To me, that is not necessarily a justification for why it should be. As I have said, we are not in any way opposed to appropriately targeted surveillance.

Senator BUSHBY: You mentioned that before. With appropriately targeted surveillance, the reality is that, if you actually have a person of interest of sufficient concern, there are more intrusive methods, and that is usually when they are utilised. You have identified somebody you believe there is an issue with and then you can go off and use the normal traditional methods to get search warrants or whatever—phone tap warrants and so on. It is the stage before that that the evidence to us suggests is so vital. It is the stage at which you know there is a problem with somebody and then you might use contacts that they have with other phones to piece together a network of persons of interest so that you can then go to the next stage.

It is the data that is available, which has previously and historically been retained, that has made that possible and which the law enforcement and security agencies are concerned might not exist in the future and therefore they will not be able to work out who is in that network of persons of interest to go to the next, more intrusive level. Being able to say that we can look at the data of persons of interest when they are persons of interest, as Mr Ruddock pointed out, is sort of putting the cart before the horse in a way because you do not know who they are. It is the ability to go back and piece together that puzzle that is so vital for law enforcement and security agencies in order to access it.

You also made the comment that this is changing society. That comes back to my earlier question. The data is all there, and we are only asking the old organisations to hold that data. It is not like it is going in and being trawled through and accessed; there are very strict protocols—and I think they are being tightened up under this bill as well—in terms of when you can access and what you can do with that information. In the absence of a law enforcement and security agency accessing that information under those very tight circumstances, it is just held by the provider for a longer period and a clearer more consistent set of data than they might otherwise have done. That is really the only change that is occurring. So I do not see how that changes society. You might care to explain to me how this is a fundamental societal change.

Mr Lawrence : It all comes back to the fact that this is an indiscriminate scheme. It mandates the collection and retention of information about every person in this country. That is our primary objection. As I have said, we are in no way opposed to appropriate targeted surveillance. At the core of the European Union's Court of Justice judgement against the European Union data retention directive was that it was invalid and incompatible with the European Charter on Human Rights, because of its indiscriminate nature.

Senator BUSHBY: Mr Lawrence, I hear what you are saying, but on the other side we have to weigh up the importance of this data in being able to address security issues and solve serious crimes. If the data is retained, what would make you more comfortable in terms of the security of that data? Is there some way that we can go forward to satisfy you and satisfy the security and law enforcement agencies?

Mr Lawrence : As I said, I believe that those powers already exist under the data preservation notice scheme.

Senator BUSHBY: Thank you.

Mr CLARE: Mr Lawrence, I appreciate that the view of EFA is that it does not support the proposed scheme. What I am keen to seek your views on is some of the reoccurring themes that come through all of the submissions that the committee has received to date. It seems to my mind that there are about half a dozen issues constantly raised in the submissions from industry and the general public. One relates to whether the definition of metadata should be in the bill or in regulation. Another deals with cost. Another deals with how long the data should be retained—two years or more or less. Another deals with security. That is a constantly reoccurring theme. Oversight is also raised, as are definitions of serious crime and law enforcement agencies and also the exploitation of this data via court order—and there may be one or two others.

They appear to me to be some of the reoccurring themes that we are seeing coming out of submissions. I am keen to seek your views and your organisation's views on those issues. You have mentioned some of them in your introductory statement. I will step through some of them. What is the EFA's view on the issue of the definition of metadata or the dataset and whether it should be in legislation or regulation?

Mr Lawrence : As I said, we firmly believe that, if this legislation proceeds, the dataset must be defined in the legislation. We believe that to do otherwise is to seriously undermine both the role of this committee and the role of the parliament generally.

Mr CLARE: On the issue of the amount of time that data should be retained, you made the point in your introductory comments that you thought two years was too long. Would you care to expand on that or express a view on an alternative for the committee to consider?

Mr Lawrence : In short, I would not, because I am not proposing this legislation. The reality is that those agencies and individuals that are advocating this legislation have completely failed to make any case for why two years is an appropriate length of time.

Mr CLARE: On the issue of security of data that is retained, in 2013 this committee made a recommendation that, if data were to be mandatorily retained, it should be mandatory that organisations encrypt that data. My understanding is the legislation is silent on that issue. Do you or does EFA have a view on what further steps should be taken to make this data more secure? I recognise your point that no data is secure once it is created. But do you have a view that you would like to express to the committee about what steps should be taken that have not been taken to date in relation to this legislation?

Mr Lawrence : Clearly, the encryption of data is an absolutely basic requirement. However, this legislation will result in the creation of what will be massive databases of very, very valuable personal information that will be honey pots to organised crime and to any sort of person that can potentially access it. Now, the scope of risk, for example, for systems administrators who must look after this data to be compromised in some way is very high. As Steve Dalby from iiNet said in a room not far from here last year, when asked about this, 'Look, we're a business; we're going to try and find the lowest cost option for storing this data,' and right at the moment the lowest cost option for storing data is in China. So there is a very real risk also—as this committee, I am sure, is only too well aware—of this sort of information being compromised by foreign intelligence agencies as well.

Mr CLARE: And I am very conscious of the fact that with security comes cost and that the more obligations parliament places on ISPs the more costly this scheme will be. I would not be misrepresenting you, I am sure, if I were to say that it would be your view that it is important to make this data as secure as possible.

Mr Lawrence : Of course.

Mr RUDDOCK: Encryption is costless, is it?

Mr Lawrence : Encryption is costless?

Mr RUDDOCK: Yes.

Mr Lawrence : No, not at all. Encryption adds very significant costs for a whole range of issues, such as processing power. I have a history degree; I am not a technologist—but there are processing costs, there are additional interface costs in terms of managing data and so forth. So encrypting data is far from costless.

Mr CLARE: One of the other things that this committee recommended in 2013 was a breach notification system. I have the report in front of me. Recommendation 42 included, inter alia, 'a robust mandatory data breach notification scheme'. That is another recommendation that has not been picked up in this legislation. I am keen to seek your views about the relevance of such a scheme.

Mr Lawrence : Absolutely. I touched on this in my opening statement. There was a very recent incident which I think bears out the need for this legislation, which was the hacking of the database of an Australian travel insurance company, Aussie Travel Cover, which resulted in the very personal details of hundreds of thousands of Australians being compromised—and of course insurance companies are one of the organisations to which people do tend to give very, very detailed information, for obvious reasons. That was an incident which was uncovered and reported in the press. What was interesting was that the company had actually made a conscious decision not to disclose to the affected customers the fact that this information had been breached. That, to EFA, is just unconscionable behaviour. We believe that it is good business for companies to treat their customers with due respect and to make them understand that they take their personal information seriously. This is increasingly becoming a competitive issue across a whole range of industries. People are generally becoming more conscious about the privacy and security of their data. What was also quite ironic is that this story broke on the same day that President Obama announced plans to legislate in the United States for such a mandatory data breach notification scheme.

Mr CLARE: This committee also recommended in 2013, at recommendation 42, inter alia, that 'an independent audit function be established within an appropriate agency to ensure that communications content is not stored by telecommunications service providers'. That was another recommendation of our committee that I understand the legislation has not taken up. Does EFA have a view on that?

Mr Lawrence : I believe there are certain circumstances, such as—not to labour the point too hard—where a data preservation notice has been issued, where storage of content and communications is required. Other than that, I genuinely cannot see any reason why a company would choose to do that.

Mr CLARE: I think that what was proposed—and I was not a member of the committee at the time—was that this independent audit function would be established within a government agency as opposed to within the ISP. My question to you is: would EFA support the recommendation proposed by this committee in 2013, which is that 'an independent audit function be established within an appropriate agency to ensure that communications content is not stored by telecommunications service providers'?

Mr Lawrence : Yes, we would support that.

Mr CLARE: Another recommendation of the committee in 2013 that the government has taken up in this legislation is 'oversight of agencies’ access to telecommunications data by the ombudsmen and the Inspector-General of Intelligence and Security'. This is something that I understand the government has taken up in this legislation, but I am interested in the views of EFA, about whether they think that is the correct oversight model for a proposed scheme such as this.

Mr Lawrence : I think it is self-evident that additional oversight and additional resourcing of oversight is required. To be fair, the government has recognised that, but it still remains the case that the Inspector-General of Intelligence and Security has, I believe, 11 staff, which does not strike me as a whole lot of oversight going on. I do not believe that there is much proactive oversight on the part of that body. That may be something that could be addressed. I note that Mr Dreyfus has supported calls for the powers of this committee to be expanded to include the ability to look at operational issues in line with the equivalent committee in the United Kingdom's House of Commons. We would certainly support that. It is very important that this committee has real power to provide that sort of parliamentary oversight and scrutiny that is, I would suggest, more important in the context of particularly secret intelligence activities than it is in many other contexts.

Mr CLARE: Finally, I go to the issue of access to metadata through a court order for the purposes of civil litigation. I am conscious that you may or may not have an answer to this question, but it is one that vexed this committee when we last met and it will be the subject of further questions to a number of organisations giving evidence over the next two days, I am sure. Whether it is piracy and copyright infringement, or whether it is health care companies using information acquired via your Fitbit to determine how many steps you took each day, there are legitimate questions about how this data could be used through the court system. No-one has presented an answer to this committee yet about whether or not any changes should be made to limit that, or whether that is a good or bad thing. My final question to you is, does EFA have a view about that?

Mr Lawrence : Yes. You have touched on the issue of alleged copyright infringement. In 2014 we have already seen the emergence in this country by the creators of the movie Dallas Buyers Club of the rather dubious business practice of what we might call speculative invoicing. That is a business practice that is fairly rampant in the United States. The creation and retention of this information for a two-year period will absolutely enable the expansion of that activity. We do not believe that that is in anyone's interest.

I will preface my remarks by saying that I am not a lawyer. I am not aware of how the parliament could legislate away the ability of a competent court to issue a subpoena or court order, or whatever the proper terminology is, that would enable access to this information. I think it goes back to the earlier point I made about these databases being honey pots. They will be equally as attractive to hackers as they will be to commercial litigants.

Mr DREYFUS: Have you seen a finalised data set yet?

Mr Lawrence : No. I would be happy to write one for you!

Mr DREYFUS: As I understand it, your recommendation to the committee is that the bill be withdrawn, but, if it were to proceed, there should be a definition of the data set out in the legislation.

Mr Lawrence : Absolutely.

Mr DREYFUS: I thank you for the detailed submission you have provided to us, because it means we have in writing from you a detailed position. So, in view of the time, I am going to restrict myself to a couple of things that I want to tease out. The first relates to something on page 3 of your submission. It is a particular recommendation you have about the bill's provision 187C(3). That provision reads:

This section does not prevent a service provider from keeping information or a document for a period that is longer than the period provided under this section.

I raise this because we have just heard from Telstra a very clear exposition of their responsibilities under the privacy legislation, which is that they are prohibited from keeping information any longer than they need it for the business purposes for which they have collected it, and that they honour that obligation and propose to continue to honour the obligation. Is that the context in which you are suggesting that this section simply should be deleted?

Mr Lawrence : Yes.

Mr DREYFUS: Given that it simply says 'This section does not prevent a service provider from keeping …' in your view does the provision do harm by being there? In other words, what we have here is a statutory provision that imposes an obligation to keep information. It forces telecommunications companies to keep information that is to be prescribed by regulations—so you cannot tell from the bill what it is that is to be kept. But then it goes on to say that it does not prevent keeping it for longer. What is your objection to that provision?

Mr Lawrence : Because, as you have touched on primarily, it almost directly contradicts the Australian privacy principles. But, as you say, it may not be of significant harm for it to remain there.

Mr DREYFUS: And the other point that you have made here is the need for the list of agencies to be named. Are you able to speak to that for a moment—as to why it is that you think that there should be a complete list of agencies?

Mr Lawrence : As I said earlier, I think that is one element of the legislation that we do welcome, which is restricting the list of agencies that are able to access communications data. Our concern is that there is a big kind of 'but' statement at the bottom of that page, which says essentially 'or any other agency that the Attorney chooses to appoint or to add to that list at any time'. We believe that that process, in the same sense that the dataset should be defined by legislation, should be something that is subject to proper parliamentary oversight and scrutiny.

Mr DREYFUS: And the final point I want to tease out is that you have here, in the submission, a concern expressed about the supposed exemption that is provided on the face of it by 187A(4) for content. Are you able to explain further what your concern there is in that regard? You have described it as a supposed web-browsing history exception.

Mr Lawrence : Our general concern is, firstly, that we are yet to see a finalised definition of the dataset, which is obviously a massive problem. We believe that a political decision has been made that web-browsing history must be excluded from this scheme. We believe that that is probably quite a sensible political decision, because it would be deeply, deeply unpopular within the society, and our current Attorney-General is on record as saying that when he was a member of this committee in the last parliament. What we see, however, in the drafting of the legislation is a number of really quite serious inconsistencies and contradictions, which flow from this desire to exclude web-browsing history. And we have genuine concerns about the level of technical understanding of some of the people involved in drafting this legislation. It does tend to suggest that web-browsing history is intended to be included in the dataset at some point, and at the moment this is a political decision that has been made to exclude it. So, really our point there is that these schemes, by their very nature, as history tells us very clearly, tend to expand over time, often quite quickly. We would expect that this rather difficult and awkward exception for web-browsing history would potentially, at some opportune moment in the future, be quietly removed and that that sort of information on all Australians would be retained. And there are serious issues in the legislation even about things such as defining what the term 'communications' means that we have genuine concerns about.

Mr NIKOLIC: Perhaps I could ask a follow-up question on that. How do you quietly and surreptitiously amend legislation?

Mr Lawrence : Well, that is our point. It would not be in the legislation. As the legislation is currently drafted, the dataset would be done by regulation.

Mr NIKOLIC: Or regulations that are subject to disallowance. How would the government surreptitiously change the regulation to include web-browsing history? How would they do that surreptitiously and quietly?

Mr Lawrence : To be frank, at the moment, the way the legislation is written, we are not entirely convinced that it is excluded.

CHAIR: Thank you for giving evidence at the hearing today. You will be sent a copy of the transcript of the evidence, to which you may suggest corrections. If you have been asked to provide any additional material, please forward it to the secretariat as soon as possible. If the committee has any further questions the secretariat will write to you. Thanks, Jon.

Mr Lawrence : Thank you.