Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Joint Committee on Intelligence and Security

PFEFFERKORN, Ms Riana, Private capacity

Evidence was taken via teleconference—


CHAIR: I now welcome Ms Riana Pfefferkorn, a cryptography fellow at the Stanford Law School. Do you have any comments to make on the capacity in which you appear?

Ms Pfefferkorn : I'm appearing here today in my personal capacity as a researcher who's spent several years studying surveillance cybersecurity and encryption law and policy. I don't represent Stanford University, Stanford Law School or the Stanford Center for Internet and Society.

CHAIR: Thank you very much for appearing this morning and for your very detailed submissions. Although the committee does not require you to give evidence under oath, I should advise you that this hearing is a legal proceeding of the parliament and therefore has the same standing as proceedings of the respective houses. The giving of false or misleading evidence is a serious matter and may be regarded as a contempt of parliament. The evidence given today will be recorded by Hansard and attracts parliamentary privilege. I now invite you to make a brief opening statement before we proceed to discussion.

Ms Pfefferkorn : Thank you to the committee for inviting me to testify via telephone today, and thanks for heeding the feedback from the previous hearing about the very short notice for which witnesses were invited to testify. The longer that witnesses have to prepare, the better the job that we can do when we appear before you. I especially appreciate the opportunity to submit some comments about the United States' new CLOUD Act at the committee's request, and I'd be happy to talk about that topic more if that's what the committee is interested in. I know Mr Dreyfus asked the previous witness about it.

I want to start though by taking a step back to question the necessity for this bill to be passed, at least in its 172-page current form. It's not clear whether the alarmingly broad powers that it seeks for Australian agencies are really called for. What are the specific problems that this bill is trying to solve and how big are those problems? Do they merit the serious trade-offs to multiple crucial interests that the bill would entail if passed as is? Would the bill actually solve the problems it's supposed to solve, and are there other, more narrowly drawn means to accomplish the agency's goals? Might those goals be achievable under current law or with modest changes if the agencies get more resources and training and better coordination with the technology sector?

On these questions, the American experience may be helpful. US law enforcement agencies do not tend to focus on the ultimate goal of effectively preventing, solving and prosecuting crime. Instead, they focus on how many devices they can't open and how many messages they can't read. But that's not the proper yardstick. The correct focus is on whether law enforcement can ultimately do its job of disrupting plots and seeing criminals brought to justice. If your agencies can do that even where they can't access encrypted data, that undercuts the asserted need for this bill. As Mr Weitzner adverted to, there is a wealth of other digital evidence sources from location information to cloud backups to the Internet of Things that are still available to help solve crimes, even in an age of ubiquitous encryption. Thus I urge you to ask the agencies for better information about outcomes, because that will help you to evaluate how much of the bill is really necessary.

So is it possible that law enforcement can solve its problems or get most of the way towards fixing them without this bill, given the proper resources, education and coordination? Again the US experience is illustrative. A recent report from a US think tank surveyed federal, state and local law enforcement across the United States. What it found is that the biggest challenge investigators say they face concerning digital evidence gathering is not encryption. Rather, the No. 1 problem was identifying which provider would have the relevant evidence in the first place. The No. 2 problem was the difficulties they encountered in approaching providers, finding out what data was available and getting that data without long delays in a usable format. It does not take this sweeping bill to address those issues.

What's more, this bill would entail significant negative trade-offs. You have heard from the public, and you will hear from further witnesses today, about the bill's potential impact on the cybersecurity of Australian individuals, businesses and the government itself. The bill also implicates national security, economic growth, trade in innovation, and personal rights. The irony is that, for all that downside, the putative upside might not be worth it. The bill cannot guarantee that agencies will catch the kinds of sophisticated criminals and terrorists who are savvy about their use of encryption and other security measures. They are the justification for this bill, but even top US law enforcement officials have acknowledged that sophisticated bad actors will always find the means of communicating securely, even if a bill like this is passed into law. By making it illegal for providers to offer the very best security they can to their Australian users, you'd be making your constituents more vulnerable than they are now to the very criminals who seek to prey upon them, such as organised crime rings, ID thieves and cyberstalkers. You would be making it the law of the land that innocent, law-abiding Australians have worse security than criminals do.

Finally, I want to say how troubling I found the testimony by Home Affairs representatives during the previous hearings. They insinuated that public comments weren't 'appropriate for consideration' unless they provided specific feedback on specific language in the bill and suggested specific amendments. No government official in a democracy should be heard to say that the opinion of a member of the public is not appropriate for consideration. It is legitimate to express concern about the bill as a whole, to say it shouldn't be passed in any form and that it's not enough just to change a word here or add a phrase there. To analogise to a recent example from the United States, that's like saying it isn't legitimate for a member of the American public to oppose a policy of putting little children in internment camps full stop; it's only legitimate to quibble over the specifications for the size of the cage. Narrowing the definition of what is an appropriate way to talk about a topic narrows the discourse. It channels the conversation into the framing preferred by the party seeking to control the discourse. It shapes people's very thinking about that topic. And, if someone can get you asking the wrong question, they don't have to worry about the answers. And, finally, that kind of narrowing of discourse stifles opposition. There's a saying: 'No is a complete sentence.' Fifteen thousand members of the public took a look at this bill and said no. That concludes my opening remarks. I welcome the committee's questions.

CHAIR: Thank you very much, Ms Pfefferkorn. I want to go to the supplemental email that you submitted on 13 November. In it you write about the CLOUD Act, how this bill intersects with the CLOUD Act and specifically the mutual legal assistance treaty or process that currently stands between Australia and the US and that has been in effect since 1999. Could you provide your views on how the US Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, intersects with the access and assistance bill?

Ms Pfefferkorn : I've set forward some of my principal thoughts in the supplemental submission that I made. I had a few different principal points to make there, and those include that there are a few different parts of the CLOUD Act that I think have a significant interaction with the bill as currently drafted. Principal among those that I might like to focus in on is on the requirements of independent judicial oversight. I think there's been some back and forth between the Home Affairs representatives in their supplemental submissions that they had made following the previous hearing about the extent of judicial oversight for TCNs and for TANs. I just wanted to reaffirm the comments that I had made in my comments on the CLOUD Act, and to say that I think that, absent some clearer authority and better judicial oversight of TCNs and TANs, I'm not sure that those would be eligible to be served at all through any agreement under the CLOUD Act on US providers directly.

CHAIR: Thank you very much.

Mr DREYFUS: Thank you, Dr Pfefferkorn. It's refreshing to be talking to someone from a country that shares the robust democratic traditions of our own. Just on the CLOUD Act to start off with, mechanically—I'm trying to do this in a shorthand way—at the moment we've got mutual legal assistance processes that are very slow. Potentially, if Australia were able to enter an agreement with the United States under the CLOUD Act, it might mean much quicker access to data for an Australian agency. Is that a correct description? That's a very broad question I know, but I'm just trying to get the frame for this.

Ms Pfefferkorn : That's the intent for which the CLOUD Act was passed. There had been significant frustration on the part of foreign law enforcement agencies in terms of the delays in the processing of MLAT requests. I've heard of those delays averaging as much as eight or 10 months in some situations, which obviously is not compatible with what can be very pressing and urgent needs in investigations. I think the source of those delays was attributable to a few different factors. One might be that the US Department of Justice is responsible for processing those MLAT requests and I suspect they are understaffed and there are just not enough people to handle the volume. Of course the United States has MLATs not only with Australia but also with a number of other countries, so you can take one country's volume of requests and multiply that by however many countries.

Another would be that there are requirements under US law, the so-called Electronic Communications Privacy Act, that I described a little bit in my submission, with which other countries might not be familiar—understandably they're not going to be experts in US law regarding communications privacy—and so there would often be a back and forth process, as is my understanding, between the United States and the other country in trying to say, 'This isn't compliant with these particular provisions.' Or there's a blocking statute in place—the bigger problem being that absent basically domesticating a request through a US court, there's a process under federal law for which the DOJ can bring those requests to a US federal court and process them that way—that prior to the passage of the CLOUD Act flatly prohibited disclosures by providers to non-US governments. So the idea of the CLOUD Act would be to streamline that process by removing the middleman, as it were, which serves a number of ways of expediting these requests, although of course it also has some consequences for the lack of prior review by the DOJ to ensure that the request is consistent with our constitutional requirements and the requirements of our substantive law and the absence of any prior oversight by a court that could be reviewing these as well.

Mr DREYFUS: So it's potentially quicker. Could I just clarify a language point. When you use the word 'data'—or 'dahtuh', as we might pronounce it here—are you referring to content? You use the word 'data' a lot in your three submissions. Are you referring to content, or to what has been called metadata or the external telecommunications data, or to code—or perhaps all three?

Ms Pfefferkorn : I'm not referring to software code. I don't think the act necessarily contemplates the sharing of a provider's source code in their software with a foreign government; it's mostly intended to address disclosures of, as you said, communication content as well as metadata. The Electronic Communications Privacy Act includes particular titles and sections of that statute that govern both, and the CLOUD Act adds provisions to both the metadata provisions of the ECPA and the communications content provisions of the ECPA to permit for disclosures to foreign governments subject to a CLOUD Act agreement.

Mr DREYFUS: Going back to the CLOUD Act agreement, then, in order for Australia to have an agreement with the United States under the CLOUD Act, which we don't presently have, there would need to be a certification by the United States Attorney General, with the concurrence of the United States Secretary of State, that the government of Australia and our legal system affords—I'm going to quote from the CLOUD Act—'robust substantive and procedural protections for privacy and civil liberties'. Following that certification, there's a further process where congress—either house—would be able to object to the certification within 90 days. Have I correctly described the CLOUD Act process there?

Ms Pfefferkorn : Yes, that's approximately right.

Mr DREYFUS: Thank you. I'm doing my best as a former Australian lawyer. Can I ask you for your opinion on whether or not this legislation, this bill that this committee is now looking at, would, to use the words of the CLOUD Act, afford 'robust substantive and procedural protections for privacy and civil liberties' for the purposes of the CLOUD Act to make it suitable or possible for Australia to enter a CLOUD Act agreement or to have such an agreement ratified by congress?

Ms Pfefferkorn : To clarify the question, Mr Dreyfus, are you asking for my opinion or are you asking for what I think the opinion of the United States Attorney General might be?

Mr DREYFUS: Both, if they're different.

Ms Pfefferkorn : I think they are different, in that I share the reservations that have been expressed by multiple other public commenters about the privacy impacts and civil liberties implications for the statute. As I said, I think the bill as proposed is very broad and could potentially be very intrusive into people's privacy and into their ability to communicate with each other privately and confidentially. There are concomitant effects on speech when people think that they are being watched or spied upon—there is a chilling effect on their willingness to speak their minds and express themselves. I think you'll hear from other witnesses later today about the potential human rights implications of the bill as well. I have reservations about the bill.

That said, I think that my opinion is not likely to be equal to that of the US Attorney General—whoever our Attorney General might be by the time Australia decides to enter into a CLOUD Act agreement with the US; it's a little bit up in the air right now, as you might know. But I digress. I am not sure whether the bill would realistically prove an impediment to a CLOUD Act agreement in light of the facts on the ground, which are that the United States and Australia are very important allies and partners to each other, particularly in the context of the Five Eyes intelligence-sharing organisation.

Mr DREYFUS: What about the prospect of getting such a hypothetical agreement between Australia and the US under the CLOUD Act through the congress, which is another part of the process?

Ms Pfefferkorn : I think that the way that the CLOUD Act is drafted sets up a negative option for congress, where the easiest option is always to do nothing, so, unless congress objects within this 180-day period and passes a resolution of disapproval, it's my understanding that the agreement would come into force after being approved by the Attorney General with the Secretary of State's concurrence. Just as a procedural matter, the way that the law is set up would be to make it very easy for agreements to come into effect without necessitating any objection or action by congress at all.

Mr DREYFUS: I'm trying to get from you an assessment of whether or not there's likely to be objection or resistance from congress. Leaving aside the very difficult question of what the current US Attorney General or the acting US Attorney General might do, what would congress do in respect of an agreement with Australia?

Ms Pfefferkorn : It's my hope that congress would take seriously its duty to scrutinise to make sure it's satisfied that the privacy, civil liberties, human rights and rule-of-law protections of Australian law are all up to snuff as far as the CLOUD Act is concerned. We're just switching in quite a few brand-new members of congress, whose inclinations I don't yet know. I appreciate that this is a bit frustrating for you, but I'm hesitant to speak on their behalf or divine what's in their minds. As I said, the situation being that we are very close allies and that there is an important partnership between our two countries in especially the intelligence context, it would be a little odd for us to say, 'We're happy to be partners with you in the Five Eyes, but we're not going to let you have a CLOUD Act agreement, because we don't think your privacy laws are up to snuff.' That would be a bit strange.

Mr DREYFUS: Do you think there are ways in which this bill that the committee is examining might be improved or amended so as to make it more likely that Australia can secure an agreement under the CLOUD Act?

Ms Pfefferkorn : That's a difficult question. It's quite a complex bill with a number of different elements to it, and I've expressed that I have reservations about the thing as a whole. At the very least I would say that it might help not to threaten to fine people $50,000 if they refuse to unlock their phones for you; it would help not to fine a company $10 million if they refused to assist; and it would probably be helpful not to undermine security, as the previous witness said and I think other witnesses will say, because of the effects that I mentioned on people's ability to communicate privately and to feel that they can express themselves freely. I regret that that's a bit of a high-level comment rather than suggesting particular tweaks to each and every page, but I'm not sure if the amount of time we have here today would accommodate going through bit by bit.

Mr DREYFUS: You've made the point at page 7 of your 13 November supplementary submission that, even if Australia might reach a CLOUD Act agreement with the United States:

Australia cannot … compel … what Congress expressly said U.S. law enforcement agencies cannot compel. Any executive agreement with Australia is flatly barred from—

and you quote from the US law—

creat[ing] any obligation that providers be capable of decrypting data.

Can you tease that out? Even if we have a CLOUD Act agreement, it doesn't matter what an act of our Australian parliament says, because the US act prohibits, as you say, an obligation that providers decrypt data.

Ms Pfefferkorn : As I tried to explain in the submission—and thank you for your attention to it—this would give US providers the option but not the obligation to comply with requests from foreign governments to disclose data. To try to tease out the difference here: the CLOUD Act would not compel a US provider to decrypt data. As the terms of the act say, the source of any obligation to be put upon the US provider would have to come from Australian law. If Australian law under this bill were to permit Australian authorities to serve on a United States provider an order saying, 'You have to decrypt data under Australian law,' the CLOUD Act does not force that to be complied with. I'm having trouble explaining the distinction here, but I hope you can follow that. The obligation would be there under Australian law, but it's not guaranteed, as I tried to explain in my submission, that the US provider would necessarily choose to comply. As I mentioned, there are some significant penalties in the bill, up to $10 million for noncompliance, which might provide an incentive, but, as I've said in my submission, it's going to be about individual companies making the decision: do they want to stay in the Australian market? Do they want to comply with particular requirements for building in the Australian market? Would they choose to comply with this notice? They still are able to stand on their own two feet under the sovereignty of US law in bilateral agreements, as I think Mr Weitzner was talking about. It would not be compulsory under the CLOUD Act to comply with a demand made under the bill.

Mr DREYFUS: I have one last question, just because of the shortness of time, and I thank you again for the three very detailed submissions you've now made to assist the committee. In the broad, are you able to describe how governments of other countries, in particular the United States, have responded to the increasing use of encrypted messaging services by criminals?

Ms Pfefferkorn : I'm not able to answer as to countries other than the United States, but I would reaffirm what Mr Weitzner said during the previous questioning about the uses that the United States government has made both of developing in-house tools for getting around encryption on devices or on communication and of hiring capabilities or buying outright the abilities to make use of vulnerabilities in existing commercial off-the-shelf products such as smartphones, for example, to get around the security measures and encryption on those phones. That's one means that has been undertaken.

I might also potentially look at the government of Germany. I have a little bit of familiarity with how they have been responding to the challenges of increasing encryption of communications data and devices. They have put a lot of resources into building a government sponsored and funded centre. I can't tell you the German word for it—being German, it's very long and hard to say—but they have invested a lot of resources into building their own in-house capabilities to look for and find means of getting around encryption and have been pretty aggressive in hiring a lot of talented people to help them to do that. That is pursuant to what the Germans generally call a policy of security through encryption and security despite encryption. They recognise that strong encryption is vital to protecting German economic interests, national security and the individual fundamental rights of its citizens, and they nevertheless say: 'We're not going to pass a law that would require the undermining of encryption. We're not going to disincentivise German industry from providing the best security they can. In order to satisfy our law enforcement needs, we're going to develop resources in-house to exploit the inevitable weaknesses that will always occur in software and hardware products.'

CHAIR: Thank you very much for making the time to participate in the hearing today and for your submissions. If you've been asked to provide any additional information, would you please forward it to the secretariat by 9 am on Wednesday, 28 November. You'll be sent a copy of the transcript of your evidence and will have an opportunity to request corrections to transcription errors.