Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Joint Committee on Intelligence and Security
Potential reforms of national security legislation

McDONALD, Mr Geoff, First Assistant Secretary, National Security Law and Policy Division, Attorney-General's Department

RICE, Mr Andrew, Assistant Secretary, Cyber and Identity Security Policy Branch, Attorney-General's Department

ROTHERY, Mr Mike, First Assistant Secretary, National Security Resilience Policy Division, Attorney-General's Department

SMITH, Ms Catherine Lucy, Assistant Secretary, Telecommunications and Surveillance Law Branch, Attorney-General's Department

WILKINS, Mr Roger, AO, Secretary, Attorney-General's Department

WILLING, Ms Annette Maree, Assistant Secretary, Security Law Branch, Attorney-General's Department

Committee met at 10:05

CHAIR ( Mr Byrne ): I declare open this public hearing of the Parliamentary Joint Committee on Intelligence and Security inquiry into potential reforms of the national security legislation. Today the committee will take evidence from the Attorney-General's Department. Although the committee does not require you to give evidence on oath, I remind witnesses that this hearing is a legal proceedings of parliament and warrants the same respect as proceedings of the House and the Senate. The giving of false or misleading evidence is a serious matter and may be regarded as contempt of parliament. The evidence given today will be recorded by Hansard and will attract parliamentary privilege. I invite you to make some brief introductory remarks before we proceed to questions.

Mr Wilkins : I think this is the first time we have had an opportunity to talk with the committee in a public session so it might be useful to make clear just what the exercise we are involved in is fundamentally about. As I have said to the committee previously, I do not want to overstate it or understate it. The basic values that underlie the telecommunications interception legislation are not being changed or altered, and it is not proposed that they be changed or altered. We consider that, fundamentally, there is a prohibition on people intercepting other peoples telecommunications, and then there are various exceptions to that rule. Fundamentally, it is a privacy piece of statute, and we are not proposing to alter that proposition. If the exceptions are based around law enforcement and national security, there is no intention of altering that basic proposition.

In order to gain access to the content of people's telecommunications, you need a warrant issued by an independent judicial officer or, in the case of security agencies, in the appropriate manner. No change is being sought to any of that. In the case of non-content data, which I will come to in a moment, that is currently available under the appropriate authorisation. It is not suggested that any of that be changed. So what is being changed? It is basically about trying to bring the legislation up to date, to the 21st century, and change some of the underlying presuppositions about the way in which telecommunications work. I have made available to the committee, and we have also made publicly available, a diagram setting out the distinction between what the world looked like in 1979 and what it looked like in 2010—and I am not going to prognosticate what it is going to look like in five or 10 years time. You can see that, in 1979, it was a very simple world where there was a one-to-one match between a user and a telecommunication service, more or less. In 2010 there was a huge number of devices and a huge number of service providers, so for law enforcement agencies or intelligence agencies to obtain the same sort of information it would require maybe 60 or 70 warrants where it previously needed one or two. So the issue, really, is to try and render the legislation technology-neutral going forward, to simplify the legislation and to make it business-model-neutral as far as possible.

I just wanted to put that on the table because there is not a huge amount of other things that we would want to be doing with this legislation. As I say, the fundamental values underlying the legislation are sound. What is out of date, what has changed, are not the values that underlie the legislation but the world itself and the nature of telecommunications. The idea is to try and make it technology-neutral and to try and accommodate different business models as they develop. That is really what the changes are about.

I can talk a little bit, if it is useful, about content and noncontent because I think that is, in a way, the hinge of this discussion, as I judge it, from public discussion and discussion among agencies et cetera. It is a very important distinction. As I said, if you want access to content, you have to get a warrant and you have to do that through a judicial officer, except in the case of intelligence agencies. They have to go through a warrant process of the sort that has been accepted over a period of time, and developed over a period of time, which is also subject to the IGIS review. Non-content data is in a different basket and a different regime. It is available to law enforcement agencies and intelligence agencies if it is properly authorised under the legislation by a senior officer. There are tests and requirements around that, but it is a more streamlined process than the one where you have to go before a judicial officer and get a warrant.

So what is the difference between content and noncontent data? We have provided to the committee a definition of telecommunications data. Chair, I wrote to you with a copy of that, which has also been made public through the Senate estimates process—and I think Senator Brandis may be aware of that, too. That document attempts to set out our current practice in relation to the way in which we administer the current legislation, which is a fairly conservative type of administration. From our discussions with the AFP, ASIO and the ACC about what they would expect in terms of a definition of metadata, or noncontent data, and from our interpretation of best practice overseas and in other areas and other jurisdictions, it is essentially, as we have said, information that allows a communication to occur or information about parties to the communication but it is not about what they said to each other or what the content of the communication is.

For example, there has been some discussion in the media about URLs, which I understand are basically unique identifiers of a communication device or a communication. In the Senate estimates committee we said that, as far as web surfing is concerned, if you want to get that information you need to get a warrant. The reason for that is that the type of URL, or address, that would be revealed in terms of web surfing does give some indication of the content. So, if you are going to Pete's Pornography store or Amazon, it gives some idea of the nature of the communication and the content of the transaction. So that URL would not be available unless you got a warrant. On the other hand, an email address is of a different sort. That is an important distinction to make.

We have interpreted the legislation as it currently exists and we would propose to this committee and the government that we continue to interpret the legislation and draft it conservatively so that, in cases where you could infer the nature of the communication from the address itself, it would require a warrant, it would require more than an authorisation. It means that law enforcement agencies, intelligence agencies, that want access to somebody's web surfing activities over the past six months are going to have to get a warrant; they cannot rely on an organisation. If, on the other hand, it is just email traffic of a discrete sort that they wanted to get access to, they could do that under authorisation, they would not require a warrant. I think that is an important clarification to make, and that is based on the way we currently interpret the legislation.

Senator BRANDIS: Is the document you are referring to which was tabled in Senate estimates the one-page document that was also attached to your letter to the chairman on 17 October?

Mr Wilkins : That is correct, Senator.

Senator BRANDIS: And it is the document entitled 'Definition of telecommunications data'?

Mr Wilkins : That is correct. There was one other comment I wanted to make apropos requests around what information the department has that might be available to the committee. I was asked to have a look into the nature of the information. Unsurprisingly, the department has done a lot work thinking about these issues. Most of it—in terms of preparation of papers, draft legislation et cetera, of which there are lots and lots of bits and pieces—is subject to cabinet confidentiality. There is a report which was by a task force which is not subject to cabinet confidentiality and which, at an early stage, attempted to set out some of the issues around the legislation. That report could be made available to the committee if that is of some assistance; it has been overtaken by a lot of events but it could be made available.

CHAIR: Thank you for that. Does your definition of what constitutes metadata—and I hope this is the final definition—rule out URLs?

Mr Wilkins : I think 'URL' is an unhelpful expression. Our definition does not use the expression 'URL'; it uses different words. It talks about 'information that allows a communication to occur'. It mentions the 'internet identifier' as 'information that uniquely identifies a person on the internet, assigned to the user by the provider'. The internet identifier is a URL. URLs are other things as well; but that, if you like, is at least a subset of URLs. We have, if you like, abandoned the use of the term 'URL'. I have told my guys that I would like this in ordinary English, if they would not mind, so this is as close as I have got to ordinary English.

CHAIR: We have been struggling for three months to get that. The submissions and some of the evidence we have received in terms of URLs is that it is impossible to extrapolate what is the identifier of the address, from the content. So my question to you is: with this interpretation of metadata can you give an unequivocal guarantee to those who are concerned about this that whatever we identify as a URL does not have content in it?

Mr Wilkins : For a lot of URLs, if they do have content, you will need to get a warrant.

CHAIR: But how do you get to the point where you are harvesting metadata? The contention of the people who are concerned about this is such that, regardless of whether or not you want to do it, when you are extrapolating the data, the sites you have visited automatically you cannot disaggregate them. You will know that. That will then give you a guide as to whether or not you need to issue a warrant. In terms of harvesting that information, the content will automatically be there. So the question is: what is the safeguard that prevents you from accessing that content?

Mr Wilkins : I will ask Catherine Smith to fill you in on how that works.

Ms Smith : We have heard that evidence as well from one provider. The providers that we have talked to, when we have talked to them about extrapolating this type of information, do not say that that is accurate. We have also looked at the European experience and we understand there are many vendors out there who have created technology that is currently in place in many telecommunications networks, both in Australia and overseas, that can very effectively do that job.

But the safeguard is that a law enforcement agency has to satisfy internally that they are seeking information that would fall within a definition of data, and it is very clear that they cannot ask for anything that is content. The final decision on that is with the industry player, and if they cannot extrapolate data from content, then they cannot disclose that. In relation to data retention, there has never been a suggestion that it would be anything to do with web browsing where this problem has been identified.

CHAIR: For you clarification: I had a discussion with representatives from a major telecommunications company the day before yesterday, in which they said this was a problem and that this is an increasing challenge; as the technology evolves the capacity of these people to capture that data and to keep it separate becomes less and less.

Ms Smith : Obviously I am not privy to those conversations, but the conversations we have had with industry and with the vendors, who are very keen to actually develop solutions for this, have told us—and we have talked to vendors as recently as this week who are doing that kind of technology both for providers in Australia and in the UK. They have told us that they can. Obviously law enforcement will come to a standstill if there are occasions where they cannot access information without content, so they will have to be satisfied that they cannot access that information.

CHAIR: Can you appreciate the public concern and particularly the public debate that there is now, because of the evolving technology? Because of this increased amount of data and the difficulty in extrapolating that data, the public has some measure of concern about their privacy. So we are giving them an assurance that everything is going to be okay, but the committee needs to satisfy itself that there are privacy provisions that protect. In my view, if you are going to harvest additional information, there has to be additional privacy protections. And can I say, from a personal perspective, what you just told me in terms of privacy protections I do not think would provide a lot of comfort to the public that would be listening to your evidence right now.

Mr Wilkins : The ultimate protection is that law enforcement agencies will need to get a warrant if they want that type of information. So that is the current requirement. It would be the new requirement. If they want to get this stuff, they are going to have to get a warrant as soon as it begins to disclose content—

CHAIR: I would contest that. The issue is: how do you know if the information is not being used properly? What sort of assurance is there? You can say, 'Well, we'll get a warrant,' but, if you look at the administration of some of the powers that are given to agencies, there is an oversight mechanism. There is IGIS. There is a whole range of mechanisms. When there was the questioning of detention powers, there were a whole series of provisions that were built in to provide safeguards that would satisfy the public with the granting of those powers. The fact that we are asking telecommunications companies to keep data for two years of a specific dataset and just saying that privacy will be protected. I think that is a concern. Given that you are advertising that you are keeping a specific amount of data, I think the public would have justifiable concerns about whether their privacy was being protected. From what I have heard so far, I am not satisfied that there is an independent mechanism which would provide satisfaction to the public that their data was being protected.

Mr Wilkins : We are talking here about law enforcement agencies accessing this data. If they want to access the data, they have to do it under authorisation and they have to do it under warrant. These are surveilled by the ombudsman. These are surveilled by ACLEI, if people make allegations about corrupt activity.

I do not see why the existing systems could not be adapted, maybe, to deal with these issues. What I have tried to say is that we are not proposing a different regimen from the one that currently exists. Yes, the volume is changing, but presumably the Privacy Commissioner could look at this under the new privacy principles as well to make sure it falls within the law enforcement carve-out and exception.

Mr RUDDOCK: Broadly, on the privacy issue, there is a Privacy Commissioner but privacy issues are with the Attorney-General's Department as far as government oversight and administration? There is no other department that deals with it?

Mr Wilkins : That is right, they are with us—well, the Privacy Commissioner. The policy issues are ours, that is right.

Mr RUDDOCK: I hear the argument about proportionality, and I understand that; you have got to weigh up whether the capacity to prosecute certain types of offences outweighs people giving up some of their privacy. I look at your submission—it endeavours to quantify the evil of criminal activity, breaches of security, the sorts of prosecutions where this occurs—and I ask myself, 'Does the public want us to have those matters pursued in order to protect them?' I come to that conclusion that yes, they do. Then I come to a view about privacy: does the public broadly want their privacy to be protected? I suspect that they do. I look at what complaints I get. I get complaints about people's banking information being sent off to overseas organisations where they think it has been misused. But I do not get a lot of complaints about people who have been concerned about how their privacy may have been abused when it has gone into the hands of security or law enforcement agencies. But I may be alone. Maybe everybody else is getting those sorts of complaints. I wonder whether the department is getting a lot of complaints of substance that need to be investigated about breaches of privacy by security and law enforcement agencies that are accessing information under the regimes that are there now.

Mr Wilkins : The answer, Mr Ruddock, is: no, we are not—I say that guardedly because I think I am probably about to be inundated. But, no, we are not. I assume that the Privacy Commissioner gets some from time to time, but there is not a groundswell.

Mr RUDDOCK: I am trying to work out how I get a balance. How do I weight these things up when I get no complaints on one side—and I do get expressions of concern about people's safety and security. Have you got any ideas about how we are going to balance those matters up?

Mr Wilkins : My suggestion—and I think that is the discussion I was just having with the chairman—is that I do not really like generating new institutions, but with the existing institutions of the Ombudsman, ACLEI and the various internal processes of the police and other law enforcement agencies and intelligence agencies—the IGIS, the Privacy Commissioner—there are a lot of institutional arrangements designed to safeguard people's privacy and whatever other complaints they may want to make. There is a systematic requirement for the Ombudsman to surveil the operation of this legislation and officers in my department also have some oversight—although I would not want to overstate the extent to which we can actually do much more than just watch what comes past. But the Ombudsman does have a significant role in this and I would have thought that these agencies already exist. That would be my answer.

Mr RUDDOCK: My questions beyond that go to a totally different area that we have not come to and I am happy to give way at the moment.

Mr WILKIE: Mr Wilkins, to what degree are we fighting the last war? To what degree with these reforms—in particular, the telecommunications aspects—are we trying to catch up with what we know today when they are at risk of being out of date tomorrow? There is an increasing use of the dark net and facilities like Tor, which gives anonymity to people on the net. There are a lot of law-abiding people, of course, but presumably criminals and terrorists—the more competent evil-doers—would understand the value of, say, Tor and they will not be caught up in this. To summarise, my question is: how can we have any certainty that all of this heartache, all of this public concern and all of this money that might be spent will not actually amount to very little in a few years time and that it will end up applying to a whole lot of law-abiding citizens who use the regular internet, when the people that we are most concerned about are clever enough to use the facilities that will not be captured by these telecommunications reforms?

Mr Wilkins : It is hard to answer that. I use the term 'technology neutrality'; maybe I use that in a rather hopeful fashion, but I think we are trying to ensure that the legislation can deal with, if you like, more of the same. If we get some qualitatively different development—and, say, encryption might be one of those issues—then some of the requirements may include that we are back before this committee again. We are trying, for example, to see if, under warrant, you could require the key to the encryptions to be provided as well. It may go to the type of commercial relationship between a person and a service provider as well. But you are right: this legislation may be overtaken by events. We are trying, as far as possible, though, to render it technologically neutral and business model neutral, which is the other thing that is shifting very rapidly. Do you want to add to that, Catherine?

Ms Smith : Just to say that we are well aware that there are, unfortunately, as you mentioned, Tor and suchlike ways to very cleverly evade any level of detection. The advice that I have had from agencies is that still being able to determine patterns of behaviour through access to data, even if it is to get feels of where they are setting up their blockages, gives a pattern of particular behaviour. Part of the terms of reference is also about better information sharing between agencies. The act is very strict on information sharing at the moment. We believe that, through better use of networks within these agencies that do intercept, they may be able to develop capabilities to assist each other as well. That is one of the other main aims of this reform—to allow much better sharing of information and much better understanding of the challenges that are out there rather than having people sitting on their own and just trying to look at a blank screen because it has all been encrypted or whatever.

Mr Wilkins : It is a good question. It is a good reason for keeping this legislation under fairly constant review. As I say, we can accommodate more of the same, more rationalisation in terms of business models, more technology of this variety. But if we get something that is radically different and if we get radically different techniques developing for combating the use of that technology then we might need to revisit it. So I do not want to give you an assurance that we are solving all the problems et cetera. These are clearly problems now. We are doing what we can, I think, to focus on what is required, which is certain information rather than a certain service or a certain type of device or something like that, which will change and shift from time to time. That is the only real assurance I can give you, but the point is well taken. I cannot pre-empt technological development.

Mr WILKIE: Thank you for that. You mentioned encryption. What is the arrangement currently? Are government agencies able to, by warrant, require service providers to give you access to the keys to encryption?

Ms Smith : Currently the requirement is that a telecommunications provider has to give reasonable necessary assistance in the execution of a warrant and the view has always been that if the provider themselves place encryption on it then they should provide it in a clear form. The problem is that the encryption is often put on by the individual themselves or by an application that they have downloaded themselves. In reality the warrant does not extend at the moment to require any level of decryption. It is more about where we have a good relationship with industry and they have put the encryption on themselves and we expect them to decrypt it, but certainly in relation to other types of encryption, no, there is no legal requirement for anyone to provide assistance other than that there is a provision in the Criminal Code where search warrants are executed, as I understand, and decryption has to be provided there.

Mr WILKIE: That raises an interesting point about foreign based service providers. Coming back to the whole issue of data retention, where would these reforms leave Australia regarding, say, a Google or a Facebook or a Twitter or either foreign based or foreign owned entities?

Ms Smith : There is a reference somewhere in the terms of reference about having a regime with industry where it is applied equally to all providers who provide services. I think the language is 'application service providers', which arguably the likes of Google and Facebook et cetera fall within. It is our view that if a service is provided to a person within Australia then those people who are providing that service should also fall within the legislation. So it is hoped that any reform of the legislation would include those sorts of service providers. We certainly have good relationships with those and they are very cooperative but, obviously, they are prevented quite regularly, because of foreign laws, from actually providing assistance and so the view that they have given us is that if Australian law applies to them then they will assist.

Mr Wilkins : If I may expand on that, there are two things here. If you look at the other stuff that we are talking about besides the interception legislation, you see part of the reference of this committee is to also look at something else, and I think you are calling it telecommunications sector security legislation. Part of all that says it is looking at what sorts of, if you like, requirements or constraints we should put on people who want to provide telecommunications type services into Australia. The suggestion in that paper was that a government, on behalf of its citizens, has two fundamental interests. One is that the information that people put with those telcos, wherever they are located, is held reasonably securely for the people that the telco takes all due care to look after as to their telecommunications, whether it is an Australian individual or an Australian company or an Australian government. The second thing though is that if it is required under law enforcement, whether it is a court or whether it is under warrant from a law enforcement agency, the telco will not simply say, 'I'm sorry but you can't have that information'—for whatever reason—so the telco will not enter into arrangements, if they are going to have a licence to operate in Australia, which would make it impossible for them to meet that requirement. Another thing I want to say is that there are some difficult discussions as a matter of practicality going on with other jurisdictions, with the United States, the UK, Canada and New Zealand, around some of those issues but what we could do here is at least attempt to make it a requirement of anybody who wants to carry out a telecommunications business in Australia that they at least satisfy something like those two things, and there may be more but they seem essential.

They keep people's information secure wherever they hold it and they deliver it when they are required to by law, either by the courts or by law enforcement agencies under warrant.

Mr WILKIE: Correct me if I am wrong, but probably the most popular platforms have US origins.

Mr Wilkins : Yes.

Mr WILKIE: Do they have legal entities in Australia?

Mr Wilkins : Yes.

Mr WILKIE: What is the legal basis for it and what sort of metadata would you like with, say, Facebook? What is the legal basis for compelling Facebook to keep metadata, and what metadata would you expect them to keep if you can enforce it?

Ms Smith : A number of the American service providers do actually have points of contact in Australia. A lot of that has been as a result of negotiating with them over the years for assistance to law enforcement, so they have seen that there is an operational need in Australia. That is useful, because therefore they can have executed on them a warrant or an authorisation. In relation to a retention of metadata, under the current US law they have very strong preservation laws, which Australia has been able to take advantage of. Even though there is no data retention law in the US, these service providers actually retain information for quite some time.

There are ways through mutual assistance that we are able to access this information that has been held onto by the US providers. If they do retain the information offshore then it is unlikely that any law about data retention would apply to them, because the US law would actually override ours in that context. However, I think what we want to be satisfied of is that we can get access to the information. From what we understand from talking to the social network providers and these different providers in the US, they are happy to retain information as long as they are satisfied that a lawful order will come along at some point, whether that be via mutual assistance—

Mr WILKIE: Okay.

Mr RUDDOCK: Can I just come along to your encryption question.

Ms Smith : Yes.

Mr RUDDOCK: The encryption codes are held offshore. We cannot compel somebody to provide it to us.

Ms Smith : Correct.

Mr RUDDOCK: Are there arrangements being considered for inviting agencies abroad who have the power to obtain it to appropriately share it? Are you looking at allowing overseas law enforcement agencies, and perhaps intelligence agencies, to access encryption codes that might have been applied in Australia for the purposes of their law enforcement and security?

Mr Wilkins : Some of that is probably protected information, Mr Ruddock, but there are certainly discussions going on, I can say, at the level of attorneys-general around the—

Mr RUDDOCK: If you are considering it and you are saying it is something that is being thought of, then I am happy to step back and receive whatever information might be appropriate in other areas.

Ms Smith : So the answer is yes and we can provide that sort of information.

Mr Wilkins : We can provide some information, actually.

CHAIR: Publicly or privately?

Ms Smith : I think that has to be in private.

Mr Wilkins : I think probably at the moment it would be best to do it privately, not because there is anything sinister about it but because there are delicate international discussions going on. That is all.

Mr WILKIE: I do not feel that I have got to the bottom of this issue with foreign based platforms and how these reforms might apply to them. I am informed, in fact, by some of the work I have done in poker machine reform and whether or not Australia could place restrictions on PayPal with online gambling. Am I right in assessing then that these reforms—in the absence of a bilateral security agreement to do with this—would really be at the pleasure of the foreign provider and that—and we will pick on Facebook a bit more—we could not compel Facebook to provide metadata?

Ms Smith : It is our understanding that the scenario that you have just given is the current practice and in fact we are very much at the whim of US law. There are certain exceptions under the US law where there is imminent risk of injury of a person and we can get that assistance et cetera.

We have been advised, in the policy development work we were previously doing on this, that, if there is an obligation under Australian law which has extraterritorial application for these foreign service providers, they will actually be required—and we can compel them—to assist us in relation to the services they provide to Australians or provide in Australia. There will have to be a geographical boundary around this sort assistance. We cannot go and ask for assistance about something which is happening in another country. But, if the assistance is related to communications which, at some point, pass through the Australian telecommunications system, the advice we have had—or that we are working on—is that generally they will be able to be compelled. There are certainly ways—some as simple as terms and conditions of service. If they are Australian terms and conditions of service when you sign up in Australia, they will have the force of Australian law rather than the force of US law.

Mr Wilkins : You are right. The sanction, ultimately, is one we have to deliver and it would have to be something which will affect either their property or their business or whatever they do in Australia if they did not comply. It is quite conceivable that somebody—a company like Google—could just say, 'We are not interested in Australia; we will just get out of there and not have our property there.' They are unlikely to do that. The branding issues around that are significant for them too. But essentially you are right. We are probably not going to be able to reach out and prosecute some of these people—that is the extreme position—if they do something which oversteps the mark or do not retain this stuff. That is the reality. But, at that level, it begins to work on the basis of their reputation, their relationship with the government and how they are viewed internationally. It becomes a more complex thing than simply law and sanction.

Mr WILKIE: I understand, Mr Wilkins, that the department has had some discussions over a number of years with some Australian service providers—telcos. Have you had any discussions with these foreign based platforms?

Ms Smith : Yes.

Mr WILKIE: Have they indicated a willingness to cooperate?

Ms Smith : Most certainly. To be honest, they are very useful corporate citizens. They are very happy to assist us. They are very happy to engage with us on the areas of US law which allow them to provide assistance to foreign countries.

Mr WILKIE: What sort of metadata have you discussed with them?

Ms Smith : All metadata that exists within their systems.

Mr WILKIE: How do you define metadata on a Twitter account, say?

Ms Smith : Twitter is not the example I would use because I have not had discussions with them for 10 years. I have had discussions with the ones who have been around for 10 years. When it comes to Facebook, for example, it is the same kind of information that we have talked about in our data set. We would not be seeking any information from a US provider that would not be lawful under Australian law. That is our starting point. If the US considers that other things fall within the telecommunications data definition, we are not interested. We are only interested in what falls within the ambit of Australian law. It is the kind of information which Mr Wilkins has previously mentioned.

Mr WILKIE: I mentioned PayPal before. Do you expect these reforms to extend as broadly as platforms such as PayPal?

Ms Smith : To the extent that they have communication services. There are a lot of these modern financial arrangements where they have—it is probably not called email; I would call it email; my children would probably call it messaging or chat or something like that. To the extent they provide communication services, we have an interest in them. Outside that, that would be outside the ambit of this legislation.

Mr WILKIE: The British are looking at a one-year limit on data retention. I think some European countries have implemented one year and some other countries have gone for a longer limit. What is the science behind your proposal for two years?

Mr Wilkins : There is no real science but it needs to be for a period that is suitable, so it is two years or one, or something like that. Otherwise it would be too long or it would not make sense. In a sense it is arbitrary. The two years came from the European model. That is where we originally took that concept from.

CHAIR: Sorry to cut across. Did you just go to the broadband? The European data directive says six months to two years. Did you just decide to go to the end of the spectrum—two years?

Mr Wilkins : We have not decided anything yet.

CHAIR: You have not decided, but you put a two-year time frame in there. I do not know whether that is another ambit claim; we have had lots of them in the course of this hearing. It has been put to us that it is absolutely necessary. I think we had Commissioner Scipione saying that he would love it to be in perpetuity or, at the very least, for five years. So there is a divergence of view.

I am presuming that you have had a conversation amongst the intelligence agencies, local law enforcement agencies and the AFP. My question is: what did they put to you? Sorry to cut across you, Mr Wilkie. Did you decide to push it out there, because that was in the band of permissible timeframes, and then work back?

Mr Wilkins : They were looking at longer periods of time, it is fair to say. Two years is something which seems, from my conversations with my counterparts in Europe and around the world, to be around about the amount people are talking about as being acceptable from a government/community point of view. Anything over that and you begin to get into the area where people are saying, 'That's too much.' Less than that and the law enforcement agencies are asking, 'Well, what's the use of this?' It is hardly scientific, I must say, but—

Mr RUDDOCK: You would be looking at the proportion of their complex investigations that require them to access this information after a period of 12 months. I suspect that there are some forms of inquiry that you might be undertaking which continue. There are others which, if you cannot get some reasonable leads on within six months, you might be prepared to abort. You cannot people investigating continuously. You have to identify whether there are matters where, two years down the track, you would still usefully be able to pursue if you had access to that information.

Mr Wilkins : Yes. That is part of the logic of where you pitch it. You have heard what the law enforcement agencies say. They say that they want it kept. Our judgement is that if it is less than two years—to take your point—it is not of that much use, because of the way complex investigations are run.

CHAIR: But 95 per cent of data that is accessed currently—this was evidence provided, I think, by an association of telecommunication users—is accessed within 12 months or less in Australia. That was the evidence.

Ms Smith : That is not the advice we have had from agencies. Obviously, you would have to ask them, but we have tried to pull that sort of information together. There are particular types of crimes that, without doubt, come within the one year, but for others—serious and organised crime and terrorism—we understand that we need much longer than that.

Mr WILKIE: I am very mindful that the British security services—in particular the police and intelligence agencies—are first rate. Those agencies and their police forces, MI6 and MI5 are as good as you get in the world. I find it very interesting that they are working on a one-year proposal but we are wanting something that is double that. If it is good enough for the British security services, why wouldn't it be good enough for us?

Mr Wilkins : I think it would probably be worth drilling down into that a bit, because they are also part of Europe. And some of the argy-bargy in Europe around the issue of privacy is because there are different countries that have different positions on this.

I do not want to get into international relations, but I think some countries would say it should be zero. When the UK were chairs of the EC they managed to get the two-year thing through. Probably the others are now coming back and saying, 'They've done a review; can we get a compromise somewhere in the middle?' I am not sure whether, if you asked MI5, that that is necessarily what they would say. Maybe it is what, officially the British government says. I just do not know.

Mr WILKIE: In other words, there is an element of compromise, including a political compromise?

Mr Wilkins : I suspect so.

Senator BRANDIS: Any figure is going to be arbitrary but, presumably, it is not completely arbitrary because, to some extent, it must reflect a view of investigative imperatives so that the agencies or the police forces must have taken a view that the utility to them of this data, given the way in which their investigations are conducted, will deteriorate significantly after two years. In other words, the more recent the data, the more useful it will be to them. The more ancient the data, the less useful it will be to them. The time limit that is placed upon retention reflects a rough and ready view about the time beyond which most of the retained data would not otherwise be useful. Do you agree with that proposition?

Mr Wilkins : I think that is right. The tail that takes it out to two years is probably due to some of that rather more complex transnational organised crime or terrorism sorts of offences. But I suspect that is right.

Senator FAULKNER: I want to ask some questions in two areas. Firstly, some issues about the background of the inquiry and, secondly, following on with some of these metadata issues. The committee and I have been grappling for a long time with some issues in relation to the work the department has done historically and I appreciate you touching on that in your opening statement. It is true, isn't it, that a range of telecommunication industry players were involved in a consultation process with the Attorney-General's Department in 2009 and 2010 in relation to the possibility of the establishment of a data retention scheme?

Ms Smith : That is correct.

Senator FAULKNER: Is it also true that the Attorney-General's Department co-ordinated or were solely responsible for the development of a proposal to put to those participants?

Mr Wilkins : A proposal?

Senator FAULKNER: Is it true that the Attorney-General's Department either coordinated a proposal in relation to a data retention scheme to be put to those participants or were they solely responsible for the production and development of a proposal to put to those participants?

Ms Smith : We consulted them on what two years data retention would look like and what the implications would be on industry and the type of information that they could hold and the potential costs of it. There was no actual proposal put to them.

Senator FAULKNER: Were they provided with a policy proposal?

Ms Smith : No. They were provided with some documentation, which was the basis of those consultations. There was certainly no decision by government and no endorsement by the Attorney-General. It was more just working documents within my branch, whereby we coordinated with other agencies and went to industry and asked, 'Essentially, what would this mean to you; what are the effects on industry of this?'

Senator FAULKNER: Was a policy proposal document handed to them at one of the meetings?

Ms Smith : It was not a policy proposal. We gave them a draft of what a dataset of data retention might look like and from my recollection—a lot has happened since 2009 and early 2010—it was a document that was just a one-pager which had information in relation to it; I would have to refresh my memory on that. But it was not a policy proposal; it was kind of like a—

Senator FAULKNER: A document, then?

Ms Smith : It was a document to get them talking, basically. It was not a policy proposal.

Senator FAULKNER: So a document was handed to them. Okay. I do not want to get bogged down in the definition. A document was handed to them.

Ms Smith : Yes, I think two documents were handed to them.

Senator FAULKNER: All right, two documents were handed to them. Were they developed in the Attorney-General's Department exclusively, or were other agencies—law enforcement, security or intelligence agencies—involved in the development of those documents?

Ms Smith : Other agencies were involved in the development of those documents.

Senator FAULKNER: That work preceded the round table or consultation processes you had with industry participants, one assumes.

Ms Smith : Yes.

Senator FAULKNER: When did that start?

Ms Smith : I cannot recall when it actually started—

Senator FAULKNER: Could you take that on notice for the committee, please.

Ms Smith : I can certainly take that on notice.

Senator FAULKNER: Thank you. Are you able to say—and you may not be able to; I appreciate that if you cannot be precise about timing—which agencies were involved in the consultation process?

Ms Smith : I think I can, yes. It would have been ASIO, the AFP and the Australian Crime Commission, and also the Department of Broadband, Communications and the Digital Economy. It would be very likely to have been ACMA, but I can confirm that.

Senator FAULKNER: Mr Wilkins, you said in your opening statement that there was a lot of background material, but you described it as 'Cabinet-in-Confidence' with the exception of a report by a task force.

Mr Wilkins : That is right.

Senator FAULKNER: There is no such classification now as 'Cabinet-in-Confidence', is there?

Mr Wilkins : Yes, there is.

Senator FAULKNER: Really? I thought we had changed all these classifications.

Mr Wilkins : 'Sensitive: Cabinet' is now the—

Senator FAULKNER: Yes, isn't it 'Protected (Sensitive: Cabinet)'?

Mr Rothery : It is the minimum classification.

Senator FAULKNER: I thought the Attorney-General's Department would be right on to this.

Mr Wilkins : It is 'Protected'.

Senator FAULKNER: 'Protected', yes. I only say that as an aside, because I have never heard a more preposterous suggestion than to change a classification understood by any interested person, 'Cabinet-in-Confidence', to one that is not understood, and I really appreciate the fact that the Secretary of the Attorney-General's Department used the old, more user-friendly classification.

Mr Wilkins : We still allow people to talk about 'cabinet sensitive' documents.

Senator FAULKNER: I am very pleased to hear that. But you said a report of a task force did not have such classification, so I would like to know a little bit about the task force, if I could. First of all, can you explain to me the background to the task force? You might let us know when it was formed, what the initiative for its formation was, what its terms of reference were, who served on it and when its report was provided, please.

Mr Wilkins : I can do all that. Do you want me to start now?

Senator FAULKNER: Yes, please. I think you did say, Mr Wilkins, that this is something that at some point you are happy to table for the committee.

Mr Wilkins : Yes.

Senator FAULKNER: You might just give us the broad background. What I am interested in understanding is how this fits into the background of the work this committee is doing. I am sure you appreciate that, because until today I had not heard that we had a task force.

Mr Wilkins : It is a task force that I set up internally. I have set up task forces to look at a number of different areas of complex policy, like access to justice and organised crime, and one was set up on TI. Why? Because it was clear, as I think I said to this committee before, that this was a fairly gothic type of piece of legislation, it was no longer useable, it had so many exceptions, it was so complicated and we needed to have a look at what had gone wrong. It needed to be thrown up in the air and probably have some of the assumptions looked at and rewritten.

So a task force was formed. It was an internal bunch of people. There are terms of reference here, which were basically to come back and explain what was wrong with the legislation, how the world has changed, what sorts of changes needed to be made. We also asked for someone from ASIO and the AFP to participate because we did not have all the technical know-how that they had. So the task force met for around six months and then delivered a report to me, which I showed the Attorney-General of the day as well, which had an analysis of the failures of the current legislation and some suggestions about how they might be changed. That is really what the task force did.

Senator FAULKNER: And what was the timing of the task force?

Mr Wilkins : It was delivered in—it has November 2010 on the cover of this.

Ms Smith : It was May 2010 when we put it together.

Mr Wilkins : I put it together in May 2010 and it delivered its report at the end of 2010.

Senator FAULKNER: And was the consultation with the industry participants a useful input for the task force—

Mr Wilkins : I did not know that was part of it.

Senator FAULKNER: or was that a separate exercise?

Mr Wilkins : I have no idea. That had nothing to do with this task force, as far as I was concerned. I did not ask anybody to go and consult with industry. So I am not sure. That might have been—

Senator FAULKNER: That is what I am asking. I am asking if that was a separate exercise.

Mr Wilkins : I think it may have been.

Ms Smith : It was a completely separate exercise. I think I met with industry in March 2010, and then this task force took over where we were heading.

Senator FAULKNER: All right. We obviously cannot ask detailed questions as we have not yet seen the report. But was a proposal for a data retention scheme something that was either within the terms of reference or considered by that task force? Can you assist us on that?

Mr Wilkins : We cannot recall, Senator, but we could check and come back to you in the next couple of minutes, if you like.

Senator FAULKNER: I would appreciate that, because I think it would be of some interest to the committee.

Mr Wilkins : It should have been; let me put it that way.

Senator FAULKNER: It should have been. But, as no-one seems to be able to recall, it makes it difficult for us to go any further on that. As you know, Mr Wilkins, there has been criticism of the department, not necessarily from this committee. But there have been—'criticisms' might be too strong—concerns that, from the kick-off of this process, there has not been any flesh put on the bones about the data retention scheme proposal. In other words, in the Attorney-General's Department's discussion paper Equipping Australia against emerging and evolving threats,a very controversial issue manages about 2¼ lines in a dot point on page 13. There has been criticism about the lack of detail, and since that time this committee and, I suspect, others who are interested have been trying to flesh it out. I do not know if you think that is a fair comment to make. I think it is a fair comment. But you might care to address the issue of the lack of detail in the Attorney-General's discussion paper on this proposal. I thought I would ask you to do that in the interests of fairness, given the sort of debate that has ensued.

Mr Wilkins : All I would say is that, as you would appreciate, this is an initiative that I took as secretary to try and get a look at some complicated legislation. The government did not necessarily share my views. In fact, the government set up a committee to look at some of the issues that we raised—and, presumably, in that report indirectly—that have been bouncing around in various other forums. So we do not make government policy in that sense. The government makes government policy.

Senator FAULKNER: I understand the government makes government policy, but I am talking here about the process of the Attorney-General's Department. So the Attorney-General's Department issues the paper in July 2012—I am not suggesting it is not a government document, but it is under the name of the Attorney-General's Department. It has, as I say, 2¼ lines in a dot point on what has been a very contentious and controversial proposal for a data retention scheme. And since that time the proponents of the data retention scheme, in my view, have been on the defensive. Part of the reason for that, I think, is lack of detail. I was just asking you whether you were able to make a comment on that—that you may or may not share that view.

Mr Wilkins : We did not look at data retention as part of the review of the telecommunications interception act. We looked at metadata but we did not look at retention. That has been a separate exercise. So it is—

Senator FAULKNER: All right. So, if it is a separate exercise, where does it emanate from—if it is not part of your review, what you looked at? It is addressed with these industry players in 2009-10, and then nothing happens until it bubbles back up now.

Mr Wilkins : Let me be clear. Metadata is covered by the telecommunications interception act, so of course we looked at metadata in that context. The retention of data is a purely operational matter which has been made an issue because of the way in which telcos are going to conduct their business going forward. It means that suddenly we are going to have a problem about the retention of metadata, which had not been an issue before. That is really where that issue has come from, Senator; it has come from an operational issue.

Senator FAULKNER: Yes, but I have been grappling for ages with understanding the role of your department and agencies in the development of the proposal. It just assists, I would think, in the considerations that we have to make—the background to it, the reason for the initiative, where the initiative has come from and the case for supporting such an initiative. And when I hear—

Senator BRANDIS: Senator Faulkner, if it helps, now at least there does seem to be a commonality of view between the department and the principal agencies on the definition, because the definition proffered by Mr Wilkins in his letter of 17 October is the same definition that is adopted in the supplementary submission today by ASIO, the AFP and the ACC—

Senator FAULKNER: I appreciate that. I will get to that, Senator Brandis. But the key element there is the date. It is a bit of a chicken and egg argument, isn't it, when we now have commonality of view but it is a commonality of view arrived at in October 2012? I am talking about trying to understand processes that occurred in 2009 and 2010, as they developed into 2012. And I agree with you; as I flagged when I commenced my questioning, this issue is an important one. So, yes, there is now a commonality of view. But I do not know that we should be jumping through hoops because that has occurred years after the proposal was first floated.

Senator BRANDIS: No. I do not want to debate it but I think, in fairness, this has been a reasonably interlocutory process—

Senator FAULKNER: Yes.

Senator BRANDIS: and we have as a committee narrowed the issues by identifying to the department and other witnesses those parts of the manifold issues which were of concern to us. That is one of the reasons why some witnesses are coming back for a second time, as they are today—so that they can address particular concerns that have emanated from this committee. So I do not think it is necessarily a matter for criticism that, for example, a common definition has now been arrived at that was, at least in part, responsive to requests and urgings from this committee for there to be a commonly agreed definition.

Senator FAULKNER: And I completely agree with that. What I am trying to do here is understand the background that has led to the situation we now face.

For example, I do not think that any of us were aware there had been a task force report, or even a task force, prior to today.

Mr Wilkins : There is nothing remarkable about a task force. I have several going on at the moment, actually.

Senator FAULKNER: No. It may not be remarkable but I am just saying that we are not aware of it.

Mr Wilkins : It is just the way it is.

Senator FAULKNER: I appreciate you letting us know about it now, even though we had not heard about it before.

Mr Wilkins : Well, you asked me and I told you.

Senator FAULKNER: Yes. I did flag with you that I thought some of this background would be useful as we try and grapple with these issues. I think what seems to be lost by some of the agencies is that this proposal is a very controversial proposal. In my view—I am speaking here as a politician—I think it is a very controversial proposal. I will be part of this committee's deliberations as it works through its recommendations. I want to have all the information I can available to me as I put my views before this committee in private meetings about the recommendations it should make. I have not felt that I have had that information available to me. For the life of me, I do not understand why such an important issue in 2010, drops off the agenda and comes back again. But, you may not be able to assist and I think you will just say that is a matter for government.

Mr Wilkins : I can. First of all, I do not think that we should confuse the review of the Telecommunications Act with this issue about retention of data. The retention of data issue came up. It was not mysterious. We had discussions about operational matters with agencies and they said that there is an emerging problem. That was happening quite independently of this task force which was working on a review of the telecommunications interception legislation. We do this all the time. We talk to agencies in the portfolio and if there are operational issues, we try and sort out what we are going to do with them, trying to coordinate a position. It happened at a middle ranking officer level. I was not aware that was actually occurring on the retention of data.

Senator FAULKNER: I do not want to labour the point, but it is in the Attorney-General's Department's discussion paper in a very, very truncated two-and-a-quarter line reporting on page 13. That is correct, isn't it?

Mr Wilkins : It is in a discussion paper that the Attorney-General's Department prepared for this committee based on the terms of reference that you were given, yes.

Senator FAULKNER: Yes.

Mr Wilkins : The committee has been asked what its views are. I think the government is trying to find out, on the basis of that, what position it should take.

Senator FAULKNER: Yes, that is correct. The government has made clear that it wishes this committee to take a role in recommending an approach on the data retention scheme. You are absolutely correct to say that. I might say, in response, 'That is terrific, given all the background that has occurred internally in the Attorney-General's Department and other agencies on this issue, and that has not progressed to the point of a government decision.' That is fair enough. All I am asking for is an understanding of that, as this committee—which has been left with the responsibility under its terms of reference of reporting—has knowledge of. I am asking for some transparency in relation to that to assist us to come to a recommendation on this matter that you rightly say has been battered over the net to us.

Mr Wilkins : As far as I know, you have got the material that exists out there that had been part of the discussions previously. There is not a giant iceberg sitting underneath this information.

Senator FAULKNER: There is a range of proposals.

We have heard today from you that there are draft legislative amendments that are happily stamped 'cabinet-in-confidence' and other material that is happily stamped 'cabinet-in-confidence'. I had asked previously, as you know, if there was any of that sort of material that could be made available.

These issues are best dealt with as much transparency as can be applied. That is the principle I operate on and from day one it has been difficult for this committee, I think, to put, as I have described, flesh on the bones because it starts as a proposal about which there is no detail. As you rightly say, more and more detail is being provided and, as Senator Brandis says, more and more thinking has gone into agencies about some of the issues of concern, not least of which is the definition of metadata.

Mr Wilkins : In fairness, the definition—

Senator FAULKNER: I am being fair, Mr Wilkins. I am trying hard not to be unfair.

Mr Wilkins : The definition of metadata I don't think is a revolutionary document. It simply distils everybody's understanding that has been going on for some considerable time. It seemed a good idea to put it out there because there had been a lot of discussion and debate about it. That was the reason for putting it out there.

Senator FAULKNER: Some would say it might have been better for it to be an original proposal. Perhaps some of that might have allayed some concerns. I do not know. It is hard for me to make a guess about it.

Mr Wilkins : That is not a matter for the department; that is a matter for the government, as you would appreciate.

Senator FAULKNER: As you say, the department has a role of advising government. The department prepares the draft of this particular document. Did this document go to the minister for approval?

Mr Wilkins : Yes.

Senator BRANDIS: Did it go to the Attorney-General for approval?

Mr Wilkins : I am not sure.

Senator FAULKNER: It could have had more detail about the metadata definition in the draft that went to the minister, couldn't it?

Mr Wilkins : I do not know the date. I can find that out for you.

CHAIR: Sorry to cut across you, Senator. Is that the original document? How many versions of the discussion paper have there been? There is a publicly available discussion paper but I would like to know if there is a more detailed discussion paper that is classified and that we have not had access to.

Mr Wilkins : No. There is no more detailed paper that is classified and that you do not have access to.

Senator FAULKNER: I only make the point, Mr Wilkins, about the draft that goes to the minister. I do not ask questions about advice to ministers. I am careful about these things. I am not going to ask you whether the minister amended the document or anything, but I am making the point to you and you would, I am sure, accept it: a draft that goes from the Attorney-General's Department to the Attorney-General is nevertheless developed in the Attorney-General's Department. So if the Attorney-General's Department wished to put more detail about the definition of metadata in a draft that goes to a minister it could have.

Senator BRANDIS: By the way, do you have an answer, Mr McDonald, now to that question of mine about when?

Ms Smith : We think it was April but we want to confirm, so we think it would more appropriate to confirm.

Mr McDonald : I think one of the things that comes out of that line of questioning is that it sort of assumes that the minister does not have any input. The department prepares the discussion paper with very much in mind what government might want, and the idea of that discussion paper is to have a conceptual discussion.

Senator FAULKNER: This discussion paper goes—and it is sensible—to the terms of reference that this committee has. That is a fair comment, isn't it?

Ms Smith : Yes.

Senator FAULKNER: One of the terms of reference, the most controversial one, relates to the request of this committee to consider the two-year data retention scheme.

Mr Wilkins : Yes.

Senator FAULKNER: I am only making the point that in the discussion paper there are 2¼ lines in a dot point on the most controversial issue.

I am not going to labour it, but we have been grappling with this for a long time. And, sure, there is a backfilling and work being done by the Attorney-General's Department and other agencies, and everyone has been cooperative and helpful. I think every member of this committee would acknowledge that agencies have worked hard to assist us to deal with the issues that we have before us. I asked you, Mr Wilkins, whether you felt that with the value of hindsight—and I do not necessarily expect you to answer this—that perhaps there could have been more and better detail—

Mr Wilkins : I will not answer that then.

Mr WILKIE: in the discussion paper in the first instance. Anyway, I am boring you.

Senator BRANDIS: Can I just indicate to you, Mr Wilkins, that unlike Mr Wilkie's view, two years is not an issue for me. If we decide, as a matter of principle, that the broad proposal being advanced is a good thing, then I think it matters very little whether it is one year, two years or perhaps even longer. That is not my concern. My concern lies in the metadata content distinction. I assume you have looked at the supplementary submission we have received from ASIO, the AFP and the Australian Crime Commission?

Mr Wilkins : What is the date of that submission?

Senator BRANDIS: It is dated 26 October 2012.

Mr Wilkins : No, I have not, actually. Is that the public submission?

Secretary : Yes, it ahs been made public.

Senator BRANDIS: Let me just read to you something. It is not public yet. Am I at liberty to read something?

Secretary : There were some submissions that were protected from later discussions with—

Senator BRANDIS: I will not read from it, but I will paraphrase what I think is already—

Senator FAULKNER: That is corner cutting, Senator Brandis.

Senator BRANDIS: Okay. I will approach this in a slightly different way.

Senator FAULKNER: Very wise.

Senator BRANDIS: It has been asserted to the committee by witnesses from the internet industry that the metadata content distinction is not a tenable distinction when it comes to internet use. It is asserted to the contrary by agencies that it is. For me, this is a very important issue because, unless I can be satisfied that the metadata content distinction can be maintained in relation to internet material with the same integrity that it is able to be, I accept, maintained in relation to telecommunications material, I do have a very great concern. That is what I want to explore with you briefly. Can I take you to the definition of 'metadata' in your paper? The way in which the definition is structured identifies both telephony and internet communications, but then in a generic way—by which I mean in a way that appears to be intended to apply equally to both—addresses two categories of information: information that allows a communication to occur and information about the parties to the communication.

In particular, in relation to the second of those two categories, the last dot point: 'Information on recipient party if known by the service provider,' seems to me to be a slightly—if I may say so, with respect—obscure way of saying that the internet address which is accessed would be among the category of information required to be retained. Given that the internet operates visually not aurally—content on the internet is visual not aural—and is capable of being retained indefinitely, rather than being ephemeral like a telephone conversation, I still have a serious misgiving in my mind about whether it is as simple as that to say that one can mandate the retention of metadata in relation to internet communication without, perhaps in an incidental way, mandating the retention of content too—for example, page views or browser histories. My concerns are partly born of my own lack of technical understanding of this area, but they are also born of what seems to me to be the very clear and unambiguous assertion by the internet industry witnesses that one could not maintain such a distinction. So I hope I have explained—if perhaps a little too elaborately—what is on my mind. Can I invite you to address that issue of the integrity and the clarity of the distinction, for internet use purposes, between metadata and content?

Ms Smith : Certainly, and your technical understanding seems quite good, because I think you have actually picked up something that, under this definition, could be argued to be a web address. The reality is that this working definition of telecommunications data is something that, internally, in the department, we have used for a very long time. We have not written it down and given it to people, but it is something that we talk to people about. But we are very clear when we give that advice that a party to the communication, when you are talking about telecommunications data, does not include anything that would equate to a web browsing session. So—

Senator BRANDIS: Ms Smith, you say that, but how do you maintain that? Let us say I am a terrorist, and I like to visit terrorist websites. As I understand your definition, the web address which I am visiting would be within the meaning of the metadata required to be retained, but if the web address is retained, isn't the page view accessible at that web address going to be immediately also within the corpus of what is retained? And if that is so, then doesn't that confute the proposition that the agencies are not interested in the browsing history of people in relation to their internet use?

Ms Smith : The short answer to that is that information about a web address, we are proposing, would not be retained under any data retention proposal, but this definition here—

Senator BRANDIS: Well, the last dot-point in your second category here, where it refers to the recipient party and then refers to the same information—I assume that means the previous dot-points—would seem to me to include the web address. Perhaps that should be clarified.

Ms Smith : What I am trying to say, obviously not very well, is that this definition of 'telecommunications data' is a working definition that we currently use. It is not what we are saying should be retained under data retention if in any way it includes the content of the communication. There would have to be clarity made on that last point that it is information about the recipient but only to the extent that the content of the communication is not disclosed.

Senator BRANDIS: I must say that I do not find that very reassuring. If we look at Mr Wilkins's letter of 17 October, Mr Wilkins actually says, 'This document was prepared for the committee to assist the committee's consideration of the issues before the inquiry', the letter having referred in the preceding paragraph to the metadata issue, and then mentions that it was tabled on 16 October at estimates. Given that I, Mr Wilkie I think, Senator Faulkner, Mr Ruddock and Mr Byrne—everyone here, in fact—has at earlier hearings of this committee flagged that the issue I have just identified was a big issue for us, and this document has been generated within your department, evidently for the purpose of addressing our concerns in this area, and has been now adopted for the purpose of today's hearing by the three most directly affected agencies, ASIO, AFP and the ACCC, I find it almost incredible that the one issue that we have identified as being of concern to us, the addressing of which was evidently the purpose of the creation of this document, has been left obscure in the document.

Mr Wilkins : This is a characterisation of metadata but, as I said, if you want metadata that divulges content, you will need a warrant. That is what I said at the outset.

Senator BRANDIS: I heard what you said, Mr Wilkins. That is not my point. I do not know how I can make this any more straightforward. What this committee wants is a clear statement, which you can call a definition if you want, that reassures us that insofar as internet metadata is sought to be retained there is no way, either directly or incidentally, that the retention of that internet metadata will enable content to be retained. That is in the face of the evidence from the internet industry that you cannot do that; you cannot give that assurance. I have no technical knowledge of this field. I am not quite as luddite as Senator Faulkner, but I almost am.

Senator FAULKNER: That's cruel! But I'm glad you're not that bad.

Senator BRANDIS: For me, this is the big issue, I can tell you. As I said at an earlier hearing, the public would accept a level of mandatory data retention in relation to telecommunications. They would accept the logic of the regime being technology-neutral and therefore reaching the internet. But my political judgement is that there is no way in a million years that the public would not react very strongly against a proposal unless they were absolutely guaranteed that their internet browsing history or use would not be the subject of the mandatory detention regime.

Mr RUDDOCK: Can I just explore that with you, in part, George. Companies now keep data for billing purposes. They are not required to keep it.

Senator BRANDIS: No.

Mr RUDDOCK: That is what we are addressing. This statement does not appear to me to be requiring them to keep data. You are saying, 'Incidentally, because they keep other data or information, some content may be kept.' We are not asking them to do that. It is something that they may elect to. Is that any different to billing data?

Senator BRANDIS: Yes, I think it is different that the government or the parliament is mandating this. We have had an unequivocal statement from Mr Irvine that ASIO does not want this.

Mr Wilkins : ASIO does not want it?

Senator BRANDIS: It has no interest in the internet browsing history being retained, right?

Mr Wilkins : That is right.

Senator BRANDIS: All I am saying is that I would want to see in the definition of 'metadata' a much clearer statement of that than exists in the document that has been generated. That would necessarily require you to satisfy yourselves and us to satisfy ourselves that the assertion by the Internet Industry Association witnesses that you cannot differentiate between the two in a functional way is wrong.

Mr Wilkins : No, I think that is right, Senator. Understood.

Senator BRANDIS: Okay. That is my point.

Senator FAULKNER: If it is the time and place for such definitions, can I just ask Mr Wilkins about this one too. As this one is an active definition, it tries to explain what is included. Perhaps the uncertain areas could be dealt with by a more effective exclusionary.

Mr Wilkins : I think that is probably a possibility—to make it clear that it does not include in some cases—

Senator FAULKNER: I just wonder here, if we are really trying to nail down a definition—and I think Senator Brandis's point is not what is included but what is not included.

Senator BRANDIS: And, I am not having a go at you, Mr Wilkins, but we would need a higher threshold of reassurance than to say, 'That is probably a possibility.'

Senator FAULKNER: Yes.

CHAIR: I am actually going to add something to that from my perspective, given that we seem to be having a generalised conversation about this. Sorry, Senator Faulkner?

Senator FAULKNER: I was just going to say that I asked a question about whether any of these technical definitions—and I do not know the answer to this; I am no expert in telecommunications definitions—have exclusionary elements to the definitions as well as inclusionary elements. Is this common practice? I am aware of definitions in other areas that are exclusionary in part. I am sure you are too, Mr Wilkins.

Mr Wilkins : Yes, you could do that. It is not a problem.

Senator BRANDIS: Could I just illustrate this really practically—and perhaps I said this before. If you retain what you treat here as the metadata about the internet, which includes the address access, how is that not going to tell somebody inquiring about the retained data what web pages somebody was looking at?

Mr Wilkins : Sorry?

Senator BRANDIS: The whole thing operates on web pages and page views. I just do not see how, in a functional way, retaining the internet metadata is not going to necessarily involve retaining the history of browsing by a particular internet user. Once you arrive at a particular internet address then you arrive at a particular internet page, don't you, and the content is there before you.

Ms Smith : What we are proposing to be retained here is like an IP address, for example. My understanding is that it kind of works a bit reverse to that. The AFP, for example, will have been given a tip-off by a particular telco that there is a lot of child pornography on a particular web address and that there are people looking at it. So they will get the IP addresses of who was looking at it. For the purposes of the data retention is to go back and find out who belongs to those IP addresses so they can start the investigation. I think there is information obtained about web pages, but generally it is being updated all the time and industry themselves are not actually retaining anyone's browsing history. A person buys a service that can download so much a month, so all they are retaining is that they have spent most of their downloads; they are not actually retaining that information at the moment. What they are retaining for short periods of time is the IP address that accessed particular sites.

Senator ABETZ: Is that the same thing as the URL address?

Ms Smith : The URL address is a universal definition that is given to any describer on the internet—that is the way I understand it. A lot of people commonly say that a URL is a web address, but, as Mr Wilkins said in his opening comments, a URL can be an email address, it can be an IP address, it can be absolutely anything.

Mr Wilkins : It is a series of zeros and ones put into a computerised form and everyone has a unique one. Email addresses have them but other addresses have them too. I think there is no difficulty in accommodating what you want in terms of a definition; my only question is: do you want us to do more work on this or do you want to deliberate about it and tell us what more work you think we should do?

Senator BRANDIS: I am not going to ask you to do any more work. I have just pointed out what I think to be an obscurity in the document you have produced.

Mr Wilkins : The way I see it—and this might be naive—is that you are basically keeping the name and address but you are not keeping all that content.

Senator BRANDIS: I know that is the objective, but my question is: when it comes to the internet, can you keep the name and address of the recipient and the history of the use of that name and address by a particular person without the content that that person is seeing at that address being at least incidentally retained as well?

Mr Wilkins : We understand the answer to that question is yes.

Senator FAULKNER: The threshold question is: can that objective be met. What Senator Brandis is asking—in my layman's language; he would say 'Luddite language'—is: can that threshold be met in relation to internet usage? In other words, no content? Can that even be met? That is the technical threshold question. I have no hope of answering that question, but others might.

Mr RUDDOCK: If you go back to the point I made, companies do keep information about pricing now which we do not require them to keep.

Mr Wilkins : That is right.

Mr RUDDOCK: Companies may keep information that constitutes information about content that they elect to. As long as we draft our measure in such a way as to say that they do not have to do it. We are not seeking to make it unlawful for them in fact to do so, are we, George?

Senator FAULKNER: But we are making a change to law which makes it an obligation to retain certain data; that is the proposal of the government.

Mr RUDDOCK: No, I am saying we should draft a law in such a way that it is not an obligation, but they may elect to.

Senator FAULKNER: But that is a different question.

Senator BRANDIS: I guess my observation is based in part upon the rather rhetorical but nevertheless accurate observations that the draftsman of your supplementary submission makes on the first page. The draftsman, who obviously has a taste for slightly purple prose, says:

As the combustion engine, air travel, space flight and the advent of the computer marked the first seventy years in the last century so the last five years have been dominated by the revolution in communications technology. Social media, smart phones and the rapid growth of the online world are still in their early days but have already caused a monumental shift in the way people communicate and transact with each other.

And that is right but my political point is: the internet is such a pervasive cultural and social phenomenon, it is so much a part of everybody's everyday life, that any parliament that was suspected of giving the government the power to retain every citizen's internet usage would provoke, I think, a very strong adverse public reaction.

Mr Wilkins : I think that might be right, but I ask a question though about that because you used the word 'power'. This is going to Mr Ruddock's point in a way. What this is about is an obligation to retain and, I think his point was, they may retain all sorts of things for other reasons—maybe, the customers have asked them to retain it, who knows?—but the bit that they retain under parliament's obligation would be content only. So, in characterising what they are obliged to do, we could do what Senator Faulkner said and say, 'This does not include web browsing material.' They are not obliged to do that. The more critical thing is, also, that law enforcement agencies basically cannot authorise access to that. That is the other work; it is not only a question of retention but also a question of what may be authorised and what may be required under warrant, if it exists.

I would suggest that maybe we do just as bluntly as that: put in that it does not include web browsing. In terms of the technical capacity to retain just a person's name and address, so to speak, and not any of the quantum, we have—and I am not an expert on this either—at least some assurances from Europeans whom we have had discussions with that it is technologically possible to do that. I do not know, myself, whether that is possible. We could certainly get the best advice we can and make it available to the committee, but I think the critical point is that people may retain information for a variety of purposes. The question here is: what should we be obliging them to retain?

Senator BRANDIS: No, I do not think there is any doubt about that being the question. The question is: what is mandated? Not what the people might do independently of a mandate.

Mr Wilkins : We could, just for clarification, picking up the point as you said was in that submission, and it does not include web browsing, which is the point I made in estimates as well.

CHAIR: Another thing I would ask you to contemplate—and I flagged it at the start of my discussion with you—is some additional privacy protection. Notwithstanding that we could be clarifying the points that Senator Brandis and Senator Faulkner have made, I would like you to contemplate what mechanism could be used to safeguard privacy on the use of this database—the metadata—because it has been put to me by telcos that one of the concerns that they have is that you are basically creating almost a honeypot of information. If you segregate that information out of the data that telecommunications companies basically accumulate each day, it would create an incentive for people to try to access that. I would ask you to contemplate what form of mechanism or person or structure could be used to ensure that there would be greater privacy protections if this regime is implemented.

Mr Wilkins : We will do that.

CHAIR: You can take that on notice and put that to us in writing.

Mr Wilkins : We might take up Senator Brandis's point as well.

Mr RUDDOCK: We have had some discussions about the costs of doing this and your paper talks about ensuring that there is a level playing field. My view is that, if we are going to require information to be kept, there are costs associated with that and we need to treat all of the organisations that keep it equally. I was surprised at the magnitude of it when I looked at it: 287 fixed line service providers; three mobile network operators; 176 voice over internet protocol service providers; 97 internet service providers, including ISPs with at least a thousand subscribers—it is covering a very significant field of operation. It appears in your papers that you have excluded doing what we understand they may be doing in Britain, and that is that the government pays the providers to keep the information. It did not seem that the cost was altogether prohibitive—I think it got to about $800 million over 10 years for three times our population. Is it prohibitive for the government to do that? Have you thought about it? Is it something that has been contemplated?

Ms Smith : We have not excluded anything because we have not made any decisions on what it would look like—and we would welcome your thoughts—but, essentially, we think that there are three possible cost models: one is that industry pays, one is that government pays and the other one is that the cost is shared, as it currently is, with interception capability arrangements. One of the biggest challenges for us in the early work that we did in 2009-10 is that it was very difficult to get any quantification of what this would actually cost, because some providers gave us figures that were up here and other providers gave figures that were right down here. I think that was a lot about not really understanding what it would look like at that time. So, essentially, we have not done any actual cost modelling at this point in time, but we are open to what potential there would be.

Mr Wilkins : One of the considerations would be how we view the impact of the activities of law enforcement and security in terms of the integrity, if you like, of the communication systems in this country. In other words, is it simply to pursue criminality, where this is an enabler, or is cybercrime and the exploitation of people and issues around security itself things which should be built into the cost of them doing business and of people using the internet? In other words, is there an argument of the sort that we successfully advanced in relation to AUSTRAC, for example, on keeping information about financial transactions? Yes, it provides important intelligence for pursuing criminality et cetera, but it also has an important impact on the integrity of the system as a whole, so that those who participate, either as consumers or as service providers, have a level of comfort that law enforcement agencies can do their work and protect people—because the other side of this is some form of protection as well.

Mr RUDDOCK: One of the reasons I pursue something like this—suggesting that the government might pick up the cost—is that it forces you to think about what that might be. One of the aspects for us in weighing up any decisions that we come to when we impose a legal obligation on organisations that are running a commercial business—some of whom keep information and some of whom do not, and we are going to require them to keep it—is that we have to have some idea about what the cost is. We are getting information about the nature of the evil that has to be addressed. We are trying to weigh up the privacy issues and the breaches.

I think another issue is: do we essentially destroy the viability of businesses by imposing costs that are likely to drive them out? I have no idea whether we are doing that. I hear some people telling us that they are going to have to rent buildings the size of Civic in order to keep the information. I do not know whether that is real or unreal, but we have heard evidence to that effect.

I am wondering whether you have objectively tried to assess these costs and can give us some information about how realistic it is. Otherwise, we might just as easily recommend the government pay it, and you can work it out with Treasury as to how much you will have to appropriate for that purpose. At some stage, you are going to have think about it.

Mr Wilkins : That is a reasonable question. We have not got any quantification; although, we could probably do that on the basis of what happens currently.

Ms Smtih : That is right. Yes.

Mr Wilkins : A cost-sharing arrangement has the benefit of concentrating everybody's mind on making sure it is as efficient as possible, of course. I am not sure within the time available that we will be able to make submissions around that type of cost. Cost is obviously a consideration.

Senator BRANDIS: There has been some estimates given by other witnesses of the likely costs. They have been various, I must say. I am rather with Mr Ruddock on this. It seems to me that this is not regulation the cost of which a business would be expected to bare; this is a mandate that a business actually provide a service to government.

Mr Wilkins : Or to the public. I was just putting the contrary position that it is also part of ensuring the integrity of a system of communication.

Senator BRANDIS: That is not the principal grounds advanced to this by any of the witnesses we have had from the different agencies.

Mr Wilkins : Except that a lot of the criminality that we now witness is now cybercrime and fraud.

CHAIR: I think that is it, unless you have something further to add.

Mr Wilkins : There are answers to questions.

Ms Smtih : I will read those. In relation to the task force report, there is a confirmation that carriers and carriage service providers are no longer retaining data to the extent that they previously did, but it does not make an actual recommendation on data retention. In relation to the submission on the discussion paper: that was submitted to the Attorney-General on 8 May, and provided back to the department on 10 May this year.

CHAIR: Thank you for your evidence. If we have any further questions, our secretariat will write to you.

Committee adjourned at 12 : 03