Parliamentary Joint Committee on Intelligence and Security
Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018

MURRAY, Mr Angus, Chair, Policy Committee, Electronic Frontiers Australia, and Vice President, Queensland Council for Civil Liberties

O'SHEA, Ms Elizabeth, Chair, Digital Rights Watch


CHAIR: Good morning. I welcome representatives of the Australian Civil Society Coalition. Do you have any comments to make on the capacity in which you appear?

Mr Murray : I additionally represent the coalition of councils of civil liberties, including the Queensland Council for Civil Liberties, Liberty Victoria and the New South Wales Council for Civil Liberties.

Ms O'Shea : I'm speaking on behalf of the coalition generally.

CHAIR: Thank you, Mr Murray and Ms O'Shea. Although the committee does not require you to give evidence under oath, I should advise you that this hearing is a legal proceeding of the parliament and therefore has the same standing as proceedings of the respective houses. The giving of false or misleading evidence is a serious matter and may be regarded as a contempt of parliament. The evidence given today will be recorded by Hansard and attracts parliamentary privilege. Over to you for an opening statement.

Mr Murray : This, as you would appreciate, is not the first time that we have appeared before this committee and that this inquiry has a relatively long and complex background, with the first submission on the exposure draft provided by the coalition on 10 September to the Department of Home Affairs, followed with a submission to this committee in October 2018. I gave evidence before this committee on 21 October. Further evidence was provided by way of submission on 1 July 2019, and I have recently, this year, given evidence on 20 February to the Independent National Security Legislation Monitor, which was followed with a supplementary submission arising from that hearing on 5 March. Throughout the course of these inquiries a consistent theme through submissions provided by Civil Society Coalition is that the manner by which this legislation was introduced and passed warrants deep criticism and should be criticised broadly by this committee. And, more generally, our submission has been and remains that the act ought to be repealed.

In our submission this legislation has to be understood in context. The context is that the surveillance landscape in Australia has dramatically expanded and it expanded without the check and balance of an enforceable federal human rights framework. There have been numerous inquiries and Law Reform Commission reports that have highlighted that fact, and that is a theme that has existed through these submissions and a theme that will exist through today's evidence. That landscape, to be clear and to paint a very broad picture, commenced in 2013—it commenced earlier than that, but 2013 is a good place to start in respect to this legislation—and that was with the introduction of the mandatory metadata retention scheme. That has been followed by the recent biometric facial recognition—or identity matching services—bill that this committee recently reported on. And now there is this legislation, the assistance and access act legislation, which has been consistently described as both legally and technologically complex.

The difficulties that exist with this legislation largely arise from the way in which it was rushed through parliament. Then, that there are this many inquiries and that there has been this much commentary around the legislation—and indeed the security monitor in his recent report notes that the complexity and technicalities of this legislation make it a very difficult exercise to properly understand how and what government is actually doing. This process ought to have had a greater amount of consultation before the legislation passed, and it puts us in the somewhat unenviable position to be commenting about legislation that has now passed.

Where our submission primarily is is that the legislation ought not have passed. But, in terms of the submissions today and where I think it's useful for us to take the committee, the Independent National Security Legislation Monitor, in his 316 page report, has done great credit to this process, and I offer my personal gratitude for the work Dr Renwick undertook in relation to that report. It is a comprehensive and well-rounded report that deserves praise. The position we take is generally that the report comes to 33 recommendations that are all acceptable. However, those recommendations are a baseline of where reform or amendments should be taken in relation to this legislation, should the recommendation of the committee be not to repeal the legislation.

I have a few brief comments in relation to the recommendations, and then I'll hand over to my colleague. First and foremost, the security monitor recommends the introduction of a new division, an investigatory powers division, of the Administrative Appeals Tribunal and an investigatory powers commissioner. In his report he talks about how that division may be constituted as an oversight body for both technical capability notices and technical assistance notices. Our submission and evidence I gave before this committee previously remains that the oversight of the issuing of warrants or notices under this regime must be best for the court. Previously before this committee, I drew reference to the relatively recent decision of Big Brother Watch v United Kingdom and I quoted at that previous hearing the decision in that matter in the United Kingdom. I won't quote the entire section again, unless it's desirable for the transcript. However, I will add the same emphasis that exists in the emphasis in submissions on this, and that is that, when dealing with secret warrants or anything to do with secret surveillance, 'it is in principle desirable to entrust supervisory control to a judge, judicial control offering the best guarantees of independence, impartiality and a proper procedure'. I make no criticism of the Administrative Appeals Tribunal, but an administrative review of these decisions is inappropriate in the context that these are secret surveillance techniques that are being deployed by government, with a very broadly defined class of designated communications provided.

In relation to the notices issue and specifically technical assistance notices and technical capability notices, the security monitor draws attention to the concepts of 'reasonable and proportionate' as expressed in the act. To take an example to the committee, section 317PA provides:

The Director-General of Security or the chief officer of an interception agency must not give a technical assistance notice to a designated communications provider unless the Director-General of Security or the chief officer, as the case requires—

and, if the committee adopts the security monitor's recommendation, it would be the Administrative Appeals Tribunal issuing these notices—

(a) the requirements imposed by the notice are reasonable and proportionate …

In our submission, at the start of service, that is an appropriate way of checking and balancing the content or substance of a notice. However, that section cannot be read in a vacuum and must be read and construed in the manner by which section 317R described, and that section sets out the criteria that has to be imported into the decision-making criteria when determining whether a notice is reasonable and proportionate.

The committee will note that all bar one of the criteria that are being considered in the construction of the reasonableness and proportionality focus on either commercial imperatives or national security imperatives. It is only when we take ourselves to section 317RA(f) that we get to the criterion of 'the legitimate expectations of the Australian community relating to privacy and cybersecurity'. It is our view that the conflation of privacy and security in that single subsection is inappropriate and that greater weight needs to be placed on the human rights of Australian citizens and the reasonable expectations of Australian citizens to their right to privacy; and, separately, as it is a separate concept, that the operation of a technical capability notice or a technical assistance notice does not cause an issue or affect the legitimate expectations of Australian cybersecurity as a separate section. We would suggest that section (f) is expanded more holistically to deal with the concept of privacy and expressly place greater weight and emphasis on the decision-making criteria that ought to be applied to that provision, and then, potentially, section 317RA(fa) on cybersecurity.

In addition, we agree with the conclusions that the security monitor makes at sections 6.61 and 10.13 in relation to the requirements that tend towards the need for an independent review. That review body is, in the security monitor's view, the AAT. In our view that ought to be a judge.

We also draw attention to the concept of privacy I just mentioned and how that needs to be expanded. That has already been clearly demonstrated by this government as a possible outcome and that there is the ability within the government to draft pro-privacy or legislative arrangements to properly respect Australians' privacy. The example of that is the recent Privacy Amendment (Public Health Contact Information) Act 2020, which gave effect to the current COVIDSafe application. There's reference to the language that's adopted in that act in section 5.71 of Dr Renwick's report. We encourage that, when the committee is construing amendments that are required for this act, reference is made to the stringent and forceful language in the public health contact information act.

We also agree with the security monitor that the removal of 'systemic vulnerability' in the language of responsibility and simply having a 'systemic weakness' is an acceptable point, and we agree that a statutorily enshrined definition and examples of systemic weakness is the appropriate course. We further agree that target technology requires the same thing, with statutory examples and a clearer definition. Finally, we think it's a sensible approach to form an Australian investigatory powers commission, and there ought to be oversight in the form of an independent body that authorises the issuing of technical assistance notices and technical capability notices. We say that, in line with the Big Brother Watch decision and recent decisions in Australia in relation to the issuing of warrants in the Smethurst decision, it ought to rest with the court and not with the tribunal. That is my opening statement. Thank you.

CHAIR: Thanks very much, Mr Murray. Did you say Ms O'Shea had something to add before we move to questions?

Mr Murray : I believe so.

Ms O'Shea : I do. Thank you, Chair. The Coalition of Civil Society Organisations is grateful for the opportunity to provide further input to this review. I'm speaking on behalf of Digital Rights Watch; Blueprint for Free Speech; the Human Rights Law Centre; various councils for civil liberties in New South Wales, Queensland and Victoria; Access Now; Electronic Frontiers Australia; and Future Wise.

It's easy to assume that the issues canvassed in this review are beyond the capabilities of the everyday person to understand or to deal with when they are issues that are rarely likely to become relevant to them personally, but I believe this could not be further from the truth. Strong encryption is our best protection against criminal and state sponsored hacking, and preserving strong encryption is a central component of digital security, which we all have a right to expect. These are put as ongoing risks as a result of this law. Moreover, the Coalition of Civil Society Organisations has coordinated nearly 1,500 submissions from the public and the interest in this law remains high. These issues do not escape the notice of the public. They're aware of them. When I speak today, I do so on behalf of many, and our position remains as it was then: that the bill should be rejected. As it is now law, it should be repealed. We're deeply concerned by the powers contained in the act and the serious implications for human rights and democratic governance. We're very concerned about the rushed process and serious implications of this law. This review represents an opportunity to fix these errors.

I want to raise a number of matters that have come up since the passage of this bill and even since we filed our submission in response to this review. There are three things: the risks to a free press, contact-tracing apps and, finally, the report of the Independent National Security Legislation Monitor. I mentioned the risks to a free press. There have been two recent raids on journalists, from both News Limited and the ABC, that have been conducted, reportedly involving powers conferred by TOLA. These are powers that became available as a result of the amendments to the Crimes Act. While we understand that these powers technically fall outside the scope of this review, we think it's critical that the committee acknowledge the serious public concern generated by these raids. There is now open hostility within government to whistleblowers generally and there is a clear risk that these powers may well be used to advance that cause at the expense of the public's digital security and free press.

We also note the rollout of the COVIDSafe app and many other similar contact-tracing apps around the world. We appreciate that we're in the early stages of this crisis and there'll be further opportunities for considered reflection upon these issues at a later point. One of the lessons that I think are clear and that we can learn now is that public trust is critical and necessary as a factor to these projects being ultimately successful and useful. The take-up rates in Australia are nowhere near where they need to be for this app to work, and there are good reasons for this. The public harbours a lack of trust in government when it comes to technology policy, and this feeds the lack of take-up of this app. The repeal of this law, we would argue—or, in the absence of repeal, significant increases in transparency, oversight and accountability—could go some way towards rebuilding trust in government. Until that happens, we can expect the example of COVIDSafe to repeat itself.

Lastly, my colleague has canvassed the various recommendations in the report of the Independent National Security Legislation Monitor. I would reiterate that the monitor recognises the urgent need to address the problems presented by this law and endorsed several of the coalition's recommendations, including independent oversight and requiring warrants for all powers enshrined under the act. Independent oversight would bring TOLA better in line with the equivalent law in the United Kingdom. In the United Kingdom, to obtain access to encrypted communications under the relevant act, an application must be made to both the Secretary of State for the Home Department and the Investigatory Powers Commissioner's Office. Under what is known as the double-lock system, both the Home Secretary and the IPCO must give approval, and we think that's a process that ought to apply here. It's necessary but it's insufficient until we do endorse it as a recommendation. In general, that remains true for a lot of the recommendations in the monitor's report. Our preference remains that it is a court and that there are ways in which the public could be represented in any process for approval of use of their powers under the act. But the fact is that the monitor's report and the many concerns that he raised highlight that this review could be a significant turning point for the history of this dangerous legislation.

These problems would have been wholly avoided if representatives had debated this bill properly and had welcomed public and expert scrutiny rather than demonstrating suspicion towards it, and made a genuine commitment to protecting digital security and the right of all people in a liberal democracy—and not this fearmongering for political pointscoring. We think the public has been failed by this law, but we can do better and I would encourage the committee to consider repeal or, absent this, extensive reform.

CHAIR: Thank you very much, Ms O'Shea and Mr Murray. We will now move to questions, and I'll give the call to Senator Abetz.

Senator ABETZ: Thank you for the submission. First of all, Ms O'Shea, in relation to the lack of take-up of the COVID app, do you have any evidence that suggests that the lack of that take-up is because of distrust of government or—as my office has received many representations—a lack of take-up of the required modern technology, especially amongst the older demographic in our community?

Ms O'Shea : Of course, there's still work to be done in terms of understanding why this project has not been successful. The one piece of evidence, though, that I would point to that I think is relevant is that in Singapore, which is a country that is known for its faith in government, half of the people who were surveyed who knew about the app but elected not to download it did so because they were concerned about how their government would use the data that was collected. That was a key reason. I think a common theme in many countries around the world is that there is a lack of public trust in government—trust to be able to execute these projects properly but also trust that data shared with government will be used appropriately. I think that's a valid concern.

Senator ABETZ: But nothing specific that you can point to in relation to Australia?

Ms O'Shea : I think it is too early to tell.

Senator ABETZ: Does the coalition or, indeed, any of its constituent members get funding from any of the tech or big tech companies?

Ms O'Shea : I'd need to think about that carefully. There's obviously a large number of organisations within the coalition. I'm sure some of them do. I don't think it would necessarily be direct grants in all instances. There are of course funding bodies that are funded by tech companies of all sorts of descriptions that then go on to fund civil society work. I probably need more information about what exactly you are asking, but I don't think I could provide details about all of these organisations.

Senator ABETZ: I thought the question was relatively straightforward. Does the coalition or indeed any constituent member that has been listed receive any direct financial or in-kind support from big tech companies and, if so how much? Then, of course, we'd be interested in which companies they might be in relation to how they might be seeking influence in relation to this public policy issue. If you could take that on notice for us and come back to us, I'd be much obliged. Mr Murray or Ms O'Shea, as I understand it, in your ideal world TOLA would be repealed—full stop. Would you put anything in its place to assist us in this area for national security concerns?

Mr Murray : I'll take that question. I will take a couple of steps backwards and answer your two previous questions so that I am appropriately responding to everything you are saying. On 28 May I submitted on behalf of Electronic Frontiers Australia a submission to the Parliamentary Joint Committee on Human Rights in relation to the COVID legislative arrangements. In relation to the question you had with respect to trust and the COVID-Safe app, in that submission we drew that committee's attention to the federal government's track record with respect to the My Health Record, the census, robodebt and the data retention scheme as well as the recent crashes of the myGov website. In our submission, and respectfully, it's not an issue that Australians don't necessarily trust government; it's that government has not given Australians a reason to trust it. The context that sits there is: trust is something that is hard earned and easily lost. Each of the government digital platforms that are rolled out has, with respect, had issues and has caused, in the context of robodebt, direct and serious harm to individuals, which, as you would appreciate, has recently ended up with a large settlement and an acknowledgement, that required the court's intervention, that the robodebt platform is not operating correctly and a large significant refund is issuing—

Senator ABETZ: Mr Murray, I understand all that, and I've been on the public record expressing concern about robodebt. But what is the specific evidence, if there is any, that can point to the assertion that the lack of take-up of the COVID app was because of distrust of government?

Mr Murray : I don't have specific evidence, and that's not—

Senator ABETZ: Right; and I thought that's what Ms O'Shea said as well. If you could go to the other questions, I'd be much obliged. Sorry to rush you, but time is of the essence.

Mr Murray : In relation to that question about funding, I sit as vice-president of the Queensland Council of Civil Liberties, and it is that organisation's policy and mandate that funding is not taken from anyone other than an ordinary member. We do not take corporate funding at all from big tech or otherwise. Other organisations within the coalition—like, for example, Electronic Frontiers Australia—does take in-kind support from technology companies. However, those companies have no voting rights and no sway in relation to the operation of that organisation. To answer that question fully and squarely, Electronic Frontiers Australia was founded before Google and has at many times criticised Google, although it has in the past taken funds from Google to assist its operation. You would appreciate that not-for-profit charitable advocacy does require some funding, and the operation of these organisations does require some funding. This funding provided by big tech to these organisations is not something, in my view, that can be correlated with influencing the way in which these organisations advocate. Senator, if you don't mind, could you repeat your final question?

Senator ABETZ: The final question was about your philosophical approach to this legislation. As I understand it, in your ideal world TOLA would simply be repealed—full stop. Would you have anything in its place, given the, I believe, appropriate expression of concern for national security considerations?

Ms O'Shea : Senator, if you don't mind I might just go before my colleague. In our submission we do highlight comments made by a serving member of the New South Wales Police Force at a public event which indicated that he was of the understanding that New South Wales Police were not meaningfully consulted about TOLA prior to the bill being tabled before parliament. Obviously, the Civil Society Coalition does not suppose that it is in any position to indicate what are the needs of law enforcement, but we did find it quite alarming that a key agency that would be dealing with offences that were at least publicly stated by representatives as being a motivating force behind this legislation were not meaningfully consulted on it prior to it being passed. So I think it is a matter for agencies to come forward, but there is a role for the public to play. There is an expectation that I think the public rightly has that privacy will be protected but also that encryption will be protected. We rely on encryption to do all sorts of activities in the digital world, and compromising security for one purpose does not mean that it will be limited to that purpose alone. So risks that are taken in putting encryption in jeopardy ought to be done with public consultation and public involvement and, we would argue, are not necessary. We can craft legislative regimes in a way that reflects both the public's need for cybersecurity and digital security and the need for law enforcement to do their job.

CHAIR: Could I confirm that your submission to the member of the New South Wales Police Force was to Arthur Kopsias, was that his name?

Ms O'Shea : That's correct.

CHAIR: Do you have his title within the New South Wales Police Force, just for the record? It's not clear in the submission.

Ms O'Shea : I'm afraid I don't. I can provide it at a later time.

CHAIR: Do you know whether he was middle management or upper echelons? I'm just trying to get a sense of how much influence he has within New South Wales Police.

Ms O'Shea : He was certainly senior and long-serving.

Mr DREYFUS: I asked this question of Atlassian, and I'll ask you too. What does a healthy consultation process with the Australian technology industry in the Australian community look like? Is there a template or an example you can think of where a government, either an Australian government or a foreign government, has conducted a rational and productive consultation with technology companies in the community in relation to a national security bill? The reason I ask is that I expect there will be bills in the future that raise similar issues to the assistance and access bill. I'll be happy if both of you attempted an answer to that.

Mr Murray : As my colleague was saying to answer the previous question, in the commencement of answering that question, the submission is not that there should be no security legislation in this country. The submission is that the form and substance of this legislation and the manner by which it was introduced are ripe for criticism, and that if the consultative process had been undertaken prior to the passing of this legislation it is likely that we would have clearer, more articulate and more fit-for-purpose legislation than what we presently are dealing with. It's not a submission that says that privacy is absolute and we should do away with security for want of privacy, because that would be an absurd submission. The flip side of that is that security is also not absolute and security shouldn't do away with privacy. There is a compromise that needs to be reached between these, and that compromise is achieved through deep and meaningful consultation.

As an example where national security legislation has involved consultation with various stakeholders, civil society and industry as well as policymakers, one could point to the inquiry that this committee is currently undertaking. This is meaningful consultation that has stakeholders involved. Had the cart not been put before the horse, and had this consultation been able to complete, there are many definitional issues and technical issues in the legislation that might have been able to be resolved prior to its passing, which would have been the preferable course.

As you'd be aware, Mr Dreyfus, in Australia there are also examples where government is required to have privacy impact assessments formed in relation to draft or proposed legislation. Those privacy impact assessments are often done in consultation both with civil society organisations and separately with the technologists that are more versed to deal with the technical aspects of privacy implications associated with legislation. So it isn't something that would be new to this country to be consulting industry and civil society in relation to legislation before it passes.

What has happened here, and the criticism I take of national security legislation particularly, is the very rapid passage of that legislation with very little meaningful consultation, which often ends up with concerns of the public and civil society that, whenever government introduces something that has the words 'national security' in it, it's a foregone conclusion irrespective of what the act actually says. You see in this particular example, the assistance and access legislation, that the TOLA bill was introduced in September 2018. Home Affairs in the exposure draft gave the community, I believe, two weeks to put submissions together, and it was only by a collaboration of civil society organisations that a submission was possible.

That kind of consultation is meaningless. That kind of consultation doesn't take into proper regard the importance of having not only those who represent civil society, being interested citizens of this country that are concerned with respect to their human rights and the interaction between the citizen and state, but also—and separately distinctly importantly—the technologists who are able to comment on the actual viability of legislation. Had that process been expanded, it's likely that a lot of these criticisms wouldn't have been present and that we would have had a more acceptable legislative framework that doesn't have the issues with respect to definitions attached to 'target technology' or 'systemic weakness' or that balances the act, where proportionality ties back, effectively, to it's being proportionate if it is national security focused. I trust that answers the question.

Mr DREYFUS: Thank you, Mr Murray. Ms O'Shea, do you want to add to that?

Ms O'Shea : I would concur with my colleague's comments. I think that a process like this should have taken place over many more months than it did. In other countries—for example, the UK—when the equivalent bills were debated, the process unfolded over years. I don't think the urgency around this was justified. The sense of alarm around this bill meant that it was passed in a format that was grossly deficient, which I think is now clear, given that amendments have been put forward by the opposition as well as, of course, in the report of the Independent National Security Legislation Monitor. I think the other component of this is that the rushed process meant that many representatives couldn't come to terms with the complex nature of a bill like this, from a technical perspective, where perhaps they did not have a technological background. I would point to the comments of Clare O'Neil in this respect, who talked publicly about this issue and the great rush around these kinds of proposals meaning that it's very difficult for politicians to find the time to come to terms with them. I think there is more work that we could do in terms of consulting with experts, and in terms of representatives who hold office doing the work to learn about these issues and being given the space to do so. That would improve the quality of lawmaking.

Mr DREYFUS: Thanks, Ms O'Shea. In your written submission, which is dated 1 July, you made a number of detailed suggestions for improvements in this legislation. Of course, at the time that you wrote it, you didn't have the advantage of the very lengthy report that we now have from Dr Renwick, the Independent National Security Legislation Monitor. I want to ask a couple of questions arising from the monitor's report. First of all, in your written submission, you said that there's a problem with the definitions of 'systemic weakness', 'systemic vulnerability' and 'target technology' that we see in the legislation at the moment. You said that you support the amendments that Labor proposed, which were passed by the Senate in February 2019. They, unfortunately, were never put to the House. Now that you've had a chance to consider the monitor's recommendations 8 and 9—the first of those being a recommendation by him that all references to 'systemic vulnerability' should be removed because the term doesn't add anything; it's redundant; and the second, recommendation 9, being detailed drafting amendments—what do you think of those recommendations? Do they address the problems of the current definitions of 'systemic weakness' and 'systemic vulnerability'?

Mr Murray : I'll take that question. You're making reference to paragraph 16 of the submission of 1 July and the issue taken with 'systemic weakness', 'systemic vulnerability' and 'target technology'. Directly, recommendation 8 resolves the issue with respect to the definition for 'systemic vulnerability' because it makes that term redundant. We agree with that. In terms of the definition of 'systemic weakness', I don't disagree or oppose recommendation 9. Our position is that a statutory definition, such as examples of a 'systemic weakness', ought to be included. That is in the security monitor's report. We endorse that. You are correct that we have previously endorsed the Labor amendments that would provide a definition of 'systemic weakness'. In relation to the third of those terms, 'target technology', I additionally agree with the monitor that 'target technology' requires a narrower understanding and that a set of statutory examples of 'target technology' should be included. I'm just checking the recommendation where he speaks about a 'target technology' definition, because I agree with the security monitor that 'target technology' should be a specific instance of a technology. That would narrow what could otherwise be an unlimited scope for 'target technology', which was a point that was expressed in evidence to Dr Renwick, when the monitor was conducting his consultations. That was recommendation 10, and we agree with that. The 'specific instance' aspect of the intended target is the correct way of narrowing 'target technology'—that it's not the totality of application or the totality of service but rather a single instance of it on a device.

Mr DREYFUS: Like the monitor, your coalition has called for an independent judicial authorisation process. I'm paraphrasing what you've said in the interests of time. You would have seen that Dr Renwick, in his recommendations 3, 4, 5 and 6, makes a very detailed proposal for an independent authorisation process, going even to how it could be fitted onto the Administrative Appeals Tribunal in the form of a new division. I wonder if you're in a position to comment on the approach that's been taken by Dr Renwick in his recommendations. Is it something that you would support, or could it be improved on, or would you be suggesting something quite different?

Mr Murray : I will address that again. Firstly, our position is that control and authorisation of technical capability notices and technical assistance notices ought to be vested in a chapter 3 court, not an administrative review body. Our highest and starting point is that the supervisory role of the courts ought to apply rather than the administrative review or the administrative construction of the appeals tribunal. In terms of an improvement, our view is that it should be vested in the Federal Court, not in the AAT, so that it's something that is subject to the authorisation of a judge rather than an administrative member. That has been a position of the Council for Civil Liberties for a very long time in relation to warrants—that warrants would not issue from anyone other than a judge. These are, by effect, analogous to warrants.

In terms of where the monitor has taken us with his recommendations, I would make the following as comments on his recommendations and not necessarily a complete endorsement of those recommendations. The first is that, had the consultation process been undertaken properly from the start, it's likely that this would be the natural conclusion to the consultation—the compromise between the court and an ASIO director-general issuing these warrants. I don't disagree with the sense and the pragmatism in the approach of the security monitor and his justification for why the vesting of these powers in an AAT division to be created may be preferable to a chapter 3 court, and the monitor does eloquently explain why he reaches that conclusion. I don't disagree with the reasoning that the monitor places on that; however, it is still preferable to have a judge for the reasons that I cited in paragraph 19 of the submissions of 1 July, which is the quote from Big Brother Watch and Others v United Kingdom. Where the warrants are secret, the warrants must be issued by a judicial body.

In the context of further enhancements that could be achieved to the monitor's suggestions, if the monitor's suggestions were accepted and a judicial vesting of this power was rejected, it would need, firstly, a bill to be introduced for me to meaningfully comment on how that division would be created and how the powers would be vested in that division. That bill would need to have clear parameters in terms of, firstly, the ability to be represented before the Investigatory Powers Division of the AAT. There are examples in relation to migration review, where representation is an automatic right. This is a situation where representation ought to be an automatic right. Secondly, there would need to be clear parameters in terms of the publication of decisions arising from this division. As you would appreciate, section 35 of the AAT Act already allows for a relatively low threshold, as against section 37AF of the Federal Court Act, for the suppression and non-publication of information or identity of parties. The pseudonymisation of a party and the suppression of commercially sensitive information and the reported decision out of this division would be preferable, because that would alleviate some of the concerns with respect to transparency and not creating a situation where Australia adopts a FISA-esque Foreign Intelligence Surveillance Act court—I think FISA is the acronym in the US—into our administrative appeals tribunal.

Thirdly, there is an access-to-justice proposition that needs to sit around the existence of this division. If we take, for example, a DCP that is Google Inc. and a technical capability notice issued to Google that goes before the AAT, the funding and resourcing available for Google are significantly greater than for an individual who owns a website. That disparity in the access to representation and in the access to a full and complete technological and legal basis upon which a notice issues has to be addressed in the legislation. It has been mused among my colleagues that that may be in the form of allowing, by right, amicus submissions into these proceedings before the AAT or a standing advocate for the DCP in this tribunal as a matter of right that's funded by the state, or some other variation that enables parties to be proportionately represented when the notices issue. The overarching point with that is that it should vest with a judge. If it doesn't vest with a judge, there is sense in what the security monitor is referring to, because it is a check and balance. The enhancement would simply be to make it more transparent, with greater clarity in terms of what the representation would be and what the appeal process from that decision would be, which ought to be in the Federal Court. I hope that answers the question.

Mr DREYFUS: Yes. Thank you very much, Mr Murray, for that detail, and I thank you and Ms O'Shea for assisting the committee.

CHAIR: Over to you, Senator McAllister.

Senator McALLISTER: I just want to ask you about some of the specific suggestions additional to those you've already discussed in your written submission. You make the suggestion that a rebuttable presumption ought to be established in relation to the limitations on things that may be requested of a DCP. Obviously, these propositions which are described in the negative become quite complex conceptually to understand. I wonder if you could just talk through what the practical effect of a rebuttable presumption around the limitation would be in a process.

Ms O'Shea : Forgive me. I'm just looking up where this is in our submission, and I'm struggling with the NBN. Bear with me.

Mr Murray : If you could make a paragraph reference or a page reference to the submission, it would assist me as well.

Senator McALLISTER: Yes, it's page 15 in the document before me. I'm conscious that occasionally the secretariat helpfully add additional and different numbers, so that may not be the page reference for you.

Ms O'Shea : Did you say page 15?

Senator McALLISTER: No, sorry. Actually, I have no page numbers on it at all. It's the paragraph that begins:

Address the problems with the definition of 'systemic weakness', 'systemic vulnerability' and 'target technology.'

You've talked a little about the problems with the definitions themselves, but you make the additional suggestion that, if there is a limitation and it is raised by a recipient of one of these notices, there should be a rebuttable presumption that the limitation applies. I would just like to give you the opportunity to talk through the effect of that for the committee.

Ms O'Shea : I see. I now understand. Forgive me. I wasn't exactly sure what you were speaking about there. Part of the difficulty, I suppose, of the legislation as it was drafted is that some of these terms were not defined, and it made it difficult to see how the limitation contained in 317ZG was meaningful, especially in a context in which implementing a technical assistance notice or a technical capability notice may create a risk that was unclear at the time of introduction but may come to pass at a later point. I think part of the difficulty about introducing systemic weaknesses is that they become obvious in retrospect, whereas at the time they weren't so clear. Our concern was that there be a proper process for considering concerns raised by individuals who are required to carry out these notices and that the full spectrum of risks be considered by someone with a technical background. A rebuttable presumption might facilitate that process. I can appreciate why it's not particularly elegant, and it may no longer be required if some of the changes recommended by the monitor are made, but it was our attempt to introduce a robust process for considering risks with input from people with technical expertise.

Senator McALLISTER: You also make the point, on the previous page of your submission:

… any capabilities or tools developed as a result of a TAR, TAN or TCN be restricted to use only pursuant to a judicial warrant. When that warrant is no longer in force, the recipient of the TAR, TAN or TCN should be notified appropriately and permitted to take any steps to address the impacts of the TAR, TAN or TCN as they see fit.

Again thinking about the specifics of this, what would be practically known in terms of the way this regime operates?

Ms O'Shea : Obviously, it's difficult to know what activities might be undertaken pursuant to a technical capability notice, but, if you were to build a tool which facilitated access to encrypted flows of communication, that tool should only be able to be used to execute that particular warrant and nothing else. I think there is a risk, if you create an abundance of these kinds of tools, that they may not be patched or the technology may not be amended later to close that particular loop or remove the vulnerability that's created. That's our primary concern.

The other issue, of course, is that these tools are extremely valuable for criminal hackers. We've seen the NSA, for example, lose control of tools—without noticing in one instance—and then scramble to work with the technology company to patch that particular weakness. I appreciate, of course, that there's a protection in the legislation whereby a company can't be prevented from patching a known vulnerability, but in circumstances where it's been created pursuant to a notice or a request it is important that it be restricted and there be an endpoint for its use so that it doesn't become an ongoing arrangement and so the digital security of these systems is protected because the number of vulnerabilities is limited.

Senator McALLISTER: Mr Dreyfus asked you about the monitor's suggestions in relation to systemic weakness. I wonder if that change to the definition of systemic weakness, which would ensure that the data of third parties was not imperilled, does the same job as the path that you're suggesting here.

Ms O'Shea : Obviously, my colleague made comments in response to Mr Dreyfus, which I concur with, around the definition, which is one issue. I think the ongoing use of tools is a secondary issue that sits apart from that. Any tool that is designed to break encryption for a national security purpose does create a vulnerability. I can understand how it might be labelled something different for the purposes of the legislation, but I think in the interests of ongoing digital cybersecurity we shouldn't allow proliferation of those tools or allow them to exist beyond the purpose for which they were created. That is the source of anxiety, I think, that motivated that particular submission. So while I appreciate that some of the definitions might serve to ameliorate concerns about, for example, that rebuttable presumption suggestion, I'm not sure that they necessarily address the issue that you raised in the second point about making sure that these tools and capabilities are time limited and purpose specific and that there's an approach for attempting to improve and protect digital systems from inadvertent or criminal behaviour that might then exploit the weaknesses that have been created for an agency under the act to be able to execute a warrant or pursuant to an authorisation.

Senator McALLISTER: I'm conscious that you've given us a lot of your time already. I have one final question, which is for you to explain the significance of your recommendations around reporting requirements and why it is that you consider that public reporting is important in relation to these powers.

Ms O'Shea : I think public reporting is critically important. In part it goes back to Senator Abetz's question at the beginning of this session. We were talking about the need for this legislation. I think it is interesting to look at things like questioning and detention warrants under the ASIO Act and the public reporting requirements around them, because it gives the public confidence that such powers are being used, for example; that they're not there for very specific or minimal reasons; and that they're not being overused. In that sense I refer to public reporting in the media around the metadata retention regime and—I think it would come as a surprise to many Australians—how commonly requests for metadata are made to technology companies. That information only became available by technology companies disclosing that themselves. It gives confidence to the public that the powers might be necessary but also that they're not being used well beyond the scope that was being put forward at the time the legislation was proposed. I don't see any difficulty in similar reporting requirements applying in the context of this legislation. I haven't had the opportunity of seeing any submissions that suggest otherwise. It seems to me to set a bad precedent if reporting requirements that are used in previous national security legislation don't similarly apply in relation to this act.

Senator McALLISTER: Thank you both very much for your time and for making a written submission.

CHAIR: Mr Murray and Ms O'Shea, that concludes our discussion. Thanks for your attendance here today. If you have any additional information, could you please forward it to the secretariat by 4 pm on Monday 10 August 2020. You will get a copy of the transcript of your evidence and you will have an opportunity to request corrections to that transcript.