Parliamentary Joint Committee on Intelligence and Security
Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018

FLETCHER, Mr Brian, Director of Policy, APAC, BSA The Software Alliance

Evidence was taken via teleconference—


CHAIR: I welcome Mr Fletcher from BSA The Software Alliance to give evidence. Although the committee does not require you to give evidence under oath, I should advise you that this hearing is a legal proceeding of the parliament and therefore has the same standing as proceedings of the respective houses. Giving false or misleading evidence is a serious matter and may be regarded as a contempt of parliament. Evidence given today will be recorded by Hansard and attracts parliamentary privilege. Would you like to make an opening statement?

Mr Fletcher : Thank you, Chair, and good morning to the honourable members of the committee. BSA The Software Alliance appreciates the opportunity to speak with the joint committee again in relation to this inquiry into the TOLA act. As the committee is aware, BSA is an industry association that represents the global software industry. Our members include Adobe, Amazon Web Services, Atlassian, Cisco, IBM, Microsoft, Oracle and Salesforce, to name a few. What they share is an interest in driving data-centric innovation and software development, including cutting-edge advances in artificial intelligence, machine learning, cloud based analytics and IOT things. BSA members' work helps to make our devices smarter, our businesses more competitive and the delivery of government services more effective. Of course software has also been at the heart of the global response to the COVID pandemic, in particular through providing the backbone of the digital economy, allowing people to work remotely. It's not surprising, therefore, that our members have had an interest in the TOLA act. To this end we appear before you today as we have in the past. You would be aware from our submission and from our previous interactions that our members fully support the Australian government's desire to have more powerful tools to aid in the fight against criminal and terrorist activities. Some of our members are the recipients of regular lawful requests for information from law enforcement agencies around the world. They're committed to complying and cooperating with lawful requests for information to the extent that they can do so from a technical and legal perspective and in a manner that does not violate the obligations that they have to their customers. We don't believe that assisting the government to fight crime and terrorism on the one hand and ensuring the security of software and digital devices is a binary choice. 
This is a conclusion also drawn by the INSLM in his recent report on the TOLA act. BSA contributed to the INSLM review on the act, and we want to commend the work of the former INSLM, Dr Renwick. Whilst the report that he released doesn't totally eliminate all concerns from the bill, we commend the report to the committee. BSA, along with the Australian Information Industry Association, provided a letter to the committee last week, jointly supporting the INSLM recommendations.

We'd like to highlight some of our concerns that BSA have raised with the committee previously, which we feel are directly addressed by the recommendations. First, we feel recommendations 8, 9 and 10 would significantly strengthen the definition of 'systemic weakness'. Next, there are many recommendations—12, I think, in total—that provide a more robust and more independent oversight and operation of the TOLA scheme. Recommendation 7 limits the application of notices to offences that are punishable by more than three years in prison, and that directly addresses a concern that we've raised in the past. Recommendation 11 does not allow TANs and TCNs to be issued to natural persons. Whilst this may have been a misunderstanding, it was a fairly widely held one. We think that explicitly stating this in the legislation adds to the understanding and trust that can be put into this.

As noted earlier, INSLM recommendations aside, we still have some outstanding concerns regarding the legislation. Transparency is an important principle for ensuring public confidence in the powers granted to law enforcement agencies. We would like to see greater transparency in TOLA, including, for example, a greater ability given to companies to be able to disclose TCNs and TANs received from the government. BSA also objects to the provisions in the act that provide the government with access to intellectual property, trade secrets and other proprietary and sensitive information, including source code or undisclosed vulnerabilities. In our view, granting access to such data is a slippery slope and sets an inherently bad precedent for other governments. Whilst we understand and support the act's purpose to collect data for law enforcement purposes, we remain concerned about the broad and undefined scope of the act's authority to raise mandatory notices for national security.

Again, I want to thank you for inviting us to participate in the hearing today, and I look forward to any questions you might have.

CHAIR: Thank you very much, Mr Fletcher. We'll go to Mr Dreyfus.

Mr DREYFUS: Thanks very much, Chair, and thank you, too, Mr Fletcher, BSA, The Software Alliance and the Australian Information Industry Association, for participating in the committee's inquiry. As I understand it, you participated in the Independent National Security Legislation Monitor's lengthy consultation process as well. Is that right?

Mr Fletcher : That's correct.

Mr DREYFUS: Thank you, also, for the more recent letter. Your submission was dated 26 June. It obviously predated the publication of Dr Renwick's report, and you've now told us in a letter of 22 July that it's the view of your organisations that the Independent National Security Legislation Monitor's recommendations should be adopted in full by the committee and indeed by the government. It's an enthusiastic endorsement of the work that Dr Renwick has done. I'd like to drill down a little bit into: are you concerned that, if you don't adopt the recommendations as a package or endorse the recommendations as a package, that might lead to some kind of unpicking? My question to you is specifically about recommendations 8, 9 and 10, which go to the definition of 'systemic weakness'. Do you think that that is the best solution to correcting the deficiencies of this legislation in that area?

Mr Fletcher : Thank you, Mr Dreyfus—it's an excellent question. It's fair to say that when the INSLM's report was released the tech industry did a lot of work poring over the results and the implications that were in there. There was certainly a heated debate amongst members of BSA as to what to recommend going forward and what all of this really meant. I think it's fair to say also that, should industry have been given a pen, our definition of systemic weakness would be different and it would be probably closer to that of the repairing access and assistance bill that we supported previously. However, after a lot of conversation it was the consensus decision of our members that recommendations 8, 9 and 10 were sufficient and were considered to be what we would support going forward for the bill.

Mr DREYFUS: On another matter, which is a bit related to that first question about your support for the INSLM's position as a package, what's your issue about recommendation 12, which you single out in a footnote to your letter? That's the recommendation where Dr Renwick recommended that the Australian Federal Police should not have any role in the consideration of industry assistance notices requested by or issued on behalf of state and territory police. If I could just say by way of preface, I had taken Dr Renwick to be saying, 'If you introduce this independent authorisation process that I'm recommending, well, you don't need to have the Australian Federal Police involved in respect of the use of these powers by state or territory police.' Are you able to expand on why it is that you put that footnote in your letter?

Mr Fletcher : Of course. The issue here for the members was one of efficiency and effectiveness. We feel that these powers should be used in extremis—for serious offenses—and, as such, they would not be called upon often. In our view, a centralised, coordinating team for Australian law enforcement applications for these powers would better understand the abilities and limitations of the industry and have fast access to the correct industry contacts, and, essentially, be better able to navigate the process of applying for requests and notices with industry.

Mr DREYFUS: I think I'll just take it that you agree, then, with what the Independent National Security Legislation Monitor has said in his proposal in recommendations 3, 4, 5 and 6 as to some kind of independent authorisation process. You don't want to add anything to your endorsement of that proposal?

Mr Fletcher : In the past we've certainly discussed with the committee and in a number of our applications our global position, which is that we prefer judicial review and that an independent judicial authority should be available for any order that authorises government access to content or sensitive data or anything that mandates technology providers to take specific actions regarding data or technologies. The members, again, discussed this in-depth, and the consensus of feeling of the members was that Dr Renwick had considered all of the issues and that we were comfortable with what he was putting forward as a suggested new oversight and issuance process.

Mr DREYFUS: My remaining matter goes to something that your submission focused on, which was the interaction between the assistance and access act and the United States CLOUD Act. The US Department of Justice has said publicly 'there is nothing in Australia’s Assistance and Access Act that would preclude or prevent the conclusion of a CLOUD Act agreement' between the United States and Australia. On the other hand, the Chairman of the United States House Committee on the Judiciary, Congressman Jerry Nadler, has expressed concerns publicly about the assistance and access act and its compliance with the requirements of the CLOUD Act. That's by way of introduction, Mr Fletcher. Could you outline what role the US Congress would play in approving a CLOUD Act agreement between the United States and Australia?

Mr Fletcher : My humblest apologies; I'm not sure if I can actually comment on that.

Mr DREYFUS: That's fine. I was relying on your international focus and the fact that you had made these submissions about the CLOUD Act, and I appreciate your frankness on that point. What you have, however, done in your submission—I won't take up time on this now—is point out potential conflict between the assistance and access act and the United States CLOUD Act, particularly going—

Mr Fletcher : That's true. Section 105 of the CLOUD Act talks about procedural protections for privacy and liberty, sufficient mechanisms to provide accountability and appropriate transparency, and being able to be reviewed or oversighted by a court judge or magistrate. It is true that we have raised those concerns before, and we do feel that the INSLM recommendations would obviate that risk somewhat. But, at the end of the day, the CLOUD Act is, as you know, enabled by executive agreement negotiated between the governments of Australia and the United States. Those details will undoubtedly be discussed between the parties as part of that—

Mr DREYFUS: And is subject to approval by the United States Congress, which is what my earlier question was going to.

Mr Fletcher : My apologies.

Mr DREYFUS: That's alright; if it's outside your field of expertise, we'll leave that there. Thanks very much indeed, Mr Fletcher.

CHAIR: Thank you very much, Mr Fletcher, for your time today. Thank you for your forthright responses, as well. We appreciate it. We'll get a copy of the transcript to you so you can make any corrections. If there's anything else you'd like to provide, if you could do so by 4 pm on Monday 10 August that would be great. Thank you again for your time today and also for your submission. The committee will now suspend.

Proceedings suspended from 12:23 to 13:07