Parliamentary Joint Committee on Intelligence and Security
27/07/2020
Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018

GILLESPIE-JONES, Ms Christiane, Director Program Management, Communications Alliance

STANTON, Mr John, Chief Executive Officer, Communications Alliance

Evidence was taken via teleconference—

CHAIR: I now welcome representatives of the Communications Alliance to give evidence. Although the committee does not require you to give evidence under oath, I advise you that this hearing is a legal proceeding of the parliament and, therefore, has the same standing as proceedings of the respective houses. The giving of false or misleading evidence is a serious matter and may be regarded as a contempt of the parliament. The evidence given today will be recorded by Hansard and attracts parliamentary privilege. I now hand to you for an opening statement.

Mr Stanton : Thank you very much, Mr Chairman and members of the committee, for the opportunity to appear before you once again today. It's fair to say that debate over the appropriateness of the assistance and access act has been long, passionate, complex and global in nature. This debate has been essentially about how to balance three undeniably important but not necessarily complementary objectives. The first of these we feel is the need for the security of our telecommunications networks, infrastructure and the communications transmitted across those networks to be protected from unauthorised access or interference. Second is the ability of our enforcement agencies to operate effectively in a digital environment where bad actors have increasingly employed encrypted communications to attempt to conceal their activities from authorities. Finally, there is the need to preserve law-abiding citizens' enjoyment of individual rights and freedoms, particularly the right to privacy and security of their private communications.

When attempting to balance these objectives I think we need to be mindful of the risk that the legislation may generate unintended consequences, including the creation of new avenues for cybersecurity threats—for example, through the weakening of encryption. The creation of such new avenues could not only pose dangers to individuals and the functioning of our digital society but also undermine the government's own ability to combat external threats. As Atlassian pointed out well earlier today, it can risk damaging Australia's growing export-oriented technology sector.

From the outset the legislation helped amass a very broad coalition of stakeholders concerned that the provisions were disproportionate, dangerous, impractical and lacking in significant control and oversight of the activities of agencies. That coalition included Australian and overseas members of civil society, academia, the cybersafety community and the communications and technology sectors, some of whom have already appeared before the committee today. While the legislation served to unify this alliance, it also drew a divide between alliance members, enforcement agencies and relevant government departments.

There have been many amendments proposed to the legislation. In our view, many of these were well-considered and were soundly based on the experience of experts in communications network security, but, by and large, they have not been taken up. During the three or more years that this legislation has been in development and under scrutiny, including I must say via the very great work of the PJCIS, and during the period between its passage through parliament and its time on the statutes, unfortunately it has not proved possible for all parties to land on a sensible middle ground—a well-crafted amending package that does the best job possible of reconciling the competing objectives that I mentioned earlier.

We believe that the Independent National Security Legislation Monitor, in what he himself described as the most complex inquiry he has undertaken in his role, has constructed a package within the recommendations of his report that actually can take us much closer to that desired sensible middle ground. We believe that the INSLM's inquiry, report and recommendations demonstrate the independence with which he and his team have approached the challenge. We think the recommendations do offer a path for a solution that almost certainly does not meet 100 per cent of the aspirations of any of the stakeholder groups, including our own, but does take account of the legitimate priorities of all of those groups.

We support the INSLM's report and the suite of recommendations contained therein. If I may, I'd like to call out a few of the recommendations, particularly those that have featured prominently in the public or stakeholder debate and which go to the broader functioning of the assistance framework. Perhaps, most importantly, recommendations 3 through to 6 would, if implemented, in our view, provide, for the first time, independent judicial oversight and review of the requests and demands being made by enforcement agencies under the act, and this has long been a theme of our submissions and those of many others in relation to the present state of the legislation.

Also key in our view are recommendations 8, 9 and 10, which we think, if implemented, would largely address the present dangers of lack of definitional clarity around the prohibited effects of agency requests. These recommendations also address a serious concern that the relevant powers give more discretion to enforcement and national security agencies than is reasonably necessary for the intended purpose, including scope to act in ways that were not contemplated or intended.

Recommendation 7 would assist with allaying the concerns of proportionality, or lack thereof, by raising the imprisonment threshold for offences to which assistance requests relate from three to seven years. Again this has been a regular component of the requests we've been making for changes to the legislation.

Recommendation 11, which, by and large, ensures that requests are being directed at an organisation rather than an individual employee, is key not only to improving on the practical challenges of the legislation but also to limiting unnecessary secrecy.

Finally, we warmly welcome the monitor's recommendation 24 to amend the legislation to allow future own-motion reviews by the INSLM. The deep expertise and experience of the institution of the monitor in the area of national security legislation ought to be harnessed, we believe, where required to ensure that the three competing objectives remain adequately balanced in the future. In the same vein, we welcome recommendation 30 to allow disclosure of information to the public when this is in the national or public interest. We're happy to comment on other recommendations if the committee desires. We hope that after due consideration the committee will be able to endorse the recommendations and will urge all political parties to implement them through the parliamentary process.

Finally, I need to note that while NBN Co is a member of Communications Alliance, it has not been involved in the preparation of this submission.

CHAIR: Thank you, Mr Stanton, for the submission and also for appearing along with Ms Gillespie-Jones today. If I could go to the INSLM's report itself—I'm not sure if you have a summary of his recommendations—I refer to paragraph 1.3 and I'll paraphrase very quickly. He talks about the threat landscape, about hostile foreign states, about the ongoing threat of terrorism and also about the ever-present threat of criminals engaging in online activities to perpetrate general but serious crimes such as child sexual exploitation and sophisticated frauds. He concludes that part of his report by saying that he accepts the evidence and is satisfied from the evidence that he's received from intelligence, police and integrity agencies that there must be a legislative response to criminals, hostile states and terrorists going dark. I assume you accept that as well?

Mr Stanton : Yes, we do.

CHAIR: Now we might disagree on the nature of the response and the scope of the response. I think that's what we're talking about here. This brings me to your submission. On the first page—in fact, it's under the introduction here—I refer to the paragraph at the bottom of the page, which says:

The geopolitical impact of the Act must be further interrogated, and particular attention should also be focused on the legal and economic implications of the application of the law on Australian Industry.

No-one 18 months ago anticipated COVID and where we'd be right now as a country, not only economically but also strategically. All of us want us to recover after this pandemic in the best possible position and be a competitive country. So I'm very interested in understanding the impacts of this legislation, as you and other stakeholders have raised, on Australian industry. Just to commence the discussion, could you tell us a bit more, please.

Mr Stanton : Our membership is primarily telecommunications in nature rather than pure tech companies like Atlassian or those involved in information technology. We've listened to the submissions and the testimony that they've made to the committee over the course of the past 12 months or more, including the comments by Atlassian today.

We've been involved with the ITPA, which is the IT Professionals Association, who have also given anecdotal evidence that this is problematic for the confidence of customers overseas in purchasing from Australia because there can be no guarantee of potential compromise having been avoided. If systems were compromised, under the legislation, the supplier would not be able to disclose that. I don't have empirical data—I'm not sure that anyone does as yet—about the number of sales or opportunities forgone. As Atlassian said, many of those opportunities might disappear without you ever knowing that this was the reason. But we have no doubt that it is a risk to an export-oriented sector which we think has great potential for Australia's recovery and for our economic future.

CHAIR: Sure. A parallel public debate does not lead to this at all but is a useful reference point. Huawei's challenge now is they're seeking to shape 5G networks around the world and their customers in many countries, but they have a trust problem. We're not quite in that same league, though, are we?

Mr Stanton : There is no Australian-owned IT entity that matches the scale of players like Huawei or Ericsson or Nokia. But Atlassian is one example, I guess, of a large and increasingly influential player in Australia.

CHAIR: Would you agree though that TOLA—if you were to compare the People's Republic of China's national security laws—has, on the face of it, far more oversight than the equivalents in China?

Mr Stanton : Our concern has been about the legislation in Australia as it affects this country rather than necessarily being too worried about international comparisons with other regimes. We are concerned too to try and make this legislation as good as it can be. That's been the focus of our efforts.

CHAIR: I appreciate that. I'm just making a general point. Who are some of our competitors of Australian exporters in the tech space? Who are we competing against? And who might have the edge in giving confidence to potential customers? Which countries have a more favourable national security legislative ecosystem than Australia concerning tech policy and the way it engages the tech industry? Can you give any examples?

Ms Gillespie-Jones : Without diving into details, it appears to us that the discussion in the UK has been somewhat more open and consultative in the past. The approach that they have taken, in spite of recent developments, was with the involvement of the relevant parties, including Huawei. As my colleague just said, we were not concerned so much as to whether others might conduct themselves worse or better than Australia. We were concerned with, given our legislative and democratic basis, what we consider to be the best possible approach to this difficult problem. We are of the opinion that this has not been necessarily the case in the past in the development of this legislation, which is why we now welcome the package of recommendations from the INSLM so that we can try to move forward with a balanced middle ground.

CHAIR: Sure. The reason why I referred to Huawei and asked about other jurisdictions is because one of the arguments that's being advanced, not by just your submission but by others, is that the actors fear political consequences for Australia, potentially making us less competitive. I was just trying to get a sense of who our competitors are and why they might have the edge over us. But I'm assuming we don't have any empirical data on that?

Mr Stanton : No, and it's an environment that is moving in various jurisdictions.

CHAIR: So it's a vibe—if I can use the colloquial?

Mr Stanton : They're your words, not mine.

CHAIR: We will go to one of your recommendations which goes to ghost users. You outline that TOLA amendments could allow for a ghost user to be added to an encrypted communication. Just for the public record, can you elaborate on that point and how that might, on your understanding of that, pose a risk to tech companies?

Mr Stanton : Clearly, if a user is inserted into a circle of communication and nobody knows who that user is or what their intentions are, you have an immediate and very significant breach in the security of those communications. You don't know where your data or other messages are going or what they may be used for, and you're also operating under the false assumption that what you do on that communications channel is secure; it's not.

CHAIR: We're short on time, so I'll finish that question there. Are there any parts of the INSLM report that you don't agree with?

Mr Stanton : There are some elements that we might have preferred to see done slightly differently. For example, we were very attracted to the UK model, the IPCO model, which the INSLM also looked at. While we would prefer a fully independent body along the lines of IPCO to be established, we recognise—as perhaps the INSLM also did—that recommending the creation of this capability within an existing institution like the AAT is probably a slightly faster and perhaps more politically deliverable recommendation to put back to government.

Ms Gillespie-Jones : A second observation, if I may: we also agree with the recommendation to remove the definition of 'systemic vulnerability'. We also agree with the recommendation to amend the prohibited effects. We are probably in the same boat that was outlined by BSA. We probably would have preferred the amendments put forward previously, which basically removed most of those definitions, but we consider this a workable solution and we are happy to accept it.

Mr Stanton : All in all, while there are some things that we think are less than ideal, we think the package is a very sensible set of recommendations which involves some compromise by all sides of the debate. Hopefully, it gets us to a sensible middle ground. It's on that basis that we're able to support it.

CHAIR: Okay. I don't have any further questions. Thank you.

Senator KENEALLY: Thank you, Mr Stanton and Ms Gillespie-Jones. Can I pick up on the questions that Mr Hastie was asking you; he was asking a range of questions about reputational issues. Am I correct in remembering that you previously noted in your submissions to various TOLA inquiries about the reputational issues—in fact, in the INSLM inquiry in February, did you make note of some research that you did to try to put some context around that risk? Did you conduct a survey?

Mr Stanton : There was a survey undertaken by InnovationAus, which we supported; I don't have it here among the many papers in front of me today. A high majority of companies—I think there were 57, from memory—were surveyed, and they said that they had experienced negative sentiment and that they believed they had already begun losing opportunities. I'd be happy to forward a copy of that research out of our files, if that would be helpful.

Senator KENEALLY: I think it would, because we've had several questions today that, understandably, have sought to quantify the reputational risk and what companies have experienced. To the extent to which there is a survey that has been done and there is some data around what companies are reporting in terms of lost sales at home or abroad as direct consequences of the acts, or whether or not people are less likely to be informed about operations in Australia, I think that would be useful to our inquiry.

Mr Stanton : We certainly will do that.

Senator KENEALLY: Thank you. Can I pick up a few questions on the INSLM review. Are there any points that you don't believe were effectively addressed in that review? I accept your comments about the recommendations that have been made. Are there any recommendations that were not addressed by the INSLM that you would have liked to have been made?

Mr Stanton : We think it was a fairly comprehensive effort, to be honest. We made very detailed recommendations around many of the clauses. I think it's a credit to the INSLM and the team that they addressed in one form or another all the major points that we put to them.

Senator KENEALLY: In your submission to the INSLM inquiry, you said you'd worked closely with agencies and other stakeholders over the last decade on new national security laws to try to make them more balanced, practical and capable of being implemented. You noted some success in relation to data retention and telecommunications sector security reforms, but you said you could not claim any similar success in relation to TOLA to date. Why is that?

Mr Stanton : The process was fundamentally different. In the case of data retention, for example, the Attorney-General's Department put out position papers as early as 2009 and consultation papers in 2010. We were involved in consultation with them right up to the period when the bill was introduced, in 2014. There was a PJCIS inquiry into it at that time as well. The government then set up an implementation working group, which included ASIO, the AFP, the Australian Crime Commission, the Attorney-General's Department, some major telco carrier reps and myself, to look at the dataset that was being proposed, to look at the explanatory material around it, to look at the road map to compliance and to look at the costs associated with implementing the legislation. That group produced a set of recommendations, which the government implemented. The legislation was passed in March 2015. All of that work bore fruit in terms of getting something that was reasonably workable. Even with all that good intention there were some unintended consequences from data retention, which are well known. But it was a much more collaborative process, and it brought into the legislation the benefit of expertise from outside of government and within industry.

Where TSSR was concerned, we had consultation papers from the AGD in the works as early as 2015. We were given the opportunity to work through two exposure drafts of the bill during 2015. There was a big roundtable meeting with agencies and industry departments in Parliament House, where we all worked through the detail of the issues that we could see. Again, there was a PJCIS inquiry, and the government accepted all of the recommendations of the committee before the bill was passed in the Senate. Again, it was a much more collaborative process, and at the end of the day it produced a TSSR act that is actually working pretty well, from the perspective of industry, in what is a very complex area. None of that sort of engagement took place with us in relation to this legislation.

Senator KENEALLY: To be clear: have you been consulted by the government on potential amendments or drafts to TOLA?

Mr Stanton : No, we have not.

Senator KENEALLY: Just to compare: what about the IPO bill currently under review?

Ms Gillespie-Jones : It's a bill that, at the moment, creates less concern for a lot of our members. We have made a submission to the PJCIS, but we have not been directly and expressly consulted as an industry organisation prior to the bill being drafted or introduced. But I would say that the two other processes that John mentioned, data retention and TSSR, are probably better examples of how we envisage that future legislative processes could go.

Senator KENEALLY: Turning to your current experience of TOLA: are you aware of any company that has had direct interaction with the TAR, TAN or TCN provisions of the act since its introduction, and, if so, can you provide any information on how that process has gone?

Mr Stanton : No, because if they had they would be unable to tell us. That would be illegal.

Senator KENEALLY: I'd just note that the INSLM has noted that two agencies have used that power, as the ASIO director-general confirmed that ASIO had used TOLA power in his annual threat assessment in February this year. We'll leave that as the publicly available information.

I want to move to the practicalities of dealing with the various requests from many agencies, especially given the potential expansion of the legislation out to various state and territory bodies. From your perspective, does the single point of contact for state and territory bodies make it easier or more difficult to coordinate requests? I'm thinking specifically in relation to policing bodies potentially going through the AFP or not.

Mr Stanton : I have heard some industry players express a view in the past that they would prefer state players to come through the AFP because it channels the communication, but I'm not sure I can claim that's a universally held view. It's certainly the case—we saw in data retention, for example, a huge number of different agencies coming to service providers with metadata requests—that channelling things into a reduced number of channels, if not a single point of contact, would typically be helpful for the industry. That's also because those more specialised channels, if you like, are likely to have a regularised process, greater familiarity and even, potentially, prior experience with the telcos that they're making requests of. All of that might make it operationally easier than otherwise.

Ms Gillespie-Jones : Typically, one of the concerns is that smaller providers and organisations especially, who have less legal manpower, do not want to be put in a position where they have to actually prove the legality of the request and whether the requesting agency actually has the requisite powers to do so.

Senator KENEALLY: It does seem that there is some difference of opinion among industries, broadly speaking, as to whether or not having the AFP provide a single point of contact is a good thing. What I'm trying to get to is: what's driving that, and, if it is a concern about legality or suitability of the request, would an independent authorisation process, as the INSLM has recommended, help resolve that?

Mr Stanton : It would help resolve that and so many other potential issues, in our view. It would tend to place some sort of constraint on agencies as to the proportionality and reasonableness of their request, knowing that there would be an independent set of eyes backed with technical expertise looking at whether the request was practicable, whether it was proportionate and whether it was reasonable. It might reduce the volume of requests that were outside those parameters as well as ensuring a more regularised process around the production of assistance requests and notices.

Senator KENEALLY: Thank you. That's very helpful.

Mr DREYFUS: Thanks, Mr Stanton and Ms Gillespie-Jones, for appearing again before the committee. Since you wrote the written submission that we have, the INSLM's report has of course landed and you've given us, helpfully, some comments about his report in your introductory comments and in your answers so far. I want to go directly to the INSLM's recommendations 8, 9 and 10, which address problems with the current definitions of systemic weakness and systemic vulnerability. In your written submission, and perhaps also in your oral responses today, you endorse the Labor amendments in respect of those terms—the ones that we had in the parliament at the end of 2018. The INSLM has adopted a similar but not identical approach to that contained in the Labor amendments, which, I had understood, you endorse. Does the INSLM's approach address your concern?

Mr Stanton : Most of them, I think. If we had to play favourites, I think we would prefer the amendments that were put forward by Labor way back when. We think that what the INSLM has put forward is a solution we can live with and accept as part of the overall package. But the endorsement we provided to those original amendments still stands because we thought that was the best solution.

Mr DREYFUS: These are marginal differences—that's a comment by me—but what's preferable about the amendments that were put to the parliament in December 2018?

Ms Gillespie-Jones : We found it preferable to remove the definitions of systemic weakness and systemic vulnerability altogether because we continue to find that they're not necessarily adding clarity to what is prohibited. We trust that the approach, which the INSLM has taken too, while it still leaves the definition of systemic weakness in place—clearly defining the prohibited effects of an agency request is preferable to a definition only or to a definition plus the prohibited effects construct. We are comfortable with the INSLM's recommendation 9 also on the grounds and provided that there is an independent oversight authorisation scheme, because that will assist with determining whether something is actually having a prohibited effect or not.

Mr DREYFUS: Yep, and it's the second matter of his recommendations that I wanted to ask about. In recommendations 3, 4, 5 and 6 of his report, Dr Renwick has set out a pretty detailed independent authorisation process—down to what new institution or new division of an existing institution, namely the AAT, might be created. Your written submission very distinctly agrees with Dr Renwick in principle that there needs to be an independent authorisation process. But your view is that a judge is required. What's your current position, having now read what the INSLM had to say in his very detailed report, about this question of independent authorisation?

Mr Stanton : We are dealing with, I guess, the art of the possible. The statements in our original submission still stand. But, again, we've looked at the pragmatic approach that we think the INSLM has taken on this issue and if it's not possible to have a fully independent, fully judicial authority imbued organisation, like IPCO, then certainly installing a retired senior judge with access to technical expertise within an institution like the AAT is not a bad compromise, in our view. In any event, it's certainly a big step forward to what exists in the legislation today in this regard, which is very little. So, we're willing to support it on that basis. If the government, or political parties, decided to go with something that was more closely aligned to the IPCO model, we would be very happy with that. But what the INSLM has proposed is a solution that we think is not unreasonable.

Mr DREYFUS: By IPCO, just to be clear, you're referring to the relatively new United Kingdom legislation?

Mr Stanton : Yes.

Mr DREYFUS: What can you tell us generally about how this legislation has affected the technology industry in Australia? Is there evidence that Australian companies have lost business? Have there been compliance costs? It's a pretty general question.

Mr Stanton : There were some questions earlier from Senator Keneally and others in relation to this. We have explained, I think, that we don't have empirical data, other than the survey that was undertaken by InnovationAus, which showed a great level of concern among the industry and a belief by the majority of players that they were already starting to miss out on opportunities. Are there compliance costs? Absolutely. They're perhaps not of the scale that we saw in data retention, where there were major IT builds that had to take place. But a great deal of money is being spent on business processes to ensure that companies are able to comply with the increased level of activity that they're anticipating.

Mr DREYFUS: To be clear, this is compliance costs to be in a position to respond to notices, as well as actually responding?

Mr Stanton : That's right. It's hard for entities to anticipate what the volume will be of the three different types of requests or notices that can come, but they need to be in a position to respond in a way that's compliant with the legislation. So, a lot of preparation and business process planning and training goes on within organisations, to enable compliance.

Mr DREYFUS: The chair asked you some questions related to this next question. Australia is going through an economic crisis at the moment, as are many other countries. Hundreds of thousands of Australian workers have lost their jobs. Are you able to outline the significance for our economy of the technology and communications sectors in Australia today?

Mr Stanton : Yes. If I could start with the telecommunications sector, there was some recent research undertaken by Deloitte Access Economics, and the figures that they came up with were that the total value-add to Australia's GDP from the telecommunications sector was about $51.5 billion, in 2017-18. That was $21.7 billion directly supported by the telco industry and about another $30 billion supported through indirect activity. We're talking there about 87,000, or more, directly employed staff within the telco sector and that industry, because it has a high enabler and multiplier effect, supported more than 267,000 full-time-equivalent employees in the economy in that year. The centrality of communications and IT technology to people's lives I think has been pretty graphically demonstrated to all of us during the course of the last four months as we've increasingly turned to telecommunications and IT technology to enable us to undertake our learning and our business and our daily lives. The pandemic has greatly accelerated the uptake of new services and the development of new technologies and refinements to things like videoconferencing platforms. I think that only serves to increase the potential opportunity for the Australian sector, because all around the world those habits that have been ingrained over the last four months are going to endure not just for the duration of the pandemic but beyond it. It actually, perversely, creates an even bigger opportunity than would otherwise have been the case.

Mr DREYFUS: How many people would the businesses that you represent employ in Australia—approximately?

Mr Stanton : Approximately 70,000.

Mr DREYFUS: Atlassian, who were on first this morning, gave us a figure for the technology sector as a whole. They suggested that the technology sector employs some half a million Australian workers—anyway, you represent a large slice of that number. What kind of jobs are we talking about? Are many, or perhaps most, of these jobs relatively well-paid, secure forms of employment?

Mr Stanton : They are. They are typically professional roles across a whole range of disciplines—network and service maintenance, product development, marketing, sales, customer support, hard engineering and IT. So, it's a pretty diverse range of roles, but the majority of them are professional roles that pay above the average wage in Australia.

Mr DREYFUS: Do you think Australia's technology and communication sectors have a lot of room to grow? The context for that is that, if we're talking about an economic recovery and creating well-paid and secure jobs for Australians as we move out of this crisis, do you see the sector playing a role in that?

Mr Stanton : I very strongly believe so. There is enormous investment that is either already being, or soon will be, channelled into a range of areas. The renaissance of the international satellite industry, for example, is seeing huge amounts of investment into low-earth-orbit constellations that can provide low latency global broadband and voice. We are seeing the beginnings now of the next big global disruptor, which is the Internet of Things networks, which have revolutionary potential not just for communication between people but in enabling industries to operate much more efficiently and to almost be able to predict their own future. So, productivity gains that can flow from the IoT are huge.

The other one that is even more exciting than it is scary is artificial intelligence, which is already reasonably pervasive in the way that many companies operate their businesses. But the potential of that is going to explode, I think, over the next decade. Any of these areas where Australia is in a position to be even a world leader in a niche of that sector has the potential to create an enormous economic contribution, and, with that, many, many jobs.

Ms Gillespie-Jones : If I may, I think Atlassian also cited some of these figures before. There's a report—I think it's from AlphaBeta—which said that around $122 billion is the current economic contribution by the tech sector to Australia's GDP. If we were to catch up with the global leaders in tech then that contribution could rise to $207 billion, which is almost but not quite double—an additional 40 per cent.

Mr DREYFUS: To what extent does legislation like the one we're looking at here, especially in the absence of an adequate consultation process, undermine the capacity of Australian technology and communication businesses to grow and to flourish?

Mr Stanton : It certainly is an inhibitor. The argument, of course, is how to be empirical about that, and that's extremely difficult. But the fact that so many players in the Australian sector are concerned and reflecting on the questions they're getting from overseas customers and potential customers indicates that it is more than a passing worry; it is a factor that does have the potential to undermine that growth.

Mr DREYFUS: There's obviously a perception problem with this legislation, as well as many obvious and very real drafting problems. To what extent can the perception problem—I'll give an example: Australian authorities want to introduce backdoors and that sort of thing—be addressed by fixing the drafting problems? What else can and should the government do to ensure that these measures don't harm business?

Mr Stanton : I think adopting a set of recommendations from a demonstrably independent legal expert—a set of recommendations that are built around transparency and oversight cannot do other than help the level of confidence on the basis that, if people know that there are checks and balances around the activities of agencies, that's inherently a better way to strike the right compromises between enabling enforcement agencies to operate effectively, avoiding the risks of creating new cyberthreats, avoiding the potential damage to industry and, along the way, thankfully, helping to safeguard the rights of individuals.

Mr DREYFUS: The last matter arises from a question that was directed to you by Senator Keneally. We assume you discussed an issue that was in fact previously looked at by this committee: that state and territory agencies should have to get approval from the Australian Federal Police to issue industry assistance notices. That's the recommendation the committee made and that the government in part implemented in the legislation that's now there and that we're looking at. The key reason the committee made that relatively unusual recommendation was the rushed inquiry process. In the time available, the committee had received almost no evidence and the government had conducted no consultation at all with state and territory agencies about whether there would be adequate oversight of these tools at the state and territory level. Sorry for the lengthy introduction here, but we hoped that, by requiring the notices to be channelled through the AFP, the Commonwealth Ombudsman could at least give some level of oversight because the Ombudsman has oversight power of the AFP. We hoped that, by funnelling through the AFP, we might get some level of consistency in how the notices are being framed. In other words, it was an imperfect, possibly temporary solution to a very real problem created by the government's lack of consultation and the rushed nature of our first inquiry.

I've got an open question to you: how do you think the committee should address these issues, first of all ensuring some level of consistency in terms of how these notices are being used by the range of agencies that are going to use them? Second, how do you deal with the need for a consistent and appropriate framework of oversight given that there are a number of jurisdictions involved?

Mr Stanton : I'm tempted to hark back to the implementation working group that was used to refine the data retention legislation. Just as in this case, there were questions that everyone was grappling with around the data set and other elements of that legislation. Equally, there are questions about accepting the INSLM's recommendations around setting up the IPC. A working group of that type could dig into the options and come up with some recommendations based on operational experience or detailed projections. Similarly, there'd be an opportunity to look at whether the committee's recommendation around channelling through the AFP is the best way to go or whether it would be better to have every one of those potential requests or orders go through the IPC, which is a longwinded way of saying that I don't really know the answer, but we would be very happy to work with other stakeholders to try and come up with some recommendations on that.

Mr DREYFUS: Thanks very much, Mr Stanton, and thank you, Ms Gillespie-Jones.

Senator STOKER: Thanks very much for the evidence that you've given today. I've just got one question on a matter which I think was alluded to in the chair's questions earlier, but I just want to clarify the issue in my own mind. You've outlined in your submission that the TOLA amendments could allow a ghost user to be added to an encrypted communication. Can you elaborate upon this and make sure the committee fully understands what you mean by that?

Mr Stanton : Yes. If there was a secure circle of communications either between two individuals or a group, as is often used for collaborative business purposes or other communications purposes today, and there was a requirement to create a weakness within that platform which then allowed a security agency to put in a ghost user—that is, a user who could see their communications being passed but who was not visible to the other users—then that clearly is a risk, particularly if, once that vulnerability is created in the platform, you have the potential for bad actors to take advantage of the same loophole and put themselves into the communication circle. So it's a fundamental weakness that, potentially, could be used not just by agencies for ostensibly good purposes but by bad actors for bad ambitions.

Senator STOKER: We need to consider all potentialities, but, in your assessment, how realistic or how remote is that risk?

Mr Stanton : It's such an attractive capability to have that I would not be in any doubt that bad actors would seek to employ it. It's similar to some of the bugs that are inserted into computer systems by bad actors where they lay dormant for a while, and, when they're activated, they are invisible to the owners of that system and they're able to gather data and make use of it. So it's a variation on that theme. I can't give you probabilities around how often it has or would happen, but it's the sort of capability that would be enormously attractive to somebody with bad intentions.

Senator STOKER: Thanks very much. I appreciate that.

CHAIR: Mr Stanton and Ms Gillespie-Jones, we don't have any further questions for you. Thank you again for your submission and for your attendance here today. If there is anything else, could you please get it to the secretariat by 4 pm on Monday 10 August. As always, we'll send you a copy of the transcript of your evidence and you'll have an opportunity to request corrections to any errors. Thank you very much.

Proceedings suspended from 14:03 to 14:09