By Thomas Karpiniec, Chair of EFA's Policy & Research Standing Committee.
Last week, Attorney-General George Brandis introduced an omnibus bill to the Senate that seeks to update the legislation governing the operations of Australia’s intelligence services.
Three weeks ago, we reviewed the proposals that were expected to be included in this tranche of legislation. The more controversial of these include provisions for “disrupting” target computers in the course of executing a computer access warrant and allowing access via a third-party computer.
Now that the legislation has been tabled we can see exactly how the government intends to apply the PJCIS recommendations.
Firstly, the good news
EFA is pleased that the government has reversed its decision to abolish the Independent National Security Legislation Monitor, a role which provides an important holistic overview of the web of interconnecting legislation in this area. EFA is also pleased that the Attorney-General has referred this legislation to the Parliamentary Joint Committee on Intelligence & Security (JCIS) for review before it is considered by the parliament in full.
These are both small but significant wins in terms of ensuring proper oversight of these significant proposed changes.
Disruption of target computers
The standards that ASIO has to meet when they are executing a computer access warrant have been lowered. Under existing legislation there is effectively a blanket ban on activities that would impact on lawful users. This has been changed in two ways:
• If some action “is necessary to do one or more of the things specified in the warrant”, provided there is no “material loss or damage” then the impact on lawful users is now completely disregarded.
• Interfering with, interrupting or obstructing a “communication in transit” is now explicitly permitted.
It is concerning that the rights of lawful users are discarded so easily. Under this proposed amendment, if a website was being used to conduct illegal activities then an attempt to disrupt its server could potentially affect thousands of legitimate organisations and ordinary people. This sort of action should only be used as a last resort and when the seriousness of the threat warrants that level of surveillance.
We’ve already seen the effects of such action, when ASIC last year inadvertently blocked tens of thousands of legitimate websites when they meant to target only one or two. While the technical incompetence shown by ASIC in this case (they failed to understand that a very large proportion of websites exist on shared servers – with the same IP address), is unlikely to be paralleled within the intelligence services, this is a telling example of the sorts of collateral damage that can occur. It should be noted that ASIC’s actions were taken under section 313 of the Telecommunications Act, which is in dire need of review. We are therefore very pleased that Communications Minister Malcolm Turnbull has recently announced an inquiry into this use of that section of the Act.
The Inspector General of Intelligence and Security (IGIS), the body responsible for overseeing the activities of intelligence agencies, also expressed support for ensuring the impact on unrelated persons resulting from any use of this power is minimised.
Access to third-party computers
A computer targeted in a computer access warrant may now include “a computer associated with, used by or likely to be used by, a person (whose identity may or may not be known).”
This gives ASIO the right, with a suitable warrant, to break into computers belonging to innocent people in order to obtain covert access to a target.
This opens a potentially enormous can of worms. As an example, ASIO could use this power to access the servers of an email provider, in order to access the emails of an individual of interest. This email provider might be a legitimate Australian business that does its best to provide a secure and private service for its customers. Not only does this provision give ASIO the right to violate that trust – it is now even in their interest to stockpile possible attacks against Australian businesses rather than help them to secure themselves.
There are many other scenarios to ponder. If the business notices ASIO’s intrusion and announces to all their customers that they have been attacked, could that count as disclosing information about a special intelligence operation? Would there be any penalty for detecting and stopping ASIO? What about publishing details of their method of attack? If ASIO accidentally damages a computer or a business’ reputation, is there any accountability requiring ASIO to own up to that and provide compensation?
This new power could therefore have a great deal of negative unintended consequences.
Surveillance of Australians by ASIS
Until now ASIO is the only intelligence agency that can (legally) spy on Australians. This bill seeks to empower the Australian Secret Intelligence Service (ASIS) to collect intelligence not only about foreign individuals and organisations, but to also assist ASIO in investigations targeting Australians. This will be permitted provided that ASIS’s activities occur outside Australia.
Although there is much talk of Australians fighting in Syria and Iraq, it is interesting to note that nothing in this section of the bill requires the Australian target to be overseas. With much of Australians’ data and communications going overseas this raises important questions about what else ASIS might be asked to do that ASIO can’t.
This is precisely the sort of power that enabled the United States’ National Security Agency (NSA) to conduct comprehensive surveillance on American citizens and residents, in contravention of their supposed role as a foreign-focused organisation.
Imprisonment for disclosure of classified information
A new type of “special intelligence operations” is to be created, which will carry with them indemnity for participants from civil and criminal liability, subject to certain limitations. There are to be strict penalties for disclosure of such ‘special operations’ - 5 years imprisonment, or 10 years if disclosure endangers somebody’s health and safety.
The wording of these new offences is clearly intended to cover both whistle-blowers and journalists who might publish leaked information.
EFA supports whistle-blowers who responsibly reveal illegal and immoral activities. If abuses like those disclosed by Edward Snowden were revealed in Australia under the terms of this proposed legislation, then the actions of journalist Glenn Greenwald and the Guardian, New York Times and Washington Post could all be illegal; this, despite the enormous public interest value in revealing the far-reaching and indiscriminate NSA surveillance, and despite the reforms that have occurred in response to the public outcry.
Former Iraq war whistle-blower and now MP for Denison, Andrew Wilkie said in a statement: “The increase in penalties for the disclosure of intelligence material must also be accompanied by an amendment to the Public Interest Disclosure Act 2013 to ensure protection for intelligence whistle-blowers.”
Mandatory data retention – not just yet
A proposal for mandatory data retention by ISPs is not included in this bill. It is widely expected that the government will attempt to legislate for this at a later date.
At a press conference on Wednesday the head of ASIO David Irvine described data retention as “absolutely crucial”. The effectiveness of data retention in improving national security is highly disputed and the implications for the privacy and rights of Australians are significant. See our previous coverage of this issue.