On 29th July 2014, EFA Executive Officer Jon Lawrence and Alex Vulkanovski from EFA's Policy & Research Standing Committee testified before the Senate Legal and Constitutional Affairs References Committee in relation to the Committee's Inquiry into the Comprehensive revision of the Telecommunications (Interception and Access) Act 1979.
Read EFA's submission to the Inquiry [PDF, 571KB]
Here is an extract from the official Hansard transcript (original here).
CHAIR (Senator LUDLAM): Welcome. Thank you very much for talking to us today. The committee has received your submission as submission No. 22. Do wish to make any amendments or alterations to that submission?
Mr Lawrence: We have prepared a statement as an overview of our position. We realise that we are coming towards the end of the process and you have probably heard most, if not all, of what we have to say already. We will try to keep it fairly high level and not labour your time in covering the same ground too extensively.
CHAIR: I think you are reasonably aware of the material that we have traversed so far. If you would like to make an opening statement, you can keep it as brief as you like and then will go to questions.
Mr Lawrence: As a bit of background, EFA are celebrating our 20th anniversary this year. We have been fighting for civil liberties within the digital space all that time. We are a national membership-based non-profit organisation. Essentially, our objectives are to promote the civil liberties of users in the digital context. We certainly do understand the challenges that intelligence and law enforcement face in a context of very rapid technological change and increasingly ubiquitous digital communications, and we obviously support appropriate and reasonable reform of relevant legislation, including the Telecommunications (Interception and Access) Act, to ensure that those agencies can have the tools they need to investigate, detect and prosecute serious criminal activity and other threats to the peace and security that Australians have long enjoyed, but we are very concerned, and have been for some time, that the T(IA) Act in its current form—as I am sure you are well aware—does not adequately balance the needs of security with protecting the rights and interests of citizens.
We are particularly concerned around the right to privacy and also the subversion of the presumption of innocence which mass surveillance brings with it. So we are keen to ensure that these rights, particularly, are given meaningful protection in any reform to the act. We are very concerned about the growth in the scale of access to data under the act. We believe that is far in excess of what any reasonable person could assert is necessary to tackle serious crime and terrorist activities and other threats to security. We are also strongly opposed to the introduction of any mandatory data retention regime, for a whole range of reasons, much of which Mr Waters covered in his testimony, so I will not cover that as well.
We also share concerns around the use of section 313 of the Telecommunications Act, as discussed. In particular, I would like to raise one other issue there, which is recent reports in the Fairfax media about police gaining access to mobile phone tower data in bulk. It is not clear to us whether this access is being achieved under the terms of the T(IA) Act or under section 313 of the Telecommunications Act or potentially under some other power, but we think that is something that requires some investigation, because it is clearly, by definition, bulk access to data of anyone with a mobile phone within the range of that mobile phone tower.
From a principle perspective, Mr Waters also mentioned the international principles on the application of human rights to communications surveillance. EFA was an original signatory of that document, which, as has been mentioned, was developed by a very wide range of actors from around the world and has now been signed by over 400 organisations, across not-for-profits, civil society generally and the commercial sector, from around the world. I will not labour the point there, but we would refer the committee to those principles, which are available at Necessaryandproportionate.org. We encourage you to go through them.
In terms of looking at the current context of where we are compared to when this act was written in 1979, obviously there have been a few changes in the way people communicate. I think it is important to stress that digital communications now, particularly for those in the younger generations, are an all-encompassing aspect of their personal and non-personal lives, in ways that obviously could not have been anticipated when this act was written. The idea that, for a lot of young people, the internet is real life is something that people need to absorb. With that comes the point that, while in many ways the only way to be truly private these days is not to use the internet, there are actually quite serious social costs involved in that in today's society, which I think need to be appreciated.
In line with that, we reject pretty strongly the assertion that taking the powers of this act from 1979, a context where mobile phones did not exist and the internet was still a pipedream, and extending those powers into a context of ubiquitous mobile devices and internet usage is not in any way a logical extension of the law to, as it were, keep up with technology on a like-for-like basis. We strongly believe that in fact this represents a very dramatic escalation of surveillance deep into all aspects of people's lives and goes far beyond anything originally envisaged when this act was drafted.
Mr Waters touched on some of the issues around the definition of metadata. It is clearly a pretty critical starting point that we get a clear definition of metadata. In the telephonic context it is fairly straightforward, but if we go beyond that into non-telephonic communications we have some very serious concerns that it is even technically feasible to effectively separate metadata from content, particularly in the case of email communications. We also strongly disagree with the assertion that metadata is less invasive than providing access to content. As the Attorney-General's Department itself admitted in its submission:
… telecommunications data can contain particularly sensitive personal information justifying special legal protection.
We completely and wholeheartedly agree with that. Clearly, it can be used to build a picture of a target, their network of associates, where they shop, where they eat, where they sleep. As Professor Edward Felten said in his submission to a US case involving the ACLU and James Clapper, who I believe is a former head of the NSA:
… metadata is often a proxy for content.
In many ways it should be, particularly in any substantive form, taken as much the same. David Seidler, you may be aware, recently did some work for ACCAN looking at data retention. His point was:
Although on its face, metadata might appear anonymised and trivial, the development of big data analysis techniques (for which metadata is “perfect fodder”) means that the insights it provides after manipulation might well meet this definition—
of being content, that is.
We echo Mr Waters calls for tighter access restrictions to this data. I think it is very clear that, given the potentially highly invasive nature of this content, of this information, there should be much tighter restrictions and, ideally, a clearly defined list of agencies that are able to request access to data. As mentioned, there may be cases where agencies outside that list can apply via an approved agency, as it were, to do that, but we think that there do need to be some very tight restrictions around that. We also agree that there should be very tight, very stringent and very clearly defined thresholds for access to data. We support the implementation of a warrant process for access to metadata in any substantive form, as Mr Waters said, outside of simple customer information. We do not think there is a need for wider access to that, but for anything involving any substantive amount of metadata we would certainly support that.
In principle, we think the thresholds for access should be set taking into account the principle of proportionality and we should ensure that access is only available in relation to a reasonably serious offence—for example, a criminal offence attracting a certain maximum term of imprisonment or a civil offence attracting a predetermined minimum penalty, and where there is a reasonable suspicion of the people involved in such an offence. We also support calls for more detailed reporting of access to data, including all the points mentioned. We also see no reason why access to communications data by intelligence agencies should not be reported on, at least on a statistical basis. We cannot see any harm in doing that. We agree that there needs to be more effective external and independent oversight of this process. We would also suggest that there need to be very clear rules about what happens to data that has been accessed through this process, how long it is retained by the agencies and how it is disposed of and so forth.
Senator LEYONHJELM: This is similar to the question that I had for Mr Waters previously: are you approaching this from a civil liberties point of view or a privacy perspective? I heard you mention the presumption of innocence, so I am assuming that that is a factor. So are you, like Mr Waters, saying there is a private space and it should also exist in the electronic area, or are you saying this is a civil liberties issue of the relationship between the individual and the state?
Mr Lawrence: I would say both. As was mentioned, EFA works closely together with the APF on many issues. We share their views on most privacy factors—not all. We do believe—and I think it is important to touch on this—that it is important that there be a private space for people. As I mentioned earlier, I think that, if you are a young person these days, the social cost of opting out of things like Facebook and other social media is quite significant, and I do not think we can just dismiss that and say, 'If you really want privacy then don't use the internet.' I just do not think that is an effective response to the reality.
We are predominantly a civil liberties organisation. Privacy obviously is a large part of that for us, but we believe that this—and when I say 'this' I mean the entire scope of mass surveillance that we have become aware of, particularly over the last 12 to 13 months—really undermines the appropriate levels of government access to people's lives. As I say, if everyone is being surveilled then everyone is a potential suspect and is not really being treated as a citizen, which I guess is at the core of our concern.
Senator LEYONHJELM:I tend to agree with you on that. So at what point do we say it is acceptable if it means preventing a London bus bombing, a Bali bombing or those sorts of things? At what point do we say that we trade off a degree of either our privacy or our civil liberties in exchange for heading those sorts of things off? What is your view?
Mr Vulkanovski: Firstly, I would like to raise the point that civil liberties and national security do not necessarily have to be mutually exclusive. It is not a zero-sum game, so we should not treat it as such in terms of having to concede one to gain another. But, in terms of what kinds of restrictions or standards should be in place, basically at the moment the T(IA) Act allows for three things to justify it: a criminal offence, a civil penalty of any kind and any issue relating to revenue. Basically, the authorised bodies and persons are drafted as such. What Jon proposed, or what EFA proposed, was setting some kind of standard or test for that—even simply the employment of a 'reasonableness' test. That is a fairly wide, reasonably well understood term, but it is sufficient to allow some kind of threshold. Going back to your question, it is that threshold that can justify it.
You mentioned the London bombings. I would put up the example of littering, for instance—simple littering or a fine of arguably trivial value. These things are currently justifiable, and I use the word 'justifiable' as it is used in the T(IA) Act. So you are right to question what kind of threshold there should be. I do not think we can answer, right here and right now, what kind of threshold should be in place, but I think reasonableness is a good place to start.
Mr Lawrence: If I can just add to that, in some ways what I would do, without question, is turn it around and suggest that there actually is no real evidence—certainly not anything that we are aware of—that has shown that access to this sort of information does prevent activities like that. I was actually on a tube train in London at a quarter to nine on 7 July 2005, so I do not take this lightly, but there is no question that the British intelligence agencies did not have access to this sort of information prior to that act occurring.
Probably a more pertinent and recent example is the Boston Marathon bombings, where not only did the USA, through its various agencies, have essentially what appears to be unfettered access to telecommunications but also they knew these guys were dodgy, because the Russians had told them. They had even interviewed them. Having all this information did not stop the blowing up of the marathon. So there are genuine questions here, and there has been a fair bit of research done in various jurisdictions looking at just how effective this information is. Mr Waters touched on this as well. Having more information does not make things easier. In many ways, it potentially makes things harder. It also raises the likelihood of false flags and false positives—
Mr Vulkanovski: and Australian resources.
Mr Lawrence: and Australian resources and so forth. There is a real issue here. We have seen this come out of the revelations about the National Security Agency in the US. There has been to this point very much—we know their mantra was 'collect it all'—an approach of 'We can do this, therefore we should.' I think we need to have some pretty serious conversations—as this is a very important part of that conversation—about the limits to do that. There is a burden of proof on the intelligence agencies here, which they can very easily circumvent by saying, 'We cannot comment on intelligence agencies.'
Mr Vulkanovski: It's hard to make comment without any data.
Senator LEYONHJELM: One of the chief champions of data retention, in particular, is ASIO. What is your opinion of their enthusiasm for it?
Mr Lawrence: Being very absorbed in these issues for some time, it is certainly clear to me that this sort of mass-scale data mining and signals intelligence will never go anywhere near replacing good old-fashioned human intelligence. That is the point. If we learned anything from Edward Snowden it is that having all this information does not necessarily make anyone any safer. In many ways, it undermines—this is one of my real concerns. We cannot protect our civil liberties. In a sense, ASIO was set up to protect the civil liberties of Australians but we cannot protect those by dismantling it [ed: should read 'dismantling them']
CHAIR: Nicely put. Quoting briefly from your submission, and following along a similar line, you said:
Those acting against national security will not be affected by data retention. The ease with which data retention regimes can be evaded is grossly disproportionate to the cost and security concerns of the data retention regime.
Effectively, what you said is that it will be rolled over the general population, but those seeking to avoid it will have the expertise or tools to do so. Since you have a technical background, let us use that. How would people avoid these collection techniques? How easy is that to do?
Mr Vulkanovski: Anonymous browsers, like Tor, can be used to circumvent this data. I have some examples not with me at the moment—
Mr Lawrence: The use of encryption generally does raise the cost of surveillance quite dramatically. We are already seeing, in response to revelations about the NSA, people starting to become much more cognisant of the value of encryption. The reality is that if you have strong technical knowledge—and it is fairly clear that the more sophisticated terrorist networks and organised crime gangs do have some pretty serious technical knowledge—you can take various steps to bounce around the internet and hide your location and identity, which does not mean you could not necessarily be found in the final instance but it does make it very difficult and very time-consuming and very costly for the intelligence agencies. I think the takeaway from that is that these sorts of mass surveillance project are likely to not really address the issue of major crime, in a sense. You will catch a few people, but they are probably the people you were going to catch anyway, I would suggest.
Mr Vulkanovski: I think David Seidler, working for ACCAN, who we quoted earlier, summarised it quite well when he said the people that we are trying to catch will likely be the ones that will know how to evade them. I think that brings it home.
Senator IAN MACDONALD: But surely the security agencies would know what you have just said—that those that we are trying to catch would know how to evade them. So why do they still persist? What I am suggesting is that they obviously do think it is a useful tool.
Mr Vulkanovski: I imagine they would be aware that these devices of circumvention are out there. I would hope that they would be aware of that. But I think a data retention scheme or the loosening of access to any stored data would simply make their job easier. In doing so, we assert it is disproportionate to what we give up in terms of civil liberties. Making something too easy to access or allowing a wide variety of bodies to access it tends to shift the proportionality against our cause.
Mr Lawrence: I would add that I do not personally feel that the intelligence agencies or the Attorney-General's Department or the Federal Police have made a reasonable case as to why this information is required. The primary argument I have heard essentially is: 'Well, we've always had access to this information through the phone system. We're just extending that. It is a logical extension into these new communications technologies.' As I said in our opening statement, we strongly reject that. If you think about when this act was originally drafted, the information that you would get would be the fact that a phone call was made from No. A to No. B at a certain time and lasted a certain duration. That is four pieces of information. As soon as you widen that into a mobile phone context, all of a sudden you have got a location at each point, which is an entirely new thing, where literally people's locations can be tracked. Then, if you go beyond that into non-telephonic communications, all of a sudden the amount of information that has been collected starts to explode. You start to have potentially dozens, if not hundreds, of different points of data that can tell all sorts of things about what is going on. It is really quite a different scale, a different scope, a different context, and it needs to have very different rules.
Senator IAN MACDONALD: We might ask the ACC when we are down there later whether people can circumvent it.
Mr Lawrence: The argument that is often made—this may have been explained to earlier—is that because the business models and so on are changing, particularly within the ISP space, their requirement to store a lot of this data, which was usually just billing data, is starting to go away. This is understandable. There is a concern on the part of the agencies that it will get to the point where they will go and request data and it just will not be there, because the company had no reason to store it. That is the point at which I think you start running straight into some of the fundamental privacy principles, which is that information should not be stored unless there is a legitimate reason for it. Storing it just in case we might want to do some surveillance on you is, we would argue, beyond that line.
Mr Vulkanovski: Just in case there is a needle in the haystack.
Senator IAN MACDONALD: I do not want to suffer the fate of one of my colleagues, who used television drama shows as a substitute for actual facts, but I might say that the American television cops would never solve a crime without surveillance access to phones. Even some of the British cops would seem to be at a disadvantage if it were not there. Perhaps that is not real life though. Senator Marshall, I assume you are going to ask your question?
Senator MARSHALL: I was just going to ask, as a general question, whether you have issues with warrants that might have been issued for a purpose that then identify other issues of criminal activity—whether you then have a problem with that incidental information being used and passed to other agencies that it might affect, from a civil libertarian point of view.
Mr Lawrence: That is kind of a difficult question to answer in the abstract, I think. Warrants are there and are given specific restrictions for a purpose. In that sort of circumstance—and I am not a criminal lawyer by any means—if other evidence is uncovered and there is a reason for that to require police investigation then presumably there would be a process where they could then go and get a secondary warrant and so forth. But I do not pretend to be an expert on that.
Senator MARSHALL: You are right in terms of the development of the legislation pre internet and pre mobile phone—not necessarily all mobile phones, but the electronic world anyway. You make a point which is right: there is so much more information out there, and inevitably, if you are targeting someone and you are right about that and you get the information, you may get much more information. But my understanding at the moment is that it is then very problematic to pass that information on if it was not specifically on the purpose of the warrant.
The other point is that a lot of people have used examples. You say, 'Why should everyone be treated as a criminal?' and I agree with that, but what about the example that we all walked through the security screening into this building? Do we also take the attitude that we were all being treated as potential criminals because we did that and conceded to that?
Mr Lawrence: No, I think there is a really simple answer to that: it was my choice to walk into this building today. What we are talking about here—and another example that is often used is that we all use loyalty—
Senator MARSHALL: Can I just pick up on that. You said earlier that it is too easy and not acceptable in today's world to say, 'If you want privacy, don't use the internet.' Okay, maybe it is your choice to walk into this building. It might be your choice to go through an airport. There are lots of buildings in town where there is security required, and sometimes it may not be your choice. Is it the same argument?
Mr Lawrence: Partly. I think part of that is that we have spaces now in the digital context which, whether we like it or not, are becoming public spaces. To a large extent, Facebook is kind of a privately owned public space.
Senator MARSHALL: I am told it was so yesterday, but I do not know; I was not there yesterday either.
Mr Lawrence: Tumblr, Instagram or whatever—Snapchat. But I think there are some really serious questions there about how we treat these new public spaces, potentially. But, even having said that, if I am using a private email to communicate with somebody else, I think there is an expectation of privacy there, which is not the same as walking into a building and going through a metal detector.
Senator MARSHALL: Does a lot of it come back to what people understand? Again, in the example of someone using their private email address on their employer's computer, the employer still ultimately has access to that if they want to. Is that really the mistake of the user saying, 'I should have known that this wasn't private because I don't own that', or should they have had the expectation of privacy?
Mr Lawrence: I would agree with Senator Macdonald's point earlier. If you are at work, it is not private; it is work. It is important that people do have a distinction between—
Senator MARSHALL: Not in your lunch break?
Mr Lawrence: People do have some expectation of privacy, but I always counsel people, as the good senator has said: do not write anything in your work email that you would not be prepared to defend in court or see on the front page of the Herald Sun, but—
Senator MARSHALL: What about if you use the phone during your lunchbreak? Should the employer be able to listen to that?
Mr Lawrence: It probably depends whether the employer is paying the bill or not, to some extent, but I have always counselled people to maintain a very strict distinction between their personal and private emails, for a whole range of reasons, but particularly because it is important to have that distinction. I think that is part of the point. When you are at work, your expectations of privacy are slightly different from when you are in a private context. I think that is largely as it should be.
Senator MARSHALL: Should there need to be a warrant system for non-privately owned systems? I understand there should be a warrant to go and get your personal stuff, but, if it is not your personal stuff and you have been using it, should there be a warrant at all?
Mr Vulkanovski: I think ultimately each individual needs to take some responsibility when they are online. That is a given. That has to be done. We need to exercise prudence and we need to be aware of where our information can land, who is seeing it in its immediate capacity and who can probably see it in its immediate or future capacity. In saying that, laws such as the T(IA), or any laws in particular, provide that level of—you mentioned, 'Should this person be allowed to view this?' or 'If someone is standing next to me, they inherently can hear me, so would that be an invasion of privacy?' All these things can be mimicked online, except you probably do not know that someone is over your shoulder or that the boss is there. Why we are here today and why you are here today is basically to ascertain the standards that should be put in place. That is what we are trying to determine, to put some kind of standard on and create the bridge between my personal data—possibly rather personal data—and the legal capacity to obtain this data. We all know they have the capacity to retain this data. A lot of people do. But why we are here today is to determine what that legal threshold is. Basically this is something that should be sorted out and determined, hopefully, ideally, here today.
Senator MARSHALL: That is why—
Mr Vulkanovski: That is how the process works and that is how it should be.
Senator IAN MACDONALD: This is not really germane to our terms of reference, but you did mention earlier the difficulty with the social implications. There are lots of stories about young children suffering badly from bullying and other things and thinking that Facebook and Twitter are real life. Do you think that there should be some compulsory warnings flash up on the screen every time you turn on your computer, saying: 'Please be aware, whether you are young, old or indifferent, this is not private; this could be seen by anyone'?
Mr Lawrence: I think it is important. There is a lot of really excellent work being done at the moment, particularly in the school context, educating and empowering people about what the issues are so that they understand what they are doing. There is this emerging concept of digital citizenship, which has been promoted by a lot of the agencies that are focused on protecting children in that space. In my role, I see some of the adults who slip through that net, in a sense. There is a lot of really excellent work being done in the youth space and probably not quite enough attention being paid to educate people that did not grow up with the internet. We are all aware of that. I was somewhat overjoyed the other day to see my 86-year-old father reading the newspaper on his iPad for the first time. Does he understand the privacy implications of what he is doing? Not really, but I think there is a role for us all, and, to many extents, that is at the core of EFA's mission: to educate people as to exactly what they are doing. As Alex said earlier, I think there is a great deal of personal responsibility that people need to exercise.
There are great dangers out there on the internet, as there are on Macquarie Street. But it has been our experience over two decades that the internet is an overwhelmingly positive revolution in communications. There are bad things happening there, and we need to be educated about what they are and we need to understand them so that we can tackle them effectively, both on a personal level and on a society-wide level. One of the other things that has really become clear to me over about 15 years of working in this space is that while there is a great deal of hope and the internet is an enormously enabling technology and has fantastic opportunities for education, particularly in less developed countries—if we can fix the copyright regimes, that is—it is also potentially the most powerful surveillance device ever imagined. And we need to get that balance right. I guess that is at the core of our concerns.
Senator IAN MACDONALD: It amazes me that people give their credit details over electronic media so regularly. I am surprised that there are not more fraud cases than we hear about—well, I know there are more than we hear about.
Mr Lawrence: Perhaps I could put one quick question back to you on that: do you give your credit card information over the phone?
Senator IAN MACDONALD: I try not to, but I have on occasion, yes.
Mr Lawrence: I would assert that it is much more secure to give it through an encrypted connection to a computer than to a person.
Senator IAN MACDONALD: Probably, yes.
CHAIR: A cheerful thought. Thanks very much again to both of you. We will wrap there, but your time today has been very much appreciated. Perhaps I could get a motion to accept any tabled documents from today's proceedings, principally this stuff from iiNet. It is so moved. That concludes today's proceedings. The committee has agreed that answers to questions taken on notice at today's hearing, I think mainly from the first witness, will be returned by 12 August—two weeks from today. I thank all witnesses who have given evidence to the committee today.