COORDINATING PROCESSES AND INVESTIGATIVE CAPABILITY
6.1.1 Many departments and agencies have an interest in cryptography policy. Some of the range was outlined in Chapter 1. The issue of policy primacy now needs to be established so Ministers and departments are aware of whom they need to consult when policy issues overlapping the cryptographic area surface and so one Minister and department is viewing the issue of cryptography policy from a holistic point of view. There is fair indication that neither of these functions is currently being performed. Inside and outside the bureaucracy there is some bemusement that no department has or is even claiming ownership of this policy area. That diffidence, should it be that, can only confuse. Because of the pervasive impact of cryptography policy issues on every sphere of activity, not least the way commerce and government will engage in business, the matter should be taken to Cabinet promptly for a decision on policy ownership.
6.1.2 It has become self-evident that decisions taken in the areas of IT industry development, export schemes, broadband communication policy, intellectual property, criminal justice or law enforcement each bear on policy issues associated with encryption, so it is only sensible that one Minister and one Department coordinate those issues while several may have responsibility for particular areas. The mystification within government and in the private sector at the apparent lack of policy coordination is accentuated by the plethora of committees, working groups and other forms of review looking at policy issues which embrace or impact upon cryptography policy issues. Clearly the questions of policy primacy and coordination go together and, when settled, need to be advised widely.
6.1.3 Which department should have the policy responsibility is an issue for decision by Ministers. Some of the issues are mentioned at paragraphs 3.4.3-5.
6.1.4 The option of the Attorney-General's Department was suggested in light of its interaction with the IT industry, academics, its organising role in the joint Australian Government/OECD conference on Security Privacy and Intellectual Property Protection in the Global Information Infrastructure in February 1996 and its continuing function as chair of the Ad Hoc Group of Experts tasked with developing draft Guidelines on Cryptography and leader of the Australian delegation, as well as its protective security policy, law and legal policy interests. As an alternative, Cabinet may decide to give it to a sub-committee of Ministers, but the chair of that sub-committee would likely be decided on the same basis as a single responsible Minister - congruence with portfolio interests, best positioned to represent the whole of government interests and subject to counterbalancing pressures which would likely produce balance and perspective.
6.2.1 Technology continues to develop at an astonishing rate, rendering inadequate or anachronistic the scope of statutes whose original purpose may be yet clear but whose specification of the means by which ends are achieved has rendered them nugatory. The clearest example of this is the listening device provisions in the AFP Act which specify the purpose to be for carrying voice transmissions. This degree of specificity about means in the statute precludes their use to transmit video or other images, or electronic signals. There is a need to amend the provisions and, just as clearly, to ensure all these forms of intrusive investigation are couched solely in terms of purpose or objective, not the means by which those purposes may be realised. This is important to take account of the constant changes in technology and the political sensitivity which always surrounds the introduction to and amendment of such measures by the parliament.
6.2.2 The steadily growing level of dependence of business on computer and information technology has seen, not surprisingly, a proliferation of computer and communications crime. That trend is only likely to become more pronounced. The AFP needs to be able to deploy whatever it judges from a propriety and operational point of view to be the appropriate means. It is unable currently to use listening devices against these categories of crime because of their classification. It seems clear the criteria of Class 2 offences in section 12(B) of the AFP Act should be widened to enable it to do so.
6.2.3 That increasing reliance on computers for communication, file storage, word processing and publishing, among other uses, affects the subjects of investigation of the AFP, the NCA and ASIO as much as the rest of the community. Computers may be used to prepare for the commission of Commonwealth offences and assist in the commission of those offences. While investigative agencies may be unable to introduce human sources, listening devices or conduct searches because of the standard of protective security observed, the limited time available or the risk of destroying the integrity of the investigation, it may be open to them, if the authority existed, to defeat the access controls on the target's computer and enter the system.
6.2.4 Some anomaly is perceived in the different way obligations are levied on telecommunications carriers and service providers. The class licensing system of service providers has not worked as well as might have been hoped. Dealing with the specific interest of this Review, it has proved ineffective in dealing with those service providers whose activities frustrate law enforcement or the preservation of national security. A system of enrolment as provided in s.225 of the Telecommunications Act 1991 has been canvassed by LEAC. It was hoped the services to be specified as subject to this requirement would include the supply of switched services, reselling capacity on leased lines to the public, reselling airtime on mobile networks, supply of voice mail and electronic mail services where those services include the provision of infrastructure, supply of paging services and the operation of private networks with more than 5,000 lines or which provide links between more than five distinct places, and providers of Internet services. The two major drivers of concern for law enforcement and national security are access to customer information and the kinds of services which could potentially be legally intercepted. The Department of Communications and the Arts (DOCA) has opined that a general requirement for registration of service providers would destroy the integrity of the class licensing system and it fears further obligations placed on service providers, whether through a system of enrolment or Ministerial direction, could deter some from entering or remaining in the industry.
6.2.5 There is broad support for a form of registration/enrolment from AUSTEL, the service providers themselves and the law enforcement and national security agencies. The delicate policy question with which DOCA, in particular, has to grapple is that actions not be taken which may prove inconsistent with the deregulated environment after 1 July 1997. There is a strong public interest argument here - but so, too, is the public interest in the maintenance of law and order and the protection of national security. Some form of registration or enrolment seems justified.
6.2.6 There has been a need for clear legislative authority for tracking devices (beacons) for some years. Proposals for draft legislation have been considered but never advanced to the stage of a bill being listed.
6.2.7 The Crimes Act 1914 contains no explicit provision for a covert search to be undertaken by any constable. It simply speaks of entry being made 'at any time', with necessary assistance or force as required. It is understood the execution of a search warrant was intended to be a transparent process so the owner or occupier might check the details on the warrant, confirm they were a correct description of his/her property and then monitor the search and seizure to ensure compliance with the terms of the warrant. No doubt the powerful place which property occupies in the common law had something to do with this approach. It is possible, presumably, for the police to delay execution of a search warrant until no person is present. That may not offend the terms of a warrant in a literal sense but it does frustrate the extant intention of the statute. The issue is raised as occasions will occur when a search of premises may well enable an investigation to be focussed more sharply, the privacy of others to be protected from unnecessary intrusion, a prosecution to be achieved and resources to be saved and directed to other priority tasks.
6.2.8 The ASIO Act provides for the issue of search warrants which may be executed covertly. 63 Such a provision recognises the value of a search as an investigative tool, rather than simply a means of publicly announcing the fact, and likely the conclusion, of the investigation. It also obviates the dilemma which those who execute a Crimes Act search warrant in covert fashion may face. That situation should be avoided. The Parliament has recognised the need for such a covert capability in relation to ASIO; there are strong grounds to extend that capability to law enforcement.
6.2.9 Tracking devices cater for locating or following the platform on which they are mounted. To investigate the offences enumerated in 6.2.6, the capacity to trace communications and identify the location of their source is just as, if not more, critical. There is extant authority for carriers, service providers and AFP, NCA or ASIO to cooperate in this regard. A problem would arise were carriers to confine the test of reasonable cooperation to life-threatening situations. This would seriously restrict the use of what would otherwise be a tool of immediate application, enabling the direction or diversion of resources. With the deregulation of the telecommunications market from 1 July 1997, this situation may well become more fraught. There is an issue of costs and the AFP and ASIO should carry a reasonable proportion for out-of-hours access to the service, but the service needs to be available. The prospect of a growing incidence of encrypted communications will only increase the importance of this facility. LEAC, with its own reporting arrangements, would seem the most appropriate forum through which a new cooperative agreement might be negotiated.
6.2.11 Agency technical officers may be urged to effect such modification with the support, on the issues of personal and agency risk, of their management, senior officials of other departments and agencies and even Ministers. Such approval processes and support may not, however, address the liability implications of proceeding without the consent of manufacturer, supplier or owner. In the event of an equipment or software malfunction or failure to perform to full specification, an investigation of a complaint could lead to discovery of the modification. The issue of liability of the Commonwealth may then potentially arise. While agencies would not, presumably, employ techniques readily discoverable by physical or electronic search or which may interfere with functionality in any discernible way, in other words all reasonable means not to interfere in the contractual relationship between manufacturer/supplier and customer would be taken, the possibility of compromise cannot be excluded. Provision to limit the liability of the Commonwealth in these circumstances is a necessary protection for the officers and agencies engaged in this high risk area of technical collection.
6.2.12 Where sensitive operational sources, targeting or methods are likely to be disclosed in judicial proceedings, the Commonwealth commonly mounts a claim of public interest immunity (PII), arguing disclosure would adversely affect the operational capability of the agency concerned, render it ineffective in the performance of functions given it by the parliament, possibly place the lives or well-being of agency employees at risk or face the compromise of investigations employing similar means. It has been the experience of the AFP, NCA and ASIO in argument and cross-examination in support of applications for PII, that some information for which protection was sought under the aegis of those applications has, in fact, been disclosed. Indeed, it is not unknown for a judgement upholding a PII claim to be released, without restriction, when it contained information led in support of the application but intended to be protected by the grant of that application.
6.2.14 A useful conceptual model is to be found in the ASIO Act. Part VA of the ASIO Act deals with the Parliamentary Joint Committee (PJC) on ASIO. After setting out the functions of the Committee, it proceeds to list what they do not include. Among them:
To that limitation on the function of the PJC is added the power of the Minister to issue a certificate advising a witness not to give or continue to give evidence or not produce a requested document for reasons relevant to security. Notwithstanding those two levels of protection, the legislature decided nothing should be left to chance when the Committee comes to report to the Parliament. It prescribed the Committee shall not disclose:
The statute then proceeds to enjoin the Committee to obtain the advice of the Minister whether the disclosure of any part of its report would meet the above or another criterion. 66
6.2.15 The model seems apposite as the restrictions intended to preserve effectiveness in the performance of function occur later in the same statute where the Parliament has given a range of intrusive investigative powers, subject to the application of the Director-General and the approval of the Attorney-General.
6.2.17 Invocation in judicial proceedings of such a statutory protection against disclosure of sensitive operational methods should properly be accompanied by a certificate from the head of the agency attesting to the nexus between that matter and the capability of the service to perform its functions and offset by a privacy oversight mechanism similar to one discussed later in this chapter.
6.2.19 In summing up this section, there is a need to remedy some obvious deficiencies, to provide for new ways of doing old things and to preserve some existing capacities. The following list, which addresses concerns of Commonwealth agencies only, is not exhaustive, but illustrates the issues to be addressed.
as computers are as frequently used as communications devices as they are for data storage or word processing, there is need to widen the criteria of Class 2 offences in section 12(B) of the AFP Act so that listening devices may be used, for example, to obtain a password entered into a computer.
the authority to enter premises and install a beacon or tracking device for the purpose of transmitting data from that premise to another place and the related authorities to do this without the permission of the owner, to enter or traverse any other premises necessary to reach the premise the subject of the warrant for the purposes of the warrant, to re-enter the premise as required to install, maintain, replace or remove the device and for the authority to enter the premises for the purpose of removal of the device not to be limited by the term of the warrant.
the authority to alter proprietary software so that it may provide additional and unspecified features. It is understood that without specific authority, it would be an offence to alter proprietary software but the introduction of other commands, such as diversion, copy, send, dump memory to a specified site, would greatly enhance criminal investigations. A question of liability may arise where the software does not perform to the satisfaction of the owner and/or the specification of the manufacturer and it is alleged that interference with the software program commands may be responsible.
the creation of a statutory exemption from any order or direction by a court or process of discovery by an officer of the court or any other person from disclosing information concerning sensitive operational matters, the disclosure of which in the judgement of the Commissioner may affect the investigative capability of the AFP, and for the fact and category of those matters authorised by magistrate or judicial warrant not to be included in any unclassified and unprotected forms of reporting and be exempt from discovery under the Freedom of Information Act 1982.
6.2.21 Telecommunications Act
maintain the licence requirement for carriers who wish to market a service which is not susceptible to interception to first obtain the explicit approval of the Minister for Communications and the Arts who shall be required to consult with the Attorney-General. It is understood a proposal has been mooted that the requirement to consult with the Attorney-General should be waived. That would be a backward step and not address the particular requirements of law enforcement and national security, which both fall in the Attorney's portfolio.
establish a requirement for all communications service providers to be registered to facilitate the service of warrants and access to customer data bases. There are practical (neither legal ambiguity nor delay) and natural justice reasons (where some change is made to licence conditions a guaranteed means of informing the provider should be available rather than leaving the provider ignorant and potentially in breach of the law) for taking this step. While there is some resistance from DOCA, the Service Providers' Association supports the proposal.
the authority to 'hack', under warrant, into a nominated computer system as a necessary search power and to secure electronic evidence of an attack on a computer system.
the authority be created for the Commissioner of the AFP to require persons to answer questions, notwithstanding the principle of non self-incrimination, concerning passwords or codes relating to material seized in the course of investigation of serious criminal offences and found to be encrypted or to produce materials relating to the cryptographic processes employed.
the authority be established for search warrants, if the Justice of the Peace thinks fit, to be executed without permission first sought or demand made.
6.2.24 The establishment of a statutory protection for investigating agencies from disclosure of sensitive information bearing on operational capability may exclude certain of those activities from the scrutiny of the courts or an oversight body charged with monitoring privacy protection. It is important that the privacy rights and civil liberties of persons the subject of investigations are preserved and seen to be preserved. There is, therefore, a need to put some special arrangement in place which will accommodate this need. A suggestion is made in the following paragraphs.
6.2.25 The task may be assigned to an Ombudsman, Inspector-General of Intelligence and Security or similar independent person experienced in the conduct and handling protocols of sensitive matters. The Inspector-General of Intelligence and Security has this function in his remit as far as ASIO is concerned. The IGIS Act prescribes the Inspector-General will act for the Human Rights and Equal Opportunity Commission in respect of the intelligence community. 67 As far as Commonwealth law enforcement agencies are concerned, I had been thinking in terms of the Ombudsman, but the function might be given to the proposed National Integrity and Investigations Commission.
6.2.26 The official concerned would be required to:
satisfy him/herself that the process by which the information/item was obtained followed Commissioner's/Chairman's/Director-General's procedures and respected the subject's privacy within the limits of the operational parameters,
where the reviewer should come to a view that procedures were not followed or procedures are deficient for circumstances not previously envisaged, he/she should call a meeting involving the Minister and the Head of the agency and bring such matters to their attention. A brief record of fact and recommendation might be prepared and brought to the meeting by the reviewer. At the conclusion, both Minister and agency head might initial the piece of paper which would be retained by the agency head,
no files, papers or records of such operational matters would be retained outside the agency concerned, but would be produced on request by the Minister or the reviewer,
the reviewer would provide a one-page annual report to the Minister or parliament on this area of his/her functions in which mention might be made of the number of cases examined, the number which resulted in some recommendation for change and a general judgement of the sensitivity with which the agency was walking the fine and difficult line between proper respect for individual privacy and civil liberties on the one hand and the operational requirements of sensitive investigations on the other.
6.2.27 This outline is neither suggested as complete nor prescriptive, but merely an example of an attempt to walk a middle course at risk of some offence to both sides, yet offering a reasonable compromise.
6.2.28 There is obviously a functional overlap between the AFP and NCA and the police services of the States and Territories. The offences attracting the major investigative focus of those agencies are no respecters of borders, whether national or international. In a report where I urge new areas and forms of cooperation between the Commonwealth and the States and Territories, address a challenge which will tax the limited operational flexibility of those agencies either separately or acting in concert, and where there must be universal acknowledgement that involuntary or inadvertent disclosure of effective tradecraft by one will affect all adversely, the strongest call has to be made for parallel or complementary legislation between the Commonwealth, the States and Territories.
6.3.1 A modest but encouraging initiative was taken by DSD in the past year to bring together agencies facing common problems in the technical collection of intelligence, to provide a forum for frank exchange and to ensure coherence and the avoidance of duplication in the research and developmental work being undertaken by a number of agencies. This grouping did not involve any law enforcement agency representation. As the Review has not recommended the establishment of a separate decryption facility for law enforcement and in light of the reduction in Government outlays, there is an even greater need to ensure law enforcement agencies are included in this sort of forum and exchange, as they are likely to experience most acutely the problem.
6.3.2 This report has earlier (paragraphs 4.4.8-12) suggested the establishment of an inter-agency forum which would bring together the Commonwealth law enforcement agencies (AFP and NCA), ASIO and DSD, compliance agencies such as ACS and AUSTRAC and a coopted representative of a State or Territory police service. As the National Police Research Unit is involved in research on the impact of cryptography, it may be appropriate for an officer working on the project to represent the State and Territory police services.
6.3.4 The relationship of these agencies with AUSTRAC may well prove crucial once encryption becomes more pervasive. Major subjects of investigation, whether they be narcotics suppliers or distributors, pornography distributors, money-launderers or terrorists, rely and will continue to rely on the banking system to provide value to their transactions. The 'money trail', provided by credit and smart-cards, not to ignore fly-buys, may well provide a continuously available hand-rail in a darkening investigative world.
6.3.5 This report has earlier noted the resources dedicated to the investigation of computer crime among law enforcement and national security agencies are impressive but seem very meagre. 68 There can be no doubt increasing demands will be made on these units. There is, in such specialist and technical areas, a critical staffing and capital investment mass below which staff development and capability enhancement cannot be achieved or sustained. Within agencies, some staffing and budgetary protection will be required if these purposes are to be met and failure through atrophy avoided. There would be merit in the proposed inter-agency forum on cryptography preparing, for the respective agency managements, a staffing, development and investment plan for the next 5 years. The aim of coordinating this through the forum would be to ensure its coherence, resource maximisation and the complementarity of its parts. The reason for proposing a 5 year time frame rather than the customary triennial basis is due simply to the pace at which the technology and circumstances change. In a field in which prediction of the operating context in 3 years' time is hazardous, extension of the horizon to 5 years might lessen the risk of an inadvertent obstacle being placed in an agency's path by corporate decisions.
6.4.1 The term normally used by the OECD to cover law enforcement, counter-terrorist and counter-espionage interests is 'public safety'. It is a useful and simple description of a class of interests which concern the community, with which the state must be concerned and which various agencies must investigate. The means employed to investigate the kidnapping of a distinguished visitor or internationally protected person, a threat to blow up an aircraft if demands are not met or money paid, a terrorist threat against Australian citizens or institutions or a major importation of narcotics are essentially the same. Putting aside the variety of overt means which may be employed, the covert ones may include various combinations of physical, audio and visual surveillance, the search of premises and possible seizure of items, the interception of various forms of telecommunications and possibly of the mail. They may include thermal imaging, call tracing, tracking devices, GPS, or even satellite imagery.
6.4.2 The powers which involve an intrusion into a person's privacy are located in various statutes administered by several federal Ministers. It has long been the case that amendment of the investigative sections of these statutes has been approached with considerable diffidence. Not because of lack of belief in the merit and necessity of particular amendments but rather because an excess of hyperbole appears to characterise these public discussions and often prevents reasoned explanation and ready acceptance by the community and carries, therefore, the risk of negative electoral impact. Sometimes that tendency has been positively encouraged with Orwellian titles to statutes like the 'Electronic Surveillance Act'. Criticism by a court or oversight body of the manner or circumstances in which some intrusive investigatory power was exercised appears to increase the degree of difficulty with which amendments to the relevant statutes are approached. It seems axiomatic in the Australian community that there is not and will never be a convenient time to introduce necessary amendments to the investigatory powers of these agencies. They are generally introduced in isolated fashion and often have to be argued defensively.
6.4.3 The changing nature of crime, the proliferation of security threats with a capacity for violence, the extraordinary burgeoning of technology, all make regular review and amendment of the investigative capability of law enforcement and national security agencies a necessity. The increasing number of dignitaries invited by the Government to visit the country who face the risk of violence, the rising incidence of attacks against the institutions of the state and the imminent arranging of a major world event such as the 2000 Olympic Games suggest a different conceptual approach might prove rewarding.
6.4.5 The ready availability of strong data encryption and increasing difficulty associated with interception, likely to be exacerbated in a deregulated environment, threatens both the availability and viability of traditional investigative methods. This will place, for instance, much greater emphasis on tracing, intercepting and data logging of calls through multi-carrier and multi-national networks and the local authority to enable these measures. The suggested statute would be able to make clear the common purpose and inter-relationship of the various investigative powers. Oversight or review mechanism procedures could be collocated in the statute or cross-referenced.
6.4.6 In presentational terms, explanatory memoranda and second reading speeches could be situated against a clearly drawn public safety backdrop - threats of kidnapping, of violence directed against institutions of the state, of bombing of public buildings, of terrorism directed against aircraft, of explosive devices in public places. There are, regrettably, examples in any six month period and the Atlanta Games proved yet again the drawing power which major events retain for the violent and the deranged. A schedule might indicate to which departments and agencies the statute applied and then specify particular provisions by part, section, paragraph or sub-paragraph.
6.4.7 It is not suggested such an approach would overcome all problems which have been experienced, but once enacted the process of review and amendment should be greatly facilitated. Under administrative arrangements Ministers are responsible for specified statutes and it may not be possible or desirable to bring all intrusive investigative powers into the one Act. It would, however, make much sense for the law enforcement and national security related powers which are located in the Attorney-General's portfolio to be so combined.
6.4.9 As a discussion paper was issued in early September 1996 by the Attorney-General on the extension of the Privacy Act to the public sector and strong elements of preservation of privacy and individual liberty exist in the public safety purpose of those various investigatory powers, it may be sensible to couple the matters for legislative consideration. The security and protection demands associated with staging the 2000 Olympics in Sydney were always going to be a heavy burden. They have not been lightened by the loss of the TWA flight from New York to Paris just before the Atlanta Games nor the bomb which exploded in Centennial Park at the Games site. It is already evident from media commentary and public discussion that the community regards the provision of effective security arrangements not only as a national obligation but also a matter of national honour, reflecting the distinctive nature and values of our society. This backdrop should assist acceptance of such an approach.
Footnotes:
63 Australian Security Intelligence Organization Act 1979, s. 25 (3) 'A warrant...may, if the Minister thinks fit, provide that entry may be made, or that containers may be opened, without permission first sought or demand made and authorize measures that the Minister is satisfied are necessary for that purpose.'
64 Australian Security Intelligence Organization Act 1979, s.92C (4)(c).
65 ASIO Act, s. 92N(1)(b).
66 ibid, s.92N(2).
67 Inspector-General of Intelligence and Security Act 1986, s.8 (1)(a)(v).
68 cf. paragraphs 3.5.4 and 4.4.7.