Privacy Law and Policy Reporter
A report to Australia's Federal Cabinet on the long-term cost-effectiveness of telecommunications interception (TI) reveals, more than any previously available document, the central role that considerations of interception and surveillance play in the development of Australia's telecommunications infrastructure. The Barrett Review provides a blueprint for future implementation of Cabinet's 1990 decision that 'all public telecommunications services should be capable of being intercepted for law enforcement and national security purposes'.
The central recommendations of the report are:
The Review also recommends some strengthening of privacy and accountability mechanisms:
In July 1993 the Security Committee of Federal Cabinet requested Mr Pat Barrett, Deputy Secretary, Department of Finance, to review the long-term cost-effectiveness of telecommunications interception. The 'Barrett Review' (Review of the Long-Term Cost Effectiveness of Telecommunications Interception), delivered in March 1994, is still largely unknown outside those involved in formulating government telecommunications policy, although an edited version has received limited public circulation.
(References in square brackets [n.n] are to paragraph numbers of the Review, with [0.n] referring to paragraphs of the summary chapter, and references preceded by 'R' are to recommendations in that summary chapter.)
The background to the Barrett Review is that in 1990 the Federal Government decided that 'all public telecommunications services should be capable of being intercepted for law enforcement and national security purposes'. In 1992 it decided that the cost of providing investment in new interception facilities should be met through the budget new policy process (NPP) [7.1.1].
The Barrett Review is essentially a response to two perceived problems: (a) that new technological advances may make TI ineffective; and (b) that the sharing of the cost burden of TI is much more problematic in the new multicarrier market (and will be even more so in the post-1997 fully deregulated market). Hence the Review focuses on both cost burdens and effectiveness.
Legislation to implement those aspects of the Review's recommendations favoured by Cabinet is expected to be introduced in the near future, possibly before the end of 1994.
The Review is significant in the light it sheds on TI practices in Australia, as much as for its recommendations. It reveals or confirms information such as the following:
The Review finds that 'Australia's interception capability in areas of strategic significance has been, until relatively recently, virtually 100 per cent but is being seriously eroded' [0.19].
It identifies the shift from analogue to digital telephony and the wider availability of encryption as the two main current threats to the effectiveness of TI [0.7], and the move toward mobile telecommunications (personal communications services or PCS) as a third [3.2]. The Review considers that it is not possible to be definitive about the impact that these changes in telecommunications will have on TI capabilities, but 'they do indicate that software solutions will increasingly be needed to perform interception' [3.2.4].
'There is no legislative constraint on the manufacture and use of encryption devices in Australia', but the agencies 'do not currently consider encryption as a significant threat to interception, at least in the foreseeable future' [3.3.2].
However, condition 3.1 of the General Licences Declaration and 8.1 of the Public Mobile Licence Declaration (made by the Minister under s 64 of the Telecommunications Act 1991 (Cth)) both required that a licensee must not operate a telecommunications network unless:
(a) it is possible to execute a warrant under the Telecommunications (Interception) Act 1979 in relation to a telecommunications service provided by means of that network; or
(b) if it is not, or would not be, possible to execute a warrant issued under that Act - the Minister, after consultation with the Attorney-General, authorises its operation.
Authorisations for non-interceptible services have been issued under (1)(b) in both categories [5.2.12].
The Review does not endorse either the approach taken in France (encryption is illegal unless the keys are deposited with the Government) or advocated in the US (the 'Clipper' proposal of a Federal standard for encryption, the keys to the 'front door' of which would be held by two Federal escrow agents and accessible only via a warrant) [3.3]. (The Review pre-dates the passage of the US Digital Telephony Bill.)
Instead, it notes that 'encryption appears to be of lesser concern than in the US because there is less likelihood of and scope for economic espionage, and cheap voice encryption devices are not yet readily available. Also, Australians have available in the GSM digital mobile services an effective means of encrypting their communications for legitimate privacy and commercial security purposes that is not, as yet, available to Americans' [3.3.9]. The Review recommends that LEAC should carefully monitor US and other developments 'to advise the Government of any degradation of TI capacity'.
The Review notes that, in order to ensure that law enforcement needs are taken into account in the development of new technology, 'international user requirements are being drafted by law enforcement agencies in North America, Europe and Australia' [5.3]. Such standards have three objectives:
A key recommendation of the Review is that Australia should promote the development of new international user requirements on telecommunications interception, and should ratify them at the first appropriate international meeting of law enforcement agencies, as the best prospect for a solution to maintaining long-term TI capacity.
The Review rejects the argument that the Australian Government should introduce a unilateral requirement that carriers/service providers only introduce technology that is interceptible, because 'such a unilateral policy runs the risk of implementing less than world class technology which could put Australia at a major disadvantage in a cost-competitive sense'. However, 'the sooner an international requirement for interception is standardised and accepted, the more likely there will be the automatic provision of a TI capability in new technology with similar implications for all users' [0.13, emphasis in original].
The Review states that it is expected to take three to eight years for such an international agreement to be reached, and argues that Australia should support initiatives currently being taken by the US's FBI [0.12].
The Review also notes that, in Australia, parallel work to the 'International User Requirements' work is being done on a 'National Product Delivery Standard' - by whom is not made clear - which should be kept consistent with the international user requirements.
The TI Act only allows interception for law enforcement purposes in connection with the investigation of a 'serious offence', defined as a Class 1 or Class 2 offence. More stringent requirements apply to the granting of a warrant for a Class 2 offence. Class 1 offences include murder, kidnapping, narcotics offences and related offences. Class 2 offences are offences punishable by imprisonment for life or for a period of at least seven years, where the conduct involves at least one other indicium of seriousness (serious risk of serious personal injury, serious fraud, etc).
The Review searches for some defensible basis to determine what offences should be interceptible (warrantable). It notes a lengthy 'wish list' of extensions proposed by various law enforcement agencies [2.3.2], that there is 'strong opposition from privacy and civil liberties groups to any extension of the list of warrantable offences' [2.3.8], and that the 1993 amendments to the TI Act included computer offences as warrantable offences, a departure from the 'seven year rule' [2.3.4] (see 1 PLPR 174). It rejects 'corruption' (as in the NSW ICAC legislation) as a defining criterion, on the basis that the Federal Parliament has not taken a view on this.
In the end, the Review tentatively endorses the definition of 'relevant offence' in s 4 of the National Crime Authority Act 1984 (Cth), as an approximation to notions of 'organised crime' or 'corruption'. The NCA Act requires an offence punishable by imprisonment for at least three years, plus that it 'involves two or more offenders and substantial planning in an organisation; involves the use of sophisticated methods and techniques; [and] is of a kind ordinarily committed in conjunction with other like offences' [2.3.5]. The Review argues that this 'may provide guidance' in the 'reformulation of the definition of "serious crime" so as to ensure that it actually covers what needs to be covered but that it also does not exclude crimes more serious than those covered' [2.3.9 and R 2, emphasis in original].
By some rather tortured logic, the Review concludes that privacy and civil liberties groups should not object to this as they accept that the warranting procedure should be available for 'serious crime' [2.3.8] and it would remain necessary for a judge to be satisfied that the circumstances supporting a warrant were satisfied [2.3.9].
The upshot is a recommendation for a very substantial expansion of interceptible offences, with the core criterion being reduced from seven years' imprisonment to three years.
The Telecommunications Act 1991 (Cth), s 47 requires carriers and service providers to give authorities of Australian Governments 'such help as is reasonably necessary' for enforcing the criminal law and laws imposing pecuniary penalties, protecting the public revenue, and safeguarding national security. The Minister is empowered by ss 63-65 to impose such licence conditions and to make declarations imposing other conditions.
AUSTEL's Law Enforcement Privacy Committee (LEAC) was formalised by a Ministerial Direction under s 50 of the Telecommunications Act 1991 (Cth) on 15 July 1992. It had existed since 1990, and then comprised representatives of AUSTEL (Chair), AUSSAT, AFP, State and Territory Police (one representative), ASIO, Customs, Attorney-General's Department, Department of Communications, Defence Signals Directorate, National Crime Authority, OTC and Telecom. Its composition has changed since then. The direction requires, among other things, that AUSTEL identify which agencies require 'assistance' from carriers, and develop principles to assess what help is needed and procedures for resolving disputes about payment (on the principle that carriers will neither profit nor bear the cost of law enforcement responsibilities). It is also required to seek the views of the Minister (for Communications) and the Attorney-General on any matters with significant law enforcement or national security implications [5.2.19]. LEAC's New Technology Subcommittee has concentrated on interception issues.
It is notable that there are no representatives on LEAC who could be considered to have a predominant interest in privacy protection (the departments have some intermittent interest). The Review pre-dates the formation of AUSTEL's Privacy Committee (which also has few privacy interest representatives: see 1 PLPR 125), and it would seem that an obvious role for that Committee would be to provide some missing privacy input into LEAC's considerations.
AUSTEL has issued directions to Telstra and Optus under s 46 (5 August 1993), and Vodafone under s 41 (24 August 1993), requiring that these carriers consult with the New Technology Subcommittee about any 'proposals to develop new technologies', and to comply with LEAC principles 'for assessing what help is reasonably necessary' and for resolving charging disagreements. The agencies that carriers are required to help are: State and Territory Police Forces; ASIO; NCA; AFP; NSW Crime Commission; Qld Criminal Justice Commission; NSW ICAC; Australian Taxation Office; Australian Customs Service; Australian Securities Commission; 'Commonwealth departments and authorities with significant law enforcement or revenue protection responsibilities'; Australian Reports and Analysis Centre; and State and Territory revenue authorities.
Since most of these agencies are not involved in investigation of the types of matters which can be the subject of interceptions (at least not yet), it is clear that the tasks of LEAC and its subcommittee extend to other techniques of law enforcement (see below concerning call data).
LEAC has apparently experienced conflict between surveillance agencies and telecommunications suppliers because of their 'conflicting goals': 'It has been claimed that on occasions an almost confrontationist or, at least, an adversarial role was adopted by the parties' [5.2.25].
Nevertheless, the Review concludes that 'there appears to be no other forum that would be as well placed' to co-ordinate consideration of TI issues [5.2.27], and recommends that LEAC should 'co-ordinate consideration of interception issues associated with the introduction of new technology and ensure that ministers are given early warning of the issues that need to be considered' [R 15], that it should develop guidelines on what is required by carriers 'in areas such as delivery of intercepted information and a capacity for multiple simultaneous intercepts' [R 17], that it should co-ordinate critical response times between agencies and carriers/service providers when new technologies are being introduced [R 19], and that AUSTEL be given considerably more funds to support LEAC's expanded TI role [R 18].
LEAC is therefore to become the key co-ordinating body in both planning and implementing TI, even though it is a 'privacy-free zone'.
The Review states [4.3.11] that:
It is also open to question whether the current arrangements for the supply of call data to law enforcement agencies are as tight as they should be. Such data consists of information on the connections made between parties and is not covered by the TI Act. Administrative arrangements for the supply of such information to law enforcement agencies in accordance with the Privacy Act 1988 and the Telecommunications Act 1991 are being worked out within [LEAC].
Elsewhere, the Review refers to 'the current efforts of [LEAC] to standardise procedures to be followed by agencies and carriers in the provision to agencies of call data that is not associated with an interception' [p 15, emphasis added], indicating that call data is obtained by surveillance agencies in relation to matters which are outside the limited range of offences covered by the TI Act.
It may be that the number of calls subjected to this form of surveillance dwarfs that obtained through interception, though the Review does not quantify the obtaining of call data. The disclosure and use of call data is, of course, a very contentious telecommunications privacy issue in other contexts.
In relation to call data, the Review makes two recommendations:
This second recommendation is not restricted to call data associated with intercepts. The Review points out that US and Canadian laws require that call data be supplied under court order provided the agency satisfies the judge or magistrate that the data is required for law enforcement purposes, and recommends such an approach here [4.3.11]. This approach means that call data would continue to be available without any of the restrictions imposed by the TI Act, either in relation to classes of offences, reporting requirements, or audits.
The second part of this analysis of the Barrett Review, in the next issue, will cover issues such as 'who pays to tap your phone', the proposed privacy protections, and the Olympian challenges for surveillance beyond 1997.