Privacy Law and Policy Reporter
In October, the Telecommunications Legislation Amendment Bill 1997 passed almost unnoticed through the Senate, and commenced its second reading debate in the House of Repreesentatives on 19 November. The Bill includes provisions which require all carriage service providers (CSPs), including most Internet Service Providers (ISPs), to develop and maintain a capacity to intercept traffic passing through their hands when presented with a properly authorised warrant by a relevant authority.
Although the Bill is giving effect to a policy announced in March (which the Federal Department of Communications and the Arts (DoCA) claims was notified to CSPs, industry and consumer groups), and set out in a DoCA policy statement dated 26 August, it is only since the Bill was introduced that interested parties have really become aware of the implications. Although the DoCA statement claims that consumer organisations were consulted in March, the Regulatory Impact Statement on the Bill states that ‘The law enforcement and national security considerations raised by TI capabilities make it inappropriate to undertake consumer consultation.’ Chris Connolly drew attention to the proposals in an opinion piece in The Australian’s Computer Supplement on 11 November.
The Government’s policy is to ensure a uniform interception capability, in accordance with International User Requirements (IURs) (which the Australian Government has been involved in developing). The requirements on each CSP include the technical development of the capability at their own expense, the preparation and annual updating of an Interception Capability Plan, and advising the ACA and law enforcement agencies of any relevant technical changes in advance of implementation.
Apart from the considerable administrative and cost burden being placed on the estimated 500+ ISPs (many of them very small operations), one must really question the need for this heavy handed regime.
The Federal Opposition, in the second reading debate on 19 November, while accepting at face value the Government’s case for the amendments, did at least identify the major civil liberties and related implications of the proposal, setting them in the context of the confused state of government policy on encryption. Opposition spokesperson Martyn Evans moved an amendment to refer the wider issues to a Committee, in the following terms:
... the bill should be referred to the Standing Committee on Industry, Science and Technology so that a public inquiry can be conducted by the Committee and the House given the benefit of the committee’s advice on the effect of the bill on the future development of electronic commerce in Australia with particular reference to:
(1) the development of an encryption policy that promotes public and business confidence in the security of financial transactions conducted electronically;
(2) the requirement for secure digital signatures;
(3) the impact on business of the Government’s failure to support legally binding privacy standards for Australian companies.
Of critical importance is the extent to which the amendments would control the use of cryptography to encode the contexts of communications. On the face of it, the Bill appears only to require CSPs to provide law enforcement agencies with the liability to intercept and record traffic, not to ensure that messages are understandable. However, DoCA and the ACA have both advised ISPs that the detailed provisions of the IUR, which the amendments seek to implement, do have this effect. On this advice, CSPs would not be able to offer encryption as part of a commercial service without retaining the ability to decode messages when served with a warrant. This would have major implications for the availability and integrity of strong encryption, and would pre-empt the important public debate which is urgently needed on domestic cryptography policy.
The law enforcement community often try to argue that they are simply trying to maintain the existing level of capability in the face of new technology and changing media of communications. However, in an unusually frank admission, the Minister, Warwick Smith, in the second reading debate, noted that the intention is to provide ‘a new level of interception capability’.
A related development is the draft direction issued by the ACA in November concerning the issue of pre-paid SIM cards for mobile phones. This facility, which avoids the need for credit checks, has been offered by some of the mobile carriers for some time, but law enforcement agencies were concerned that the pre-paid cards effectively allowed mobile phones to be used ‘anonymously’, and for this reason would be attractive to criminals, offering a way of frustrating the authorities’ interception and monitoring powers.
The draft direction requires mobile carriers to record either the SIM card purchasers credit or debit card details or, if they pay by cash or cheque, proof of identity.
This appears to be another example of wholly inadequate public debate, and at least on the face of it, an unjustified over-reaction to an unquantified risk. Why should the ability to use a mobile phone anonymously not be seen as equivalent to the existing facility to make calls through a public call box, where only the location can be traced, not the caller? Information about the purchaser of a pre-paid SIM card will in any case not be a reliable indicator of who is using it to make calls. And why should cash purchasers be required to give more persoanl information than credit card purchasers?
Given all of the logistical difficulties involved in organising interception warrants, and then, if the mobile is a digital GSM type, decrypting the communication, the practical value to police and intelligence agencies of having access, presumably delayed, to details of SIM card purchasers also has to be questioned.
However, before the existence of the warrant safeguard for interception is seen as adequate re-assurance, two other changes need to be borne in mind. The first is the wide range of personal information held by telecommunications carriers and service providers now available to law enforcement agencies without a warrant, while the second is the recent weakening of the Telecommunications (Interception) Act 1989 to allow nominated members of the Administrative Appeals Tribunal to grant warrants as well as Federal Court judges.
A wide range of government agencies, including law enforcement bodies, have long had the ability to require the disclosure of information, including personal information, from third party organisations for the purposes of performing their statutory functions. The Tax Office and the Social Security Department are perhaps the two best known examples, with far-reaching powers, including to demand whole classes of information in bulk, without any prior suspicion or ‘probably cause’ justification, but many other Commonwealth departments have similar powers in more limited circumstances.
Law enforcement agencies, which have been able to ask for assistance but to only demand information with the authority of a judicially issued warrant, have long been jealous of the relatively greater powers of the agencies concerned with revenue protection. It is in fact odd that the Tax Office and others have been granted such sweeping powers that are denied even to police forces and intelligence agencies, without much apparent resistance, but the precedent should not be extended without a fight. The law enforcement community not surprisingly argues for the anomaly to be resolved in their favour, and a proposal for a ‘notice to produce’ scheme was circulating in the Commonwealth bureaucracy in recent years.
The first manifestation of this scheme in practice is to be found in the new Telecommunications Act 1997, which cleverly combines a general obligation to assist law enforcement agencies with a discretion to disclose for law enforcement purposes. Although both these components existed in the previous telecommunications legislation, the new ingredient is a ‘certification scheme’ which allows carriers and service providers to rely on a certificate from a police force or other designated agency that the information requested is required for a legitimate purpose. Previously, the onus under the Privacy Act disclosure principle (IPP 11), and under the parallel secrecy provision of the 1991 Telecommunications Act, lay in theory on the carrier to satisfy itself that the disclosure was required.
Although in practice, Telstra routinely provided police forces with a very large volume of personal information (150,000 cases a year), the fact that the responsibility remained with the carrier provided, at least in theory, a useful safeguard — ensuring that Telstra, for instance, processed all requests through a central unit of experienced staff. At the end of the day, if Telstra staff were uncertain about the justification for or circumstances of a request, it could previously have refused access until a warrant was produced.
Under the new regime, it is arguable that a carrier would be in breach its statutory obligation to assist with law enforcement if it did not respond to all ‘certificate’ requests. The danger is that this will now become a casual routine procedure, perhaps delegated to less experienced staff, and that police forces will feel less constrained in justifying requests. While some additional record keeping requirements were added by the new legislation, together with an auditing role for the Privacy Commissioner, this will only supervise the procedural aspects of the scheme, not the substantive nature of the disclosures. It will be interesting to see the trend in the volume of disclosures under the new procedures.
Recent separate legislative amendments have also weakened the controls over interception and the installation of listening devices (‘bugging’). The Telecommunications (Interception) and Listening Device Amendment Bill 1997 was introduced into Federal Parliament in May, and despite some vigorous argument by the Opposition and minor parties, passed in November.
The most controversial, and worrying, amendments allow warrants to be issued in future by designated members of the Administrative Appeals Tribunal (AAT). This was presented by the Government, and eventually accepted by the Opposition, as an unavoidable necessity given the unwillingness of Federal Court judges to continue to perform the role exclusively.
The Government also attempted to put forward spurious arguments concerning constitutional impediments to the judiciary’s role in issuing warrants — as the Opposition pointed out, the High Court has in fact expressly confirmed, in the Grollo case, that judges may perform such tasks. Unfortunately, while the debate included suggestions that the federal court judges unwillingness was more a question of resources than an objection in principle, this appears not to have been pursued to the logical point of asking the Chief Justice, or at least insisting that the Attorney-General document the court’s specific concerns, instead of merely asserting that the continuation of the role was not possible.
The Democrats moved an amendment to extend the pool of warrant-issuing authorities to include State Supreme Court judges, but this well meaning but misguided proposal — they saw this as a supplement rather than an alternative to AAT members — was not supported by the Opposition.
It was left to Senator Cooney, with his extensive experience of privacy issues as a past chair of the Senate Legal and Constitutional Affairs Committee, to identify the real concern in this matter, in debate on the Bill on 23 September. This is the fact that most of the AAT members who are likely to be designated by the Attorney-General under the amendments are appointed for fixed terms, and are not tenured. Without casting any aspersions on the integrity of individual AAT members, it is simply not as good a safeguard to have someone whose future career prospects may depend on further governmental appointments deciding something as crucial as the issuing of an interception or bugging warrant
This is of course a subset of a much wider issue about independence of various statutory officers from the Executive Government, but is of critical importance in this case because we are dealing with one of the most intrusive actions the state can take against an individual — the monitoring of private conversations. To illustrate the extent of this intrusion, the total numbers of warrants issued in 1996–1997 were 740 for telecommunications interception and 473 for listening devices (figures cited in the Senate, 23 September and 28 October 1997).
It is disappointing that despite their clear identification of the issues at stake and their gravity, the Opposition and minor parties were unable to develop and present a coherent strategy to defeat this amendment, which leaves every Australian just a little more vulnerable to abuse of State powers.
Taken together, the various changes outlined in this article add up to a very significant shift in the balance between law enforcement and privacy interests. Government must now be held to account for the implementation of its extended powers, with close scrutiny and reporting of those few statistics and explanations that are made public. The community will also need to be even more vigilant in respect of further extensions of law enforcement powers, with the telecommunications industry just one of the arenas in which this perennial struggle to keep a sensible balance of public interests is played out.
Nigel Waters, Associate Editor.