INSLM recommends taking encryption-busting approvals power from Australian Ministers

In his final report before retiring, Australia's Independent National Security Legislation Monitor (INSLM) Dr James Renwick took the red pen to the country's encryption-busting legislation, making a handful of recommendations, mostly centred on the creation of an independent body to oversee the approval of warrants.

Free PDF

Australia’s encryption laws: An insider’s guide

Australia now has world-first encryption laws. This guide explains what the laws can do, what they cannot do, and how Australia ended up here.

Read now

The Telecommunications and other Legislation Amendment (Assistance & Access) Act 2018 (TOLA Act) was rammed through Parliament back in late 2018. Under the laws as currently written, agencies can issue:

• Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
• Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
• Technical Assistance Requests (TAR), which have been described by experts as the most dangerous of all.

TANs and TARs can currently be approved by the head of the requesting law enforcement or intelligence agency. TCNs must be approved jointly by the attorney-general and the minister for communications.

In the 316-page report [PDF], borrowing US President Ronald Reagan's famous dictum "trust but verify", the INSLM recommended a re-work of the TANs and TCNs approval process that would give the power to the Administrative Appeals Tribunal (AAT) through a new Investigatory Powers Division (IPD).

"The new IPD, building on the powers and procedures in the Security Division, would operate in a similar way to protect classified material of agencies that are applying for TANs and TCNs and the commercial-in-confidence material of DCPs that are resisting the issue of those notices," Renwick wrote, noting separately that the legislation should be clarified so that a designated communications provider (DCP) cannot be an individual unless they are a sole trader.

Borrowing the idea from a similar model used in the United Kingdom, the IDP would be able to utilise existing AAT powers and procedures, including alternative dispute resolution, to decide for itself whether to issue a TAN or TCN, he explained.

It would hear submissions and receive evidence from the applying agency and the DCP and be in a position to promptly determine technical questions, such as whether a notice is practicable, reasonable, and proportionate, or if it would create a systemic weakness.

"The Attorney-General's approval would be required for a federal agency to lodge an application for a TCN with the AAT, but this should not be required for any State or Territory body or the Commonwealth Integrity Commission, if and when it is established," he clarified.

As envisioned, the IDP would consist of a new part-time deputy president, who would also be the Investigatory Powers commissioner (IPC), along with other eminent lawyers and technical experts as needed.

Renwick recommended the creation of the IPC as a new statutory office holder, whose functions would include monitoring the operation of TOLA Schedule 1, including by sharing information with other oversight bodies -- such as the inspector-general of Intelligence and Security and the Commonwealth ombudsman -- and reporting annually on its operation to the attorney-general and the Parliamentary Joint Committee on Intelligence and Security (PJCIS).

The IPC would also be an additional, part-time deputy president of the AAT and be heavily involved in the appointment of other part-time technical and legal decision-makers assigned to the new IPD who would also assist the IPC in the monitoring roles.

The IPC would also be charged with developing and approving the prescribed form for TAR, TAN, and TCN applications and issuing guidelines.

Renwick has asked that relevant agencies keep a record of the number of industry assistance orders that are executed and provide them annually to the IPC, as well as change the various industry assistance order provisions to mandate the agency in question be required to report to its oversight agency the number of assistance orders that it executes each year and, other than for ASIO, publish those figures in public annual reports.

Similarly, the INSLM recommended that agencies be required to keep records of the number of requests they make of carriers or CSPs under section 313 of the Telecommunications Act and to report on those matters annually to the IPC.

Renwick asked the minister be blocked from being able to remove material from an Ombudsman report under that provision.

As he considers the IPC role should be filled by someone who is "independent of government, is eminent in the law and its application, enjoys bi-partisan support, and is not diverted by judicial duties", Renwick recommended that the IPC be a retired judge of the Federal Court or the Supreme Court of a state or territory, appointed by the Governor General, on the advice of the Attorney-General, following mandatory consultation on the appointment with the Leader of the Opposition.

"I would expect there would also be consultation with industry, but I would not mandate it," he added.

"I consider the creation of a standing pool of technical experts, appointed also as members of the AAT, carries significant advantages. First, it would bring together a group of people with appropriate skills, qualifications, and experience to properly grapple with the complex technological issues to which TANs and TCNs might be expected to give rise. That alone would be a significant improvement on the status quo, as at present there is no requirement that any person issuing an industry assistance notice have any technical expertise."

He also noted in the report the advantages of having people who understand both cutting-edge technology and the nuances of Australia's security challenges.

"I have no doubt that, despite the skills shortage that presently exists in the technology sector, there exist within Australia sufficiently qualified technical experts who could form part of that group of technical experts," he wrote.

After confirming in March he would not be requesting a repeal of the Bill, Renwick has asked for a few tweaks, such as recommending that agencies retain the power to engage in limited telecommunications interception, for the purposes of a computer access warrant, without the need to obtain a separate warrant under the Telecommunications (Interception and Access) Act 1979 (TIA Act) to authorise that interception.

"I recommend that the AFP no longer have any role in the consideration of industry assistance notices requested by or issued on behalf of state and territory police," he said.

Additionally, Renwick recommended state and territory anti-corruption commissions be given the power to agree to or apply for all three types of industry assistance notice, with the power also to be given to the foreshadowed Commonwealth Integrity Commission, when and if it is established.

"I recommend no change to the capacity of the relevant agencies and a DCP to freely agree a TAR with each other, other than that a prescribed form be used."

Also on Renwick's list for editing is removing all references to "systemic vulnerability" in Schedule 1, saying the term is redundant.

Renwick further recommended the introduction of the following definitions: "Otherwise secure information" to mean "information of, any person who is not the subject, or is not communicating with the subject of, an investigation" and "unauthorised third party" to mean "anyone other than a party to the communication, the agency requesting the relevant TAR, TAN or TCN and/or integrity agencies".

Attorney-General, and currently Acting Home Affairs Minister, Christian Porter said that given the PJCIS is currently reviewing the encryption-busting legislation, it would be "sensible" for the government to await the PJCIS findings before responding to the INSLM's report.

"What is clear however, is that the counter encryption laws have been critical to helping protect Australia's national security," Porter said. "The government will carefully review the report's recommendations along with the findings from the PJCIS review later this year to ensure our agencies continue to have the most effective and proportionate laws available to them."

With Renwick's departure, Grant Donaldsonhas taken over as INSLM for an initial period of three months while preparatory arrangements for his permanent appointment are made. Donaldson previously served as the Solicitor-General for Western Australia.

RELATED COVERAGE

• Home Affairs considers expanding the list of agencies who can access metadata
• Home Affairs report reveals deeper problems with Australia's encryption laws
• Home Affairs savaged over poor data retention laws oversight
• Cops are getting full URLs under Australia's data retention scheme
• Australia keeps telco data longer than all but three countries
• Anti-corruption and police integrity bodies reject call to reduce data retention period
• OAIC wants visual on what telcos are handing over under data retention regime