ASIO vows to consider privacy, proportionality, and human rights in IPO process

The agency said it will carry over existing, domestic methods to the International Production Orders Bill and resulting US CLOUD Act.

The Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill) requires law enforcement agencies in Australia to consider privacy, proportionality, and human rights before making a request to access data. As currently drafted, it doesn't require the Australian Security Intelligence Organisation (ASIO) to do the same.

On Thursday, ASIO Deputy Director-General of Enterprise Service Delivery Peter Vickery said that ASIO would, where it can, make the same considerations as law enforcement bodies when making an application.

"Our [current] procedure is we start from the lowest level of intrusion that we possibly can and the lowest level of invasiveness in terms of privacy that we possibly can, and go into those more intrusive if absolutely required," Vickery told the Parliamentary Joint Committee on Intelligence and Security (PJCIS).

"The AAT can ask us about any matters as they see fit."

The Administrative Appeals Tribunal (AAT) isn't required, however, to look at privacy, proportionality, or human rights when reviewing an international production order (IPO) from ASIO as it is with law enforcement, in the current form of the Bill.

Despite the committee previously hearing concerns over the security division of the AAT perhaps not being the most appropriate to handle IPO requests, Vickery said ASIO remained comfortable about the role staying with the AAT, as currently drafted.

"We are comfortable with the security division of the AAT being the right place … they're well-versed in what we can or cannot do and their staff have appropriate security clearance," he said. "That meets our requirements."


The IPO Bill is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa.

The Bill is a precondition for Australia to obtain a proposed bilateral agreement with the United States in order to implement the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act).

In addition to concerns over ASIO's approach to accessing data under the IPO Bill, the PJCIS previously heard from the Inspector-General of Intelligence and Security (IGIS), which oversees the operations of ASIO, that the spy agency isn't required by the Bill in its current form to make public its IPO history.

"We're keen to ensure we are as transparent and forthcoming as we can be," Vickery said.

"We're happy to work out a system to ensure we're providing the data in an efficient matter," he said, in relation to sharing information with IGIS as part of its oversight role under the Bill. 

"IGIS and her staff are welcome to come and check on our record keeping at any time."

Appearing before the PJCIS on Tuesday, IGIS Margaret Stone raised concerns regarding the level of authority required to seek an IPO.

As the Bill is currently drafted, any one of ASIO's several thousand employees could theoretically be authorised to apply for an IPO. Stone's suggestion is to restrict authorisation to only the director-general of ASIO and the deputies, of which there are presently three.

"While we accept that with multiple IPO applications, it may not be feasible for the director-general to approve all, there are three deputies at ASIO … it seems to me there's a concern about delegating it to any member of the ASIO staff where there's no training or experience in relation to these matters," Stone said.

"None of that detracts from what would be the good sense of the director-general, but it would in our view be worth considering if this should go in the legislation."

In response, Vickery said that under the IPO Bill, ASIO's existing protocols and procedures for domestic orders would continue to apply, which includes the director-general being in the loop with requests for data.

He said under the current method, it has to be a senior officer, executive level two equivalent or above. The director-general may also appear before the AAT to discuss any IPOs.

Home Affairs told the PJCIS later on Thursday that, following evidence from IGIS and ASIO, it would "take a look" at the legislation as drafted and make an amendment to the level of ASIO officer that can make an IPO.

Real-time offshore private message interception

As detailed in ASIO's submission to the committee, passage of the Bill would allow it access to encrypted communications stored overseas.

"Australia has seen a steady shift to encrypted Internet Protocol (IP)-based communications over the past decade, with the majority of these services provided by offshore companies," it wrote. "This shift in communications practices has naturally been mirrored by the subjects of ASIO's investigations."

ASIO said as companies that provide encrypted IP communications services are mostly based offshore -- meaning they often fall outside the legal frameworks in Australia that authorise interception of communications or disclosure of telecommunications data -- such communications are therefore not accessible to ASIO, or, when collected through warranted interception via onshore providers, are encrypted and unusable.

"The Bill seeks to enable access by agencies such as ASIO to data controlled by technology companies located offshore, where such access is for national security purposes. It will enable ongoing and reliable access to a broad range of data and communications sourced directly from offshore providers," it said.

"Legislation that supports ASIO's ability to fulfil its function to obtain, correlate, and evaluate intelligence relevant to security is essential."

At present, the Australian Federal Police (AFP) can access information within private messages on apps based overseas such as Messenger, Instagram, Twitter, and Snapchat as a stored communication. Under the IPO Bill, in its current form, the AFP would be allowed to obtain this stored data in real time, when the communication is occurring.

"That will depend on the company and what their capabilities and capacities for that to happen, but what ultimately I think that means is that it makes our ability to access data from overseas the same as for Australians," Vickery added on Thursday.

"From our point of view, what we would be looking at … to make sure that capabilities and capacities that we currently have are mirrored by the new legislation.

"If the legislation is passed in a way that it's intended, that will give us the capability and the capacity to do that."
