Under Australian laws such as the Telecommunications (Interception and Access) Act 1979 and the Mutual Assistance in Criminal Matters Act 1987, government authorities can issue foreign companies that operate in Australia, like Microsoft, with requests for data.
"Microsoft responds to demands for non-content data globally from a number of countries including Australia," Microsoft assistant general counsel, law enforcement and national security Norman Barbosa told the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
"We have local personnel who receive requests for non-content, subscriber records and IP addresses who forward those on to our corporate teams who process them, and we respond to a number of requests from Australian law enforcement officials around the country."
While Microsoft took on notice what requests fall under each Australian Act, Barbosa said nearly 900 requests were made by Australian government authorities in only six months.
"I don't have specific data on requests pertaining to those individual Acts, we do keep transparency reporting on the number of requests we receive in total from Australian authorities, but we don't break them down based on the specific acts Act that they're requested under," he said.
"At our most recent reporting that covered July to December of 2019, we received a total of 898 requests from Australian government authorities."
Barbosa was appearing before the PJCIS as part of its review of the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill), which is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa.
The Bill is a precondition for Australia to obtain a proposed bilateral agreement with the United States in order to implement the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act).
Having already provided a submission [PDF] to the committee, Microsoft on Wednesday expanded on a number of points it raised, including providing Australians with notice that they have been subject to surveillance activities.
"We believe notice is a fundamental right of customers and citizens around the world to receive notice at some point if they have been the subject of surveillance, and how we envision that working is similar to how it works in many countries around the world, including the US in that after a request has been executed, both the government and the service provider take part in that notice," Barbosa said.
"The government should have an obligation at some point to notify the target of surveillance, that they have been the subject of a request, and service providers should be allowed to communicate freely with their customers about [that]."
While Barbosa said notification of surveillance should primarily be from law enforcement, he said service providers should also be free to speak to their customers about the nature of the surveillance, subject to limitations when there is a risk to an investigation.
"And we recognise that there are many cases where secrecy may be necessary for some portion of the investigation, or possibly longer depending on the nature of the case," he added.
"The timeline can be anywhere from a few months to over a year, depending on the sensitivity of the case and the progress of the investigation … but often times, once a case has been solved, and a suspect is being brought to justice, obviously the government will be revealing its evidence against that suspect and there's generally no longer a need for secrecy."
Microsoft is also concerned with the independence of the Administrative Appeals Tribunal (AAT).
"We are concerned with ensuring that there are robust mechanisms for that review and that the standards clearly require law enforcement to step forth a factual basis that shows that the request is reasonable and proportionate, that there is reason to believe that there is evidence of the crime that is under investigation that will be located in the data that is being sought and that the reviewing officer is not subject to undue influence from the government agency making that request," Barbosa said.
Barbosa said Microsoft has recommended that to have faith in the process, the PJCIS seek confirmation that only members of the security division of the AAT can authorise IPOs and that the PJCIS recommend additional requirements for the membership of the security division that are empowered to authorise IPOs to ensure the member has the appropriate criteria.
"We just want to be sure that those reviewing these are not subject to undue influence that may impact their review," he added.