The legislative framework that governs Australia's intelligence community is "unnecessarily complex". It leads to "unclear and confusing laws" for the intelligence officers who have to interpret and follow them.
So said the final report of the Comprehensive review of the legal framework of the National Intelligence Community in December 2019 -- although the government didn't publish it until a year later, in December 2020.
Comprehensive indeed: Even the unclassified version runs to more than 1,300 pages.
That review, conducted by former diplomat, public servant, and one-time ASIO chief Dennis Richardson, recommended that as far as electronic surveillance goes, Australia needs a whole new electronic surveillance Act.
As Richardson noted, when the core Telecommunications (Interception and Access) Act 1979 (TIA Act) was originally passed, it was just 19 pages long. But by the end of 2019, it had blown out to 411 pages.
"The TIA Act itself rests on outdated technological assumptions, and has become complex to the point of being opaque. We are not the first review to recommend its reform," Richardson wrote.
"Technological change and convergence has resulted in telecommunications interception, covert access to stored communications and computers, and the use of optical and listening devices... becoming functionally equivalent."
Currently, though, these activities are subject to "inconsistent limits, controls and safeguards" across the TIA Act, the Surveillance Devices Act 2004, and the Australian Security Intelligence Organisation Act 1979.
Richardson made dozens of recommendations for how such a new Act should work, and 203 recommendations in total.
It took an entire year for the government to respond, in part due to the COVID-19 pandemic's impact on business, but eventually, in its formal response of December 2020, it agreed that such a reform was needed.
Indeed, the government agreed, or agreed in principle, to the vast majority of Richardson's unclassified recommendations.
"The central area for reform is a new electronic surveillance Act, which will be a new landmark in Australia's national intelligence legislation," the government wrote.
"A new electronic surveillance Act will be generational in its impact. This legislation will require careful and detailed consideration, with extensive public consultation, to establish a framework that will support Australia's intelligence collection and law enforcement agencies in the years to come."
Which is all well and good, but it'll take time. Five years and AU$100 million, according to the Richardson review.
That's down to "the complexity of issues at play, the multitude of interested stakeholders at the Commonwealth, state and territory level and the controversy which attaches to what are, arguably, the most intrusive powers of the state".
"A new Electronic Surveillance Act will take two-three years of very detailed work and drafting before being considered by Parliament, after which there will need to be a good two year implementation period to update IT systems, adjust procedures, and retrain staff," Richardson wrote.
"It would also be possible for government to continue making ad hoc amendments to address individual challenges, as they arise. But kicking the can down the road will only make the reform exercise that much bigger and more complex when the time comes, as it surely will."
At the start of 2021 it's still all about ad hoc laws
Despite knowing about Richardson's recommendations for a year, the government is still faffing about with a fat sack of ad hoc laws, most of which continue to be controversial.
Chief among them is the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, usually referred to as the TOLA Act or the AA Act.
The TOLA Act introduced that complicated regime with clumsy and confusing definitions through which intelligence and law enforcement agencies gained the ability to request or demand assistance from communications providers -- all very broadly defined -- to access encrypted communications.
A year later, the Labor opposition introduced its Telecommunications Amendment (Repairing Assistance and Access) Bill 2019, which goes part of the way to tidying up the mess, but in the view of your correspondent not far enough.
That Bill has yet to go anywhere, mostly because the Parliamentary Joint Committee on Intelligence and Security (PJCIS) was scheduled to conduct a review anyway.
PJCIS asked Australia's then-Independent National Security Legislation Monitor (INSLM) Dr James Renwick to take a look.
His recommendations, made in a 316-page report [PDF], included setting up an independent body to oversee the approval of TOLA Act activities rather than agencies approving them themselves without judicial oversight.
PJCIS was supposed to complete its review by September 30, 2020, but there's been no sign of it yet.
PJCIS is well behind schedule most of its other work too.
One of its recommendations was that the Department of Home Affairs "prepare national guidelines on the operation of the mandatory data retention scheme by enforcement agencies recommendations". Because currently there aren't any.
The recommended timeframe was a leisurely 18 months.
PJCIS is also reviewing the Telecommunications Legislation Amendment (International Production Orders) Bill 2020, which is all about exchanging telecommunications data with other countries.
There's no sign of that report either, and no deadline has been given.
There's yet another PJCIS review into the Telecommunications Sector Security Reforms (TSSR), which were all about "a regulatory framework to manage the national security risks of espionage, sabotage and foreign interference to Australia's telecommunications networks and facilities".
Submissions to that review closed on 27 November 2020. No public hearings have been held yet, and once more there's no deadline for the committee to report.
The Communications Alliance is worried about the potential for confusion because telcos' requirements under TSSR overlap with those in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 which was introduced in December 2020.
There is, of course, another PJCIS review to deal with that, with submissions closing February 12 and a reporting deadline of April 11.
Finally, there's the brand new Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 introduced in -- you guessed it -- December 2020.
This new law would hand a trio of new computer warrants to the Australian Federal Police and the Australian Criminal Intelligence Commission: A data disruption warrant, a network activity warrant, and an account takeover warrant.
There's a PJCIS review into that Bill too, with submissions closing February 12, but again no deadline for the committee to report.
Then there's the Identity-matching Services Bill 2019, which was all about sharing biometrics between federal and state agencies, which was so bad that PJCIS recommended a complete redraft. We've yet to see any progress on that.
A mess of the government's own making
In hindsight it's easy to see why Australia's intelligence legislation is in such a mess: For nearly 20 years now, politicians on both sides have rushed through a series of ad hoc laws without proper oversight.
From the time of the terrorist attacks in the US on 11 September 2001, through to 1 August 2019, "Parliament passed more than 124 Acts amending the legislative framework for the NIC, making more than 14,500 individual amendments i.e. inclusive of the minor and technical," Richardson wrote.
That's more than one new Act every eight weeks and it's fair to say that politics has often trumped good governance.
In December 2018, for example, despite all its bold speeches against the proposed TOLA Act, Labor caved in and passed it anyway.
"Let's just make Australians safer over Christmas," then-Labor leader Bill Shorten said.
"It's all about putting people first."
It was a decision for which they were subsequently roasted, and rightly so.
Laws, like puppies, aren't just for Christmas.
10 years ago, when Labor was in government, the controversial Cybercrime Legislation Amendment Bill 2011, which was meant to being Australia into line with the Council of Europe Convention on Cybercrime, was found to be seriously flawed by the Joint Select Committee on Cyber-Safety.
The House of Representatives ignored nearly all of those recommendations. Instead, MPs rushed to correct a fatal flaw that would have seen the new law fail to achieve its stated purpose.
The current backlog of surveillance legislation, somehow simultaneously both rushed and delayed, seems unlikely to break from this pattern.
The Minister for Home Affairs, Peter Dutton, and his sprawling department seem either disinclined to, or incapable of, organising themselves in a way that provides both thoughtfully drafted legislation in a timely manner, and meaningful timeframes for public consultation.
Cutting judges out of the warrant process? Really?
Also concerning is Richardson's recommendation to not strengthen judicial oversight of intelligence activities, but to lessen it.
"Recommendation 30: Ministers should continue to authorise ASIO and Intelligence Services Act agency activities. These authorisations should not also be subject to judicial or other independent authorisation," he wrote.
The government agreed.
"Ministerial authorisations, together with IGIS [Inspector-General of Intelligence and Security] oversight, provide appropriate protections and accountability for intelligence warrants and authorisations, and should continue without additional judicial or other authorisation," they wrote.
The Law Council of Australia has expressed "grave concern" about this.
"This would reinforce Australia''s status as a major outlier within the Five Eyes Alliance," wrote Pauline Wright, the Law Council's president.
"The United States, United Kingdom, Canada, and New Zealand all have judicial authorisation requirements for their intrusive intelligence collection-powers," she wrote.
"For the public to have trust and confidence in covert activities it is essential the utmost independence and rigour applies when granting authorisations. Judicial authorisation is essential to creating and maintaining that state of trust."
The Australian government's challenge this year will be to unravel this tangle of laws. One might wonder whether they're up for it.
- Intelligence review recommends new electronic surveillance Act for Australia
- Christchurch terrorist's radicalisation shows the limits of surveillance and censorship
- E-commerce retailers in Australia voluntarily pledge to improve product safety online
- Reserve Bank of New Zealand investigates illegal access of third-party system
- Rapid website-blocking power for violent material proposed for eSafety Commissioner
- Australia's cyber power is more bark than bite