IGIS highlights out of date thresholds for ASIO in International Production Orders Bill

The Inspector-General of Intelligence and Security has concerns that the International Production Orders Bill would give Australia's spy agency powers that are a decade old and potentially unaligned with the current level of privacy intrusion involved for accessing telco data.

The Inspector-General of Intelligence and Security (IGIS), as one of its roles, will have oversight of how the Australian Security Intelligence Organisation (ASIO) uses the international production orders (IPO) regime, if legislated.

As a result, it focused its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its inquiry into the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 on its application to the spy agency.

Must read: International Production Orders Bill will give ASIO access to encrypted communications

The IPO Bill is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa.

It paves the way for Australia to obtain a proposed bilateral agreement with the United States for implementing the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act).

Free PDF

Australia’s encryption laws: An insider’s guide

Australia now has world-first encryption laws. This guide explains what the laws can do, what they cannot do, and how Australia ended up here.

Read More

In its submission, IGIS stated it was concerned that requirements in the two-step approval, which would be consent by the Attorney-General and authorisation by an Administrative Appeals Tribunal (AAT) member, would result in a more rigorous process to the issue of international orders than to domestic warrants.

"There is currently no statutory requirement for nominated members of the AAT to consider privacy, proportionality, and human rights in deciding whether to issue any of the three categories of IPOs that may be sought in relation to national security," it wrote.

"IPOs issued to ASIO could potentially be very broad in scope, extending beyond individuals reasonably suspected of being engaged in acts prejudicial to security, to services used for 'purposes prejudicial to security'.

"IGIS would expect ASIO to consider privacy and proportionality matters in its applications."

According to IGIS, the addition of a requirement for ASIO to notify the IGIS of all IPOs issued within three months into the Bill would aid its ability to provide oversight.

The age of ASIO's domestic access thresholds was also called into question by IGIS, and although IPO thresholds are on par with existing ASIO ones, IGIS noted that they were developed over a decade ago.

"In the more than 12 years since that threshold was introduced there has been a dramatic change in the level of privacy intrusion involved in access to telecommunications data," IGIS said.

Similarly, the ASIO Guidelines which regulate ASIO's activities, including use and retention of telecommunications information, have not been revised in over 10 years.

IGIS asked the committee to take into consideration ASIO's statutory powers and that the technology available to it has increased significantly across that decade when making its recommendations.

Urgent circumstances would allow a telephone application to be made, but IGIS said there is currently no statutory guidance on what may constitute "urgent circumstances". It also said there is no requirement to provide the Attorney-General with the particulars of the urgent circumstances when seeking their consent by telephone. They do, however, need to be provided to the AAT member at the time a telephone application is made.

IGIS told the PJCIS it would assist oversight regarding ASIO's requirement to report comprehensively to the Attorney-General on all IPOs.

"Some form of public statistical reporting on ASIO's use of the IPO regime would make the operation of the scheme more transparent," it added. "The committee may wish to seek assurance that designated international agreements entered into under the framework established by the Bill will be made public."

It also suggested a statutory requirement for a periodic review of the ongoing relevance of the data collected under IPOs, and further, suggested the committee consider extending destruction obligations to telecommunications data provided under an order.

The Bill's requirement that ASIO retain certain records could also be amended, IGIS said, to require that records must be kept for three years, or for as long as any of the data obtained under an IPO is retained, whichever is the longer.

On technical matters, IGIS said the Bill uses different definitions for the same terms in the TIA Act and said keeping them different "may cause complexity and result in confusion in the proposed new international framework".

Also not consistent, IGIS said, is that the current domestic data access regime provides specific protections for journalists that are not present in the proposed IPO scheme.

IGIS has asked also for Clause 153 to be amended to enable IPO information to be used, recorded, or disclosed for the purpose of "an IGIS official exercising a power, or performing a function or duty, as an IGIS official", rather than just functions under the Inspector-General of Intelligence and Security Act 1986.

"To ensure efficient and effective administration of different oversight aspects of the scheme there should be an amendment to the IGIS Act to provide explicit authority for IGIS officials to share information with the Attorney-General's Department for the purpose of its role as Australian Designated Authority," it added.

MORE ON THE IPO BILL