Intelligence review recommends new electronic surveillance Act for Australia

It would repeal the existing parts of three Acts to form a new one that covers the use of computer access and surveillance devices powers.

A review into Australia's intelligence community has recommended comprehensive reform of electronic surveillance laws, one that would repeal existing powers and combine them to avoid duplication, contradictory definitions, and any further ad hoc amendments to the existing three Acts.

Electronic surveillance powers enable agencies to use electronic or technical means, which would otherwise be unlawful, to covertly listen to a person's conversations, access a person's electronic data, observe certain aspects of a person's behaviour, and track a person's movements. Currently, these powers are contained within the Telecommunications (Interception and Access) Act 1979 (TIA Act), the Surveillance Devices Act 2004 (SD Act), and the Australian Security Intelligence Organisation Act 1979 (ASIO Act).

Parts of the Telecommunications Act 1997 and the Criminal Code Act 1995 are also directly relevant when considering these powers.

Each Act requires agencies to meet thresholds before accessing these powers and requires external authorities, such as judges, Administrative Appeals Tribunal (AAT) members, or the Attorney-General as is the case of ASIO, to approve the use of powers.

In 2017-18, Commonwealth, state, and territory law enforcement agencies obtained 3,524 interception warrants, 828 stored communications warrants, 802 surveillance device warrants, 23,947 prospective data authorisations, and 301,113 historic data authorisations. ASIO likewise obtained interception, surveillance device, and computer access warrants.

"In short, we conclude that the legislative framework governing electronic surveillance in Australia is no longer fit for purpose," the review said. "The SD Act was enacted 15 years ago; the ASIO Act and TIA Act are 40 years old; and the foundations of the surveillance framework date back to decisions made by Prime Minister Chifley in 1949."

It said that after 40 years of continued amendments, problems with the framework have accumulated.

"The framework contains a range of highly intrusive powers that are functionally equivalent, but controls and regulates their use in a highly inconsistent fashion. It is based on outdated technological assumptions that cause challenges for agencies applying the framework to modern technologies," the review said. 

There are more than 35 different warrants and authorisations for electronic surveillance activities. These warrants have different tests, thresholds, safeguards, and administrative requirements.

Similarly, the review said, there are significant differences between the limits and controls that apply to agencies' use of their electronic surveillance powers in respect of third parties who are not, themselves, under investigation. Additionally, the ASIO Act, SD Act, and TIA Act contain 10 different arrangements for "emergency authorisations" to exercise their electronic surveillance powers in various urgent circumstances.

It also said ad hoc amendments often introduce as many problems as they solve and many of the core definitions in the Acts date back to the 1970s and 1980s and do not reflect the current telecommunications environment.

The review labelled the TIA Act as a "case study of complexity", saying the complexity was both unnecessary and harmful.

The review considered the following fixes: Continuing to progress ad hoc amendments to deal with problems as they arise; repealing and rewriting the TIA Act alone; comprehensively reforming the entire electronic surveillance framework -- repealing and rewriting the TIA Act, SD Act, and relevant parts of the ASIO Act; or developing a common legislative framework, which would be a broader consolidation of core legislation governing the National Intelligence Community (NIC).

"We recommend that the SD Act and TIA Act, and relevant parts of the ASIO Act governing the use of computer access and surveillance devices powers should be repealed and replaced with a new Act," it declared.

Under a new Act, it said agencies should continue to be required to obtain separate warrants to authorise covert access to communications, computer access, or the use of a listening or optical surveillance device under a new Act. It added the Act should not introduce a "single warrant" capable of authorising all electronic surveillance powers.

As part of the development of a new electronic surveillance Act, the review said, the Australian Transaction Reports and Analysis Centre (Austrac) should be able to access telecommunications data in its own right under arrangements consistent with other Commonwealth, state, and territory law enforcement agencies presently authorised to access telecommunications data.

It also recommended for corrective services authorities to be granted with the power to access telecommunications data if the relevant state or territory government considered it to be necessary.

A further recommendation is that as part of the development of a new Act, electronic surveillance powers should be vested in the Australian Border Force (ABF), not the Department of Home Affairs, and the ABF should also be granted the power to use tracking devices under warrant and authorisation for the purpose of serious criminal investigations.

The new Act would amalgamate bits from the existing Acts, but unify them. As one example, the Attorney-General would be permitted to issue warrants authorising ASIO to intercept telecommunications, access stored communications, access computers, and use optical and listening devices under the new Act if they were satisfied that a person was engaged in, or was reasonably suspected of being engaged in or of being likely to engage in, activities relevant to security, and the exercise of powers under the warrant in respect of the person is likely to substantially assist ASIO in obtaining intelligence in respect of a matter that is important in relation to security.

Under a new electronic surveillance Act, the review added that surveillance device powers should continue to be available for the purposes of integrity operations. But the use of tracking devices should be regulated separately from other electronic surveillance powers in a new electronic surveillance Act, it noted.

Under a new Act, ASIO's tracking device warrants should be subject to the same test as ASIO's other electronic surveillance warrants. The review also asked for another review once 5G rollouts are complete to determine whether access to network data has become functionally equivalent to using a tracking device.

A new electronic surveillance Act would require an issuing authority issue law enforcement warrants in writing wherever possible, and record keeping was highlighted as a must by the review.

Under its plan, the Attorney-General can approve variations to warrants while agencies themselves would be granted authority to make minor modifications to warrants.

The review said the development and testing framework that is presently contained in Part 2-4 of the TIA Act should be extended to enable the Attorney-General to authorise the testing and development of electronic surveillance and cyber capabilities, as part of a new electronic surveillance Act.

To summarise, the core definitions in a new electronic surveillance Act should: Provide clarity to agencies, oversight bodies, and the public about the scope of agencies' powers; ensure that there are no gaps in the types of information that agencies may intercept, access, or obtain under warrants and authorisations; and be capable of applying to new technologies over time.

A new electronic surveillance Act should not require carriers, carriage service providers, or other regulated companies to develop and maintain attribute-based interception capabilities, the review said, noting these companies should continue to be required to develop and maintain the capability to intercept communications sent and received by specified services and devices

Under a new electronic surveillance Act, the Attorney-General should be given the power to require a company to develop and maintain a specified attribute-based interception capability. If such a capability has been developed, agencies should be able to obtain attribute-based interception warrants in cases where it will be practicable for the warrant to be executed.

ASIO and law enforcement agencies should be permitted to use their own attribute-based interception capabilities, in conjunction with service providers, under warrant, the review said. 

Interception warrants issued under a new electronic surveillance Act should be capable of authorising the interception of communications by reference to one or more services or devices that the person -- or group -- who is the subject of the warrant uses, or is likely to use.

It would ideally also retain specific secrecy offences for the use and disclosure of, and other dealings with, information obtained by, and relating to, electronic surveillance and continue to prohibit the use and disclosure of, and other dealings with, information obtained as a result of unlawful surveillance activities.

Existing use and disclosure provisions in the SD Act and the TIA Act should be replaced with simple, principles-based rules that "maintain strict limitations on the use and disclosure of information obtained by electronic surveillance". It should also permit the use and disclosure of, and other dealings with, surveillance information for the purpose for which the information was originally and lawfully obtained.

The review added the new electronic surveillance Act should permit agencies to use, disclose, and otherwise deal with surveillance information for a defined range of secondary purposes, and require ASIO, law enforcement agencies, and Commonwealth, state, and territory agencies to destroy records of information obtained by electronic surveillance, as soon as reasonably practicable.

However, the review recommended that ASIO conduct under a new electronic surveillance Act should continue to be overseen by the IGIS and the Commonwealth Ombudsman should have oversight responsibility for the use of Commonwealth electronic surveillance powers by all agencies other than ASIO. The Ombudsman should oversee the compliance of all agencies, again excluding ASIO, with a new electronic surveillance Act.

LOCAL POWERS FOR ASIO

The review's report was broken down into four volumes totalling 1,317 pages, making 203 recommendations that affect the nation's intelligence community and its operations.

Among the recommendations was giving ASIO the ability to seek a warrant for the collection of intelligence on an Australian, providing they're acting on behalf of a foreign power.

This would require, if the request for repeals is not adopted, amendments to the TIA Act and the ASIO Act to enable the Director-General of Security, on a request from the Foreign Minister or Defence Minister, to seek a warrant from the Attorney-General for the collection of foreign intelligence on an Australian person who is acting for, or on behalf of, a foreign power.

Currently, the ASIO Act does not apply an Australian/non-Australian distinction for ASIO's security intelligence activities. It does, however, restrict ASIO's ability to obtain foreign intelligence on Australians.

"Preventing some forms of collection when the Australian target is onshore, but enabling it when the target is offshore, seems a disproportionate restriction that costs Australia a significant intelligence dividend," the review noted.

Those preparing the review claimed this restriction has cost Australia valuable intelligence where an Australian is acting for, or on behalf of, a foreign power, and that it would continue to do so unless the rules are changed.

Delivered earlier this week was the Advisory Report on the Australian Security Intelligence Organisation Amendment Bill 2020, which was prepared by the Parliamentary Joint Committee on Intelligence and Security (PJCIS).

The PJCIS report [PDF] made eight recommendations, with the last being for the Bill to be passed by Parliament, following the implementation of the previous seven requests it made, which included prohibiting ASIO from using a tracking device without an internal authorisation.

RELATED COVERAGE