The scrutiny of actions taken by cops and spooks under Australia’s controversial encryption laws should be just as close as that of actions under previous laws, according to the Independent National Security Legislation Monitor (INSLM), Dr James Renwick.
But he hosed down concerns that the use of these new powers had resulted in mass surveillance.
INSLM is conducting an inquiry into the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, generally known as the TOLA Act, or when it was still being considered by parliament, the AA Bill.
Renwick gave clear indications that he would explore this issue in some detail as he opened two days of public hearings in Canberra on Thursday.
“Intrusive surveillance powers, by all means conferred by law and with clear threshold and safeguards, which already apply in the physical world, should in principle apply in the analogous virtual world unless there are good reasons to the contrary,” he said.
“I’m tending to the view that because so much data and content which we don’t know about is contained on our mobile phones and computers, not least because it’s generated by DCPs [designated communications providers] as they seek to monetise our personal information, there should be at least as great scrutiny and safeguards as there were pre-TOLA before for such information is made usable under TOLA.”
Agencies need to obtain a warrant under the Telecommunications (Interception and Access) Act 1979 to begin the process of accessing communications. But currently, they can gain assistance from a DCP under TOLA with the approval of their own agency head.
INSML sees no signs of ‘mass surveillance’
Renwick has looked at the seven known uses of TOLA powers by law enforcement agencies, as well as the unknown number of uses by the Australian Security Intelligence Organisation (ASIO). ASIO gave him access to all documents, “no matter how secret”.
“Nothing I have seen to date suggests there’s been anything like the idea of ‘mass surveillance’ as a result of TOLA,” Renwick said.
“To the contrary, what I have seen to date suggests that TOLA has allowed for pre-existing intrusive powers to be used in a more targeted or limited — and therefore less intrusive — fashion against people who are not persons of interest, because the focus is on persons of interest. And that is an important change.”
Renwick also acknowledged the problems with the definitions of terms such as “systemic weakness”, and even “content” versus “metadata”, saying “there’s not necessarily a bright line” between the two.
“For the purposes of this morning, by content I mean texts, emails, phone calls and pictures,” he said.
“By metadata I mean such things as when an email was sent, the sender and recipients, their locations, how it was sent, how it was stored, and also what websites have been visited, what apps used, and so on”
He suggested that the TOLA Act should have examples of what does and doesn’t constitute a systemic weakness written into the Act itself, rather than have it hidden in regulations or other documents.
Renwick rejected the idea that the encryption debate comes down to a choice between two binary opposites, however.
He cited the comments by the “distinguished” Encryption Working Group (EWG) assembled by the Carnegie Endowment and Princeton University. EWG called for the debate to abandon two straw men.
“These are, first, that we should stop seeking approaches to enable access to encrypted information, but second, that law enforcement will be unable to protect the public unless it can obtain access to all — and I emphasise the word all — encrypted data through lawful process,” Renwick said.
As EWG wrote, “[These are] absolutist positions not actually held by serious participants, but sometimes used as caricatures of opponents.”
Independent “double lock” approval for decryptions?
Renwick suggested independent judicial oversight of the TOLA regime could be provided by a model similar to the UK’s.
The UK’s equivalent law is the Investigatory Powers Act 2016. To obtain access to encrypted communications under the Act, an application must be made to both the Secretary of State for Home Affairs and the independent Investigatory Powers Commissioner’s Office (IPCO).
Under what is known as the “double lock” system, both the Home Secretary and IPCO must give approval.
“Having spent time with both IPCO and security and police agencies in the UK, I can say it’s been very well received, not least because it has raised the level of trust,” Renwick said.
“My conversations … made it clear to me anyway, that IPCO was critical to the UK obtaining a CLOUD Act agreement from the United States. And it’s been said publicly that Australia also seeks such an agreement.”
Renwick suggested that a suitable external body might be the existing Administrative Appeals Tribunal (AAT).
“One possibility is that an application … could go for approval to the Security Division of the AAT, which is accustomed to dealing with highly sensitive or secret information,” he said.
There have been concerns, however, that the AAT might not give similar applications the same attention that would be provided by a judge.
The INSLM’s encryption laws inquiry is due to report by June 30. His analysis will feed into the ongoing review by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which is due to report by September 30.
The PJCIS is also due to report somewhat sooner, on the effectiveness of the mandatory telecommunications data retention regime, by April 30.
Disclosure: Stilgherrian wrote the Encryption Working Group’s country brief on Australia, for which he received an honorarium.