Submission No. 12 - Financial Services Consumer Policy Centre


Parliamentary Joint Committee on the Australian Security Intelligence Organisation

Review of the Australian Security Intelligence Organization Legislation Amendment Bill 1999
Submissions

Submission No. 12 - Financial Services Consumer Policy Centre

Financial Services Consumer

Policy Centre

Submission to the Parliamentary Joint Committee on ASIO

Inquiry re ASIO Legislation Amendment Bill 1999

April 1999

Chris Connolly
Director

Financial Services Consumer Policy Centre

Unit 508
410 Elizabeth Street
Surry Hills NSW 2010
t. (02) 9281 4164
f. (02) 9281 4574
director@fscpc.org.au

http://www.fscpc.org.au

Introduction

The Centre welcomes the opportunity to comment on the ASIO Legislation Amendment Bill 1999. We note the importance of this rare opportunity to discuss the role of ASIO and the regulations governing it. We also note the dramatic extension of ASIO's powers proposed in the Bill, and call on the Committee to extend the period for consideration of this legislation.

The Centre's submission is made in the following context:

Chris Connolly, the Director of the Centre, is the consumer representative (as a nominee of the Consumers' Federation of Australia) on the AUSTRAC Privacy Advisory Committee. The Centre therefore has an interest in the impact of the new ASIO powers on AUSTRAC.

Chris Connolly is also the Coordinator of the Campaign for Fair Privacy Laws, and endeavours to represent the public interest on a wide range of privacy issues, including general law enforcement issues.

This submission argues that the proposed new powers for ASIO under the ASIO Legislation Amendment Bill 1999 are not justified, are not subject to sufficient oversight and control, and will have an adverse impact on privacy. This submission also argues that the Bill will significantly undermine the work of AUSTRAC and the Australian Taxation Office.

It should be noted that Mr Connolly has been provided with a draft of the Memorandum of Understanding between ASIO and AUSTRAC, and a draft of the Memorandum of Understanding between the Inspector General of Intelligence and Security and AUSTRAC.

These documents are dated 10 February 1999. They have been provided to Mr Connolly in his capacity as a member of the AUSTRAC Privacy Advisory Committee. They are marked "in confidence" and AUSTRAC has granted permission for Mr Connolly to refer to them in this submission.

Those parts of the submission which discuss the content of the MOUs are therefore marked confidential until further advice is received about the status of the MOUs.

Mr Connolly has made himself available to the Committee to answer questions about matters raised in this submission.

Purpose of the Bill

ASIO's current functions are limited by the ASIO Act 1979 to the gathering and communication of intelligence relevant to security (Section 17). Security is defined as protection from:

  • espionage
  • sabotage
  • politically motivated violence
  • promotion of communal violence
  • attacks on Australia's defence system
  • acts of foreign interference

Importantly, there are two Sections in the ASIO Act 1979, designed to ensure that ASIO operates strictly within the ambit of the above functions:

Section 17A states that "This Act shall not limit the right of persons to engage in lawful advocacy, protest or dissent and the exercise of that right shall not, by itself, be regarded as prejudicial to security, and the functions of the Organisation shall be construed accordingly".

Section 20 states that "The Director general shall take all reasonable steps to ensure that:

a) the work of the Organisation is limited to what is necessary for the purposes of the discharge of its functions; and

b) the Organisation is kept free from any influence or considerations not relevant to its functions and nothing is done that might lend colour to any suggestion that it is concerned to further or protect the interests of any particular section of the community, or with any matters other than the discharge of its functions."

We can see from the combination of the definition of security and these two "warning" sections that the functions of ASIO are to be interpreted in the narrowest possible sense, and that it was the intention of the original legislators that ASIO should have the least possible impact on the normal processes of advocacy and dissent.

The Attorney General seeks to assure the community, in his Second reading Speech, that the Bill "will not extend ASIO's functions but simply enable the Organisation to meet its statutory responsibilities in more efficient and effective ways."

Having considered the contents of the Bill, and having perused some of the Memorandums of Understanding drawn up to implement the Bill, we can only assume that the Attorney General was talking about a different piece of legislation.

In contrast to the words of the Attorney General, our reading of the Bill and related documents finds that it delivers far more to ASIO than a mere "updating" exercise could or should deliver.

In this submission we consider these substantial changes to ASIO's functions and powers:

    1. The ability to obtain warrants under a new, less stringent test
    2. The ability to access and copy any computer data
    3. The ability to alter some computer data
    4. The ability to gain access (without a warrant) to AUSTRAC records
    5. The ability to gain bulk access (without a warrant) to AUSTRAC records
    6. The ability to undertake bulk "data matching" exercises with AUSTRAC records
    7. The ability to gain access (without a warrant) to Tax records
    8. The ability to gain bulk access (without a warrant) to Tax records
    9. The ability to undertake bulk "data matching" exercises with Tax records

The reality is that this Bill represents a major overhaul and extension of ASIO's functions and powers, coupled with a reduction in the controls over the operation of ASIO. This is not justified. There is no external pressure for ASIO's role to expand. Technology may have changed, but technology itself does not 'create' any new threats, and overall the number of threats to Australia's security have diminished.

We now turn to discuss each of the matters outlined above in more detail.

1. The ability to obtain warrants under a new, less stringent test

The new Section 25(2) proposed in the Bill replaces the existing test for warrants with a new test.

The old relevant section - 25 (1) reads:

"Where, upon receipt by the Minister of a request the Minister is satisfied that there are reasonable grounds for believing that there are in any premises any records or other things without access to which by the Organisation the collection of intelligence by the Organisation in accordance with this Act in respect of a matter that is important in relation to security would be seriously impaired, the Minister may(issue a warrant)"

This means that the test is only satisfied where all of the following elements coexist:

There are reasonable grounds for believing that:

    1. Certain material exists on the premises;
    2. ASIO requires access to that material;
    3. The collection of intelligence by ASIO would be "seriously impaired" without access to that material; and
    4. The above collection of intelligence is "important in relation to security"

The proposed Bill replaces this section with the new Section 25 (2):

"The Minister is only to issue the warrant if he or she is satisfied that there are reasonable grounds for believing that access by the organisation to records or other things on particular premises will substantially assist the collection of intelligence in accordance with this Act in respect of a matter that is important in relation to security."

This new Section completely changes the nature of the test for warrants. The old test required an 'obstacle' to be in the way of ASIO. That is, their collection of intelligence on a serious matter would be "seriously impaired" by not obtaining the information sought. The new test simply requires some marginal benefit for ASIO if they had the information - their collection would be "substantially assisted".

There is a great deal of difference between the two tests. It is a significant lowering of the barrier to ASIO obtaining warrants. One would therefore expect to see extensive reference to this new Section in the Explanatory Memorandum and/or the Second Reading Speech.

However, the Explanatory Memorandum only makes a cursory reference to this Section, stating that "Subsection 25(2) simplifies the description of matters about which the Minister must be satisfied before he or she issues a warrant."

The Second Reading Speech simply states "these amendments clarify the requirements for the issue of a search warrant".

The effect of these two statements is to suggest that the amendment only changes or clarifies the description of the test for warrants, and makes no change to the test itself.

This can only be explained as either a mistake, or a disguise (intentional or otherwise) of the true nature of the amendment.

If we accept the former explanation, then it is clear that the Minister intends the amendment to clarify only the description of the original test. Perhaps the original test is worded a little clumsily. A plain English amendment might prove useful, but the basic requirement of "seriously impaired" must be retained.

If we accept the latter explanation, then the amendment should be rejected outright. No evidence has been presented to justify a lessening of the test. The significant change to the test has been disguised (whether intentionally or not) by the very Minister responsible for issuing warrants subject to the test. The Explanatory Memorandum makes no mention of the change. The test drawn up by the original legislators should remain intact.

Recommendation:

Either amend the original Section 25(1) so that it reads more clearly, but retains its original meaning; or justify and explain the reasons for lowering the test for warrants.

2. The ability to access and copy any computer data

As we enter into the age of the "information economy", great care must be taken to balance the rights of individual users of computers and electronic communication, and the needs of security agencies.

An amendment to the ASIO Act which is described as "minor" is not an appropriate forum to discuss, or decide, that balance.

Australia is yet to outline clearly articulated policies and guidance on the use, development, import and export of cryptography. No forum has considered the complete social and economic ramifications of either restricting the availability of cryptography, or providing security agencies with the ability to access cryptographic keys.

Yet the Government, in this Bill, appears to make a unilateral decision to allow ASIO to take the necessary steps to access cryptographic keys by allowing them to hack computers, and copy or alter data, in order to crack security systems. This is not the forum to either discuss the technical feasibility of such a proposal, or to decide that the balance should be so heavily weighted against the user.

Recommendation:

Defer consideration of ASIO's ability to remotely access computer data, and other powers which may impinge on new forms of electronic communication, for consideration by a more appropriate forum.

3. The ability to alter some computer data

The ability of ASIO to alter computer data without further restriction is completely unnecessary. The provision that ASIO may do "any thing reasonably necessary to conceal the fact that any thing has been done under the warrant" (Section 25 (5c)) gives ASIO the power to do whatever is necessary (including presumably to alter data) to "cover their tracks".

No other alteration of data by ASIO can be justified on any grounds.

The 'protection' of Section 25 (6) is a diversion. Whether the alteration interferes with other persons 'lawfully' using the computer is irrelevant. The restriction should simply be that ASIO cannot alter data except where it is absolutely necessary to conceal their presence.

Recommendation:

The ability to "add, delete or alter" computer data should be removed from Section 25 (5a).

4. The ability to gain access (without a warrant) to AUSTRAC records

We are completely opposed to ASIO being granted any access to AUSTRAC information beyond that which they might obtain by current means (ie. where there is a joint investigation with an existing user such as the Australian Federal Police).

ASIO has a particular role and a particular image within the Australian intelligence community. Its focus is (correctly) on gathering intelligence relating to potential risks to national security. It does not have a role in the investigation of money laundering or tax evasion. The information which is collected under the Financial Transactions Reporting Act must be considered, at best, incidental to the purposes for which ASIO was established.

ASIO's image in the general community is that of a ';spy agency' interested in terrorism, treason and espionage. The inclusion of ASIO in the list of users of FTR information will have to be conveyed to consumers in pamphlets in bank branches, posters etc. This will dramatically change the nature and perception of the FTR Act and the work of AUSTRAC. A certain stigma will attach to the work of AUSTRAC, and those responsible for collecting information under the FTR Act. It will be difficult for AUSTRAC to retain its current image of being focused on money laundering and tax evasion.

Further access by ASIO to AUSTRAC records is completely unjustified. Potentially all the previous work that has been done on promoting awareness of AUSTRAC's role and the assorted privacy issues and protections will be undone by this amendment.

AUSTRAC will lose the support of the privacy and consumer movement, if they simply become a de facto collection agency for ASIO.

The proposed Bill is pathetically quiet on what protections are available should ASIO abuse its right to access AUSTRAC information, and contains no restrictions on the scope or procedure for ASIO to access AUSTRAC information.

These protections are left to a Memorandum of Understanding between ASIO and AUSTRAC and a Memorandum of Understanding between the IGIS and AUSTRAC. You will see below that these MOUs provide absolutely no protections and we have no confidence at all in this arrangement.

The protections and restrictions should appear in legislation.

This proposal can correctly be categorised as 'function creep' - the situation where activities which are prima facie privacy intrusive are allowed to proceed after careful consideration and public debate, often with restrictions (such as the development of the FTR Act), but which later become subject to gradual extension without similar debate or restrictions. I believe that if ASIO had been openly proposed as a user of AUSTRAC information at the time the FTR Act was introduced, the debate may have been very different.

It must be remembered that the activities of AUSTRAC are privacy intrusive, and are tolerated because the public agrees that money laundering and tax evasion are serious problems, and because the public are assured that that the information is collected and used in an appropriate way for the elimination of money laundering and tax evasion. The public should not be expected to tolerate any use of AUSTRAC information outside those parameters.

ASIO must prove that the benefits of their access to AUSTRAC information outweigh the risks. Firstly they must prove that AUSTRAC information would lead to the successful detection and prosecution of those who pose a risk to national security. Secondly, they must prove that similar results could not possibly be achieved by traditional investigative methods or, indeed, through a joint investigation with an existing user.

The Memorandum of Understanding between ASIO and AUSTRAC is deficient in a number of respects.

In any case, the memorandum of Understanding is completely unsatisfactory as a regulatory tool. It is not a document that is available to the public. It can change at any time on the whim of only one party. It can be removed at any time without notice. It is not the subject of any regulatory oversight.

Recommendation:

ASIO should not have access to AUSTRAC records. They should continue to access AUSTRAC records on an 'as needed' basis through joint investigations with existing users such as the Australian Federal Police.

If ASIO is granted further access to AUSTRAC records, this access should be governed by a series of restrictions and procedures appearing in legislation - not in a Memorandum of Understanding.

5. The ability to gain bulk access (without a warrant) to AUSTRAC records

The Memorandum of Understanding anticipates, and allows, situations where the provision of AUSTRAC information in "bulk" can be made to ASIO.

If ASIO are to have access to AUSTRAC records, restrictions must be placed on the type and scope of this access. They should only be able to make individual searches with a specific intent. Fishing trips should not be allowed. The MOU is an ineffective tool in providing these restrictions - in its current form it allows virtually unrestricted access, including bulk access.

Recommendation:

If ASIO is granted access to AUSTRAC records, the legislation should specifically prohibit bulk access by ASIO to AUSTRAC records.

6. The ability to undertake bulk "data matching" exercises with AUSTRAC records

The Memorandum of Understanding anticipates, and allows, situations where data matching exercises can be carried out between ASIO and AUSTRAC.

Data matching between ASIO records and AUSTRAC records should be completely prohibited. If ASIO are to have access to AUSTRAC records at all, restrictions must be placed on the type and scope of this access. They should only be able to make individual searches with a specific intent. Fishing trips through wide data matching programs should not be allowed. The MOU is an ineffective tool in providing these restrictions - in its current form it allows virtually unrestricted access, including data matching.

Recommendation:

If ASIO is granted access to AUSTRAC records, the legislation should specifically prohibit bulk data matching between AUSTRAC records and ASIO records.

7. The ability to gain access (without a warrant) to Tax records

The amendments to the Taxation Administration Act proposed in the Bill are similar to those discussed above in relation to AUSTRAC.

In this case, however, we have not had discussions with the Australian Taxation Office or access to copies of the relevant Memorandums of Understanding. In these circumstances we simply repeat our concerns as outlined above, exchanging tax records for AUSTRAC records.

Tax records are similarly irrelevant to the purposes of ASIO. They are also accessible through joint investigations with other law enforcement agencies.

There is no justification for further access to tax records.

We call on the Committee to provide copies of the relevant MOUs or other regulations guiding ASIO access to tax records.

Recommendation:

ASIO should not have access to tax records. They should continue to access tax records on an 'as needed' basis through joint investigations with appropriate government agencies.

If ASIO is granted further access to tax records, this access should be governed by a series of restrictions and procedures appearing in legislation - not in a Memorandum of Understanding.

8. The ability to gain bulk access (without a warrant) to Tax records

We presume that a similar power to gain bulk access to tax records is anticipated or allowed in the relevant Memorandum of Understanding. This should be prohibited.

Recommendation:

If ASIO is granted access to tax records, the legislation should specifically prohibit bulk access by ASIO to tax records.

9. The ability to undertake bulk "data matching" exercises with Tax records

We presume that a similar power to allow data matching between tax records and ASIO records is anticipated or allowed in the relevant Memorandum of Understanding. This should be prohibited.

Recommendation:

If ASIO is granted access to tax records, the legislation should specifically prohibit bulk data matching between tax records and ASIO records.

Appendix About the Centre

The Financial Services Consumer Policy Centre is a non-profit consumer research and advocacy organisation. We are a national body with an office in Sydney.

The Centre's mission statement is:

"The Centre will become an ongoing organisation conducting policy research and advocacy on national issues affecting low income and disadvantaged consumers of financial services."

The Centre was established by the Financial Services Network as an Incorporated Association in early 1998. The Centre's initial funding comes from a grant from the National Consumer Trust Fund. We conduct projects which are relevant to the needs of low income and disadvantaged consumers, and which have the potential to help produce pro-consumer changes in the financial marketplace.

The Centre's focus is on access issues and the affordability of financial services for low income and disadvantaged consumers, including research on:

  • Unfair and anti-competitive fees and charges;
  • The relationship between the social security system and financial services;
  • Superannuation choice of fund;
  • Best practice in the provision of insurance products;
  • Migrants and banking; and
  • Consumer protection in electronic commerce.

The Centre's Management Committee is made up of nominees of existing consumer and community organisations:

Michael Funston, Nominee of Consumer Credit Legal Centre (NSW)
Vicky Geraghty, Nominee of ACOSS
Fiona Guthrie, Nominee of Consumers' Federation of Australia
Jane Hutchison, Nominee of AFCCRA
Su Mahalingham, Nominee of Consumer Credit Legal Service (WA)
Daniel Coyne, Nominee of Australian Consumers' Association
Russell Mitchell, Nominee of Consumer Credit legal Service (VIC)

Financial Services Consumer Policy Centre

Suite 508
410 Elizabeth street
Surry Hills NSW 2010

Tel (02) 9281 4164
Fax (02) 9281 4574
Mobile 0414 938 942
director@fscpc.org.au

http://www.fscpc.org.au

A copy of this submission is also available from the Committee Secretariat.