7.1
This chapter discusses the role of oversight organisations, oversight by the judiciary, as well as the reporting and transparency requirements set out in the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act) and considers recommendations regarding improvements to these arrangements.
Schedule 1: Industry assistance framework
7.2
As discussed in Chapter 4, Schedule 1 of the TOLA Act introduced an industry assistance framework, comprising technical assistance requests (TARs), technical assistance notices (TANs) and technical capability notices (TCNs). These powers are provided to both law enforcement and intelligence agencies, and are subject to various oversight responsibilities.
Overview of authorisation and oversight of TARs, TANs and TCNs
Technical assistance requests
7.3
TARs are voluntary assistance agreements made between heads of the Australian Security Intelligence Organisation (ASIO), the Australian Secret Intelligence Service (ASIS), the Australian Signals Directorate (ASD), Australian Federal Police (AFP), Australian Criminal Intelligence Commission (ACIC), or the Police Force of a State or the Northern Territory (defined as ‘interception agencies’) with designated communications providers (DCPs).
7.4
As TARs are voluntary assistance agreements made in consultation between one of the above agencies and a DCP, they are not subject to an external authorisation process.
7.5
The head of the Australian Security and Intelligence Agency (ASIO), Australian Secret Intelligence Service (ASIS) and the Australian Signals Directorate (ASD) must inform the Inspector-General of Intelligence and Security (IGIS) within seven day of issuance.
7.6
For other interception agencies such as Federal, State and Territory police, the Commonwealth Ombudsman must be informed seven days after issuance. State and Territory police may also disclose details of a TAR to a State or Territory inspecting body, where the disclosure to the inspecting body is in connection with the performance of its functions.
7.7
In addition, the TOLA Act requires the Home Affairs Minister to prepare an annual report to detail the number of TARs given by interception agencies during the applicable year financial year, which is made available to the public under the Telecommunications (Interception and Access) Act 1979 annual reporting mechanism.
7.8
ASIO, ASIS and ASD are not required to report publicly on the use of TARs. However, ASIO Act requires ASIO to report on the number of TARs issued in a given financial year in its classified annual report.
Technical assistance notices and technical capability notices
7.9
The Director-General of Security or the chief officer of an interception agency may issue a TAN to a designated communications provider. In the case of a TAN from a State or Territory police force, the AFP Commissioner must provide approval for the head of the State or Territory police force to issue the TAN.
7.10
Once a TAN has been issued, the Director-General of ASIO or the chief officer of an interception agency must advise their relevant oversight body within seven days.
7.11
ASD and ASIS are unable to issue TANs or TCNs.
7.12
TCNs are issued by the Attorney-General pursuant to a request from the Director-General Security or the chief officer of an interception agency. The Attorney-General must not give a TCN to a designated communications provider, unless the Attorney-General has given the Minister of Communications written notice of the proposal, and the Minister for Communications has approved the notice. The Department of Home Affairs has described the process as, effectively, a ‘triple-lock’ mechanism.
7.13
Like TARs above, the number of TANs and TCNs issued must be outlined in the Minister for Home Affairs’ annual report each financial year. Additionally, the ASIO Act requires ASIO to report on the number of TANs and TCNs issued in a given financial year in its annual report.
7.14
Neither TANs nor TCNs are subject to judicial authorisation or AAT authorisation prior to issuing.
Adequacy of authorisation process
7.15
A number of submitters to this inquiry, and the Committee’s previous inquiries, raised concerns about the level of authorisation required for the issuance of a TAR, TAN or TCN.
7.16
The Office of the Australian Information Commissioner recommended that the TOLA Act be amended to require independent judicial oversight of the issue of a TAN or TCN:
The OAIC notes that many stakeholders have continued to express concern that judicial authorisation is not required before issuing a TAR, TAN or TCN, as set out at Appendix A of the PJCIS report.
Law enforcement initiatives that impact on privacy require a commensurate increase in oversight, accountability and transparency, to strike an appropriate balance between any privacy intrusions and law enforcement and national security objectives. In order to build trust and confidence in the framework, and as previously submitted, we recommend that the Act be amended to introduce independent judicial oversight before a TAN or TCN is issued or varied. An application to a judge to issue or vary a TAN or TCN should be accompanied by a mandatory technical assessment.
7.17
Some submitters noted the requirement for assessors to consider TCNs, and Kaspersky suggested that the assessment requirement is limited in its utility:
Assessors, in the new subsection 317WA (7), must only ‘consider’ whether TCNs are reasonable and proportionate as well as whether compliance with the TCN is practicable and technically feasible, but assessors do not have the right either to approve or disapprove TCNs. This questions the real role of assessors and their opinions’ value in the consultation process. The TOLA provides ambiguous wording as to whether the assessment carried out under the consultation notice is binding or not – ‘if a copy of the assessment report has been given to the Attorney General, the Attorney General must have report considering whether to proceed in giving the notice’ (new subsection 317WA (11)).
7.18
In addition, Amazon expressed concern that once a notice is issued, it cannot be reviewed on its merits.
7.19
While the Independent National Security Legislation Monitor (INSLM) did not consider it necessary to amend the authorisation process associated with TARs, the INSLM considered at length the concerns of submitters in relation to TANs and TCNs:
Almost every non-Government submitter had strong concerns regarding, and objections to, the following aspects of TANs and TCNs:
the absence of independent authorisation for notices
the absence of independent technical assessment of proposed notices in relation to such matters as whether they met the statutory definitions of being ‘reasonable and proportionate’ or ‘technically feasible’, or would result in a ‘systemic weakness or systemic vulnerability’
whether those definitions, as well as the definition of ‘Designated Communications Providers’ (DCPs), should be amended.
7.20
The INSLM considered it inappropriate in Australia’s federal system that the AFP has a role in the approval of state and territory police issuing industry assistance notices. The INSLM recommended that these powers of the AFP be revoked. The Department of Home Affairs, the AFP and NSW Police supported the INSLM’s recommendation. The Law Council of Australia supported the implementation of the INSLM’s recommendation, contingent on the implementation of all of the INSLM’s recommendations relating to the industry assistance framework, and other matters identified by the Law Council.
7.21
While the definitional matters discussed by the INSLM are covered in Chapter 4, the INSLM’s finding on independent authorisation follows.
A proposed model for independent authorisation
7.22
The INSLM consulted with the Investigatory Powers Commissioner’s Office (IPCO) in the United Kingdom (UK) in considering the powers under the TOLA Act. A brief history of the introduction of the Investigatory Powers Act 2016 (UK) and the IPCO is contained in Chapter 3.
7.23
The INSLM recommended that TANs and TCNs should be issued independently of government with those authorising bodies having access to technical advice. Specifically, the INSLM recommended the establishment of an Investigatory Powers Division (IPD) within the Administrative Appeals Tribunal (AAT) who would be empowered to hear applications for TANs and TCNs, based on the existing security division.
7.24
In addition, the INSLM recommended the establishment of a new statutory office, the Australian Investigatory Powers Commissioner (IPC), who could be appointed as a Deputy President within the AAT, and be assisted by technical advisers.
7.25
The rationale for appending the function onto the existing AAT mechanism recognises that, although it is likely that TANs and TCNs will be issued in the future, the INSLM does not consider it reasonable to establish an entirely new body solely for the purpose of overseeing the TOLA Act. In addition, in making the recommendation, the INSLM notes that it is necessary for DCPs to protect their intellectual property, and for agencies to keep operational objectives secret.
7.26
The INSLM considered whether it was appropriate for decisions to be made persona designata, and concluded that decisions should be contestable, and decision-makers should be given the time to build up knowledge and expertise in technology related applications, and therefore decisions should not be made under the persona designata function:
… a key part of the success of the UK IPCO is that the IPC and the judicial commissioners become very familiar with the work and the technology used by the agencies seeking the issue of intrusive warrants and bring that knowledge to bear in considering subsequent applications, ensuring both insight and efficiency. The operation of the persona designata function can mean that the eligible judge or tribunal member never exercises the same function twice and cannot build up experience and knowledge.
7.27
The INSLM noted that a number of submissions into the review were concerned with the absence of a requirement to seek an independent technical assessment of TANs to determine if they were reasonable, proportionate and technically feasible or if they would result in a systemic weakness or vulnerability. The INSLM recommended that the legislation be amended to require that independent technical advice should be available for both TANs and TCNs.
7.28
In addition, the INSLM suggested that the members of the proposed IPD be assisted by a technical advisory panel drawn from Government, industry and academia covering a range of scientific and technical disciplines and that industry should be consulted in their appointment. The INSLM considered that this would strengthen the existing ‘assessor’ requirement for TCNs.
7.29
While the INSLM noted that the Attorney-General considers applications for the exercise of ASIO powers, applications made by ASIO could still be approved by the Attorney-General prior to being heard by the proposed IPD within the AAT – a process currently proposed by the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (‘IPO Bill’) under consideration by the Committee.
7.30
The Law Council of Australia (hereafter referred to as the ‘Law Council’) supported a process that would allow applications for TANs and TCNs to be authorised independently of the requesting agency, but noted that authorisation by a court was still preferable to an AAT model, given that a judicial officer exercising a power persona designata was constitutionally bound to act in a just and fair manner with judicial detachment.
7.31
Notwithstanding the proposal for a nominated member of the AAT to issue international production orders to ASIO via a double-lock mechanism in the IPO Bill, the Department of Home Affairs said that the AAT may not be the appropriate body to undertake the function:
As a primary decision-making exercise, the approval of technical assistance notices and technical capability notices would be a significant departure from the merits review function performed by the AAT. A similar function is not conferred on AAT members in their official capacity by any other piece of legislation. Therefore, the proposed Investigatory Powers Division would operate differently to any other AAT division and may require significant legislative amendments to the Australian Administrative Appeals Tribunal Act 1975, including modifying the basic objectives of the AAT and creating an entirely new function for the AAT.
Adequacy of oversight and reporting mechanisms
7.32
The Commonwealth Ombudsman has oversight of the use of TARs, TANs and TCNs by interception agencies – including state and territory police forces. Interception agencies have an active obligation to provide notification on the issuing, varying, revoking or extending the notice to the Commonwealth Ombudsman. In addition, the Commonwealth Ombudsman may inspect the records of interception agencies to determine the extent of compliance with TOLA Act requirements and provide a report to the Minister for Home Affairs.
7.33
The INSLM’s report noted that a number of stakeholders raised concerns with the ability of the Minister for Home Affairs to delete information in a report where it could reasonably be expected to prejudice an investigation or compromise operation activities. The INSLM also noted that the Commonwealth Ombudsman explicitly recommended that section be repealed, and concluded that this should occur.
7.34
Additionally, the Commonwealth Ombudsman may disclose information about a TAN or TCN with a State or Territory integrity body in the performance of its functions. The Law Council suggested that this power be expanded to allow for the Commonwealth Ombudsman to communicate more freely with integrity bodies for the purpose of facilitating a national approach to oversight of the powers:
Further, the permitted disclosure provisions applying to the Commonwealth Ombudsman only appear to allow the disclosure of information about a TAR or a TAN to the State or Territory oversight body that has responsibility for oversight of the particular State or Territory law enforcement agency that issued the TAR or TAN. This does not provide a clear basis for the Commonwealth Ombudsman to undertake broader information-sharing with its State and Territory counterparts, about TARs and TANs issued by other State or Territory law enforcement bodies, for the purpose of facilitating national consistency in the approach to the oversight of TARs or TANs that are directed to the same or similar subject-matter.
7.35
Further the INSLM noted the evidence of the Law Enforcement Conduct Commission (LECC) which said that while there were legislative avenues for the LECC to cooperate with the NSW Ombudsman, there was not a provision to allow for broader cooperation in the Telecommunications Act 1997. The INSLM considered there was an opportunity to amend s317ZRB of the Telecommunications Act 1997 to allow for the Commonwealth Ombudsman to undertake joint investigations with a State Ombudsman or Independent Commission Against Corruption oversight bodies like Inspectors-General.
7.36
The Inspector-General of Security (IGIS) has broad oversight of the use of Schedule 1 powers by ASIO, ASIS, and ASD and said that many concerns regarding Schedule 1 powers were addressed by amendments made in December 2018.
7.37
The 2017 Independent Intelligence Review recommended that the ACIC, along with the intelligence functions of the AFP and the ABF – noting that the ABF forms part of the Department of Home Affairs – be subject to oversight by the IGIS and the PJCIS. The Richardson Review recommended that the IGIS have oversight of the ACIC, as well as AUSTRAC, and a Bill to give effect to this recommendation was introduced to on 9 December 2020. The Richardson Review did not consider that the IGIS should have oversight of the intelligence functions of the Department of Home Affairs or the AFP. The reason for this conclusion largely rested on the perceived adequacy of existing oversight functions:
The IGIS does not have oversight of any department of state. Also, the intelligence function in Home Affairs is not encapsulated in a semi-autonomous agency such as DIO. Rather, it is simply another division in a wider department. Home Affairs has existing and effective oversight mechanisms for a department of state. We question the value of adding more oversight.
The AFP is a law enforcement agency, not an intelligence agency. To the extent that the AFP engages in intelligence collection activities, it does so in support of its policing functions. Its intelligence function is integrated across the organisation rather than being a stand-alone unit. Extending the IGIS’ oversight to the AFP’s ‘intelligence functions’ would be challenging, to say the least, given the dispersed nature of that function across the organisation.
7.38
The Richardson Review also noted that the IGIS and the Commonwealth Ombudsman have tools available to de-conflict, and that they have expressed their commitment to coordination. Further, the Richardson Review notes that the Commonwealth Ombudsman expressed that ‘some overlap of oversight bodies responsibilities can be useful to ensure that no gaps arise in coverage.’
7.39
In making the recommendation regarding the establishment of the IPD within the AAT, the INSLM also recommended that the Deputy President of the AAT that heads the IPD should also be a statutory office holder in the role of an IPC, as mentioned above. The INSLM considered that the IPC would be responsible for activities such as:
monitoring the operation of Schedule 1 of the TOLA Act, including sharing information with relevant oversight bodies;
participating in the appointment of technical and legal decision-makers who can assist in the IPC’s monitoring role;
developing a prescribed form for TARs, TANs and TCNs and issuing guidelines;
in consultation with the AAT president, issuing practice notes for the IPD; and
receive reports from agencies on:
the number of industry assistance orders taken each year; and
the number of requests made of carriers of carriage service providers under the Telecommunications Act 1997.
7.40
As mentioned above, agencies accessing TARs, TANs and TCNs are subject to a variety of oversight and reporting mechanisms. For interception agencies, annual reporting requirements are set out in the Telecommunications Act 1997. Additionally, ASIO’s annual reporting requirements are set out in the ASIO Act.
7.41
However, several submitters to the inquiry suggested increasing reporting requirements. Internet Australia noted that the written report required to be published each year was not required to include details on the matters TARs, TANs or TCNs were produced for, and were only required to include numbers sought.
7.42
Access Now said that more extensive statistics should be published each year on the use of TARs, TANs and TCNs:
All uses of TARs, TANs, and TCNs should be tracked and outcomes should be regularly reported. Statistics regarding the judicial approval, denial, or request for modification of TARs, TANs, and TCNs should be published at least semi-annually, along with identification of authorities seeking to invoke the authorities and the specific objectives being pursued that constitute legitimate government aims.
7.43
Internet Australia noted that while DCPs were granted the ability to produce transparency reports, it is a voluntary requirement, and thus cannot be used to ‘build a picture of the extent of the use of the powers’.
7.44
In addition, Internet Australia submitted to the INSLM’s review that transparency reports were not permitted to include the types of matters that requests or notices were submitted for, but rather, were only able to include basic statistics.
7.45
The TOLA Act provides discretionary powers to the Attorney-General, the Director-General of Security and the chief officers of interception agencies to grant requests by DCPs to authorise disclosures. The Law Council recommended that this provision be amended to require that a request for disclosure must be authorised unless there are reasons the disclosure should not occur:
… the Law Council supports the proposed amendment that section 317ZF be amended so that a request for disclosure must be authorised unless it would prejudice an investigation, a prosecution or national security, or unless there are operational reasons for the disclosure not being made.
7.46
Noting the prohibitions on disclosure for activities undertaken under Schedule 1 of the TOLA Act, the Law Council recommended that disclosure of TAR, TAN or TCN information to the Office of the Australian Information Commissioner (OAIC) and the Australian Commission for Law Enforcement Integrity (ACLEI) should form part of the authorised disclosure provisions. Further, the Law Council recommended that a defence to the unauthorised disclosure of information provisions should be included when made in accordance with the Public Interest Disclosure Act 2013 and the Freedom of Information Act 1982:
It is important the legislation provides explicit confirmation that it is lawful and appropriate for public officials to make disclosures in accordance with the PID Act and FOI Act; and for DCPs and DCPs and public officials to make disclosures to the OAIC and ACLEI; and for the OAIC and ACLEI to make subsequent disclosures for the purpose of performing their functions.
The absence of explicit provisions to this effect may create legal uncertainty or complexity. Irrespective of the ultimate, technical legal construction of how the different sets of provisions interact, the mere existence of uncertainty due to the absence of a clear pathway for disclosure on the face of the Telecommunications Act, could create a disincentive to people coming forward to OAIC or ACLEI, or making public interest disclosures under the PID Act (as applicable).
Schedule 2: Computer access warrants
7.47
As discussed in Chapter 5, Schedule 2 of the TOLA Act provided ASIO and law enforcement agencies with the ability to apply for computer access warrants. For ASIO, a computer access warrant is issued by the Attorney-General and for law enforcement agencies the warrant is authorised by an eligible judge or a member of the AAT.
7.48
In addition, a computer access warrant allows for activities to be undertaken to conceal the execution of a warrant and to intercept data for the purpose of facilitating the execution of a computer access warrant without seeking additional authorisation. Committee deliberation on the appropriateness of this ability is contained in Chapter 5.
7.49
Where law enforcement agencies are granted a computer access warrant the chief officer of the relevant law enforcement agency must report to the Minister as soon as possible following the cessation of the warrant to state whether the warrant or authorisation was executed, and if so, give details regarding the execution of the warrant. Law enforcement agencies must include details regarding the number of arrests and prosecutions resulting from the use of computer access warrants, and the number of time in which the safe recovery of a child was assisted by information obtained by a computer access warrant.
7.50
The Commonwealth Ombudsman has the ability to inspect records relating to computer access warrants, and cooperate with state inspection bodies in relation to their own investigations. Law enforcement agencies must report to the Commonwealth Ombudsman on activities taken in respect of concealment of access under a computer access warrant. The Commonwealth Ombudsman said that it has been in discussions with the Department of Home Affairs and the Attorney-General’s Department about funding for oversight of powers exercised under the TOLA Act:
These funding discussions have been premised on my Office monitoring use of the industry assistance powers by the AFP, the Australian Criminal Intelligence Commission, the Australian Commission for Law Enforcement Integrity and each of the state and territory police forces. If the Government were to implement the INSLM's recommendation to extend the industry assistance powers to state and territory anti-corruption bodies (recommendation 1), my Office may need to seek appropriate funding to ensure it has capacity to also monitor those agencies.
7.51
The IGIS retains oversight of ASIO’s functions including the processes in place for seeking computer access warrants. The IGIS does not have oversight of the decision-making process of the Attorney-General, however.
7.52
For computer access warrants sought by ASIO, a report must be provided to the Attorney-General on the usefulness of the warrant in assisting ASIO to carry out its functions and details of anything done to:
intercept communications or
with details of anything that materially interfered with, interrupted or obstructed the lawful use of technology by other persons.
7.53
The IGIS said that including a reporting requirement for all instances of temporary removals of computers and other things would assist in oversight requirements:
IGIS continues to support the inclusion of a reporting requirement for all instances of temporary removals of computers or other things from warrant premises under computer access warrants. The absence of such a requirement will make oversight complex and inefficient:
It will be very difficult to determine whether a temporary removal caused material interference with the lawful use of a computer. Arguably, given the centrality of computers in lawful, routine personal and business activities, any temporary deprivation may be likely to cause a material interference with lawful use.
The absence of a specific reporting requirement for all removals may also mean that suitably detailed records may not be made (or may not be made consistently) of the reasons for, and duration of, each removal.
7.54
In addition, any activities undertaken by ASIO to conceal access to a computer post-cessation of the warrant must be reported to the Attorney-General, including what was done, and the usefulness of the actions to the operations of ASIO.
7.55
While ASIO is not required to publish information publicly about its use of the computer access warrant mechanism in Schedule 2, law enforcement agencies are required to report annually on the use of the warrant regime. Neither law enforcement, nor ASIO are required to report on the use of assistance orders provided for by Schedule 2.
Schedule 3 and Schedule 4: Crimes Act warrants and assistance orders
7.56
As mentioned in Chapter 5, Schedule 3 and Schedule 4 of the TOLA Act amends search warrant provisions under the Crimes Act 1914 and the Customs Act 1901, and introduces assistance orders to the Customs Act 1901.
7.57
The AFP or the Australian Border Force (ABF) applies to a magistrate or a ‘justice of the peace or other person employed in a court of a State or Territory who is authorised to issue search warrants’. For assistance orders sought under the Crimes Act 1914 and the Customs Act 1901 an application may be made to a magistrate. In relation to these powers, the INSLM concluded that there was no requirement to alter how these warrants are issued.
7.58
Statistical reporting on the use of the specific powers granted by Schedule 3 and Schedule 4 is not required as the amendments form part of already existing powers. Additionally, the legislation does not require the AFP or the ABF to retain records of the number of assistance orders issued in a given timeframe.
7.59
The INSLM suggested that the AFP and the ABF should keep a record of the number of assistance orders that are executed, but that there is no need for any record or report on the number of assistance orders obtained but not executed. The INSLM also suggested that should the IPC recommendation be implemented, that these reports should be made to the IPC.
7.60
The Law Council largely supported this position, but added that agencies should be required to maintain records to ensure that oversight bodies – like the Commonwealth Ombudsman – could conduct oversight activities as required. The Law Council considered this could include ‘oversight of agencies’ decision-making about whether to seek an assistance order and the terms of that order, and whether to execute it’.
7.61
Though penalties for failure to comply with an assistance order were increased by the TOLA Act, the INSLM noted there was little statistical evidence to allow for consideration of the appropriateness of the penalty and was ultimately unable to reach a conclusion of the reasonableness and proportionality of the provisions:
I requested information on the number of criminal prosecutions, and ultimately convictions, for these offences and the sentences imposed in respect of those convictions; and also to seek agencies’ views as to what effect (if any) the increase in the penalty for failing to comply with an assistance order has had on those metrics.
The information I received was inconclusive. The absolute number of prosecutions and convictions for breach of these offences is low. For instance, the CDPP response notes 63 charges in respect of the AFP’s assistance order provision in the 17-year pre-TOLA period, 37 of which were discontinued, and ultimately 23 convictions. The CDPP reports that 9 of those convicted were sentenced to imprisonment, 4 were sentenced to a recognisance release order, 9 were given a fine and 1 was a juvenile.
During that same 17-year pre-TOLA period, in respect of the ABF’s assistance order provision, the CDPP report notes there were 8 charges for failure to comply with an ABF assistance order, 6 of which were discontinued, 2 of which proceeded to conviction, and both of which resulted in a fine.
7.62
Further, the INSLM recommended that stakeholders should continue to monitor prosecutions and convictions to permit trends to be established as time passes. The Law Council said that this responsibility should be undertaken by the Commonwealth Director of Public Prosecutions.
Schedule 5: ASIO voluntary and compulsory assistance powers
7.63
As mentioned in Chapter 6, Schedule 5 introduces voluntary and compulsory assistance provisions into the ASIO Act. The voluntary assistance requests are issued by the Director-General of Security or a senior-position-holder to whom the Director-General has delegated authority to make decisions. A senior position-holder is defined as:
… an ASIO employee, or an ASIO affiliate, who holds, or is acting in, a position in the Organisation that is:
a.
equivalent to or higher than a position occupied by an SES employee; or
7.64
Compulsory assistance orders are issued by the Attorney-General after a request from the Director-General of Security. Where a compulsory assistance order is issued, the Director-General of Security is required to report to the Attorney-General on the extent to which both the action taken under the warrant, and compliance with the order, has assisted ASIO in carrying out its functions.
7.65
Additional administratively binding requirements are contained in the Minister’s Guidelines in relation to the performance by Australian Security Intelligence Organisation of its functions and exercise of powers. The Law Council considers that the administrative nature of the guidelines is not sufficient to ensure compliance by ASIO, and recommended that the requirements be contained wholly in primary legislation:
The ASIO Guidelines do not place a legal limitation on the power of ASIO to confer civil immunities, or the power of the Attorney-General to issue compulsory assistance orders. As such, mere administrative requirements in the ASIO Guidelines, which are vulnerable to unilateral repeal or amendment by the Minister for Home Affairs, are not legal safeguards that limit the availability of these extraordinary powers to confer immunities or compel assistance.
Further, the Law Council is concerned that the prolonged inaction in making critical amendments to the ASIO Guidelines (despite multiple recommendations of the Committee for at least the past six years) means that the public and the Parliament do not have a reasonable basis on which to be assured that the Guidelines would be updated in a timely way. In particular, the Law Council notes that the TOLA measures have been operational since December 2018, yet no amendments to the Guidelines have been made to address matters arising from the TOLA Act.
7.66
The Hon. Margaret Stone, Inspector-General of Intelligence and Security said that although aspects of the ASIO Guidelines were valuable, there were still areas for improvement:
Can I say that we are very pleased finally to have new guidelines, but, while they are valuable in many ways, we still have issues, for instance in relation to proportionality, which we think could be more clearly spelt out. There is the provision that there will be a review of these guidelines within 18 months—it will commence within 18 months—and regularly every three years after that. That should enable us to both address outstanding concerns and ensure that we don't have such a long period of outdated guidelines, as we had last time. So we're grateful for what we got out of that and, as usual, we're looking for more.
7.67
In addition, amendments to the ASIO Act made by Schedule 5 of the TOLA Act require ASIO’s annual report to include a statement of the total number of voluntary assistance requests as well as the total number of compulsory assistance orders made during the period.
7.68
The INSLM noted that the requirement to report on compulsory assistance orders was confined to the number of orders, and did not include a requirement to report on the assistance or things implemented as part of the compulsory assistance order. The INSLM therefore recommended that the annual reporting requirement be amended to – similar to the recommendation in Schedule 3 and Schedule 4 powers – provide additional broad information. In addition, the INSLM recommended that the report on the use of these powers should be provided to oversight agencies, and the PJCIS, but may not necessarily be appropriately recorded in a public annual report.
7.69
The Law Council supported additional reporting requirements, but did not agree with the INSLM’s suggestion that such reporting may not be made publicly available. The Law Council said the Committee or the INSLM undertake a review on the ongoing appropriateness of the classification of warrant reporting under telecommunications legislation.
7.70
The IGIS has oversight responsibility of the exercise of ASIO’s powers, and where ASIO has issued a voluntary assistance order, the IGIS must be informed within seven days. The IGIS did not make any further suggestions related to their ability to oversight voluntary assistance requests made by ASIO.
7.71
The Law Council said it supported the need for the IGIS to be adequately resourced to carry out its oversight functions, and said that it was important to ensure the IGIS could undertake oversight of the propriety of ASIO’s decision-making process in conferring immunity under the voluntary assistance provisions:
A hypothetical example of the type of decision-making that would require close scrutiny for propriety issues could be any decision-making by ASIO to focus its efforts on recruiting (as human sources) people who live, work or socialise with the targets of investigations, in order to use the immunity power in s 21A(1) to task them with obtaining information or documents possessed by the target, which are located in a shared place of work or residence, to which the human source (but not ASIO) has lawful access. In this type of scenario, propriety concerns could arise if the threshold for ASIO obtaining a warrant (such as a computer access, surveillance or search warrant) to directly collect the relevant material could not be met. This may indicate that the immunity is being used to circumvent those thresholds.
7.72
The IGIS said that five additional staff would be required to ‘conduct appropriately thorough and rigorous oversight of the new powers’. The Hon. Margaret Stone AO, Inspector-General of Intelligence and Security, said that if the IGIS’ jurisdiction was extended to cover the National Intelligence Community additional funding would be required:
If our jurisdiction was extended to those four agencies then I think we would need this extra assistance in addition to what we have for those four agencies. We're able to manage at the moment, because there has been no final decision on that jurisdiction… I think one needs to remember that the additional legislation, of which we're all aware, not only expands the scope of what we do, but, in order to oversee activities carried out under that legislation, requires additional depth of investigation. And it will also depend on usage by the agencies. So there are some unknowns and some knowns, but with the increasing technical requirements for oversight we will, for instance, need more technically competent or expert staff. We've got technically competent staff, but we will need more expertise than we presently have.
7.73
As discussed in Chapter 6, the provisions relating to the requirements that can be contained in a compulsory assistance order are not specified. The IGIS suggested that the requirements be set out in the legislation to facilitate a standard of compliance, and establish a benchmark for the IGIS to assess ASIO’s compliance.
7.74
In relation to the ability for ASIO to make an oral request to the Attorney-General for a compulsory assistance order, the IGIS suggested that when ASIO makes a subsequent written request, a copy of the oral request should be provided to the Attorney-General to ensure the written request accords with the initial verbal approval.
7.75
In addition, the IGIS noted that the reporting requirements for compulsory assistance orders are incongruent with the reporting requirements for warrants issued under the Telecommunications (Interception and Access) Act 1979 which provides a timeframe for report to the Attorney-General. The IGIS suggested that the ASIO Act could be amended to require ASIO to report to the Attorney-General within three months. Additionally, the IGIS noted that the requirement to report does not require the provision of information on how the orders have been executed. The IGIS suggested that such information could include:
what ‘information’ and/or ‘assistance’ was required under the order;
whether the order has been satisfied;
when the order was served on the person; and
whether the information or assistance satisfied the reason for which the order was issued (i.e. whether the assistance provided ASIO the access it required).
Ongoing oversight and the role of the INSLM
7.76
As discussed in Chapter 2, the TOLA Act came into existence against a backdrop of credible terrorist threats. Though the powers have been in existence for several years, a number of the provisions in Schedule 1 – such as TANs and TCNs – have not yet been used.
7.77
Section 29 of the Intelligence Services Act 2001 was amended at the time the TOLA Act was introduced to provide for the Committee to undertake a review of the operation of amendments made by the act.
7.78
In addition, s 6 of the Independent National Security Legislation Monitor Act 2010 was amended to provide for the INSLM to conduct a review on the operation, effectiveness and implications of the amendments made by the Act.
7.79
Neither amendment requires an additional review or oversight role for the Committee or the INSLM, except as provided as part of the general oversight provisions contained in the relevant acts.
7.80
The INSLM recommended that the enabling legislation be amended to allow for an INSLM to review the act of their own motion as necessary.
Committee comment
7.81
The Committee considers the appropriate oversight and accountability mechanisms for the powers in the TOLA Act are critical in ensuring the public’s ongoing confidence in the use of the powers. Appropriate oversight and reporting mechanisms also provides industry and government agencies with assurance on their use of the powers.
7.82
Part of ensuring adequate oversight means providing certainty in the ability of the IGIS and the Commonwealth Ombudsman to oversee the use of powers. The Committee notes the conclusion reached by the Richardson Review that the oversight responsibilities of the IGIS should not be amended in line with the recommendations of the 2017 Independent Intelligence Review. The Committee is considering IGIS oversight responsibilities further in its current review of the Intelligence Oversight and Other Legislation Amendment (Integrity Measures) Bill 2020.
7.83
The Committee is not persuaded by the conclusion of the Richardson Review that the IGIS should not have oversight of the intelligence functions of the AFP. Given the considerable expertise of the IGIS in overseeing intrusive and covert intelligence functions, and the increasing number of intelligence powers granted to the AFP, the Committee considers that the Government should give further consideration to the implementation of this recommendation.
7.84
As demonstrated by the distinction between AUSTRAC intelligence-related, and non-intelligence-related, functions set out in the Intelligence Oversight and Other Legislation Amendment (Integrity Measures) Bill 2020, the Committee suggests that it would be possible to provide the IGIS with the ability to oversee the intelligence functions of the AFP while still ensuring that the Commonwealth Ombudsman retains the necessary oversight of law enforcement powers. The Committee recommends that the Government amend the Inspector-General of Intelligence and Security Act 1986 to provide the IGIS with oversight responsibilities for the intelligence functions of the Australian Federal Police.
7.85
The Committee recommends that the Government amend the Inspector-General of Intelligence and Security Act 1986 to expand the jurisdiction of the IGIS to oversee the intelligence functions of the Australian Federal Police.
7.86
The Committee notes that the Intelligence Oversight and Other Legislation Amendment (Integrity Measures) Bill 2020 provides the Committee with the ability to oversee the intelligence functions of AUSTRAC. In line with the discussion above, the Committee notes the increasing number of intelligence powers it has had a role in granting to bodies like the ACIC, the Department of Home Affairs and the AFP. The Committee is considering its role in oversight of these agencies in its current review of the Intelligence Oversight and Other Legislation Amendment (Integrity Measures) Bill 2020.
7.87
The Committee considers that the significant and intrusive nature of these powers requires robust oversight with appropriate security considerations provided by the Intelligence Services Act 2001. While the Committee holds the oversight of the Parliamentary Joint Committee on Law Enforcement in significant regard, given that the intelligence powers of the ACIC mirror the powers granted to ASIO in many respects, the Committee considers that it should have a role in overseeing the intelligence functions of the ACIC.
7.88
The Committee recommends that the Government amend the Intelligence Services Act 2001 to provide the Parliamentary Joint Committee on Intelligence and Security with the ability oversee to the intelligence functions of the Australian Criminal Intelligence Commission.
7.89
The Committee notes the consideration undertaken by the INSLM in relation to the implementation of a more robust authorisation process for powers exercised under the TOLA Act provisions.
7.90
The Committee considers that there would be benefits to a ‘double-lock’ model, given the success of the Investigatory Powers Commissioner’s Office model in the United Kingdom, and also notes that a similar process has been recommended for the international production orders process which has been considered by the Committee.
7.91
However, the Committee considers that appropriate weight should be given to the evidence of the Department of Home Affairs that the proposal would be a departure from the usual processes of the AAT and that the AAT may not be the appropriate forum to vest a new authorisation process.
7.92
The Committee therefore recommends that the Government consider the INSLM’s recommendation, and respond with an appropriate model by no later than September 2022.
7.93
The Committee recommends the Government give further consideration to the proposal from the INSLM for an Investigatory Powers Division within the Administrative Appeals Tribunal and provide a response on the proposed model or any recommended alternatives by September 2022.
7.94
The Committee notes that the INSLM also recommended the establishment of a statutory office holder – the Investigatory Powers Commissioner – who would be responsible for the proposed IPD, oversee the use of powers in the TOLA Act, and undertake a number of important additional functions including development of standard form for TARs, TANs and TCNs and take reporting from those using the TOLA Act provisions.
7.95
The Committee acknowledges the reasoning of the INSLM that there would be a benefit in consolidating processes related to the oversight of the use of the regime, especially noting industry concerns outlined in Chapter 4. The Committee agrees, and therefore recommends that the Government give consideration to the appropriate form of an IPC when considering the proposal for an IPD.
7.96
The Committee recommends the Government consider the proposal for an Investigatory Powers Commissioner, as recommended by the INSLM, and provide a response on the proposed model or any recommended alternative models by September 2022.
7.97
The Committee notes the conclusion reached by the INSLM that section 317ZRB (7) of the Telecommunications Act 1997, which provides the power for the Minister for Home Affairs to delete sections of an annual report where there is the potential to prejudice an investigation or compromise operation activities, be repealed. The Committee recommends that the Government expressly clarify that the Commonwealth Ombudsman must consult with relevant agencies to identify operationally sensitive material that should be removed or amended before publication of a report. Section 317ZRB(7) of the Telecommunications Act 1997 should then subsequently be repealed.
7.98
The Committee recommends that the Government expressly clarify that the Commonwealth Ombudsman must consult with relevant agencies to identify operationally sensitive material that should be removed or amended before publication of a report. Section 317ZRB(7) of the Telecommunications Act 1997 should then subsequently be repealed.
7.99
In relation to authorisations, the Committee notes the INSLM’s recommendation that the AFP no longer have a role in the consideration of industry assistance notices requested by or issued on behalf of State and Territory police, and the Department of Home Affairs’ support for this recommendation. The Committee notes the potential impact on the independence of state and territory police investigations of requiring the AFP to approve TANs. The Committee therefore recommends the Telecommunications Act 1997 be amended to remove the requirement for State and Territory police to seek the approval of the AFP for TANs.
7.100
The Committee recommends that s317LA of the Telecommunications Act 1997 be repealed so that State and Territory police are not required to seek the approval of the Australian Federal Police for a technical assistance notice.
7.101
In relation to disclosure of information relating to powers exercised under Schedule 1, the Committee notes the concerns raised by industry and civil society and the Law Council’s recommendation to amend the provision requiring authorisation for release unless it would prejudice an investigation. Given that the Committee has not yet received evidence on the operation of these procedures, the Committee is not willing to make a recommendation on this issue at this time.
7.102
The Committee notes the concerns of Internet Australia in relation to transparency reports provided by DCPs, but considers that the following recommendations to improve transparency in reporting may provide some assurance regarding these concerns. The Committee supports the continued provision of transparency reports by DCPs on a voluntary basis.
7.103
In relation to the computer access warrant provisions in Schedule 2, the Committee supports the view of the IGIS that the ongoing advancement and societal dependence on technology creates difficulty in determining the threshold of material interference, interruption or obstruction in reporting. The Committee therefore recommends the ASIO Act be amended to require ASIO to report to the Attorney-General on when a device is removed from a premises and the duration of removal when exercising a computer access warrant.
7.104
The Committee recommends that s 34 of the Australian Security Intelligence Organisation Act 1979 be amended to require the Australian Security Intelligence Organisation to report to the Attorney-General when a device is removed from premises in the execution of a computer access warrant and the duration of the removal.
7.105
The Committee notes that unlike law enforcement, ASIO is not required to report in a public forum on its use of powers. The Committee notes the views of the Law Council that the ongoing classified nature of aspects of ASIO’s annual report affects the transparency of the use of the regime, however, the Committee considers the classification of some aspects of the ASIO annual report to be proportionate to operational risks.
7.106
The Committee is satisfied with the level of transparency and detail provided in ASIO’s annual report and is not recommending any amendment to considerations of national security classification in annual reporting requirements at this time.
7.107
However, the Committee notes that it is provided annually with a copy of ASIO’s annual report appendix in relation to telecommunications data access authorisations, which includes national security classified material that may not be included in the publicly available report. The Committee would welcome being provided with a copy of ASIO’s annual report appendix in relation to TOLA authorisations also, consistent with current practice for telecommunications data access authorisations. This would assist the PJCIS in its oversight of the functions and powers of ASIO, such as during its annual review of ASIO’s Administration and Expenditure. The Committee further recommends that the Intelligence Services Act 2001 be amended, as required, to provide that the PJCIS may review matters in relation to TOLA authorisations of ASIO.
7.108
The Committee recommends that:
the Australian Security Intelligence Organisation provide annually to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) a copy of its annual report appendix in relation to Telecommunications and Other Legislation Amendment (TOLA) authorisations, consistent with current practice for telecommunications data access authorisations; and
the Intelligence Services Act 2001 be amended, as required, to provide that the PJCIS may review matters in relation to TOLA authorisations of the Australian Security Intelligence Organisation.
7.109
The Committee concurs with the views of the INSLM that reporting of additional details on compulsory assistance orders would provide additional context on the appropriateness of the use of ASIO’s powers. The Committee recommends that ASIO brief the PJCIS on the acts or things implemented as part of the compulsory assistance orders regime to facilitate and assist the ongoing oversight of the legislation.
7.110
The Committee recommends that the Australian Security Intelligence Organisation brief the Parliamentary Joint Committee on Intelligence and Security on the acts or things implemented as part of a compulsory assistance order to facilitate and assist the ongoing review and oversight of the legislation.
7.111
Similarly, the Committee concurs with the conclusion of the INSLM that agencies empowered to seek an assistance order under Schedule 3 and Schedule 4 should be required to retain records and report to the relevant inspection agency on their use of these necessarily intrusive powers. Further, the Committee agrees with the INSLM that requiring the AFP to report on assistance orders sought and not executed would not provide an appropriate view of the use of the powers.
7.112
Therefore, the Committee recommends that the assistance order provisions in in the Crimes Act 1914 and the Customs Act 1901 be amended to require agencies to report to inspection bodies and in their annual reports on the use of these powers.
7.113
The Committee recommends that s 3LA of the Crimes Act 1914 and s 201A of the Customs Act 1901 be amended to require agencies to report to inspection bodies on the execution of assistance orders and publish those figures in their respective annual reports.
7.114
The Committee notes the concerns raised regarding ASIO’s guidelines, and the significant time between the most recent iteration and the version prior. The Committee agrees that it is appropriate for the guidelines to be updated within 18 months in the first instance, and every three years thereafter unless ASIO is granted significant new powers.
7.115
The Committee expects that the next iteration of the ASIO guidelines will address the concerns raised by the IGIS in relation to proportionality, and any other matters identified.
7.116
The Committee notes the Law Council’s concerns in relation to the ASIO guidelines, but is not persuaded that amendments in this respect are required at this point. The Committee notes the evidence from the IGIS regarding the enforceability of the conditions of the guidelines and considers that this evidence provides assurances that the IGIS is appropriately considering ASIO’s use of powers under the relevant guidelines.
7.117
Noting that some of the most contentious powers granted by the TOLA Act have not yet been used, the Committee agrees with the INSLM’s recommendation that it may be appropriate for the INSLM to review the provisions of the TOLA Act at a future time, and therefore recommends that the relevant provisions of the act be updated accordingly so as not to preclude the INSLM from inquiring into the legislation.
7.118
The Committee recommends the definition in s 4 of the Independent National Security Legislation Monitor Act 2010 be amended to allow the Independent National Security Legislation Monitor to review the amendments made by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 of its own motion.
7.119
The Committee also considers that it would be valuable for the Committee to undertake a review of the TOLA Act in three years when there may be more data available to review the impact and implications of the powers in the act, but notes that this would only be a particularly relevant exercise once TANs and TCNs have been used.
7.120
The Committee notes that stakeholders have contributed to the Committee’s initial consideration of the TOLA Bill and two statutory reviews since the TOLA Act was introduced. The Committee is, therefore, reluctant to impose a continuing administrative burden should TAN and TCN powers not be used in the next three years. Therefore, the Committee recommends that a statutory review only commence once the use of powers have been notified in existing annual reporting obligations.
7.121
The Committee recommends s 29 of the Intelligence Services Act 2001 be amended to require the Parliamentary Joint Committee on Intelligence and Security to commence a review within three years once the Committee becomes aware through existing annual reporting requirements that the technical assistance notices or technical capability notices provided by Schedule 1 of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 have been used.
Senator James Paterson
Chair
15 December 2021