6.1
The Committee accepts evidence the threat environment from serious cyber-enabled crime is severe and Australian authorities do not currently have the tools to address the threat. It is international, complex, and technologically advanced. The Committee accepts evidence there is a requirement for powers such as these due to the effects of anonymising technology and the dark web in particular. The Committee accepts evidence serious crime is being enabled by these technologies and the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) are currently unable to prevent the harm. The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (the Bill) is world-leading and novel but it also needs to be subject to serious consideration and review. The Committee accepts it is one among many measures being considered to counter these threats.
6.2
The Committee supports these powers and the Bill conditional on the amendments as outlined below. As identified by many submissions to this inquiry, the key issues at the micro level are the articulation and definition of necessity and proportionality with these powers. While almost all submissions generally supported the intent of the Bill, many submissions thought the Bill was either poorly defined or differed substantially from the Explanatory Memorandum (EM). On this latter point, the Committee strongly recommends Government clearly articulate these key issues in the EM as if it had done so then it is likely the inquiry process would have occurred more smoothly as people’s understanding of what the Bill is would have been likely stronger. This is particularly the case for the debate on relevant offences and issuing authorities which are the two key issues from a technical and legislative perspective.
Intelligence oversight and relationship with the Integrity Measures Bill
6.3
The key issue at the macro level relates not to these powers themselves but the broader framework for intelligence oversight in Australia to which this Bill relates quite strongly to. It is at this point the relevance of the Intelligence Oversight and Other Legislation (Integrity Measures) Bill 2020 (the IM Bill) becomes apparent. As noted in evidence to this Committee there is a strong relationship between the SLAID Bill and the IM Bill as evidenced in the co-design and redundant measures implemented in both.
6.4
Currently the Inspector General of Intelligence and Security (IGIS) does not have oversight of the AFP and ACIC. Between the complementary measures of this Bill and the IM Bill, IGIS oversight is proposed for the ACIC (but not AFP) but only as it relates to the ACIC’s intelligence functions. IGIS oversight could apply to the AFP in so far as it relates to a network activity warrant (NAW).
6.5
Currently the PJCIS does not have oversight of the AFP or ACIC, except for the AFP as it relates to certain terrorism functions. This point will be addressed below. Between the complementary measures of this Bill and the IM Bill, PJCIS oversight is not proposed for either the ACIC or AFP, and in particular the intelligence functions of these organisations.
6.6
The Committee is strongly of the view, firstly, that parliamentary oversight of intelligence matters should mirror integrity body (e.g. IGIS) oversight of intelligence matters. As it stands, this Bill risks creating a divergence. Secondly, the Committee is of the view that intelligence matters should be overseen by the parliamentary committee for intelligence matters – regardless of whether it is by a traditional intelligence collector (as is the case in the National Intelligence Community (NIC)) or law enforcement bodies that perform intelligence functions.
6.7
The Committee notes the issue of defining and separating ideas of intelligence and law enforcement has received substantial attention in both the Independent Intelligence Review (IIR) and the Comprehensive Review by Dennis Richardson (the Richardson Review). The Committee notes the Richardson Review differed from the IIR on the topic of oversight and the Government has in part differed from both the IIR and the Richardson Review
6.8
The Committee accepts evidence there is substantial overlap between intelligence and law enforcement matters. You can have intelligence matters that have no bearing on law enforcement and law enforcement matters that have no bearing on intelligence, but for certain agencies and most notably the ACIC and AFP this is far less likely. For the ACIC in particular they have both law enforcement and intelligence in their very title. It is hard to imagine the intelligence functions being a minor part of a body that is titled an intelligence commission.
6.9
The Committee does not believe these areas of law enforcement and intelligence were ever mutually exclusive, but it is certainly the case that the grey area between the two concepts is rapidly growing as the overlapping nature of these concepts is increased. These powers go to that increasing overlap. This causes some structural oversight issues given there is the PJCIS for intelligence, and the Parliamentary Joint Committee on Law Enforcement (PJCLE) for law enforcement. Where the Richardson Review discussed at length the differences between foreign and domestic intelligence and related topics, the issue of law enforcement powers compared to law enforcement intelligence powers has received less attention. It is possible the definition of intelligence function applied elsewhere in the NIC could apply to law enforcement agencies.
6.10
This Bill is a perfect example of something belonging equally to both parliamentary oversight bodies. The Committee notes this Bill was sent to the PJCIS for review which would imply that out of the two bodies, the PJCIS was more suited for this particular query. The Committee agrees with this suggestion. The PJCIS can receive classified hearings, is well-versed in intelligence legislation, and reviews other related matters to this Bill in particular (for example the TOLA Act). This begs the question therefore of why the PJCIS is reviewing this Bill but not being given the oversight of the very bodies it is being asked to empower. It raises the distinct possibility the Committee could authorise these powers, subject to certain provisions, and then not have the capacity to review them once the Bill becomes an Act.
6.11
IGIS oversight is not proposed for the AFP under the IM Bill, but under the SLAID Bill it is proposed for network activity warrants (NAWs) as a specific warrant type. This would have the effect of the IGIS being able to review one particular warrant within the broader AFP intelligence structure, but nothing further. Evidence given to this Committee suggested NAWs would be used in tandem with broader investigative and intelligence powers. This very evidence strengthens the Committee’s view that oversight fragmentation will occur if this Bill proceeds without amendment.
6.12
If the AFP use NAWs in tandem with multiple other warranted and non-warranted powers, then the IGIS could only review the NAW-component even if other clearly intelligence-focussed powers were in use. This appears to the Committee to be an error. This is still higher than the proposed PJCIS oversight of the AFP which is limited to existing restrictions around terrorism – not NAWs at all. This does not reflect either good oversight practice or the current reality of the PJCIS reviewing AFP matters and legislation. The very existence of this Bill inquiry goes to the PJCIS role in these issues.
6.13
The Committee notes that according to the Government the PJCLE has oversight of ACIC and this is sufficient and a reason not to involve the PJCIS. The Committee is not persuaded by this argument. Firstly, the SLAID Bill was deliberately selected for PJCIS review given its experience in reviewing national security intelligence legislation in Australia, not the PJCLE. Should the SLAID Bill have been referred to the PJCLE then the Committee deliberations may have been different. Secondly, the ability of the PJCIS to conduct classified hearings makes it a better oversight body for the ACIC as it relates to intelligence functions. Thirdly the SLAID Bill is a specific intelligence power, rather than general oversight of an agency.
6.14
Already, by virtue of these inquiries occurring, there has been a divergence between the PJCIS and PJCLE. It is the view of the Committee that the correct course of action would be to extend parliamentary oversight to the PJCIS. Even if it were the case that PJCLE oversight was sufficient, the cost to increasing oversight to incorporate the PJCIS is considered to be far lower than the numerous benefits that this would bring. The Committee believes overlapping oversight is far more advantageous than fragmented oversight. Additionally, not all oversight is equal in its scope or functions.
6.15
The Committee notes the IM Bill only proposes increasing PJCIS oversight of AUSTRAC but not the two bodies (the AFP and ACIC) that the Committee has been asked to review for these powers.
6.16
More broadly this highlights a risk of matters not being dealt with appropriately and is a substantial risk. In many ways this Bill is a good test case to determine the responsibilities of the PJCLE compared to the PJCIS. The Committee is strongly of the view that the most suitable thing to do would be to have mutual areas of overlapping jurisdiction rather than potential gaps. This would be in line with the broader recommendations from the Richardson Review in avoiding fragmentation. It could then be for the PJCLE and PJCIS to decide amongst themselves who reviewed certain matters relating to the AFP and ACIC. There is a substantial risk of oversight fragmentation as a result of this Bill. Areas of concurrent jurisdiction are supported in favour of exclusionary models that make oversight gaps more likely.
6.17
Much of the evidence to this inquiry focussed on how the Commonwealth Ombudsman and IGIS would be able to co-oversee several of these bodies, and cited evidence from the Richardson Review in favour of increased oversight that overlapped slightly rather than gaps. The Committee notes this same logic applies to parliamentary oversight as it does to Ombudsman/IGIS oversight and the logical conclusion would be to have PJCLE and PJCIS oversight of the ACIC to avoid an oversight gap. As it stands this logic has been applied to the integrity bodies but not to parliamentary committees. The Committee is not satisfied with the current parliamentary oversight of the ACIC in particular. There is far more to be gained than lost from any such extension of oversight, and it would be expected to apply in the very situation that this inquiry finds itself, a Bill review of intelligence powers.
6.18
Of note the IGIS expansion of oversight on the ACIC and AUSTRAC only applies to the statutorily defined ‘intelligence functions’ of those agencies. This has been deliberately selected after the Richardson Review to encompass the relevant points. This same logic applies for parliamentary oversight as well and the Committee would propose it has oversight of these same agencies so far as it relates to the ‘intelligence functions’ of those agencies.
6.19
As the evidence to this Committee demonstrated, these are serious and extraordinary intelligence powers that do have a relationship to the National Intelligence Community (NIC) via the Australian Signals Directorate (ASD) as evidence to this Committee showed. It is the view of the Committee that the PJCIS is the most appropriate body for reviewing intelligence legislation and that should not be limited by the current definitions that are proposed.
6.20
In summary, the Committee strongly supports and recommends parliamentary oversight mirror integrity body oversight. As it stands, this Bill would create a divergence on this issue which in the Committee’s view, is unacceptable.
6.21
The Committee recommends that, in line with the proposed expansion of the Inspector-General of Intelligence and Security’s oversight role, the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, the Intelligence Oversight and Other Legislation Amendment (Integrity Measures) Bill 2020 and, to the extent necessary, other legislation be amended to expand the oversight remit of the Parliamentary Joint Committee on Intelligence and Security to cover the intelligence functions of the ACIC (including, but not limited to, the use of network activity warrants by the ACIC).
6.22
A related point the Committee deliberated on was parliamentary oversight of the AFP. Where the IM Bill proposes changes for ACIC oversight it does not amend AFP oversight which currently does not include the IGIS and only includes the PJCIS to the extent that the matter is a certain terrorism function (this being the existing status rather than a proposed change).
6.23
The Committee finds it unpersuasive whereby PJCIS oversight of the AFP is not proposed, but the PJCIS is asked to review intelligence powers proposed for the AFP. A component argument, that the AFP does not have considerable intelligence powers is considered weak when viewed against the very powers proposed by this Bill. There is a contradiction and oversight quagmire presented by this approach. It is the view of the Committee that if the PJCIS is reviewing intelligence legislation for the AFP, which is appropriate given the role of this Committee, then it should be formalised and expanded to realistically account for the current PJCIS activities related to the AFP.
6.24
As above, the Committee finds the argument of existing PJCLE oversight as unsatisfactory. There is more to be gained than lost by PJCLE and PJCIS having overlapping oversight of the AFP, with particular relevance for the PJCIS on intelligence matters.
6.25
The Committee is strongly of the view that amendments to both this Bill and the IM Bill are required to allow for PJCIS oversight of the AFP beyond the certain terrorism functions the PJCIS currently has oversight over.
6.26
The Committee recommends that the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, the Intelligence Oversight and Other Legislation Amendment (Integrity Measures) Bill 2020) and, to the extent necessary, other legislation be amended to expand the oversight remit of the Parliamentary Joint Committee on Intelligence and Security to cover the intelligence functions of the AFP (including, but not limited to, the use of network activity warrants by the AFP).
6.27
As it stands, the PJCIS has been asked by Government to review particular powers for the AFP and ACIC without being given commensurate increases in oversight of these agencies or the explicit ability to review these powers once they are enacted into law.
6.28
The Committee notes IGIS oversight of the AFP is limited to network activity warrants (NAWs) exclusively.
6.29
The Committee recommends that the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, the Intelligence Oversight and Other Legislation Amendment (Integrity Measures) Bill 2020) and, to the extent necessary, other legislation be amended to extend the oversight remit of the Inspector-General of Intelligence and Security’s oversight to include all intelligence functions of the AFP (including, but not limited to, not the use of just network activity warrants).
6.30
As this section of Committee Comment shows, the vexed issue of intelligence oversight in a law enforcement context remains unaddressed despite efforts by the IIR and the Richardson Review to solve this very issue. Differing standards across different agencies on different powers by different oversight bodies is hardly ideal and not supported by this Committee.
6.31
There are substantial differences between the IGIS, the Commonwealth Ombudsman, the Australian Commission for Law Enforcement Integrity (ACLEI) the Office of the Australian Information Commissioner (OAIC) and the Australian National Audit Office (ANAO). It does not do well to equate these bodies as they have vastly different powers and mandates. Additionally, quantity of oversight does not equate to quality of oversight, if indeed some of these agencies can be classified as oversight bodies.
6.32
From a Committee perspective there is no equivalent to the oversight powers afforded by the IGIS and as it stands IGIS does not have oversight of the AFP intelligence functions nor the intelligence functions of Home Affairs. For this particular inquiry, the Committee is limiting its criticism to the lack of inclusion of operational agencies where the intelligence function is clearly present compared to policy agencies such as Home Affairs.
6.33
The Committee notes this issue will be likely relevant for the proposed Electronic Surveillance Bill proposed by the Richardson Review to consolidate and normalise all electronic surveillance powers in Australia across intelligence and law enforcement. If not now, at the point this Bill is referred (likely to this very Committee) these issues discussed above will become even more relevant. It appears the Government is moving towards a uniform and centralised piece of legislation to guide electronic surveillance. The Committee supports that endeavour in principle. It should be the case that oversight mirrors this philosophy.
6.34
In relation to oversight, given these are extraordinary powers the Committee recommends Government consider deepening the level of Commonwealth Ombudsman oversight to explore issues of propriety that the IGIS currently considers for intelligence agencies. The Committee notes the significant differences between the Ombudsman and IGIS in this regard.
6.35
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 and, to the extent necessary, other legislation be amended to expand the inspection mandate and functions of the Commonwealth Ombudsman to cover – in explicit terms – the propriety of the AFP and ACIC’s actions, practices, policies and activities under these new powers.
Technology companies
6.36
The Committee invited several technology companies to public hearings and for various reasons these invitations were rebuffed, ignored or refused. The Committee notes many of these large commercial entities provided written submissions outlining their intention to support the Committee and provide additional information, but when asked to provide additional evidence at a public hearing did not see fit to do so.
6.37
The Committee is disappointed in these technology companies and notes their lack of appearance meant that the evidence base was weaker as it did not comprehensively take into account the concerns of technology providers on these issues. The Committee strongly recommends these companies appear in the future, and not in the form of industry lobby groups. It is not good practice to criticise a Bill but then not turn up to a hearing to discuss said Bill.
Submissions
6.38
The Committee thanks all the submitters to this inquiry and those who appeared before the Committee. The level of detail in many submissions was comprehensive and addressed specifically the proposed sections of the Bill. The Committee particularly thanks those who addressed the Bill itself and the proposed sections within it.
6.39
The Committee notes the ACIC, while seeking these new and extraordinary powers and being one of only two bodies proposed to be receiving these powers, did not submit a standalone submission to this inquiry justifying their need of these powers until asked by the Committee to provide at a public hearing. Given the above comments regarding perceived lack of oversight of the ACIC, the ACIC then not initially providing a submission to the Committee only strengthened the Committee’s view that oversight of the ACIC is substantially lacking. The Committee thanks the ACIC for its subsequent submission it made at the Committee’s request.
6.40
The Committee acknowledges the ACIC position was incorporated within the Home Affairs portfolio submission but this is neither adequate nor persuasive. The Committee required justification for why particular agencies required particular powers. The AFP provided that justification clearly and persuasively – initially the ACIC did not and only provided such justification at the Committee’s request.
6.41
The Committee recommends agencies that are seeking warranted powers provide their own submissions to this Committee. Doing so assist the Committee in providing justification for enabling the agency to receive said powers. This was particularly the case with the topic of disruption which was subject of substantial focus in the Richardson Review.
6.42
The Committee recommends that, where a Bill proposes to give operational or intelligence agencies specific new or expanded powers, those agencies should, in addition to providing input to any departmental submission, provide a separate unclassified submission to the Committee which should, at least, outline the necessity and proportionality of the proposed new or expanded powers. Such a submission should include, where appropriate, case studies on the current environment and how the use of any proposed new or expanded powers will assist the agency in the carrying out of its functions.
The Committee also recommends that the Department of Home Affairs not make any further submission to the Committee that purports to be authored by, or submitted on behalf of, the “Home Affairs Portfolio”.
For the avoidance of doubt this recommendation should not preclude an agency providing a classified submission in addition to any unclassified submission.
Mandate for disruption
6.43
The Committee accepted evidence from the AFP and ACIC that articulated clearly their mandate for disruption and the relationship between disruption and prosecution. These powers have been clearly demonstrated in the offline world and this Bill enables these agencies to attempt to do the same in the online world.
6.44
As above, the disruption mandate lends itself to a stronger focus on intelligence powers which is clearly the domain of the PJCIS.
Issues related to all powers
6.45
Committee comment for this Bill is divided between issues universal (or near-universal) to all powers, and issues that are specific to the particular warrant types.
The proposed Electronic Surveillance Act
6.46
The Committee considered how this particular Bill would be placed within the broader recommendations recommended by the Richardson Review. In particular the Committee notes the proposal for a omnibus Electronic Surveillance Act and evidence by Home Affairs that work is being undertaken to implement this proposal. The Committee is very supportive of any legislative attempt to increase consistency, accountability and transparency around the application of these types of intrusive powers and will take an ongoing interest in the Electronic Surveillance Act.
Additional reporting
6.47
The Committee noted concerns that while these powers were justified in terms of being used for particularly serious offences they could be used for lesser offences. It is of considerable importance to the Committee that powers are used for the purposes they are outlined for. To provide assurance the Committee is recommending a report be provided each year to Parliament and the Committee outlining the specific offences that these powers were used for. Such a report will greatly assist the Committee’s consideration of whether or not to conduct a statutory review of the powers discussed below.
6.48
The Committee recommends that, in support the proposed expansion of the Parliamentary Joint Committee on Intelligence and Security’s oversight remit (see Recommendations 1 and 2), the AFP and the ACIC provide an unclassified annual report to the Committee which sets out:
to the extent it is possible to do so in an unclassified report, similar information to what is required to be provided under section 3ZZVL of Schedule 3 of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (except that information should be provided in respect of all three of the new powers rather than just the account takeover warrants); and
the offences in respect of which the warrants were sought or obtained.
This new reporting requirement should be supplemented by classified briefings to the Committee outlining the use of the new powers and their relationship both to each other and other existing powers provided to the AFP and ACIC.
Review by the Independent National Security Legislation Monitor
6.49
The Committee accepts that the warrants outlined in the Bill will most liklely be used for law enforcement matters. However there is, equally, a national security element to the proposed use of the warrants. On this basis the the Committee recommends the Data Disruption, Network Activity and Account Takeover warrants be subject to review by the Independent National Security Legislation Monitor (INSLM) three years after the Bill gains assent. The Committee further recommends that a copy of the INSLM’s report be provided to this Committee.
6.50
The Committee recommends the INSLM Act be amended to provide for INSLM review of the data disruption, network activity and account takeover warrants introduced by the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 within three years of the Bill receiving Royal Assent.
The Committee further recommends that the INSLM Act be amended to require the INSLM to provide a copy of his or her report to the Committee at the same time the report is provided to the Minister.
Statutory review
6.51
The Committee notes the powers are limited to certain agencies, the AFP and ACIC, and this provides the Committee with a high degree of assurance that they will be used appropriately and within a set scope.
6.52
However, it is the usual practice of the Committee to recommend that it undertake a statutory review into the operation, effectiveness and implications of recently legislated new powers.
6.53
Such a power of review provides the Parliament with additional assurance that the powers are being used as intended for relevant and serious offences the Committee is recommending the Committee be given the ability to elect to review this Bill at least three years after assent. The Committee is deliberately recommending that such a review be optional as the reporting by AFP, ACIC and the INSLM referred to above and any briefings the Committee may request may provide the Committee with the assurance that a formal statutory review is not needed.
6.54
In addition the Committee recommends that the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that powers sunset five years from when the Bill receives Royal Assent.
6.55
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that the Parliamentary Joint Committee on Intelligence and Security may conduct a review of the data disruption, network activity and account takeover warrants not less than four years from when the Bill receives Royal Assent to allow the Committee to take into account any report by the INSLM.
In addition the Committee recommends that the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that each of the new powers sunset five years from the date on which the Bill receives Royal Assent.
Issuing authority
6.56
One of the major issues identified by submissions to this inquiry related to the issuing authority of the three powers and what would be appropriate. Generally this came in the form of submitters recommending raising the account takeover warrant (ATW) issuing authority to be in line with network activity warrants (NAWs) and data disruption warrants (DDWs) (at minimum), and recommending raising NAWs and DDWs further to superior court judges alone.
6.57
The Committee heard no compelling evidence, beyond administrative coherence with existing powers, for not raising the issuing authorities and as such is recommending that the Bill be amended so that the issuing authority for all three new powers, including emergency authorisations, is a superior court judge except for Account Takeover Warrants which may be granted by an Eligible Judge per Section 12 of the Surveillance Devices Act 2004 (Cth). These are extraordinary powers and the issuing process should reflect this.
6.58
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that the issuing authority for all of the new powers introduced by the Bill, including emergency authorisations, must be a superior court judge (either of the Federal Court or a State or Territory Supreme Court), except for Account Takeover Warrants which may be granted by an Eligible Judge per Section 12 of the Surveillance Devices Act 2004 (Cth).
Issuing criteria
6.59
The Committee accepted evidence from Home Affairs that the issuing authority criteria sufficiently narrowed the scope of these powers The Committee, after accepting evidence from several submissions, recommends that these criteria can be refined further to provide assurance that the powers will be used for appropriate offences.
6.60
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to provide additional requirements on the considerations of the issuing authority to ensure the offences are reasonably serious and proportionality is maintained. The effect of any changes should be to strengthen the issuing criteria and ensure the powers are being used for the most serious of offending.
This should include specific consideration as to whether the offending relates substantially to: offences against the security of the Commonwealth per Chapter 5 of the Criminal Code; offences against humanity including child exploitation and human trafficking per Chapter 8 of the Criminal Code; serious drug, weapons and criminal association offences per Chapter 9 of the Criminal Code; and money laundering and cybercrime offences per Chapter 10 of the Criminal Code. These examples are not exhaustive, but designed to reflect the intention of the Bill as seen through the Explanatory Memorandum and evidence to this Committee.
This should include the nature of the offending and its relationship to other serious offences.
6.61
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that the issuing authority, to the extent known, must consider the following:
consideration to third parties specifically, including their privacy;
specific consideration of privileged and journalistic information; and,
specific consideration of privacy impacts, financial impacts, and the ability of individuals to provide or receive care.
Relevant offences
6.62
The second major issue was the discussion around relevant and applicable offences for the three powers. This was an area of serious debate with many non-governmental organisations arguing that the scope of relevant offences meant that many ‘non-serious’ offences, or offences not mentioned in the EM, were included in the Bill. Government organisations argued the definition of relevant offence was already set by Parliament and this Bill simply sought to use it as a definition, as did many other warrants. The EM clearly articulated that these powers would be used for the most serious types of crime and it is important the Bill reflects that.
6.63
The Committee notes the nuanced relationship between offences and powers which evolve over time. New powers are introduced to address new and serious threats which by their very definition tend to be more significant and extraordinary. There is the risk of a lag if new powers are introduced with no substantial changes to the existing architecture of legislation to which they apply. It is for this reason the Committee is generally unpersuaded by arguments of legislative consistency or coherence when extraordinary powers are introduced. Increases in powers afforded to agencies like the ACIC and AFP should be matched by increases in accountability, oversight and other measures designed to constrain and restrict these powers towards their appropriate purpose.
6.64
The Committee explored alternatives and possible recommendations including raising the threshold or specifically listing offences. For various reasons, the Committee considers it unfeasible to recommend either of these options. It appears that the issue of ‘relevant offence’ is a broader issue than this particular Bill and likely not one that will be addressed via this inquiry. The Committee notes that this is an issue that will need to be addressed as it will become increasingly difficult to ‘tack on’ new and intrusive powers to old definitions. At some point the definitions themselves will require review and it is possible we are fast approaching that point.
6.65
While the EM itself said the powers would be used for the most serious of offences, it clearly became apparent at the hearing that the powers would also be used for ‘lesser’ offences. The most obvious example provided related to outlaw motorcycle gangs and the possible intention to use these powers to degrade these networks by attacking their periphery. Some comparisons can possibly be drawn between this strategy and Al Capone being charged with tax evasion. The argument being that law enforcement would go after minor offending being done by serious criminals as a way to move upstream to the more serious offending. The Committee found this argument persuasive.
6.66
As a general point the Committee notes the argument of legislative consistency is supportive but not determinative of a particular outcome. The Committee considers that arguing for something simply because it is consistent with existing legislation is not entirely persuasive when new legislation or powers are being implemented or considered.
6.67
The Committee does recommend the Government clarify the EM as addressing this specific issue was clearly lacking in the EM as identified by many submissions. Whilst Government subsequently provided arguments to this Committee as to why the definition was appropriate, this could have been addressed at the EM stage of this Bill and in not doing so, likely delayed the progression of these powers. The EM clearly set out that these powers were being used for serious crime, but the evidence given to this Committee in Hansard indicated the powers would also be used to target minor offences that serious criminals were undertaking – a clear distinction from the EM itself. Additionally the EM contained an error regarding to human rights compatibility that was subsequently addressed by Home Affairs.
6.68
Importantly this Bill does not define relevant offence, it is a creature of existing legislation and as such it would be inappropriate for this Committee to address it as a substantial issue for recommendations to apply to. The Committee accepted evidence that a dynamic category was required to ensure operational efficacy of the Bill. However, the issues raised by submissions need to be addressed and as such the Committee recommends the Government undertake a broad review of offence classifications to address the concerns identified by these submissions. It may be that new categories are required to provide assurance to the public that extraordinary powers are not being used for ordinary offences.
6.69
The Committee recommends much greater attention be placed to justifying the ‘relevant offences’ for powers such as these in the future. Arguments of internal legislative coherence are not satisfactory for extraordinary powers such as these. The Committee is satisfied that the issuing authority criteria suitably narrows the de facto ‘relevant offences’. The Committee notes that rather than relying on issuing authorities judgement it is much more preferable that legislation is clear as to which offences are captured by proposed powers. For these reasons several recommendations are outlined below.
6.70
The Committee notes that it is probable the Government will address the issue of relevant offences and definitions with the creation of the proposed Electronic Surveillance Act.
6.71
The Committee recommends the Government commission a review of Commonwealth legislation to determine whether the concepts of “serious offence”, “relevant offence” and other similar concepts:
should be made consistent across different Acts of Parliament (noting that, for example, the definition of “serious offence” in the Telecommunications (Interception and Access) Act 1979 is different to the definition of “relevant offence” in the Surveillance Devices Act 2004; and
whether the threshold for the concept of “serious offence” in all Commonwealth legislation should be – at a minimum – an indictable offence punishable by a maximum penalty of seven years’ imprisonment or more, with a limited number of exceptions.
This body of work should inform the eventual electronic surveillance bill being considered by the Department of Home Affairs and other departments.
Emergency authorisations
6.72
The Committee considered the possible scenarios where emergency authorisations are not subsequently ratified by the issuing authority. In these situations the Committee recommends the issuing authority have discretion to order remedial action as appropriate.
6.73
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that, in order to provide an emergency authorisation for disruption of data held in a computer:
in addition to the matters set out in proposed section 28(1C) of the Surveillance Devices Act 2004, an authorising officer must be satisfied that that there are no alternative means available to prevent or minimise the imminent risk of serious violence to a person or substantial damage to property that are likely to be as effective as data disruption; and
the authorising officer must consider the likely impacts of the proposed data disruption activity on third parties who are using, or are reliant on, the target computer and be satisfied that the likely impacts on third parties are proportionate to the objective of the emergency authorisation.
In addition, the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 should be amended so that, where an issuing authority declines to retrospectively approve an emergency data disruption authorisation, the issuing authority may require the AFP or ACIC to take such remedial action as considered appropriate in the circumstances, including financial compensation.
Requesting officers and public interest advocates
6.74
The Committee noted evidence recommending amending the Bill so that only certain officers could apply for these warrants within the AFP and ACIC. The Committee disagrees with this suggestion and is content with the sub-legislative provisions and policies that ensure accountability for this process within both agencies.
6.75
The Committee noted evidence recommending the inclusion of a public interest advocate to act as contradictors in these warrant applications. The Committee does not support this recommendation for this Bill.
Concealment powers
6.76
The Committee is of the view that concealment activities that cannot be completed within 28 days should require the approval of a superior court judge to undertake post-concealment activities at a later date.
6.77
The Committee recommends that the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that any post-warrant concealment powers must be exercised within 28 days after the relevant warrant has expired unless the AFP or the ACIC (as applicable) has obtained the approval of a superior court judge to undertake post-concealment activities at a later date.
Consistent with the recommendation made by the INSLM, the superior court judge should be required to consider:
how the AFP or the ACIC (as applicable) is proposing to conceal access;
the likely privacy implications at the time and in the place where the concealment activity is proposed to occur; and
whether, in all the circumstances, the concealment activity is appropriate.
In addition, and noting that the Committee did not receive evidence on concealment in relation to computer warrants, the Committee recommends that the Government consider whether the same amendment should be made in respect of computer access warrants in the Surveillance Devices Act 2004 consistent with the recommendation made by the INSLM.
Loss or damage to a third-party
6.78
The Committee considered the fact that integrity body oversight of this Bill, would be by both the Inspector General of Intelligence and Security and the Commonwealth Ombudsman. The Committee is satisfied with the integrity body oversight arrangements of this Bill with only several minor recommendations, some of which have been addressed elsewhere.
6.79
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that:
for the purposes of proposed paragraphs 27KE(7)(b) and 27KE(12) (and any other relevant provision), a data disruption warrant may only authorise the AFP or ACIC to cause material loss or damage to other persons lawfully using a computer if the loss or damage is necessary to do one of the things specified in the warrant (i.e. it is not enough that the loss or damage is “justified and proportionate”); and
the AFP and ACIC must notify the Commonwealth Ombudsman or IGIS (as appropriate) as soon as reasonably practicable if they cause any loss or damage to other persons lawfully using a computer.
The notification to the Commonwealth Ombudsman or IGIS (as applicable) must include, among other things, details of the loss or damage caused by the disruption activity and an explanation of why the loss or damage was necessary to do one of the things specified in the warrant.
6.80
The Committee recommends that the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that the power to temporarily remove computers and other things from premises under a data disruption warrant or a network activity warrant must be returned to the warrant premises as soon as it is reasonably practicable to do so.
Reporting to the Ombudsman
6.81
The Committee notes that the Commonwealth Ombudsman recommended varying the reporting requirements from six-monthly to annually. The Committee recommends implementing this change.
6.82
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 should be amended to change the reporting requirements from the agencies to the Commonwealth Ombudsman from six-monthly to annually.
Press freedom
6.83
The Committee noted the previous recommendation it made in the Inquiry into Press Freedoms regarding expanding the role of the Public Interest Advocate for all warrant related provisions that could relate to journalists. The Committee continues to support these recommendations and notes the Government’s current ongoing holistic analysis of all legislation that will implement these changes.
6.84
The Committee recommends that the Government introduce legislation to implement the Committee’s recommendations in its report on press freedom as soon as possible.
In the meantime, the Committee recommends that the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that the issuing criteria for each of the proposed new powers requires the applicant, and the issuing authority, to consider the following matters in respect of any warrant that relates to – or may affect – a person working in a professional capacity as a journalist or a media organisation:
the public interest in preserving the confidentiality of journalist sources; and
the public interest in facilitating the exchange of information between journalists and members of the public to facilitate reporting of matters in the public interest.
6.85
Consistent with Recommendation 2 of the Committee’s report on press freedom, the Committee recommends that the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to require that – with respect to an application for a data disruption warrant, a network activity warrant or an account takeover warrant that is being sought in relation to a journalist or media organisation – a “public interest advocate” be appointed.
Assistance orders
6.86
Several submissions discussed assistance orders for the powers. A general theme which was present was that the assistance order regime from the TOLA Act was more developed and comprehensive and this Bill would do well to reflect key definitions and concepts from that Bill.
6.87
Several submissions called for mandatory consultation with technology providers prior to warrants being issued, or executed, and for an independent technical advisory board as part of the issuing process. The Committee disagrees with both of these suggestions for this particular Bill. The Committee is supportive of greater technical considerations being placed into the issuing authorities’ considerations but is not supportive of involving technology companies at this stage of the process.
6.88
The Committee accepted evidence from submissions in favour of the assistance order regime in the TOLA Act and accepted evidence that the assistance order regime under the Bill should be modelled, in so far as it is possible to do so, on the TOLA Act assistance order regime.
6.89
The Committee recommends that the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to make clear the issuing criteria for an assistance orders also requires the issuing authority to be satisfied that:
the order for assistance – and not just the disruption of data – is:
reasonably necessary to frustrate the commission of the offences that are covered by the disruption warrant; and
justifiable and proportionate, having regard to (i) the seriousness of the offences that are covered by the disruption warrant and (ii) the likely impacts of the data disruption activity on the person who is subject to the assistance order and any related parties (including, if relevant, the person’s employer) and (iii) the likely impacts of the data disruption activity on other persons, including lawful computer users or clients of the person subject to the order; and
compliance with the request is practicable and technically feasible (noting that these criteria are to be found in the industry assistance measures introduced by the Assistance and Access Act 2018).
6.90
Some submissions discussed the possibility of ‘forum shopping’ for assistance orders under various other regimes. To avoid this, the Committee is recommending provisions be inserted into the Bill to prevent this from occurring.
6.91
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to require consideration by the issuing authority, to the extent that is possible, of whether a person is, or has been, subject to other mandatory assistance orders (including mandatory assistance orders made under other Commonwealth legislation).
Having regard to the covert nature of mandatory assistance orders, and the fact that it may not be possible for the issuing authority or applicant to have knowledge of previous (or even concurrent) orders, the Committee further recommends that the Government develop a mechanism to ensure that individuals and companies are not subject to multiple mandatory assistance orders unless specific consideration is given to whether, in all of the circumstances, it is reasonably necessary and proportionate.
6.92
There were substantial concerns raised by the submissions to this inquiry that the assistance order framework was unnecessarily large and it could compel assistance from anyone for any purpose. The Committee supports narrowing the scope to be in line with what Government intends with this Bill, in so far as it is reasonable to do so. The Committee is satisfied that the duration of the assistance is already limited by the duration of the underlying warrant to which the assistance order relates to (i.e. assistance orders could not outlast the underlying warrants).
6.93
The Committee heard substantial evidence on the topic of assistance orders across the three new proposed powers. Some were concerned around the lack of perceived scope in these orders.
6.94
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to:
impose a maximum period during with a non-emergency mandatory assistance order may be served and executed (and if the order is not served and executed within that period, the order will lapse and a new order must be sought);
require all applications for a non-emergency mandatory assistance order to be made in writing;
require all applications for a non-emergency mandatory assistance order to include, to the extent known key particulars, including the nature of the mandated assistance;
prohibit the AFP and the ACIC, unless absolutely necessary, from seeking a non-emergency mandatory assistance order in respect of an individual employee of a company (i.e. assistance should only ever be sought from the company or business);
set out the process that must be followed in respect of the service of a non-emergency mandatory assistance order on the specified persons, and link the commencement of an order to the date and time of service; and
require that an issuing authority consider whether a person is, or has been subject, to a non-emergency mandatory assistance orders (including mandatory assistance orders made under other Commonwealth legislation).
6.95
The Committee recommends that the Government make clear that no mandatory assistance order, including those defined in the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, can ever be executed in a manner that amounts to the detention of a person.
6.96
Several submissions recommended good faith immunity provisions be included for persons assisting with assistance orders. The Committee supports this.
6.97
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to introduce good faith immunity provisions for both assisting entities and those employees or officers of assisting entities who are acting in good faith with an assistance order.
Judicial review
6.98
The Committee notes the evidence provided by Home Affairs that there was an error regarding judicial review of in the initial submission and this will be corrected.
6.99
The Committee recommends the Explanatory Memorandum to the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to make it clear that decisions under the proposed new powers are not excluded from judicial review under the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act).
For the avoidance of doubt, the Committee believes that no decision made in relation to data disruption warrants, network activity warrants and account takeover warrants should be exempt from judicial review under the ADJR Act.
Data Disruption Warrants
6.100
The Committee considered the Law Council’s submission that the terms ‘disruption’ of data and ‘frustration’ of the commission of an offence be statutorily defined. Whilst the Committee accepts the arguments by Home Affairs against further defining these terms, it recommends increasing the considerations built into the authorisation process.
6.101
The Committee recommends proposed paragraph 27KA(3)(b) of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to provide that the statement of facts and grounds accompanying all applications for data disruption warrants must specify the following matters to the extent that is possible:
the acts or types of acts of data disruption that are proposed to be carried out under the warrant;
the anticipated impacts of those specific acts or types of acts of disruption on the commission of the relevant offence (that is, how they are intended to frustrate that offence); and
the likelihood that the relevant acts or types of acts of disruption will achieve that objective.
6.102
In addition the Committee makes the following recommendations.
6.103
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that only individuals who satisfy the following requirements may apply for a data disruption warrant or an account takeover warrant:
the person is a law enforcement officer in relation to the AFP or ACIC (as applicable) within the meaning of section 6A of the Surveillance Devices Act 2004;
the person has been individually approved, by written instrument made by the AFP Commissioner or ACIC CEO (as applicable) to apply for data disruption warrants; and
the relevant agency head is satisfied that the person possesses the requisite skills, knowledge and experience to make warrant applications, and the person has completed all current internal training requirements for making such applications.
6.104
The Committee recommends that paragraph 27KC of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended so that, rather than a judge having to be satisfied, that a data disruption warrant would be “justifiable and proportionate”, the judge must be satisfied, to the extent possible at the time an application is made, that a data disruption warrant is:
reasonably necessary to frustrate the commission of the offences referred to in the warrant application; and
proportionate, having regard to:
the specific nature of the proposed disruption activities;
the proportionality of those activities to the suspected offending;
the potential adverse impacts of the disruption activities on non-suspects; and
the steps that are proposed to be taken to avoid or minimize those adverse impacts, and the prospects of those mitigating steps being successful.
6.105
The Committee considered the involvement of Australian Signals Directorate (ASD) officers in these powers and, to ensure no gaps in oversight by the IGIS recommends that the IGIS Act be amended to provide that staff members of the Australian Signals Directorate are subject to IGIS oversight if they are seconded to the AFP or ACIC to execute a data disruption warrant for and on behalf of the AFP or ACIC.
6.106
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 and the IGIS Act be amended to make it clear that staff members of the Australian Signals Directorate are subject to IGIS oversight if they are seconded to the AFP or ACIC to execute a data disruption warrant for and on behalf of the AFP or ACIC.
Network Activity Warrants
6.107
A key issue was the definition of ‘criminal network of individuals’. At the most extreme, some submissions argued it could apply to all users of WhatsApp. The Government response, which this Committee agrees with, is that the issuing authority requirements make this increasingly unlikely. Furthermore, the efficacy of narrowly defining this term could lead to operational inefficiencies. However, there are likely some improvements which could be made to this definition.
6.108
The definition should include consideration of the actions or intentions of the group as a whole, and the possible offending being undertaken by the group as a whole as well as the severity of that offending. It is important that some nexus between the type of offending and the type of group is present to narrow the scope of these warrants while maintaining the intelligence function.
6.109
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to strengthen the issuing authority considerations for network activity warrants, including by amending the definition of a “criminal network of individuals” to require there to be a reasonable suspicion of a connection between:
the suspected conduct of the individual group member in committing an offence or facilitating the commission of an offence; and
the actions or intentions of the group as a whole.
6.110
The Committee agrees with the IGIS submission and evidence on clarifying the importance of privacy considerations in the issuing authority criteria for NAWs at proposed section 27KM.
6.111
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to clarify that a decision-maker, and the issuing authority, must consider the privacy implications to the extent they are known, of a proposed network activity warrant.
To be clear, the committee does not believe that privacy considerations should be determinative in their own right, just that they should be considered.
Account Takeover Warrants
6.112
The Committee considered several issues in relation to Account Takeover Warrants (ATWs). The Ombudsman recommended that affidavits support ATW applications. The Committee agrees with this recommendation.
6.113
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to require a sworn affidavit setting out the grounds of an application for an account takeover warrant (consistent with the delayed notification search warrants in the Crimes Act).
6.114
The Committee recommends that the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be amended to require an issuing authority to consider, to the extent that is possible at the time the application is made, whether a proposed account takeover warrant is likely to have an adverse impact on third parties, including a specific requirement to assess the likely:
impacts on personal privacy;
financial impacts on individuals and businesses;
impacts on a person’s ability to conduct their business or personal affairs; and
impacts on a person’s ability to have contact with family members or provide or receive care.
6.115
The Committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be passed, subject to the amendments outlined above.
Senator James Paterson
Chair
4 August 2021