Chapter 4 - Device-based named person warrants
4.1
A broad range of witnesses raised concerns in relation to the proposal
in the Bill to permit devices to be added to a warrant after it had been issued
and without further reference to the issuing authority, and for the
identification of devices in warrants only to the extent that it is known.
These witnesses, which included the Law Council of Australia (the Law Council),
the Castan Centre for Human Rights Law (Castan Centre), Privacy Commissioners
and civil liberties groups, (collectively privacy and civil liberties groups), considered
that the proposed amendments represented an extension of interception powers
that would result in innocent persons who were not the subject of investigation
having their privacy invaded. These concerns are discussed in greater detail
below, under the following broad subject headings:
- Tension between privacy rights and the need for interception
powers;
- Identification of devices;
- Adding devices to device-based warrants after issue;
- Accountability mechanisms;
- Consistency between service-based and device-based warrants;
- Legislative intent concerning device-based named person warrants;
and
- Suggestions for safeguards if devices are added to warrants.
4.2
The chapter incorporates committee conclusions in each section where
appropriate.
The tension between privacy and the need for interception powers
4.3
Evidence heard by the committee was primarily divided between two
viewpoints. Submissions by police forces[1]
and the Attorney General's Department (the Department) considered the
amendments were needed by interception authorities for operational purposes.
Conversely, privacy and civil liberties groups considered the amendments unsatisfactory
in relation to the protection of individuals' rights to privacy and public
accountability standards.
4.4
The committee received evidence that the impact from a privacy perspective
was significant and potentially inconsistent with community expectations. For
example, the Victorian Privacy Commissioner submitted that:
The effect of this bill on the privacy of individuals is
significant.
With the increase in uptake and use of technology, communication
over the internet and telephones (including mobile phones) is the primary method
of communication today. Individuals communicating through telecommunications
devices are likely to exchange all sorts of information, ranging from private
health information to personal business affairs, the nature of professional
advice received as well as sensitive information concerning their health,
sexual orientation and practices, political opinions and religious views.
Australians have the right to expect that the State will not
intercept or access their communications without just cause and due process.
The greater impact a warrant will have on an individual's rights (including their
right to privacy), the more stringent the requirements for obtaining the warrant
should be. If granted, any warrant should be as specific, finite and limited as
is reasonable in achieving its aims. In particular, the ability of the warrant
system to protect individual privacy depends on the issuing authority
considering each individual device from which telecommunication are to be
intercepted under the warrant.[2]
4.5
Conversely, while acknowledging privacy issues, the Victoria Police's
submission expressed its need for these amendments from a law enforcement
viewpoint:
There is clearly an operational need for Law Enforcement
Agencies to be able to obtain a single warrant which authorises the
interception of multiple devices used or likely to be used by the suspect and
which allows additional devices to be added to a warrant if and when they are
identified. ...
Service-based named person warrants exist to allow multiple
services to be intercepted in connection with one named person warrant and also
additional services to be added to a warrant if and when they are identified.
The proposed amendment will allow the provisions governing the issue of
device-based named person warrants to be brought into line with the provisions
governing the issue of service-based warrants.
The expanding use of telecommunication interception powers as an
investigative tool and the associated concerns that this may give rise to, such
as issues of privacy and the expansion of police powers, are always relevant
factors. However, the amendment merely provides a means of obtaining evidence
in a more timely manner than is currently possible under existing legislation.[3]
4.6
Representatives of the Department explained that interception agencies need
the operational flexibility to adapt to changing technology, noting that while
the legislation is intentionally technologically neutral, changes in technology
have required legislative amendment to maintain operational effectiveness:
Advances in technology have created a market where multiple
communications are the norm due to the low cost associated with purchasing
telecommunications services. This is creating an environment whereby it is
reasonably inexpensive to purchase multiple communications devices such as mobile
phone handsets or laptop computers. These devices, when combined with the
availability of multiple services, provide opportunities for evading detection
by law enforcement agencies...
...
To meet community expectations that serious criminal offences
are investigated and prosecuted, it is important that law enforcement [and]
national security agencies can quickly adjust to this changing environment.[4]
4.7
The committee acknowledges the tension between the need for interception
agencies to have the necessary powers to safeguard the community; and the
requirement to protect individuals' rights to privacy, particularly those
persons who are not associated with a particular investigation. These
objectives need to be balanced in any legislative amendment that involves new
powers, or an extension of powers.
Identification of devices
4.8
The accurate identification of telecommunications devices to be
intercepted is contentious because of the potential to intrude upon the privacy
of innocent people if devices are not correctly identified before interception
commences. The submission made by the Law Council illustrated two examples of
how an unjustified invasion of a person's privacy might inadvertently occur:
ASIO or a law enforcement agency may have correctly identified
their suspect but may have erroneously identified the telecommunications
services or devices used by that person, (again perhaps on the basis of
incomplete or unreliable information), with the result that the communications
of an innocent third party are intercepted.
ASIO or a law enforcement agency may have correctly identified
their suspect and correctly identified the telecommunication service or devices
used by that person but may not be technically able to uniquely identify
telecommunications made using that service or device without the risk of
intercepting communications made via an unrelated service or device (This
appears to be more of a real risk with device-based, rather than service-based
interception...).[5]
4.9
The Law Council concluded that 'the proposed amendments will significantly
reduce the role of the warrant authorisation process in safeguarding against
errors of the kind...' illustrated above.[6]
4.10
In relation to identification of devices, several submissions[7]
drew the committee's attention to previous examination of this issue in the
Blunn report;[8]
the committee's previous findings and recommendations in relation to the
introduction of device-based warrants in the 2006 amendment bill; and/or the
subsequent government response. These submissions questioned whether there had
been further development to improve the reliability and accuracy of unique
identifiers that the Australian Government had committed to progress, or
whether this commitment was now being put aside.
4.11
For example, the Law Council submitted that:
There is no information included in the
material supporting the Bill to suggest that the concerns expressed by the Senate committee
in 2006 about the accuracy and reliability of device based interception have
been addressed. Nonetheless, the proposed amendments explicitly invite
Parliament to treat device-based interception as no more risky or problematic
than service based interception.[9]
4.12
The Department stated that unique identifiers are available for devices
such as mobile handsets and laptops:
All telecommunications devices, such as a mobile handset or a
laptop computer, have a unique identifier that allows the device to interact
with telecommunications. For example, the unique identifier for a mobile
handset is called an International Mobile Equipment Identifier (IMEI). A unique
identifier for a computer or any wireless connected device is a Media Access
Control (MAC) address. It is possible to match the unique identifier of the
device to a particular person via subscriber detail or through the monitoring
of known telecommunications services that the person of interest
is using.[10]
4.13
However, the committee also received evidence from the Department which
suggested that accurately identifying a unique and indelible identifier of the
source of telecommunications, as recommended in the Blunn report, remains an
operational challenge. The Department provided the following scenario:
There will be intelligence to say someone has walked into a
particular shop and bought half a dozen phones plus 100 SIM cards, which is not
an unusual scenario. The reality is, that until they use the phone, you cannot
identify the unique identifier.[11]
4.14
Further, there appears to be some doubt about the reliability of the
unique device identifiers, due to the possibility that these may be altered. At
the public hearing, a representative of Electronic Frontiers Australia (EFA) advised
that altering the identification of a device was possible:
In many if not most cases, those [device-based] identifiers
can be altered, cloned or copied, so that they do not reliably provide a unique
identifier. Moreover, we are given to understand that where suspects in
criminal investigations, for example, might be seeking to avoid surveillance by
law enforcement agencies, they might be minded to change identifiers to hide
their tracks. In the types of situations in which these warrants might address
this, there is perhaps a higher than normal chance that identifiers might not
be unique.[12]
4.15
The Department acknowledged this concern, stating that:
In a policy sense, we are working with the industry, ACMA [Australian
Communications and Media Authority] and the Department of BCDE [Broadband,
Communications and the Digital Economy] to look at ways to deal with this
problem. There are offences in the Criminal Code for altering IMEIs
[International Mobile Equipment Identifiers] and IMSIs [International Mobile
Service Identifiers]—being the service number or the actual phone handset
number—and the AFP [Australian Federal Police] enforces those particular laws
in relation to changing IMEIs and IMSIs. But, of course, technology is very
fast moving and people will always find ways to change numbers.[13]
4.16
The New South Wales Council for Civil Liberties (NSWCCC) submitted that
allowing more devices to be intercepted without improving device identification
accuracy was not acceptable on privacy grounds:
A significant number of additional people will have their
conversations and other messages listened to or read if this Bill is passed.
These will include users of intercepted devices other than the targeted person,
and those with whom they communicate. Until such time as devices are
identifiable by unique identifiers and accidental interception of the wrong
devices is eliminated, they will also include persons not connected in any way
with the targeted person. The broader the range of devices which are targeted, the
greater the increase in invasion of privacy.[14]
Adding devices to device-based warrants after issue
4.17
A major change proposed in the Bill relates to allowing interception agencies
to add additional devices to a device-based warrant without further referral to
an issuing authority. Many of the submissions and much of the evidence received
at the hearing objected to this proposed change, viewing it as a major
extension of the existing provisions.
4.18
The following section of this report is laid out as follows:
- Paragraphs 4.19 – 4.22 set out a description, as primarily incorporated
in the Attorney-General's Department's submission, of how privacy issues will
be addressed and how accountability mechanisms will operate;
- Paragraphs 4.23 – 4.26 describe operational practices and needs,
as put forward in evidence by police forces.
- Paragraphs 4.27 – 4.30 then return to the objections raised by
privacy and civil liberties groups.
Requirements, process and safeguards
4.19
The Department described the existing two-tier process to address
privacy in the issuing process for a device-based named person warrant. The
first step is to establish that a device-based named person warrant is the only
practical mechanism available to intercept telecommunications:
The primary issue of the interference with a person's privacy is
addressed by the issuing authority in considering whether to grant a
device-based named person warrant. The interception agency must satisfy the
issuing authority that:
- there
are no other practicable methods available at that time to identify the
telecommunications services being used, or likely to be used, by the person of
interest, or
- it is
impracticable to intercept the service being used by the person of interest.[15]
4.20
If the issuing authority is satisfied that a device-based named person
warrant is appropriate to the circumstances, the issuing authority then must
have regard to the following privacy considerations and other factors:
- the impact
the interception will have on the existing privacy of any persons as a result
of intercepting communications made from any service or of a particular device
used or likely to be used by the person of interest;
- the
extent to which alternative methods of investigation have been used by the
interception agency; and
- that
the interception is for an investigation of a serious offence, generally
punishable by a maximum period of imprisonment of at least seven years.[16]
4.21
The Department's submission also explained the internal procedures to
which an interception agency would be required to adhere if the agency was
permitted to add additional devices to a warrant without independent external
scrutiny:
The Bill allows the head of an agency or a senior officer or
staff member of an agency who has been approved in writing by the chief officer
of an agency, to approve the addition to the warrant of an additional device,
and to notify the relevant carrier. The senior officer is not able to make
decisions that go beyond the limits of the original warrant and therefore is
required to be satisfied that the addition of a device to a named person
warrant would meet the thresholds that an issuing authority must have regard
to, or be satisfied of, in issuing the original warrant.[17]
4.22
The submission went on to explain the existing accountability mechanisms
under the TIA Act that would be safeguards which might address issues raised by
privacy and civil liberties groups:
- An
interception agency is required to revoke a warrant when the grounds for the
warrant no longer exist. This includes where it is no longer impracticable to
intercept telecommunications being used by the person.
- Intercepted
material must be destroyed where it is not relevant to the permitted purposes
of the agency – generally an investigation of an offence that is punishable by
three years imprisonment or more.
- An
issuing authority may impose conditions or restrictions on an interception
warrant.
- The
Ombudsman has independent oversight of the conduct of the interception agencies
in carrying out interception.[18]
Operational need for devices to be
added after issue of the warrant
4.23
The committee received evidence from Victoria Police, the AFP and the
Attorney-General's Department that operational effectiveness requires the
timely interception of devices since:
The evolving practice by the criminal element of utilising
multiple SIM cards in multiple handsets has become a significant inhibitor to
the detection of crime and the apprehension of offenders. LEA’s [law
enforcement agencies] once again will be at a disadvantage when trying to
identify and subsequently intercept telecommunications in a timely manner. The
'educated' criminal element is already utilising such practices to defeat
current methods of telecommunications interception and will continue to do so.
The use of such tactics will certainly increase as it becomes more commonly
known.[19]
4.24
Tasmania Police also noted that the amendments would 'provide for a
greater effectiveness of the Telecommunications Interception warrant regime'.[20]
4.25
A representative of the AFP described the warrant process and need for
timeliness to the committee from an operational perspective:
...when you are seeking the grounds for the original warrant, you
are at the earlier stage of the investigation. You do not have interception in
place, so you are going through that accountability process. I do not think
that anything we are saying or the department is saying is meant to undermine the
importance of that up-front authorisation by an external body. What we are
talking about is the fact that, in the overall architecture of the T(I) Act [TIA
Act], a device based warrant is in the first place really the warrant of last
resort. We have to be satisfied, and we need to be able to satisfy our internal
processes and then the issuing authority, that a service based warrant or some
other TI [telecommunications interception] warrant is not a better way to get
access to the information that we are after to assist with our investigation.
As that investigation progresses and we are aware or become aware that that
person suspects that they are under surveillance by the police, that the police
are interested in them, and they start undertaking those counter surveillance
type activities, we need to be able to try and counter that to maintain our
capability. That is why we are suggesting that, when it comes to adding a
device to an existing warrant where we were not aware of the existence of that
device when we first sought the warrant, an internal authorisation approach, on
balance with the other accountabilities that are available in the Act, is the
best way ahead from an operational perspective.[21]
4.26
A representative of the Department also described some of the internal
accountability and approval requirements that will apply when a device is to be
added subsequent to the issue of a warrant:
...the decision to add another device will be made by a senior
officer within the agency, which does sit separately from any of the actual
investigation itself, so the objectivity does come in there. I should also say
that they will not be able to add a device that is inconsistent with the
purposes of the warrant in the first instance. There has to be not only the
likelihood that the person is using it but the likelihood that the use of it is
in relation to the offence for which the warrant was issued....
I should also say that, as a matter of best practice, the
Attorney-General’s Department must receive copies of all warrants.[22]
Scrutiny of devices added to a
warrant
4.27
The committee heard evidence arguing that the provisions of the Bill
that will permit interception agencies to add new devices to a warrant without further
independent scrutiny by the issuing authority would adversely affect the
privacy rights of individuals.
4.28
The Law Council firstly agreed with the statement in the Department's
submission that 'the primary issue of the interference with a person's privacy is
addressed by the issuing authority in considering whether to grant a named
person warrant.' [23]
However, the Law Council went on to state that:
...it is difficult to see how the threshold test for privacy can
be met where the issuing authority remains unaware of the particular devices to
be targeted under the warrant. [24]
4.29
The Castan Centre elaborated on the privacy consequences of removing the
requirement that an issuing authority scrutinise information pertaining to all
devices in a warrant:
At the time of issuing, the issuing authority does not know what
those devices are or might be and so has no basis on which to adequately
address the question of whether or not the interception of those further
devices would interfere with the privacy of any person or persons in an
inappropriate fashion. The concern arises particularly in relation to device
based warrants because when one looks, for example, at the explanatory
memorandum for the 2006 bill, which introduced the device based warrants, it
makes it clear that the logic of a device based warrant is that it is useful when
a device is being used in respect of multiple services. Of course the device
might also be used by multiple users.
So... it seems quite possible that some person, not of interest to
the authorities and who was not identified in the warrant, might nevertheless
be using the device to make a communication on some service or other and then
become subject to interception pursuant to the warrant. [25]
4.30
The committee questioned several witnesses about whether the requirement
to seek prior approval from an issuing authority before adding devices to a
warrant imposed an additional 'red tape' burden on an interception agency, in
terms of time and identifying the device. Witnesses were consistent in
considering that prior approval is appropriate and necessary. Comments included:
- the 'red tape' includes existing safeguards and there is a
significant difference between extra red tape and the removal of safeguards;[26]
- the requirement to seek approval is consistent with Australia's
international human rights obligations;[27]
- there is a balance to be struck between the lawful interception
needs of an agency and the needs of the public to be protected from the
excesses and abuses to which those powers could conceivably be put. The purpose
of device-based warrants is to address the issue of 'proliferation of SIM
cards', that is, the ability to intercept multiple SIM cards in one device;[28]
- the proposed amendment is fundamentally inconsistent with the
nature of the independent review. An analogy for this proposal is that of a
magistrate issuing a search warrant that allowed the police not only to search
a residence of a particular suspect but any other place in which it is 'likely'
a person might be. It removes the need for showing proof and justification
before an independent party;[29]
-
the one additional step of obtaining a warrant should not be
omitted, as the AFP states in its submission that interception agencies are
required in any case to do the work to identify the additional devices;[30]
- none of the current safeguards prevent interception agencies
doing their jobs;[31]
and
-
the community would expect that a documented case needs to be
made to someone to justify the addition of a device, and that case should
preferably be made to someone external, rather than internal to the agency
actioning the warrant.[32]
Conclusions
4.31
The committee acknowledges that interception effectiveness needs to keep
pace with technological changes and changes in the behaviour of criminals seeking
to avoid detection. This may require ongoing legislative change unless more
'technologically neutral' legislation can be introduced.
4.32
The committee accepts that even a short delay may result in loss of
valuable information and affect investigatory outcomes. This is clearly not
ideal and, in certain circumstances such as life-threatening situations, may be
unacceptable. However, any changes to existing powers and safeguards must
always be weighed against the potential for additional intrusion into
individual rights and privacy.
4.33
The committee accepts that the ability of interception agencies to
rapidly respond to 'turnover' in the telecommunication devices being used by
people being intercepted is somewhat constrained by the current device-based
warrant regime. This problem would be reduced if interception agencies were
able to apply for multiple devices in a single application for a warrant.
Allowing agencies to add devices to a warrant subsequent to its issue may also
increase the capacity of interception agencies to respond in an efficient and
timely manner. However, the TIA Act does not currently permit either process.
4.34
The committee is of the view that as a general principle, it is
unobjectionable for interception agencies to intercept multiple devices on a
device-based named person warrant. The committee is not convinced, however that
an issuing authority can adequately consider potential interference with the
privacy of any person(s), and also consider the other factors against which
this should be balanced, if it is unaware of the identity of the devices that
an interception agency may add subsequently to a device-based named person
warrant.
4.35
During the course of the inquiry, Departmental representatives argued that
replacing external scrutiny of devices that an interception agency wishes to
add to a device-based named person warrant with internal-to-department scrutiny
would still achieve equivalent consideration of privacy issues. The Department explained
that the officer who will assess applications for additional devices would not
be from within the area where the application originates. Additionally, the
Department asserted that the purpose of the interception of the additional
device must be consistent with that in the original warrant, and that each
device is subject to the same test of 'likelihood' that the person named in the
warrant is using the device.
4.36
However the committee considers that these safeguards cannot fully
substitute for independent scrutiny by an issuing authority. The amendments, if
passed, would remove an important existing safeguard, that is, independent
scrutiny of any devices that an interception agency wishes to intercept.
4.37
Privacy Commissioners, civil liberties and rights groups and the Law
Council were unanimous in considering that independent scrutiny is not merely
'red tape'. In their view, removing an existing safeguard is different from
objecting to new safeguards. The committee agrees with this view and, in
particular, considers that:
- compared with service-based interception, device-based
interception is more likely to result in the invasion of privacy of people not
identified in the warrant;
- a balance should be maintained between the protection of the
community by security and law enforcement agencies; and the accidental or
deliberate infringements on privacy that can result from interception; and
- independent review should be an integral part of the balancing
effect of these interception powers on other public rights.
4.38
However, the committee considers that intercepting agencies should only
be permitted to add further devices to a device-based named person warrant
after the warrant has been issued in defined circumstances, not as a general
practice. Any devices added should be notified to the issuing authority within
a limited period. The issuing authority should also have the power to declare
that the interception should cease and all information gathered destroyed if
the issuing authority decides that the facts of the case would not have
justified the addition of the devices.
Accountability mechanisms
4.39
The Law Council disagreed with the Department's statement that existing accountability
mechanisms are sufficient safeguards for these proposed amendments. The Law Council
did not find these mechanisms satisfactory, commenting specifically that:
All but one of these accountability mechanisms are directed at
monitoring the use of interception powers after a warrant has been issued and
executed.
The Law Council submits that 'after the fact' reporting or
oversight mechanisms are not an adequate substitute for a rigorous, external
warrant regime which determines whether, when and how ASIO or police should be
exercising interception powers in the first place.[33]
4.40
A representative of the Privacy Foundation, after being questioned by
the committee on whether the privacy protections outlined by the Department
were sufficient, said:
There are two types of privacy safeguards: those inherent in the
authorisation process and the downstream safeguards. It is true that the
downstream safeguards in terms of reporting and the necessity to comply with
certain record-keeping requirements will still apply, but the upstream
safeguards, the ones that are delivered by the authorisation process, are in a
sense negated by a multiple device based warrant because the issuing authority
is simply not in a position to make the appropriate judgement about the balance
of interests since they will not have any information, as we understand it,
about which other individuals may be users of those devices. Therefore, the
arguments about the likelihood of the suspect or the target using those is information
that simply will not be made available to an issuing authority so that they can
make the appropriate judgement about the balance of interests.[34]
4.41
The Castan Centre discussed the effect of removing independent scrutiny
and broadening the range of telecommunications devices from which
communications may be intercepted. They said that the effect would be to dilute
the statutory obligations of interception agencies to justify interceptions. The
Castan Centre commented that:
One potential consequence of such a dilution of accountability
would be to encourage the undertaking of 'fishing expeditions', as agencies
become freer to form their own, untested, views as to which devices a person is
likely to use. This also further exposes the communications of third parties,
not named in the warrant, to the possibility of interception, which is
objectionable...[35]
4.42
A representative of the AFP disagreed with this view, commenting that
internal safeguards and accountability mechanisms are sufficient:
We believe that, for the addition of a device to an existing
warrant, the internal accountability would be the way to go, and those
additional oversight mechanisms would be through the reporting arrangements and
the oversight of the Ombudsman and its scrutiny of our processes, which is
fairly regular. It is annual and regular.[36]
4.43
The Castan Centre's submission identified several areas where dilution
of accountability has resulted in cases which 'strongly suggest that
investigatory agencies need to be held more accountable in the exercise of
their statutory powers, not less so.'[37]
The submission emphasised that this was not just about protecting human rights,
but also about preserving agencies' integrity, and requiring them to account
for the exercise of their powers.
4.44
The Castan Centre provided two examples to support its argument:
- the recent arrest and subsequent release of Dr Mohammed Haneef;
and
- the case of Izhar Ul-Haque, in which the judgement of Justice
Adams of the New South Wales Supreme Court criticised the conduct of both ASIO
and AFP officers.
4.45
The representative of the Privacy Foundation provided other examples of internal
scrutiny and accountability failure, citing the leakage of information and its
misuse by officers of the Australian Taxation Office and Centrelink. He also
drew attention to what he described as the 'fairly regular' instances of police
corruption and misuse of official information, mainly in state police forces.[38]
4.46
The representative of the Privacy Foundation argued that these types of
occurrences did not give the confidence 'to simply sweep away the safeguards in
the name of efficiency.' He went on to differentiate between the abuse of
information and the 'more general, chilling effect of surveillance' as follows:
We think one of the dangerous trends is the tendency of
governments to assure us that extension of powers to monitor and surveil the
activities of citizens is okay because, as they say, they will put in place the
safeguards that deal with the abuse and suchlike. That, to our view, negates the
important social value of privacy and freedom from surveillance as something
that we actually treasure and, in most liberal democracies, value quite highly.
It simply is not good enough to say, 'If you’ve got nothing to hide you’ve got
nothing to fear.' We all have the right, in our view, to basically go about our
business in private unless it needs to be intruded on. The threshold tests for
that intrusion need to be kept as high as possible.[39]
Conclusions
4.47
The committee is of the view that 'after the fact reporting' is
insufficient to adequately address issues associated with individuals' privacy
and rights.
4.48
In regards to the accountability mechanisms internal to interception
agencies, the committee commends the work done by interception agencies to
improve their processes and accountability mechanisms. However, the internal
processes of any agency, public or private, are susceptible to failure, whether
this be accidental, by oversight or omission, or deliberate. The care and
attention to preserving a (possibly unknown) individual's right to privacy can
be lost in the pressure of work and the need to achieve results.
4.49
The committee considers that best practice is to maintain independent
scrutiny, should agencies be authorised to add devices to a warrant, except in
exceptional circumstances.
Consistency between service- and device-based warrants
4.50
The EM for the Bill states that the changes to the device-based warrant
provisions establish a consistency with the service-based warrant provisions.[40]
The committee concurs that the proposed amendments will, if passed, establish a
consistency or equivalency in terms of wording.
4.51
While the police forces and the Department did not specifically identify
why this consistency is desirable, they drew attention to the operational needs
of interception agencies (as outlined above) and, by inference, the need for the
device-based and service-based provisions to be consistent. The Department and
the AFP confirmed that the current requirement for an issuing authority to
scrutinise every telecommunications device added to a device-based named person
warrant would be removed by the Bill. However, they argued that the current
safeguards and accountability mechanisms contained in the TIA Act, together
with internal guidelines and procedures within agencies, would be sufficient to
ensure privacy and accountability issues are adequately addressed.
4.52
The committee heard evidence from privacy and civil liberties groups and
the Law Council that device- and service-based interception warrants are not similar
in nature and that relaxing provisions for devices to achieve 'consistency'
with services is undesirable. In particular, these groups considered that
device-based warrants were more likely to lead to the invasion of privacy and
civil rights than service-based warrants. These groups concluded that
independent scrutiny of devices added to a warrant is necessary, at the very least.
4.53
The committee acknowledges that accurate identification of devices remains
more difficult than for services, and inaccurate identification may lead to the
interception of the communications of people who not relevant to the
investigation. Compared with services, devices are also more susceptible to having
their identification tampered with or 'stolen', and devices are easier to
dispose of and replace, as outlined above.
4.54
The Castan Centre submitted that another difference between services and
devices is the multi-user nature of devices compared with services, which will potentially
lead to more non-suspects being intercepted on a particular device than a
particular service. The Castan Centre concluded that amending device-based
warrant provisions to make them consistent with service-based interceptions would
increase interception powers, as follows:
One significant consequence of this broadening of the range of
telecommunications devices from which communications may be intercepted would
be to permit further incidental monitoring of people who are themselves of no
relevance to a particular investigation, but who happen to use a
telecommunications device that is ‘likely’ to be used by a person named in an
interception warrant. This may be particularly so in relation to personal
computers that are open for public use (eg in public libraries or internet
cafes). By way of contrast, a service-based named person warrant may well not
authorise interception of all communications from such a device, as many of the
users of such a device may not be using it to communicate via a service that
the person named in the warrant is using or likely to use. Therefore, these
amendments would increase the power of interception, and not merely establish
an equivalence between device and service-based warrants.[41]
Legislative intent concerning device-based named person warrants
4.55
The Department expressed the view that the Bill 'clarifies' the original
intent of the 2006 amendment bill to include multiple devices in a named person
warrant. The Department stated that this is evidenced by the then inclusion of
sections 16 and 60(4)[42]
which appear to recognise that additional devices can be added to a warrant.[43]
The inconsistencies between these provisions are described in detail in Chapter
2 of this report.
4.56
The Department informed the committee that the inconsistencies were the
result of a drafting error that, 'did not allow for the original policy
intention for various devices to be added to a warrant'.[44]
4.57
A representative of the NSW Council for Civil Liberties observed that a
change 'that requires 12 changes in the Act and changes to six of its clauses...
is not merely carrying out the intentions of an original amendment.'[45]
4.58
The submission by the Law Council also disputed the legislative intent
of the provisions, drawing attention to the Government response to the committee's
inquiry into the 2006 amendment Bill, which stated that:
These warrants will only be issued where the requesting agency
can show that the unique identifying number is indeed a unique source and there
are no other practicable methods of identifying the service.[46]
Conclusion
4.59
The committee disagrees with the argument presented by the Department
that the Bill merely 'clarifies' the intent of the Telecommunications
(Interception) Amendment Bill 2006 that a device-based named person warrant
gives the authority to intercept multiple devices.
4.60
The inclusion of the conflicting provisions (described above and in
Chapter 2) in the TIA Act indicates that it may well have been the Department's
intent to incorporate multiple device provisions, including the ability to add
devices to the warrant after the issue of the warrant. However, this cannot
necessarily be used as an indication of the Parliament's intent when it passed
the legislation, and indeed there is evidence to the contrary view, including:
- the committee's report on the 2006 Bill, which made it clear that
there were substantive concerns with the ability to uniquely identify a
telecommunication device and that these concerns related to protection of
individual privacy and rights;
- the government's response to the committee's 2006 report, which also
clearly indicated that a device-based named person warrant required the device
to be identified in the warrant; and
- service-based and device-based named person warrants are to be
clearly differentiated in terms of the nature and extent of their powers, with
devices requiring greater safeguards. This is evidenced by the TIA Act
requiring an issuing authority to be satisfied that there are no other
practicable methods available at that time to identify—or it is impracticable
to intercept—the telecommunications services that the person of interest is
using, before issuing a device-based named person warrant.
4.61
Arguments about the intent of the legislation are, in any case, futile.
It is not disputed that currently, the TIA Act does not allow for multiple devices
on a device-based named person warrant, or for devices to be added after the
warrant has been issued. The objective of this Bill is to enable these changes,
and the purpose of this inquiry is to assess their effects and advise the
Senate accordingly.
Suggestions for safeguards if
devices are added to warrants
4.62
During the course of this inquiry, privacy and civil liberties groups all
clearly agreed that an application for multiple devices, identified in a device-based
named person warrant, is appropriate. The committee questioned witnesses who
had raised other concerns in relation to the Bill's proposed amendments about
whether agencies should be able to apply for a warrant for multiple devices.
None objected to multiple devices being included in a single warrant
application.[47]
4.63
The Castan Centre explained that this was not objectionable in principle
as:
Currently, to intercept a new device, the agency would have to
get a new warrant. If that was rolled into a process whereby, under the one
warrant application and issuing process, they could identify and make the case
for interception of multiple devices, I think that would be unobjectionable.
That would in effect just be combining multiple processes into one process.
There would be no reason to think that would interfere with the oversight and
accountability in respect of each of those devices named.[48]
4.64
However, these groups informed the committee that the existing
safeguards for telecommunication devices, as currently required by the TIA Act,
should be maintained if devices are subsequently added to a warrant. The Law
Council submitted that maintaining the status quo requires an issuing authority
to be satisfied that a person is a legitimate target of suspicion and:
For each and every device that-
- the
interception is likely to yield useful information (unobtainable by other
means);
- the device is used or likely to be used by the suspect;
and
- the device can be uniquely identified.[49]
4.65
Scrutiny of these issues by an issuing authority would enable an authority
to adequately test how much the privacy of any person or persons would be
likely to be interfered with by intercepting under a warrant.
4.66
In a supplementary submission, the Privacy Foundation noted that its
primary stance was to oppose a relaxation of the current issuing requirements
for device-based warrants. However, the Privacy Foundation also put forward a
model whereby an issuing authority would review additional devices within a
short time-period, as follows:
Agencies could be given an 'exceptional discretion' to intercept
additional devices in relation to an existing named person warrant where timing
or other operational circumstances made it impracticable to seek prior authorisation.
However, exercise of this discretion would be subject to 'after the event'
confirmation by an issuing authority, on presentation not only of the 'likely
to be used' justification but also of the reasons for prior authorisation
having been impracticable.
Such an application for confirmation would be required within a
fixed but short period after the interception of the additional device
commenced. An issuing authority not persuaded by the case for the device could
order immediate cessation of the interception....
There is a clear precedent for this 'emergency authorisation'
process in section 10 of the T(I&A) Act, which provides for the
Director-General of Security to issue a warrant without the normal prior
approval, subject to subsequent reporting to the Attorney-General and the
Inspector-General.[50]
4.67
The Privacy Foundation also proposed a system of revocation and
reprimand if the issuing authority was not persuaded by the case presented in
the application for additional devices.
Proposed additional reporting of
device-based warrant use
4.68
Part 2-8 of the TIA Act requires that the Attorney-General, as the
Minister administering the TIA Act, prepare a report each year giving details
of telecommunications interception for law enforcement purposes. The Department
meets this requirement each year by publishing a consolidated report, the most
recent of which is the Telecommunications (Interception and Access) Act
1979, Annual Report for the year ending 30 June 2007.
4.69
In relation to the need for additional safeguards if device-based
warrant provisions are enacted, the Castan Centre's submission drew the committee's
attention to the detail of current reporting requirements. These include, in
relation to named person warrants issued during the year by each agency or
authority, how many of those warrants involved the interception of:
- a single telecommunications service;
-
between two and five services;
- between six and ten services;
- more than ten telecommunications services; and
- the total number of telecommunication services intercepted under
those warrants.
4.70
These requirements incorporate interceptions resulting from both
device-based and service-based warrants, as the reporting is expressed in terms
of the total number of services intercepted. There is no separate information
provided in annual reports about the number or nature of devices intercepted.
4.71
The Castan Centre confirmed that the Bill is currently silent in terms
of device-based reporting requirements and suggested that, were the proposed
provisions for device-based warrants to be enacted, similar reporting to that
in force for services should be required for device-based warrants, separately
from service-based warrants. The Castan Centre argued that this would permit a
degree of public scrutiny of the use to which the new power was being put.[51]
Representatives of the Law Council supported the Castan Centre's view.[52]
4.72
EFA also supported the extension of reporting requirements to disaggregate
device-based warrants. While considering this as a 'minimum', EFA argued that
existing requirements are insufficiently detailed to allow scrutiny of the
extent to which services additional to those identified in the original warrant
application were intercepted. This point was illustrated in the following
example:
For example, one current reporting obligation is to report how
many warrants 'involved the interception of more than 10 telecommunications
services'. If a service-based named person warrant is issued, which identifies
only one telecommunications service, and the agency involved intercepts a
further 10 telecommunications services because they consider it 'likely' that
the named person will use those services, would this warrant be reported as a
warrant involving a single service, or more than 10 services?[53]
4.73
EFA submitted that there is a need for an additional reporting
requirement to allow the disaggregation of services intercepted by services or
devices identified in the original warrant, and those intercepted by services
or devices subsequently added to the warrant. Additionally, this should be
reported independently for service-based and device-based named person
warrants. EFA considered that this is necessary because 'Statistics on this
issue would indicate whether or not interception agencies might be overusing
this power.'[54]
4.74
The committee sought a response from the representatives of the Department
about the merits of this argument. Representatives confirmed that there is no
additional reporting of the actual number of devices, but emphasised that the
number of services intercepted under any device will still be reported in the
annual report, as current reporting is on the number of services intercepted by
all named person warrants:
...regardless of the technology, whether it is done by device or
service, it is the number of services that are intercepted that gives an
indication of how many telecommunication services have been intercepted. The
device is the technology by which the interception takes place.[55]
4.75
When asked to do so by the committee, the Departmental representative
said that she was unable to comment on the merits of a specific reporting
requirement for device based warrants, '...given that I believe the information
is already in the reporting'.[56]
Balance of probabilities test
4.76
EFA submitted to the committee that the term 'likely' (as discussed in
chapter 2, commencing at 2.16) was too open to interpretation in relation to a
suspect 'using or likely to use' each device from which communications will be
intercepted. The EFA stated:
...the standard of a 'real chance or possibility' would be
unacceptably low, and would both encourage and facilitate fishing expeditions
by agencies with interception powers. These fishing expeditions could result in
the interception of telecommunications devices belonging to a suspect's
friends, relatives or workmates, not because the agency concerned believes that
the suspect will use those devices, but merely because they might.[57]
4.77
A representative of the EFA told the committee that the word 'likely' is
unclear, and is given various meanings by different courts, considering
different legislation at different times. He said the meaning can range from
the balance of probabilities, as in 'more likely than not', as a layperson
would interpret it, to the low standard of a real chance or possibility. He
stated that a balance of probabilities test is required.[58]
4.78
The committee asked the Department whether it would consider a balance
of probabilities test. The Department's response was that it considered that
the phrase 'likely to use' is an appropriate test:
The 'likely to use expression in section 46A provides a
mechanism that enables intelligence gathering where something is likely to
occur in the future. Human action is difficult to predict. However, in the
context of the TIA Act, the term 'likely' should be interpreted as being
analogous with a 'real risk'[59]
or 'probable[60]
that the named person is using or likely to use a device. To satisfy such a
test would require evidence as to why an agency suspects that a person is
likely to use a device.[61]
Discarding of data from persons not
named in the warrant
4.79
On being questioned by the committee on additional safeguards that would
limit surveillance of non-suspects in device-based warrants, a representative of
EFA suggested that it could be a requirement that all communications that were
not made by the person named in the warrant be discarded. The representative
went on to state that it was EFA's understanding that:
... under the law as it currently stands, the communications of
those persons can be recorded and are only discarded if they are not really
relevant to a crime which is investigated by that type of agency....It says on
page 4 of the A-G’s [Attorney General's] submission:
- Intercepted material must be destroyed where it is
not relevant to the permitted purposes of the agency—generally an investigation
of an offence that is punishable by three years imprisonment or more.[62]
4.80
A representative of the Department responded to the committee's
questions on the secondary use of data stating that there are no legislative
provisions relating to the collection of interception data for general
intelligence, no centralised database for its storage and that it is an offence
to disclose intercepted information, except for the permitted purposes for
which it is obtained. The representative stated that:
There is no derivative use of TI [telecommunications interception]
product except for those very limited grounds which are in the Act, and that is
for the permitted purpose of the original investigation or to pass it over for
a relevant offence, which has to be punishable by at least three years imprisonment.
So it is very, very tightly guarded. Certainly the AFP can talk more about
their destruction provisions, but each intercepting agency has very strong
accountability regimes inside such that they do have to destroy, and it is part
of the role of those oversight bodies like the Ombudsman that they review and
make sure that that has actually been undertaken. And, if not, then reports are
made to ministers that they have breached their obligations to destroy
particular information.[63]
4.81
The committee notes that the offence threshold for the secondary use of
data appears to be less restrictive, than that which applies when an issuing
authority considers a device-based named person warrant application. For
example, the Department's submission stated that an issuing authority for such
a warrant would need to be satisfied that:
... the interception is for an
investigation of a serious offence, generally punishable by a maximum period of
imprisonment of at least seven years.[64]
Committee findings
4.82
The committee considers it desirable that an issuing authority should
be able to approve multiple devices identified in a device-based named person
warrant application and add additional identified devices to that warrant at
later stages.
4.83
The committee considers that the process of adding a device to a
device-based named person warrant after the warrant has been issued should
include an independent scrutiny process. The committee considers that the model
proposed by the Australian Privacy Foundation, discussed at paragraph 4.66, provides
a useful starting point.
4.84
The committee considers that the annual report on the TIA Act is
reasonably comprehensive in terms of providing a breakdown of interceptions
that have taken place and the agencies undertaking the interceptions. However,
it is also important for the Parliament to be able to discern the effects of
any new legislation and accordingly, the committee is of the view that
additional reporting of the use of these powers is required.
4.85
The committee considers that the number of services intercepted by
service-based and device-based named person warrants should be disaggregated,
and the results presented in a similar manner to that currently for intercepted
services. The committee also considers that the number of services intercepted
pursuant to the services or devices in the original application should be
reported separately to the services intercepted by later additions to the
warrant. This should be reported separately for device-based and service based
named person warrants in a similar manner to that currently used for the
reporting of intercepted services.
Recommendation 2
4.86
The committee recommends that the recommendation at paragraph 3.2.5 of
the Blunn report, which reads:
3.2.5. Accordingly, I recommend that priority be given to
developing a unique and indelible identifier of the source of
telecommunications and therefore as a basis for access.
be adopted, and priority given to developing a unique and
indelible identifier of the source of telecommunications.
Recommendation 3
4.87
The committee recommends that the Bill be amended to provide that an
agency be permitted to add a device to a device-based named person warrant
after the warrant has been issued if the facts of the case would have justified
the issue of a warrant by the issuing authority; and the investigation in
relation to the person named in the warrant will be, or is likely to be,
seriously prejudiced if the interception does not proceed.
Recommendation 4
4.88
The committee further recommends that the Bill be amended to provide
that if an agency adds a telecommunications device or devices not identified on
a device-based named person warrant at the time that the issuing authority
issued the warrant:
- the
agency be required to notify an issuing authority, within 2 working days, that
a device had been added to the warrant; and
- the
issuing authority must examine the supporting documentation against the
criteria that it would have considered, in accordance with the requirements of
the Telecommunications (Interception and Access) Act 1979, in relation
to an application by the agency for a device-based named person warrant, and
make a determination about whether the facts of the case justified the addition
of the device; and
- the
issuing authority shall order that the interception cease immediately and that
all evidence gathered be destroyed if it determines that the facts of the case
would not have supported the issue of a device-based named person warrant.
Recommendation 5
4.89
The committee recommends that the Bill be amended to insert a
requirement that the Annual Report in relation to the Telecommunications
(Interception and Access) Act 1979 incorporate the following additional
information over and above that already required by the Act:
- the
number of service-based and device-based interceptions, to be reported upon separately
but in a similar format to that currently used for the total number of intercepted
telecommunication services; and
- the
number of devices in the original warrant and the number of additional devices added
to the warrant, reported in a similar format to that currently used for
reporting the total number of intercepted telecommunications services.
Navigation: Previous Page | Contents | Next Page