Chapter 3


Chapter 3

Warranted access to telecommunication content

3.1        The Telecommunications (Interception and Access) Act 1979 (TIA Act) provides a legislative framework that criminalises the interception and accessing of telecommunications. However, the Act prescribes exceptions that enable law enforcement, anti-corruption and national security agencies to apply for warrants to intercept communications when investigating serious crimes and threats to national security. The warrant regime provides these agencies with lawful access to telecommunications content.

3.2        This chapter provides an overview of the existing warrant framework within the TIA Act and then discusses opportunities for legislative reform. The overview provides an insight into the complexity of the current legislation.

3.3        In examining the warranted access regime to telecommunications content, the committee was informed by the 2013 report of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) which recommended that the proportionality test within the TIA Act be revised and consideration be given to implementing a consistent proportionality test across interception and access to telecommunications content. The committee was also informed by the 2015 report of the PJCIS into mandatory data retention that re-considered the issue of proportionality in context of necessity, efficacy and the current risk environment.[1]

An overview of the warrant regime

3.4        Chapters 2 and 3 of the TIA Act[2] provide for warranted access to telecommunications,   including   both   communications   passing   across telecommunications services (that is, the interception of live communications), and stored telecommunications content.[3]

3.5        The Attorney-General's Department (the department) provided the following description of the four existing warrant regimes that enable law enforcement and anti-corruption agencies to lawfully access the content of communications:

The TIA Act contains four warrant regimes for lawful access to the content of communications by law enforcement and anti-corruption agencies. Three of these warrants relate to access to 'live' communications, and the fourth relates to access to 'stored' communications held by carriers.

The distinction between access to live and stored communications currently embodied in the TIA Act is based on an assumption that stored communications were generally more 'considered' and so less privacy sensitive.[4]

3.6        In addition, the Act provides for warrants to be issued for specific purposes, such as locating missing persons or locating a caller in an emergency.

Telecommunications service warrants and named person warrants

3.7        The provisions within Chapter 2 of the TIA Act enable 'agencies' to apply for telecommunications service warrants and named person warrants to an eligible judge or nominated member of the Administrative Appeals Tribunal (AAT). The Act prescribes that the judge or nominated member of the AAT may issue a warrant in the circumstances where they are satisfied that the information likely to be obtained under the warrant would be likely to assist in the investigation of a 'serious offence' and they have had regard to a number of factors to ensure that the issuing of a warrant is proportionate in the circumstances.[5] This is referred to as a proportionality test.

3.8        For the purposes of Chapter 2 of the TIA Act, 'agencies' is defined as 'interception agencies' which is further defined as the Australian Federal Police (AFP), the Australian Crime Commission (ACC) or the Australian Commission for Law Enforcement Integrity (ACLEI); or an eligible authority of a state in relation to which a ministerial declaration under section 34 is in force. Section 34 of the TIA Act enables the Minister, by legislative instrument, at the request of the Premier of a State, to declare an 'eligible authority' of that State to be an 'agency' for the purposes of the Act. The Act defines an 'eligible authority' in relation to a state to mean:

  • in any case—the police force of that state; or
  • in the case of New South Wales—the Crime Commission, the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the Police Integrity Commission or the Inspector of the Police Integrity Commission; or
  • in the case of Victoria—the Independent Broad-based Anti-Corruption Commission (IBAC) or the Victorian Inspectorate; or
  • in the case of Queensland—the Crime and Misconduct Commission; or
  • in the case of Western Australia—the Corruption and Crime Commission or the Parliamentary Inspector of the Corruption and Crime Commission; or
  • in the case of South Australia—the Independent Commissioner Against Corruption.

3.9        'Serious offence' is defined in section 5D of the TIA Act. The definition is complex but includes, among other things, murder, kidnapping, bribery, market misconduct and other offences that are punishable by imprisonment for life or for a period, or maximum period, of at least seven years.

Stored telecommunications warrants

3.10      In certain circumstances, 'enforcement agencies' (defined below) can require that a carrier preserve all stored communications the carrier holds that relate to the person or telecommunications service specified in a notice.[6]  The communications stored may then be accessed, by warrant,  in  prescribed  circumstances.[7] Like telecommunications service warrants, a proportionality test is also applied. The proportionality test applied in this circumstance involves 'serious contravention'.

3.11      Where an 'enforcement agency' has applied to an 'issuing authority' (defined below) for a stored telecommunications warrant, the TIA Act provides that the 'issuing authority' may issue the warrant if satisfied that the information likely to be obtained under the warrant would be likely to assist in the investigation of a 'serious contravention' and the 'issuing authority' has had regard to a number of matters to ensure that the issuing of a warrant is proportionate in the circumstances.[8]

3.12      'Enforcement agency' is defined in section 5 of the TIA Act. The definition includes: the AFP, a police force of a state, anti-corruption bodies, the ACLEI, the ACC, authorities prescribed by legislation, and, any body whose functions include: (i) administering a law imposing a pecuniary penalty; or (ii) administering a law relating to the protection of the public revenue.

3.13      'Issuing authority' is defined in section 5 of the Act as 'a person in respect of whom an appointment is in force under section 6DB'.[9] Certain judges, magistrates and AAT members who are also enrolled as legal practitioners may be appointed by the Minister to be an 'issuing authority'.[10]

3.14      'Serious contravention' is defined in section 5E of the TIA Act. Like the definition of 'serious offence' in section 5D of the Act, the definition of 'serious contravention' in section 5E is complex. It includes a Commonwealth, state or territory offence punishable by imprisonment for a period, or a maximum period, of at least three years. The definition also includes offences punishable by a maximum fine of at least 180 penalty units[11] or a contravention of the law which would make an individual liable to pay a pecuniary penalty of the same magnitude.

Removing legislative duplication in the warrant regime

3.15      Throughout this inquiry the committee received evidence regarding the complexity of the existing legislative framework that governs warranted access to telecommunications content.[12] Stakeholders consistently impressed upon the committee the need to remove legislative duplication from the warrant framework. Many proposed the introduction of a single warrant regime that authorised interception of content, whether live or stored, on the basis of prescribed attributes. This is referred to as 'attribute-based interception'. Proponents of this approach argued that it would reduce complexity by removing the distinction between a 'serious offence' and a 'serious contravention' while also providing a single clear proportionality test.[13]

3.16      Submitters identified an administrative burden associated with the complex duplication within the existing TIA Act. The then Director-General of Security explained:

[I]n order to look at a particular individual we may need to take out three or four different warrants, each of which requires a considered three- or four- page argument, and yet the argument is actually the same in all of the warrants. So to be able to combine a number of warranted activities together...is one such example. The ability to intercept according to a number of different selectors, rather than just the name of a person and a telephone number, for example, to be able to intercept on the basis of other attributes—call areas, time or whatever—would be a great help. It does not in any way change the level of intrusiveness but it simply makes the bureaucratic processes a lot simpler.[14]

3.17      ASIO noted however, that there would be instances where legislative duplication would remain both necessary and appropriate:

Over time, the many amendments to the TIA Act have resulted in duplication and complexity making the Act difficult to understand and apply. Conversely, there is intentional duplication for provisions that apply specifically to ASIO with separate provisions for enforcement agencies. For example, voluntary disclosure provisions for ASIO are covered under section 174 whereas section 177 relate[s] to enforcement agencies. ASIO supports the recommendation to remove legislative duplication but notes it should not be applied in instances where there is a necessary distinction between ASIO's security intelligence role and law enforcement agencies.[15]

3.18      The Australian Federal Police (AFP) stated that in its view, '[r]emoving duplicative processes and complexity within the TIA Act [would] simplify the processes for agencies and may assist in achieving transparency by removing legislative intricacy'.[16] The Australian Mobile Telecommunications Association (AMTA) and the Communications Alliance similarly supported removing legislative duplication; these organisations added that legislative duplication between the TIA Act and the Telecommunications Act 1997 (Telecommunications Act) should also be considered.[17]

3.19      Although many submitters were strongly supportive of a single warrant regime, the Law Council of Australia (Law Council) cautioned that it would be important not to introduce such a regime at the expense of privacy safeguards:

The Law Council supports the removal of legislative duplication but not where this involves a single warrant regime which would make it difficult for issuing authorities to adequately assess the privacy impacts of the powers under the warrant. Given the particularly intrusive nature of telecommunications interception, legislative clarity must not be achieved to the detriment of privacy principles.[18]

A single attribute-based interception regime

3.20      The department explained that under the existing provisions of the TIA Act, warrants issued may only authorise the interception of 'services' or 'devices'—such as a particular internet connection or telephone:

The service or device identifiers are the technical means that the telecommunications industry uses to identify the communications for retrieval under a warrant. This approach is technologically-specific and reflects historic assumptions about how telecommunications operate. The diversification of the telecommunications industry, changing communications habits and changes to the technical operation of modern telecommunications networks mean that new ways of identifying communications are both available and required.[19]

3.21      The department stated that in its view '[w]ithout reform, technological change will make the current, service and device-based provisions obsolete'.[20] The department recommended the single attribute-based warrant regime as a more targeted and technologically-neutral approach:

[T]he reality is that this Act was very cleverly drafted in 1979 in that it was technologically neutral and it has been able to capture all communications as they have come along, without any need to consider the implications of that technology. The reality now is that people communicate with very smart phones...and they do allow you to communicate in many, many ways with one device. The Act really is just saying that law enforcement can intercept that device without any approach that allows you to target the kind of information that you want.

What the Act does not do at the moment is have any real way to define what kind of information should be collected by law enforcement for them to investigate crimes. What the Act currently says is you can collect evidence; however, you must do it in a very broad, crude way.[21]

3.22      The department explained that it was advocating for a change in the legislation to a single attribute-based warrant regime as such a regime would:

  • better protect the privacy of communications 'because law enforcement and national security agencies [would] have to determine the kind of communications they want to collect'; and
  • allow telecommunications providers 'to target a stream of traffic rather than volumes of traffic'.[22]

3.23      ASIO echoed these views. According to ASIO, the TIA Act, as currently written, 'limits the technical means by which agencies can conduct interception by requiring interception be based on either a "service" identifier (for example, a telephone number or email address) or a piece of "equipment" (for example, a mobile telephone handset)'.[23] ASIO advocated the 'decoupling' of the techniques for interception from the authorisation to intercept and expressed its support for attribute-based interception:

"Attributes" are specific identifying characteristics that can be used in combination to identify unique communications of interest to ASIO. Attribute-based interception encompasses service-based or equipment-based interception. It also allows ASIO to target specific attributes to collect communications of interest more effectively and less intrusively.[24]

3.24      ASIO provided some examples of attributes that could be used:

  • ...some individual attributes that could be combined to enable better interception targeting could include:
  • the source and/or destination of the communication;
  • the type of communication (for example, a video call, email, SMS);
  • the equipment being used to convey the communication (for example mobile telephone handset, cell tower);
  • any identifier being used in connection with the communication (such as a number or username);
  • a time period in which a communication is made or received; or
  • the location of the person making or receiving the communication.

3.25      The selection of a combination of attributes in each particular case would involve a number of considerations, including the extent to which:

  • the telecommunications provider had the ability to intercept the chosen attributes;
  • attributes (singly or in combination) were sufficiently precise to give a high degree of certainty communications of interest are accessed; and
  • certain components of a communication could be excluded on the basis they were likely to be irrelevant.[25]

3.26      In ASIO's view the approach of 'attribute-based interception':

...would allow agencies to filter and limit the communications they intercept more efficiently, helping to minimise the collection of extraneous information. With this more specific method of targeting the telecommunications of interest, the more certain we can be that we are excluding from incidental interception the communications of persons who are not of interest and whose privacy should be protected.[26]

3.27      In its 2013 report, the PJCIS observed that advancements in telecommunications technology were diminishing the effectiveness of the current interception framework. As a result, the PJCIS recommended that the interception of communications should be conducted on the basis of specific attributes of communications as a means of 'arresting the decline of interception capability, while also offering additional privacy protections by better targeting communications which are of particular relevance to the serious crime or national security threat which is being investigated'.[27]

3.28      Submitters to this inquiry cited the PJCIS's recommendation of a single warrant regime and suggested that the introduction of such a regime would be a means by which telecommunications interception legislation could be simplified and also respond to advancements in technology. The ACC and AFP also expressed support for a single attribute-based interception regime.[28]

How would it work?

3.29      The department explained how it anticipated 'attribute-based' interception would apply in practice. A warrant would still need to be issued to authorise access to a particular person's communications but, according to the department, that 'attribute-based' warrant:

...would describe the communications that the service provider is to access and provide to the agency by using a combination of technical features or 'attributes'—rather than just a service or device identifier. Those attributes could include a specific account, a time of day, a geographic location or a technical feature of the communication.[29]

3.30      The department explained that, in its view, attribute-based interception would enable warrants to be more targeted and would also minimise the lawful collection of irrelevant communications.

Concerns raised in relation to attribute-based interception

3.31      Although there was wide-spread support for the introduction of an attribute-based interception warrant regime throughout the law enforcement community, some concern was expressed by other stakeholders.

3.32      The Law Council advised that its reservations in relation to attribute-based interception are based on the view that 'attribute-based' has not been sufficiently defined to allow the 'true privacy implications' associated with such a model to be assessed.[30]

3.33      In raising its objections, the Law Council noted the challenges that 'existing and emerging telecommunications technologies pose for agencies attempting to accurately identify the communications they intend to intercept or access',[31] and went on to express general support for:

...efforts to develop a warrant regime that focuses on better targeting the characteristics of a communication and enables it to be isolated from communications that are not of interest. However, the Law Council is keen to ensure this does not occur at the expense of specific provisions designed to ensure that each particular device or service to be intercepted or communication to be accessed is clearly identified and shown to be justifiable and necessary, and that it occurs in a manner that has the least intrusive impact on individual rights and privacy.[32]

3.34      The department explained to the committee that a single attribute-based warrant would enable more targeted interception and, therefore, provide a higher level of privacy protection. To demonstrate this, the department noted how the current framework provides for a law enforcement agency to intercept a device without any approach to targeting the kind of information wanted:

[For example] [a]t the moment, a service warrant would allow you to collect against a particular service. If it is Joe Bloggs's smart phone, that actually is the service, and everything that sits on that smart phone—every bit of content, whether it be Candy Crush, Skype or their email—that service is all of that, and the warrant does not have the specificity at the moment to say, "Actually, we don't want their livestreaming of the cricket; we just want the particular communication".

...

The problem at the moment is that the warrant is quite broad in its approach, and what we want to do is have much better specificity. It may be that they will collect the voice, the email and the livestream of the cricket, but we want to be able to identify those as attributes of the whole communication channel rather than just saying, "Give it all to us, and we'll decipher it later".[33]

3.35      In expressing support for the introduction of a single attribute-based warrant regime both ASIO and the ACC acknowledged the need to ensure the maintenance of 'the proportionality thresholds and accountability requirements...to deliver public confidence and assurance regarding the use of these powers'[34] in any new regime.

Senator Scott Ludlam
Inquiry Chair

Navigation: Previous Page | Contents | Next Page