We recognise the importance of ensuring security of Australians’ and their freedoms. The rationale for national security law comes from the importance of ensuring that freedoms are protected. We are concerned to ensure that the ‘forest isn’t lost for the trees’ in this reform process and that the guiding and predominant principle in this reform is that our national security framework serves to protect the freedoms that ought to be enjoyed by all Australians.

Key points from the submission (please see here for complete details):

• Time for Consultation with Experts, Stakeholders and the Community

The timeframe for introduction of a Bill repealing the Telecommunications (Interception and Access) Act 1979 (“the TIA”), the Surveillance Devices Act 2004 (“the SD Act”) and aspects of the Australian Security Intelligence Organisation Act 1979 Act (“the ASIO Act”) be delayed by at least twelve (12) months to allow for consultation with experts, stakeholders and the community.

• Compliant with Human Rights

The objects of a simplified Act ought to be coupled with clear requirements that the use of national security and surveillance powers are expressly balanced with Australia’s obligations pursuant to international human rights law.

• Warrants and Judicial Oversight 

Warrants for access to information should only be authorised by the Federal Court of Australia or a Supreme Court of a State or Territory.

• Decision Records of Judicial Authorisation

A redacted form of judicial decision records for the issue of warrants ought to be published. Transparency, accountability and oversight of the operation of warrants is possible by publicizing the legal principles (rather than the specific facts) of warrants issued and would enhance public confidence in the oversight of such Australia’s electronic surveillance regime.

• Revised Definition of ‘Communication’

A simplified definition of communication could be introduced as “any exchange or record of information in any form between two or more locations”. This would ensure that the definition of ‘communication’ is widened, simplified and technology neutral.  This definition of communication would only be acceptable with an enhanced focused on the protection of human rights and with judicial oversight and increased reporting obligations. 

Media Contacts:

“The limited information until Sunday was released by poorly-briefed Ministers with little understanding of the problem and of the proposed solution. Sunday’s incomplete documents raise more questions than they answer. Public trust has been undermined rather than earned. We need an open, independent Privacy Impact Assessment based on wide public and expert consultation,” said board member Dr Monique Mann.

What would be the basis for trust in an app like this?

APF recently encouraged the federal government to approach the proposed virus app in a way that supports, rather than undermines, trust and confidence in their bona fides and competence:

1. Publish the Design Specifications, so many more than just ‘Five Eyes’ can check them for effectiveness and vulnerabilities, and assess whether they are best practice ‘Privacy by Design’.
2. Conduct an open, independent Privacy Impact Assessment process, consulting not just public service and security interests, but appropriate representatives of the public interest from health, privacy, civil liberties, research and technical perspectives to help address all issues.
3. Before a working prototype is released, publish Technical Details, including source-code, data model and communications protocols, to help review conformance with design and squash bugs.
4. Do this before release, so serious concerns can be addressed and resolved before v1.0.

On Sunday afternoon the app was released, along with a regulatory direction and a PIA. What score out of 4 did they get for releasing the virus app in a way worthy of trust?

1. No Design Specifications. – 0
2. A Privacy Impact Assessment (PIA) dated Friday appeared on Sunday. It does not appear to have been conducted in a consultative fashion, just federal agencies talking to each other; nor to have involved a robust risk assessment on a quantitative basis. See comments below. – 0.5
3. No Technical Details except a brief undated flow illustration from the law firm doing the PIA. – 0.5
4. None of this available before the app was released, so there has been no opportunity to help spot and avoid overlooked mistakes, unintended consequences or foreseeable risks. – 0

So at best 1 out of 4. Not a promising start, however glossy the ads.

While the absence of this key information makes further analysis of other material which was released more difficult and painstaking, it’s useful to look briefly at the PIA.

The PIA?

The Privacy Impact Assessment released Sunday is a dense 78 pages. It does not identify which version of the app it refers to. It was not done using ‘a rigorous risk assessment methodology to identify the magnitude of each of the identified risks’, so it is of limited use for any ‘necessity’ or ‘proportionality’ analysis (is level of risk worth the benefits)?

For outside input, the documents cited are mostly foreign material, none from the now-failed Singapore experiment from which the code apparently originated, and only two documents from Australia were mentioned. The only other outside input appears to be second hand, via Health, comments from two other federal agencies, OAIC and Australian Human Rights Commission (there is no longer an independent dedicated Privacy Commissioner). It is unacceptable that a PIA for a critical app that could affect every Australian and their attitude to trusting government at this time did not seek independent expert or community input.

Most of the PIA is instead a painstaking analysis of formal legal compliance with the Australian Privacy Principles (APPs). The APPs have been weakened over the years to become a very complex wish list of permissive exceptions, loopholes, get-outs and exemptions. While necessary, privacy impact assessment needs to start with a close understanding of the actual impacts on and concerns of those affected by the proposal, and of those in an informed position to independently scrutinise the design and technical information. This has not been done.

(NB: APP breaches are in any case not enforceable by Australians, since unlike NZ, UK, and most other countries, we still have no right to sue for breach of privacy. The only option is a complaint to the OAIC which has endured years of government attempts to abolish or nobble it. Complaints to OAIC need not be investigated, or decided, and decisions are rare and not enforceable. So if anything goes wrong, this is not a remedy which encourages trust.)

Apparent technical input last week from government-funded entities closely linked to security agencies may have contributed something, but for many Australians the continual encroachment of these surveillance agencies into our digital lives is part of the problem, so the fact that they have apparently found nothing they are concerned about offers little comfort, and may raise concerns for some.

The PIA has 9 pages of recommendations. Without time for close analysis, without many of the core documents, and without the input from other outside entities to flush out the full range of issues, it is not possible to assess the degree to which they identify or remedy any of the problems which may arise from the app. Further inquiry is also needed to confirm what action will be taken on them, whether they would have real impact on the design or operational aspects of concern, and when anything will happen. For all its detail the PIA is flawed, somewhat reminiscent of the secretive Census 2016 PIA which failed to identify the problems or the nature and depth of public concern, and set the scene for controversy rather than trust.

This could be avoided by proper and open consultation, which APF joins many others in calling for, starting with the provision of the missing information.

The Australian public, along with scientists and researchers around the world, are also very concerned about gifting future governments the power to impose contact tracing on the populace through the use of apps, or having surveillance embedded within their mobile devices, as Apple and Google are proposing.

The Australian Privacy Foundation (APF) argued today that the government must earn trust in its project, and avoid emotive marketing appeals to use the app before providing full information.

• The first requirement is publication of Design Specifications, so many more than just ‘Five Eyes’
  can check them for both effectiveness and vulnerabilities, and assess whether they are best
  practice for ‘Privacy by Design’.
• The next essential is an open independent Privacy Impact Assessment process, consulting
  not just within the public service and security interests, but with appropriate representatives of the
  public interest from health, privacy, civil liberties and technical perspectives.
• Once a working prototype exists, but before it is released, the Technical Details need to be
  published, including source-code, data model and communications protocols, so that
  conformance of the implementation with the design can be reviewed.

“This public health crisis is too important to risk a repeat of recent personal data disasters that
undermined community trust in governments’ use of IT. The last Census, council exploitation of
metadata retention, ‘Robodebt’, laws undermining encryption, and compulsory registration for an empty My Health Record loom large in public memory,” said David Vaile, chair of the Australian Privacy Foundation.
“One core concern is that, like the My Health Record, the app could creep from an ‘opt-in’ consent arrangement to an effectively mandatory imposition. This could arise as simply as a demand for its use as a condition of entry to workplaces or shopping malls, or being out on the street. We need rock solid legislative protection,” said longstanding board member Prof Graham Greenleaf.

“The limited information to date has been released by poorly-briefed Ministers with little understanding of the problem and of the proposed solution. Public trust has been undermined rather than earned. We need an open, independent Privacy Impact Assessment based on wide consultation, and strong legal safeguards in place,” said board member Dr Monique Mann.

Media Contacts for Australian Privacy Foundation board members:

The AA Act has wide implications for the international community as it has been enacted despite:

• Vague and unclear limits on ill defined, wide reaching powers;
• Involving Australia’s enforcement of laws of foreign countries including countries with the death penalty or offences not recognised in Australia (lack of dual criminality);
• Limited transparency and a lack of detailed reports accessible to Australians seeking to assess threats impacting on their information security;
• The removal of judicial review; and,
• Enhanced capability for information sharing among ‘Five Eyes’ (intelligence services from Australia, New Zealand, Canada, the UK and the US) nations, with no effective protections from abuse or misuse due to a lack of human rights protections for Australians.

The rapid development of technology in the Australia human rights context requires careful consideration as technology can be used for both the benefit and detriment of society. The lack of human rights legislation in Australia makes this consideration particularly important.

It is our submission that many of the concerns contained in this submission may be able to be alleviated with an increased focused on human rights education and the introduction of a comprehensive and enforceable federal human rights legislative framework.

The APF, QCCL and EFA appreciate the Commissioner’s Issues Paper and the opportunity to provide this submission on this important issue.

The full submission can be read here

The Australian government has released a draft of its long awaited bill to provide law enforcement and security agencies with new powers to respond to the challenges posed by encryption.

According to the Department of Home Affairs, encryption already impacts 90% of Australian Security Intelligence Organisation’s (ASIO) priority cases, and 90% of data intercepted by the Australian Federal Police. The measures aim to counteract estimates that communications among terrorists and organised crime groups are expected to be entirely encrypted by 2020.

The Department of Home Affairs and ASIO can already access encrypted data with specialist decryption techniques – or at points where data are not encrypted. But this takes time. The new bill aims to speed up this process, but these broad and ill-defined new powers have significant scope for abuse.

The Department of Home Affairs argues this new framework will not compel communications providers to build systemic weaknesses or vulnerabilities into their systems. In other words, it is not a backdoor.

But it will require providers to offer up details about technical characteristics of their systems that could help agencies exploit weaknesses that have not been patched. It also includes installing software, and designing and building new systems.

Compelling assistance and access

The draft Assistance and Access Bill introduces three main reforms.

First, it increases the obligations of both domestic and offshore organisations to assist law enforcement and security agencies to access information. Second, it introduces new computer access warrants that enable law enforcement to covertly obtain evidence directly from a device (this occurs at the endpoints when information is not encrypted). Finally, it increases existing powers that law enforcement have to access data through search and seizure warrants.

The bill is modelled on the UK’s Investigatory Powers Act, which introduced mandatory decryption obligations. Under the UK Act, the UK government can order telecommunication providers to remove any form of electronic protection that is applied by, or on behalf of, an operator. Whether or not this is technically possible is another question.

Similar to the UK laws, the Australian bill puts the onus on telecommunication providers to give security agencies access to communications. That might mean providing access to information at points where it is not encrypted, but it’s not immediately clear what other requirements can or will be imposed.

For example, the bill allows the Director-General of Security or the chief officer of an interception agency to compel a provider to do an unlimited range of acts or things. That could mean anything from removing security measures to deleting messages or collecting extra data. Providers will also be required to conceal any action taken covertly by law enforcement.

Further, the Attorney-General may issue a “technical capability notice” directed towards ensuring that the provider is capable of giving certain types of help to ASIO or an interception agency.

This means providers will be required to develop new ways for law enforcement to collect information. As in the UK, it’s not clear whether a provider will be able to offer true end-to-end encryption and still be able to comply with the notices. Providers that breach the law risk facing $10 million fines.

Cause for concern

The bill puts few limits or constraints on the assistance that telecommunication providers may be ordered to offer. There are also concerns about transparency. The bill would make it an offence to disclose information about government agency activities without authorisation. Anyone leaking information about data collection by the government – as Edward Snowden did in the US – could go to jail for five years.

There are limited oversight and accountability structures and processes in place. The Director-General of Security, the chief officer of an interception agency and the Attorney-General can issue notices without judicial oversight. This differs from how it works in the UK, where a specific judicial oversight regime was established, in addition to the introduction of an Investigatory Powers Commissioner.

Notices can be issued to enforce domestic laws and assist the enforcement of the criminal laws of foreign countries. They can also be issued in the broader interests of national security, or to protect the public revenue. These are vague and unclear limits on these exceptional powers.

The range of services providers is also extremely broad. It might include telecommunication companies, internet service providers, email providers, social media platforms and a range of other “over-the-top” services. It also covers those who develop, supply or update software, and manufacture, supply, install or maintain data processing devices.

The enforcement of criminal laws in other countries may mean international requests for data will be funnelled through Australia as the “weakest-link” of our Five Eyes allies. This is because Australia has no enforceable human rights protections at the federal level.

It’s not clear how the government would enforce these laws on transnational technology companies. For example, if Facebook was issued a fine under the laws, it could simply withdraw operations or refuse to pay. Also, $10 million is a drop in the ocean for companies such as Facebook whose total revenue last year exceeded US$40 billion.

Australia is a surveillance state

As I have argued elsewhere, the broad powers outlined in the bill are neither necessary nor proportionate. Police already have existing broad powers, which are further strengthened by this bill, such as their ability to covertly hack devices at the endpoints when information is not encrypted.

Australia has limited human rights and privacy protections. This has enabled a constant and steady expansion of the powers and capabilities of the surveillance state. If we want to protect the privacy of our communications we must demand it.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) is still in a draft stage and the Department of Home Affairs invites public comment up until 10th of September 2018. Submit any comments to assistancebill.consultation@homeaffairs.gov.au.

This article was originally published on The Conversation. Read the original article.

In the brief, we first provide an overview of some of the systemic issues in Australia’s human rights and privacy framework, followed by an examination of some of the recent symptomatic manifestations of these systemic issues. We conclude the brief with a list of key recommendations for the UN Special Rapporteur on Privacy to consider in the Australian context.