3.1
This chapter discusses the global and domestic threat environment, Australia’s international law obligations, and the compatibility of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act) with the requirements of the CLOUD Act.
Current and emerging technological landscape
3.2
Digital innovation has occurred in waves since the 1980’s, first with the development and adoption of personal computers and then with the introduction of mobile and wireless technology that has greatly expanded the internet. It is estimated that digital industries account for around 11 per cent of GDP in advanced economies and this figure is predicted to grow.
3.3
The Independent National Security Legislation Monitor (INSLM) said that Australia relies on technology and is among the fastest adopters of new communication technologies:
Day-to-day communication in Australia relies almost wholly on technology that is complex and constantly evolving. Australians have been among the fastest adopters of new communication technologies in the world. We have become almost entirely dependent on these technologies for everyday activities: business operations, financial transactions, economic development, social interactions and public engagement.
Indeed, new and emerging technologies have been at the forefront of burgeoning industries, and enabled the growth and vitality of others, in Australia and around the world. It is believed that in future technologies will be developed that have business, private, military and intelligence applications – for example, neuromorphic hardware, artificial general intelligence, fully autonomous vehicles and robots, and nanotube electronics.
3.4
To allow for innovation and growth, Amazon said that trust in the security of data is an integral part of the uptake of new technology:
Trust in the security of information is fundamental to business innovation and economic growth – it is crucial in a digital economy. Information security tools, processes and protocols are deployed to protect the personal data of Australian citizens, and the commercial or sensitive information of businesses and governments.
3.5
Encryption is one way that service providers on the internet secure information and build trust with their consumers. Internet Australia said encryption is the foundation of trust on the internet:
Encryption is a technical foundation for trust on the Internet. It promotes freedom of expression, commerce, privacy, user trust, and helps protect data from bad actors. Encryption and related techniques are also used to build increased security for financial transactions and to protect the private communications of end users. Examples include establishing whether data has been tampered with (data integrity), increasing users’ confidence that they are communicating with the intended receivers (authentication), and forming part of the protocols that provide the evidence that messages were sent and received (nonrepudiation).
3.6
However, while increasing encryption ensures consumer confidence in new and emerging forms of technology, it is also an ongoing challenge for national security and intelligence agencies in investigating and prosecuting serious crimes.
3.7
At the time the Bill was introduced approximately 90% of telecommunications information lawfully intercepted by the Australian Federal Police used some form on encryption, such as through security messaging applications, social media and Voice over Internet Protocol (VoIP) services.
3.8
When law enforcement and intelligence agencies successfully disrupt criminal activities, users are driven to the ‘dark web’ which stifles the ability of law enforcement agencies to investigate and prosecute crime:
The dark web is the part of the internet that allows its users to remain anonymous. It is not easily accessible. The dark web facilitates illegal activity such as child sexual abuse, identity theft, drug and firearm trafficking and the planning of terror attacks.
The use of anonymising technologies has made it easier to commit serious crimes at volume and across jurisdictions. It allows criminals and other malicious actors to operate outside the visibility of law enforcement.
3.9
Several pieces of domestic legislation provide powers to law enforcement and intelligence agencies to intercept and access communications, to use surveillance devices, and allow communications providers to disclose communications when permitted under law.
3.10
Despite this, the Department of Home Affairs said that the utility of the full range of investigatory tools has been undermined by new technology and legislation like the TOLA Act allows agencies to keep pace with the volume of change:
The utility of the interception framework has been undermined by new technology and the evolving communications environment. While the growth of technologies such as encryption is overwhelmingly positive, it has severely undermined the powers previously granted to law enforcement, national security and intelligence agencies to fulfil their functions. To combat this, successive Governments have reformed the law to ensure these important investigatory powers are adapted to the realities of modern communications.
…
The passage of this legislation was a further step in modernising the capacity of Australia’s law enforcement, national security and intelligence agencies to operate in the rapidly evolving communications environment. Agencies now have access to additional tools and investigatory powers to help them adapt to the pace and scale of technological innovation, and the increasing digital sophistication of those who commit serious crimes or seek to harm our national security.
3.11
In the INSLM’s report into the TOLA Act, the threat of terrorism, foreign interference and other serious crimes supported the necessity of a legislative response to the ongoing challenges of encryption. Discussion on the nature of these threats follows.
Terrorism
3.12
The Committee’s consideration of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 was hastened by correspondence from the Minister for Home Affairs indicating the potential for terrorist activity at the end of 2018. The circumstances underpinning the Committee’s consideration of the Bill at that time will be discussed further in Chapter 3.
3.13
The Australian Security Intelligence Organisation (ASIO) summarised the current terrorism threat to Australia in its annual report:
Australia’s threat environment is complex, challenging and changing.
Based on current trends, we anticipate that espionage and foreign interference will supplant terrorism as Australia’s principal security concern over the next five years. This is not to downplay the threat of terrorism, which represents an ongoing and evolving challenge. Countering threats to life will always be a priority for ASIO. …
Australia’s national terrorism threat level remains at PROBABLE. This means we have credible intelligence that there are individuals in Australia with the intent and capability to conduct an act of terrorism.
Religiously motivated violent extremists want to kill Australians. Groups such as the Islamic State of Iraq and the Levant (ISIL) continue to urge attacks, 24 convicted terrorism offenders are eligible for release over the next 10 years, and some battle-hardened foreign fighters may yet return to Australia.
At the same time, our investigations into ideologically motivated violent extremists, such as racist and nationalist violent extremists, have grown. During 2020–21, these investigations approached 50 per cent of our onshore priority counter-terrorism caseload. …
At the same time, espionage and foreign interference attempts by multiple countries remain unacceptably high.
These attempts occur on a daily basis. They are sophisticated and wide-ranging. They are enabled and accelerated by technology. And they take place in every state and territory, targeting all levels of government, as well as industry and academia. …
I remain concerned about the potential for Australia’s adversaries to pre-position malicious code in critical infrastructure, particularly in areas such as telecommunications and energy. Such cyber enabled activities could be used to damage critical networks in the future.
3.14
Dr Isaac Kfir of the Australian Strategic Policy Institute said that there is evidence that those engaging in online violent extremism have moved to online niche communication platforms:
There is evidence that those engaging in online violent extremism have largely left mainstream social media, opting instead to use niche social media platforms and messaging applications such as Telegram, 4chan, 8chan, Viber, Kik, Ask.fm, etc.
3.15
Mr Mike Burgess, Director-General of ASIO, said that ‘encrypted communications damage intelligence collection and coverage in nine out of 10 priority counterterrorism cases’ and in its submission to the INSLM’s TOLA Act inquiry ASIO said that ‘over 95 per cent of ASIO’s most dangerous counter terrorism targets use encrypted communications’.
3.16
The Australian Federal Police (AFP) said they have accessed computer access warrants as provided by Schedule 2 of the TOLA Act on 11 occasions in relation to counter-terrorism matters, with the first issued in April 2019 following the passage of the legislation. The AFP Commissioner said that during the COVID-19 pandemic, the operational tempo of counterterrorism activities undertaken by federal and state police remained high:
Since September 2014, when the national terrorism threat level was raised, there have been seven attacks, however, nationally, there have been 18 major counter-terrorism disruption operations in response to potential or imminent attacks.
There have been 110 people charged as a result of 51 counter-terrorism-related operations in Australia.
And just since December last year, joint AFP and state police operations have conducted two major counter-terrorism disruptions into potential domestic attacks.
Our operational tempo has remained high during the pandemic.
3.17
At the time of this inquiry Australia’s national terrorism threat level is PROBABLE.
Protecting Australia’s interests
3.18
While technology can be used as part of the commission of an otherwise non-technology related offence, technology is increasingly used in the commission of cybercrime.
3.19
During the 2019-20 financial year the Australian Cyber Security Centre (ACSC) responded to more than two thousand cyber security incidents and the most common type of cyber security incident was malicious email.
3.20
The Department of Home Affairs said these types of incidents can involve nation-states and state-sponsored actors targeting governments and infrastructure providers:
Highly sophisticated nation states and state-sponsored actors continue to target governments and critical infrastructure providers. Australian Government or state and territory government entities were targeted in 35.4% of the incidents the ACSC responded to in the year to 30 June 2020... Around 35% of incidents impacted critical infrastructure providers that deliver essential services including healthcare, education, banking, water, communications, transport and energy.
3.21
ASIO said that Australia remains an attractive target for foreign espionage and interference, and cyber espionage is a scalable and cost-effective mechanism for hostile foreign actors to seek information:
Foreign states continue to undertake acts of cyber espionage targeting Australian Government, academic, industrial and economic information technology networks and individuals, to gain access to sensitive and commercially valuable information—these threats to Australia’s security continue to increase in scale and sophistication. Cyber espionage is a relatively low-risk and scalable means of obtaining privileged information, which adds another potent method to the array of espionage techniques through which foreign intelligence agencies and other hostile actors can target Australians and Australian interests.
Serious criminal offences
3.22
Technology continues to be a valuable tool in the commission of serious offences for a number of reasons, summarised by the Australian Criminal Intelligence Commission (ACIC) in a 2017 report:
Technology is attractive to criminals as it can provide anonymity, obfuscate activities and locations, and increase their global reach by connecting them to potential victims and information around the world. Using technology to commit crime is also significantly more efficient and less resource intensive than traditional methods of perpetrating crime.
3.23
The ACIC also said that encryption was a key tool used by serious and organised crimes groups to impede law enforcement:
High-end encrypted smartphones continue to be preferred by serious and organised crime groups to reduce visibility of their activities to law enforcement. Multiple OMCGs and other serious and organised crime groups use encrypted communication devices and software applications such as Phantom Secure BlackBerry and Wickr as their primary means of communication, due to the content protection features available on these devices and applications.
Increased availability and ongoing advancement of technology will continue to provide criminals with a diverse range of resources to conduct criminal activity and impede law enforcement investigations.
3.24
The AFP Commissioner said that end-to-end encryption will impact the ability to investigate and prosecute child sex exploitation:
Between July 2019 to May 2020 - just 10 months - the AFP has laid 1078 Commonwealth Child Exploitation charges against 144 people.
It compares to 74 summons and arrests; and 372 charges laid in the previous financial year.
This crime type is getting worse. The average number of images seized when an offender is arrested has been steadily increasing. In the early-to-mid 2000s, a child sex predator had about 1000 images, now it’s between 10,000 to 80,000 images and videos.
…
As a country we need to be more outraged about those who produce and distribute child exploitation material, and we need to be better engaged when the inevitable debate arises with Facebook and other platforms when they move to end- to-end encryption.
To put it simply, when these platforms move to end-to-end encryption, the job becomes harder for police to catch predators. We are very worried about when that day comes, while on the other hand, paedophiles are counting down the days because they cannot wait.
3.25
The AFP said the TOLA Act framework is essential to their efforts to disrupt criminal activities:
As noted in our previous submissions and appearances before this Committee, and in the INSLM review of TOLA, the tempo and complexity of the criminal threat environment is ever evolving with increasing use of technology by criminal groups and their networks, to facilitate and obfuscate criminal conduct. TOLA provides an essential framework to strengthen the AFP’s ability to overcome technological impediments to lawful access to digital content, where necessary and appropriate.
3.26
In 2018-19 the AFP and the NSW Police reported using Technical Assistance Request powers provided under TOLA for serious criminal offences such as homicide (2), drugs (1), organised offences (2), theft (1), as well as telecommunications and cybercrime offences (11). In 2019-20 the ACIC, the AFP and the NSW Police used Technical Assistance Request powers for cybercrime offences (1), drugs (7), and robbery (1).
International developments
3.27
The global nature of the telecommunications environment requires a high degree of cooperation between international law enforcement organisations. For member parties, cooperation is facilitated through international treaties such as the United Nations (UN)’ Convention against Transnational Organised Crime and the Council of Europe’s Convention on Cybercrime.
3.28
These treaties encourage international cooperation and provide for mutual legal assistance processes that allow parties to approach countries that hold information and legally obtain information to assist with the investigation and prosecution of serious offences.
3.29
Under the UN Convention against Transnational Organised Crime, countries have the ability to negotiate agreements to clarify or expedite parts of the process. At the time of this report, Australia had 30 bilateral mutual assistance relationships in place. The Council of Europe’s Convention on Cybercrime does not invite a Party to make alternative procedures or arrangements, but does not prohibit such arrangements.
UK Investigatory Powers Act 2016
3.30
In 2014 the European Court of Justice declared the precursor to the Investigatory Powers Act – the Data Retention (EC Directive) Regulations 2009 – invalid. The outcome led the United Kingdom (UK) to develop and pass the Data Retention and Investigatory Powers (DRIPA) Act 2014 (UK).
3.31
In 2015, the UK equivalent to Australia’s INSLM presented a report that recommended the establishment of the Investigatory Powers Act 2016 (UK) and introduced the Investigatory Powers Commissioner’s Office (IPCO). The INSLM’s TOLA Act report summarises:
Among other matters, it led to the enactment of the Investigatory Powers Act 2016 (UK). It also led to the creation of the Investigatory Powers Commissioner’s Office (IPCO). For warrants authorising intrusive powers of access equivalent to those conferred by Schedules 1 and 2 of TOLA, in addition to administrative or ministerial approval, there is a ‘double-lock’ so that retired judges, with access to high level technical advisers, must also approve the exercise of the powers by reference to those judges’ assessments of the lawfulness, proportionality and intrusiveness of the proposed warrant. IPCO also performs the complaint and audit functions undertaken in Australia by the Inspector-General of Intelligence and Security (IGIS), the Hon Margaret Stone AO FAAL, and the Commonwealth Ombudsman, Michael Manthorpe PSM.
3.32
The IPCO model and the INSLM’s recommendations regarding authorisation processes are discussed further in Chapter 7.
3.33
In 2018, the UN Rapporteur on the promotion and protection of the right to freedom of opinion and expression stated concerns with the technical capability notices provided for under the Investigatory Powers Act 2016 (UK) and the potential to affect encryption.
3.34
However, in the same year the UN Special Rapporteur on the right to privacy praised the Investigatory Powers Act 2016 (UK) in its development and implementation of a double-lock system for warrant authorisation and in providing better resourcing for the IPCO.
US CLOUD Act
3.35
The terms of reference for the inquiry require consideration of whether the provisions of the TOLA Act are compatible with the United States of America (US) Clarifying Lawful Overseas Use of Data Act (CLOUD Act). In considering this aspect of the terms of reference, the Committee refers to its September 2021 report on its review of the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 and the passage of the legislation through the parliament which will facilitate Australia’s cooperation with the US on cross-border data sharing.
3.36
The US CLOUD Act was introduced in March 2018, stating that a company within US jurisdiction can be required to produce electronic data regardless of where it is stored at the time, and allowing the US to enter into executive agreements with other countries when certain criteria are met:
The CLOUD Act provides that the United States may enter into CLOUD Act agreements only with rights-respecting countries that abide by the rule of law. In particular, before the United States can enter into an executive agreement anticipated by the CLOUD Act, the CLOUD Act requires that the U.S. Attorney General certify to the U.S. Congress that the partner country has in its laws, and implements in practice, robust substantive and procedural protections for privacy and civil liberties, based on factors such as:
adequate substantive and procedural laws on cybercrime and electronic evidence, such as those enumerated in the Budapest Convention;
respect for the rule of law and principles of non-discrimination;
adherence to applicable international human rights obligations;
clear legal mandates and procedures governing the collection, retention, use and sharing of electronic data;
mechanisms for accountability and transparency regarding the collection and use of electronic data; and
a demonstrated commitment to the free flow of information and a global Internet.
3.37
In July 2020 a data-sharing bilateral agreement provided for by the CLOUD Act between the US and the UK came into force, and allows either country to approach a provider to seek stored or live communications through each party’s Designated Authority, or approach a communications provider directly for subscriber information.
3.38
Some submitters to the inquiry raised concerns about the compatibility of Australian law with the provisions of the CLOUD Act. The Law Council of Australia said that Australia’s laws will be insufficient to allow for an executive agreement to be made under the CLOUD Act:
The Law Council considers that the current law in Australia as it relates to storing and accessing telecommunications data will be insufficient to allow Australia to qualify for entry into an ‘executive agreement’ with the US. This means that law enforcement agencies in Australia will be restricted to seeking access to data held by a service provider in the US through the existing and time consuming MLAT process.
3.39
BSA | The Software Alliance said that the current TAN and TCN process does not provide for merit review and may be considered an arbitrary incursion on individual privacy which does not accord with CLOUD Act requirements:
In particular, the Assistance and Access Act authorizes the Australian government to issue technical assistance notices (TANs) and technical capability notices (TCNs) to compel private companies to build or implement certain surveillance capabilities, without any recourse to a merits review by an independent judicial authority before or after a TAN or TCN is issued, and limited recourse to judicial review of the administrative decision to issue the TAN or TCN after the fact. Further, while TCNs can only be issued by the Attorney-General with prior approval from the Minister of Communications (and Cybersafety), no such safeguard exists in respect of TANs, which can be issued by the heads of the relevant enforcement agencies with no pre-issuance review by any independent authority.
…
The above shortfalls in the overall TAN/TCN regime (among others) could result in the potentially arbitrary and non-transparent issuance of TANs and TCNs, in turn resulting in an arbitrary impact on privacy and liberties. This, coupled with the general lack of review or oversight by independent authorities in the TAN/TCN issuance process, would pose serious concerns as to whether the pre-conditions for entering into an executive agreement under the CLOUD Act are met.
3.40
In addition, the Law Council of Australia said that the terms of the TOLA Act were incompatible with the Communications Assistance for Law Enforcement Act 1994 (US) which allows a carrier to deploy an encrypted service that it is not capable of decrypting:
This Act does not preclude a carrier from deploying an encryption service for which it does not retain the capacity to decrypt if and when requested by lawenforcement to do so. That is, it does not ‘mandate that US providers of encrypted communications, devices, and storage services be able to decrypt communications for law enforcement access’. In these circumstances, as argued by Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at the Stanford Centre for Internet and Society in the United States, citing §2523(b)(3) of the US Code: ‘Any executive agreement with Australia is flatly barred from “creating any obligation that providers be capable of decrypting data”’.
3.41
In April 2020, the Committee received correspondence from the US Department of Justice that explained the US position on encryption and indicated that there was nothing in the TOLA Act that would preclude an agreement being made:
As I discussed at the February meeting, the CLOUD Act requires that the agreements it authorizes be “encryption neutral.” The statute provides that CLOUD Act agreements “shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data.” 18 U.S.C. 2523(b)(3). This means that CLOUD Act agreements may not create any new requirement on service providers to decrypt communications, nor may CLOUD Act agreements prevent or limit service providers from assisting in decryption. In short, CLOUD Act agreements may not prevent partner countries from addressing encryption requirements in their own domestic laws.
This neutrality allows for encryption issues to be discussed and addressed separately among governments, companies, and other stakeholders pursuant to domestic law and policy, and addressing such requirements in domestic law does not affect a country’s eligibility for a CLOUD Act agreement. Accordingly, it is the view of the U.S. Department of Justice that there is nothing in Australia’s Assistance and Access Act that would preclude or prevent the conclusion of a CLOUD Act agreement between our governments.
Committee Comment
3.42
The Committee would like to extend its thanks to the Deputy Assistant Attorney General of the US Department of Justice, Mr Richard Downing, for meeting with the Committee to discuss the compatibility of the TOLA Act with the CLOUD Act.
3.43
While the Committee notes the concerns of submitters regarding the compatibility of the TOLA Act with the provisions of the CLOUD Act, the Committee must give appropriate weight to the evidence provided by the US Department of Justice that there is nothing within the provisions of the TOLA Act that would preclude the making of an agreement under the CLOUD Act between the US and Australia.
3.44
The Committee accepts the important role of technology in Australia’s economy. While the constantly evolving nature of technology and communication allows for growth and innovation, the Committee is sympathetic to the difficulties faced by law enforcement and intelligence agencies in Australia and across the world in combatting serious crime in the face of technological innovation.
3.45
The Committee notes the current terrorism threat levels, and ASIO’s and the AFP’s assessment of the terrorist threats Australia continues to face. The Committee also notes the evidence of growing serious and organised crime, child exploitation as well as drugs and firearms offences that the powers within the TOLA Act have been used to combat.
3.46
Likewise, the Committee notes that foreign interference and espionage is an ongoing threat to Australia’s defence, businesses and individuals, where hostile foreign actors seek to obtain information at the expense of Australia’s interests. The Committee is examining this issue further in its inquiry into national security risks affecting the Australian higher education and research sector.
3.47
The Committee acknowledges that Australia’s law enforcement and intelligence agencies need a range of tools to combat the likelihood of criminal offenders ‘going dark’, and agrees with the INSLM that the challenges faced by these agencies warrants a legislative response.
3.48
Additionally, the Committee agrees that trust in the communication and storage of data on the internet is foundational, and appropriate protections should be in place to ensure that the access of this information is reasonable and proportionate to the threat posed by criminal offenders.
3.49
The recommendations made by the Committee in this report attempt to more fully balance the concerns of industry with Australia’s national security interests.