A. Summary of evidence

Matters raised by stakeholders in the 2018 Bill Review and 2019 Act Review
The Committee engaged with a broad range of stakeholders throughout its review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the 2018 Bill Review) and its review of the subsequent Act (the 2019 Act Review).
Whilst many acknowledged the challenge of new technologies, the need for properly authorised law enforcement and the need for security agencies to have access to communications,1 stakeholders expressed a significant number of concerns about this legislation.
This Appendix is a summary of evidence received in both the 2018 Bill Review and the 2019 Act Review. It canvasses that evidence on each of the five separate schedules of the Act. As noted in the body of this Report, the Committee does not seek to respond to these matters, and their inclusion in the Appendix does not indicate whether the Committee concurs with these matters.
For clarity, the Appendix contains a brief overview of the five schedules of the amending Act, before proceeding to the matters identified by stakeholders during the 2018 Bill Review and the 2019 Act Review.

Overview of the Assistance and Access Act

The Assistance and Access Act amends a range of Commonwealth legislation2 in order to ‘introduce measures to better deal with the challenges posed by ubiquitous encryption’.3
The amending Act contains five schedules. Schedule 1 contains amendments to provide a series of ‘industry assistance measures’ to both lawfully request and compel industry to provide technical assistance to security agencies in response to the challenges of ubiquitous encryption.
Schedule 2 establishes powers which enable federal, state and territory law enforcement agencies to obtain covert computer access warrants when investigating certain federal offences.4
Schedules 3 and 4 amend the search warrant framework under the Crimes Act and the Customs Act to expand the ability of criminal law enforcement agencies to collect evidence from electronic devices.5
Schedule 5 clarifies that where a person voluntarily provides assistance to ASIO, that person can be conferred immunity from civil liability. It provides for new powers which enable ASIO to compel a person to provide assistance in accessing data held on a device.6

Schedule 1 – Industry assistance measures

The majority of submitters to the 2018 Bill Review focussed on the proposed amendments contained in Schedule 1—the industry assistance measures. Almost all expressed concerns about the amendments proposed in Schedule 1 or stated direct opposition.7
Many of these concerns were echoed by submitters to the 2019 Act Review who felt that Government amendments passed alongside the Act did not adequately resolve these issues.8
Stakeholder issues are arranged in the following eighteen broad categories:
Concerns regarding security and human rights:
a. The potential to increase security risks as a result of industry assistance measures
b. The impact on privacy rights and other human rights including the freedom of expression
Scope of potential applications:
c. Scope of the proposed definition of designated communications providers
d. Scope of the assistance required to be provided (including problems with the availability of the proposed limitations)
e. Grounds for seeking industry assistance (including concerns regarding the breadth of a relevant objective and the performance of a function or exercise of a power under law)
Issuing of notices and requests:
f. Decision-making criteria
g. Consultation required with the provider and compensation for costs incurred
h. Statutory time-limits for requests and notices
i. Judicial authorisation and oversight (including prior- and post-issue)
j. Centralised and efficient administration (including concerns about the breadth of agencies that may request industry assistance and recommendations for a single ‘clearing house’ and simplified contracting)
Enforcement and immunities:
k. Enforcement matters including severity of non-compliance, framing of secrecy offences
l. Immunity provisions (including scope, extraterritorial application, users’ rights and ability to pursue civil action, and authorisation and decision-making)
Transparency and oversight:
m. Transparency (public assurance, and independent design scrutiny)
n. Oversight of legality and propriety of administration of industry assistance
o. Exclusion of anti-corruption commissions from Schedule 1 powers
p. Statutory reviews and sunset periods
International context and alignment:
q. Global competitiveness
r. Relationship with foreign laws including the United States’ Clarifying Lawful Overseas use of Data Act

Industry assistance measures could increase security risks

An overarching general concern heard by the Committee was that industry assistance measures, rather than improving security, could cause significant security risks to Australians, Australian businesses and organisations and our national security.9 Noting the global reach of these systems, stakeholders advised that systems and users’ security could be weakened across the globe.10
It was noted by many that encryption and secure systems are critical to ensure the security of day-to-day activities and communications and are central to Australia’s national, personal and financial security.11 Indeed, end-to-end encryption has greatly improved the security of ordinary Australians against malicious actors.12 It was commented that strong encryption is the cornerstone of the modern information economy’s security and protects vast numbers of people and businesses against countless threats from petty crime to serious criminal fraud and corporate espionage.13
Stakeholders felt that the Assistance and Access Act will erode consumers’ trust in secure platforms by enabling those systems to be either voluntarily or compulsorily weakened,14 with no transparency or assurance provided to the public as to what systems have been impacted.15 In a digital age, where so much business and communication occurs through complex and interconnected systems, traditional concepts of privacy and security now equate with trust and confidence.16
Stakeholders advised that the erosion of consumer trust in systems and devices could, in turn, impact the take up of automated routine system updates, presenting a challenge to the security of the entirety of those systems and impacting other users.17 Senetas, for example, referred the Committee to advice produced by the Australian Signals Directorate which advises that one of the most critical and fundamental aspects of cybersecurity is the need to ensure that computer systems’ software is constantly kept up to date.18 It was identified that automated updates are necessary to ensure that vulnerabilities can be fixed quickly and efficiently, yet, in the view of stakeholders, the Act risks creating an incentive for users to disable automated update processes to preserve their trust and understanding of the software operating on their devices.19
However, the Department of Home Affairs asserted that the legislation ‘cannot be used to create a backdoor to encryption or impact the security of digital systems’.20 It argued that amendments made to the Act as it passed through Parliament ensure that ‘no requirements in the Act should be able to weaken or make vulnerable the services and devices that are used by the general public, business community or legitimate and specialised subsets of either’.21
Transparency and public assurance are discussed later in this Appendix.

Privacy and other human rights concerns

A large number of submitters expressed concerns regarding the Act’s impact on the right to privacy.22 The Australian Human Rights Commission provided a detailed submission to the 2018 Bill Review. It felt that the Assistance and Access legislation would ‘significantly limit human rights’ such as the right to privacy and that ‘it has not been demonstrated that such limitations are necessary and proportionate’.23 The Commission noted:
it is difficult to confine the impact of a law that regulates different platforms used across jurisdictions to a single targeted individual. Consequently, the human rights impacts extend beyond just the people who may be of interest to law enforcement agencies,24 and
the ability to access the content of private communications is said to have a chilling effect on human rights as the self-adjustment of behaviours by members of the community, even if their proposed actions would not have been wrongful, in the knowledge that one’s interactions and communications may be recorded and judged by unknown others.25
Other stakeholders expressed further concerns regarding the legislation’s impact on other human rights, including the right to freedom of expression.26
As a matter of law, any interference with human rights must be subject to careful and critical assessment of its necessity, legitimacy and proportionality.27 The Australian Human Rights Commission advised that the test of proportionality requires a measure to be the least intrusive instrument amongst those which might achieve the desired result.28 Serious invasions of privacy should be reserved for only the most serious incidents, and only with judicial oversight.29
Some stakeholders referred the Committee to a 2015 report by the United Nations’ Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye. In that report, the Special Rapporteur advised that encryption (and the anonymity that is provided by that type of security) is essential for the enjoyment of freedom of expression and the right to privacy in the digital age.30
Stakeholders submitted a range of recommendations for the Committee’s consideration with regard to necessity, proportionality and judicial oversight. These proposals are summarised later in this Appendix.

Scope of designated communications providers

Outside of these matters of principle, stakeholders provided much evidence on the specific detail of the Act. This included concern regarding the scope of providers that are captured by the definition of a ‘designated communications provider’.31
Some noted that the definition goes beyond those ordinarily used in telecommunications services.32 While a number of submitters noted that it is the intent to capture the ‘global supply chain’ of communications networks, a number questioned whether it was reasonable to do so.33 Concern was also expressed that the proposed measures will unfairly impact small businesses and startups.34
Consequently, it was strongly recommended that both the definition of ‘designated communications provider’ and their ‘eligible activities’ be narrowed.35 More specific recommendations for amendment included:
defining a ‘designated communications provider’ in a way that is referrable to the objective of the Act;36
that industry assistance measures be limited to companies with direct control and access to encrypted information;37
defining a ‘designated communications provider’ to apply only to those providers with a tangible and direct connection to Australia;38
narrow the definition to only providers of a certain size,39 or specifically, larger businesses;40
replace definition with that already provided in the Telecommunications Act (sections 108-111B) to avoid confusion;41
remove component manufacturers from the definition;42 and
defining a ‘designated communications provider’ in a manner which is limited to companies and not individual employees.43

Scope of assistance required

Stakeholders expressed concern about the breadth of the types of assistance that can be requested or be compelled under industry assistance measures.44 The breadth of conduct captured is not, of itself, limited to conduct that is only relevant to accessing communications, as is the stated focus of the industry assistance scheme.45
Stakeholder concerns related to both the definition of ‘listed acts or things’ (section 317E) and ‘listed help’ for the purposes of technical capability notices (subsections 317T(4)-(6)).
For example, the Australian Human Rights Commission stated that the scope of the assistance that may be requested or compelled is ‘so vague as to potentially permit almost limitless forms of assistance’ and consequently is ‘inappropriately ambiguous and overbroad’.46 The Commission was of the view that such a large potential suite of assistance measures also increases the risk of agencies choosing the most rights-intrusive form of assistance as a matter of convenience, when a less restrictive measure would suffice.47 Professor Joseph Cannataci, the United Nations’ Special Rapporteur on the right to privacy, made similar comments.48
Stakeholders recommended narrowing the definition of ‘listed acts or things’ to reduce the scope of the Act,49 specifically:
removing the ability for a request or a notice to include the ‘removal of electronic protection’ from the definition of 317E,50 and
ensuring that the definition of ‘listed help’ is exhaustive,51 with any further acts or things requiring legislative amendment or legislative instrument subject to parliamentary consideration.52
Other stakeholders expressed concern about the inclusion of ‘an act or thing done to conceal the fact that any thing has been done covertly’ within the definition of listed acts or things.53
However, the Department of Home Affairs noted that all assistance which may be requested or compelled under the Act ‘must be related to the performance of a relevant agencies’ function conferred by, or under, a law of the Commonwealth, State or Territory’.54 Further, it noted that ‘the industry assistance framework is designed to support the use of existing interception powers and other lawful means of accessing content and non-content data’.55 It is not designed to extend the interception powers of agencies.

Amendments introduced and passed

The Committee sought to respond to these concerns by recommending in its 2018 Report that the then Bill be amended to render the definition of ‘listed acts or things’ and ‘listed help’ which may be requested or compelled, exhaustive.56
Amendments introduced and passed on 6 December 2018 partially implemented this recommendation by removing the ability for assistance, other than ‘listed acts or things’ to be compelled under technical assistance notices (TANs) (see amended subsection 317L(3)) and technical capability notices (TCNs) (see amended subsection 317T(7)).57
However, amendments have not altered the ability for a technical assistance request (TAR) to request assistance outside of those matters listed in the definition of ‘listed acts or things’ as prescribed in the Act (section 317G(6)).58
Moreover, TCNs may also be used to compel providers to develop new capabilities in the form of ‘listed help’, a term which is not exhaustively defined under the Act. Indeed, the Act explicitly empowers the Minister for Home Affairs to prescribe additional capabilities.59
Government amendments to the Act also expanded the list of acts or things which may be the subject of a request or notice for industry assistance to include acts or things done to assist in, or to facilitate:
giving effect to a warrant or an authorisation under a law of the Commonwealth, state or territory; and
the effective receipt of information in connection with a warrant or authorisation under a law of the Commonwealth, state or territory.60
The Department of Home Affairs asserted that inclusion is appropriate as ‘it will only authorise activities that are immediately incidental to doing a thing that has been approved pursuant to an underlying authority subject to existing safeguards and thresholds, including judicial review’. It claimed that the amendment was necessary to ensure the powers provided by the legislation keep pace with technological advancement.61
However, in a submission to the 2019 Act Review, Internet Australia argued that the inclusion was inappropriate as it expands the scope of the legislation beyond telecommunications.62

Problems identified with systemic weakness and systemic vulnerabilities limitation (section 317ZG)

Undefined or inadequate definitions

Stakeholders who participated in the 2018 Bill Review welcomed the inclusion of a limitation aimed at preventing a TAN or a TCN from requiring the introduction of a ‘systemic weakness’ or ‘systemic vulnerability’ into a form of electronic protection.63 However, a large number were concerned that the terms were not defined in the Bill and as a result, the effect of the limitation was ambiguous.64
The Committee sought to address these concerns by recommending that the Bill be amended to clarify the meaning of the terms ‘systemic weakness’ and ‘systemic vulnerability’, and to further clarify that TCNs cannot be used in this manner.65

Amendments introduced and passed

Amendments introduced and passed on 6 December 2018 responded to these concerns and section 317B of the Act includes the following definitions:
systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.66
The term ‘target technologies’ is also defined in the Act. They are described as technology (such as a particular carriage service, electronic service, software update, equipment or device) used, by a particular person (whether directly or indirectly), regardless of whether that person can be identified.67
The terms ‘whole class of technology’ and ‘connected’ are not defined in the Act, but are described in the Supplementary Explanatory Memorandum:
Technological classes include particular mobile device models carriage services, electronic services or software. The term is intended to encompass both old and new technology or a subclass within a broader class of technology; for example an iOS mobile operating system within a particular class, or classes, of mobile devices. Where requirements in a notice make the whole set of these items more vulnerable, it will be prohibited…
The term ‘connected’ is intended to capture technologies associated with the particular person and reflects the modern use of communications devices and services. It is narrower than the broader notion of ‘connectivity’ with the internet.68
According to the Supplementary Explanatory Memorandum, a request or notice for industry assistance does not constitute a systemic weakness or vulnerability if requirements weaken a form of electronic protection against target technologies connected to a person of interest.69
The Supplementary Explanatory Memorandum suggests that the inclusion of these definitions ‘enhance[s] the protections against systemic weakness or vulnerabilities by making clear that industry assistance cannot be requested or required if it would, or would be likely, to jeopardise the security of any information held by a person other than a person connected with a target technology, including if the act or thing or requested or required would create a material risk that otherwise secure information can be accessed by an unauthorised third party’.70
Likewise, the Department of Home Affairs asserted that ‘the combined effect of the new definitions and amendments… is comprehensive and ensures that a solid legal guarantee to information security applies to all activities under the framework, including voluntary activities’.71
However, submitters to the 2019 Act Review were not confident that these definitions have achieved this purpose and many argued that the definitions are ambiguous or unclear.72
The Law Council of Australia asserted that ambiguity surrounding the undefined terms, ‘whole class of technology’ and ‘connected’, makes it difficult to interpret the limitation on introducing systemic weakness or vulnerability. It suggested that it appears that, ‘requirements which permit the weakening of a form of electronic protection are expressly permissible [by the Act] when the electronic protection is “connected” to a person of interest’. However, the term connected is not defined in the Act and therefore ‘casts the net of technologies and their uses by individuals… very wide’. The Law Council recommended amending the Act to forbid any request or notice from requiring any act or omission that might require a provider to implement or build any weakness or vulnerability into a current or proposed product or service.73
A similar point was made by industry groups and professional associations in a joint submission. They argued that ‘the definitions are difficult to understand, ambiguous and are significantly too narrow’. They noted that the term ‘whole class of technology’ is undefined and suggested that, if its common meaning is assumed, the Act provides a too narrow definition of what constitutes a systemic weakness.74 Mozilla suggested that the limitation could be strengthened by further clarifying that a ‘systemic weakness or vulnerability applies to an exploit that affects any individual product, service, or system available to more than one person’.75
Dr Chris Culnane and Associate Professor Vanessa Teague warned that the current definition may enable industry to provide technical assistance that ‘undermines the cybersecurity of millions of people, as long as something less than a “whole class of technology” is affected’.76
The Australian Human Rights Commission recommended that the Act be amended to ‘prevent assistance measures that negatively impact on the privacy or cybersecurity of a significant proportion or number of innocent third parties’.77
The Law Council, BSA | The Software Alliance and the Digital Industry Group Inc (DIGI) recommended that the limitation be recast to apply to any weakness or vulnerability, and the requirement for such conduct to amount to a systemic weakness or vulnerability, be removed.78

Exceptional access cannot avoid systemic weakness

Submissions also questioned whether access of any kind to encrypted communications can be done without introducing a systemic weakness.79 It was argued that, once developed, any such access may be capable of extension to any and all users, and could subsequently create an opening for malicious actors to take advantage of new and existing weaknesses in a system, device or platform.80
It was also identified that these broader and future opportunities are not matters required to be considered by the decision-maker when considering whether to issue the notice or request.81 While the initial development may be interpreted as not creating a systemic weakness—as it has a target of one—the ability to configure the capability to facilitate future requests would likely represent a systemic weakness or systemic vulnerability. Until the capability was destroyed after its use under the notice, its very existence ‘represents a threat to similar endpoints all over the world’.82
Similarly, Future Wise noted that without a decision-maker tracking each instance and understanding the relationship a single notice bears to all other notices issued, it is impossible to know whether the scheme overall is creating structural systemic weaknesses or vulnerabilities.83
This led the Office of the Victorian Information Commissioner to conclude that the legislation will ‘create systemic risk’.84 Similarly, Professor Teague and Dr Culnane advised that ‘every instance … of government-mandated weakening of cryptographic protections has eventually been shown to be exploitable by bad actors’.85 They further commented that ‘there is no way for a mathematical tool (whether for offence or defence) to behave differently depending on the morality of the person using it’.86
It was also suggested that the legislation does not take account of how a provider would implement new capabilities required under a compulsory notice. A provider’s solution to accessing a ‘particular’ device in compliance with a one-off notice will likely neither be tied to the specific device, nor be deleted after single use.87
Professor Teague and Dr Culnane suggested that the creation of a ‘backdoor’ or systemic weakness/vulnerability may not be always immediately apparent.88 This was echoed by the MIT Internet Policy Research Initiative.89
The Office of the Australian Information Commissioner and the United Nations’ Special Rapporteur on the right to privacy advised that the risk of a single notice creating a systemic risk or systemic vulnerability presents a significant challenge to the enjoyment of privacy and other human rights by third-parties who are not the target of law enforcement or intelligence agency investigations or prosecutions.90

Limitation may not be capable of meeting its stated objective

As a result of the concerns listed above, a number of stakeholders questioned whether the limitation on systemic weaknesses and vulnerabilities was effective in meeting its stated objective.91 This led some to propose that TCNs be removed from the legislation completely, as it was not considered possible to develop a new capability that would not increase the risk to other users more than it benefits law enforcement efforts.92
It was also noted that while the limitation prevents agencies from requiring a provider to build a systemic weakness into their products or systems, a provider is nonetheless free to do so. Further, the legislation does not require a provider to make any effort to minimize the security impact of that systemic flaw.93

Extension of limitation to ‘listed acts or things’ other than electronic protection

In evidence to the 2018 Bill Review, BSA | The Software Alliance noted that the systemic weakness limitation is not available to other ‘listed acts or things’ (other than the removal of a form of electronic protection). According to the Alliance, the limitation:
…applies only to forms of electronic protection and it is unclear if, for example, the agency were to require us or our members to install software onto a device which causes it to become a listening device whether that would necessarily be prohibited by that exception.94
The Law Council identified similar limitations in the proposed safeguard.95
BSA | The Software Alliance was of the view that the limitation should therefore be expanded and apply to all ‘listed acts or things’.96
The Committee sought to address these concerns by recommending that ‘the bill be amended to apply the “systemic weakness” limitation (section 317ZG) to all “listed acts or things”’.97 This recommendation was not implemented; there have been no amendments that extend the systemic weakness limitation to other types of assistance. Stakeholders remain concerned.98
The Law Council suggested this issue could be resolved by replacing the term ‘electronic protection’ in subsection 317ZG(1) of the Act with the phrase ‘current or proposed product or service’.99

Problems identified with the limitation relating to warrants or authorisations (section 317ZH)

The Act provides a second limitation on industry assistance measures. It prevents requests or notices from requiring a provider to engage in conduct for which a warrant or authorisation is required under certain Commonwealth and state/territory laws.100 An intent of this limitation is that a request or notice does not displace the need for an agency to obtain a warrant or authorisation to view the content of that communication.

Clarifying the intent of the limitation

During the 2018 Bill Review, the Law Council was supportive of this limitation. It felt that the limitation accorded with recommendations it made during the Exposure Draft process that the legislation should expressly state that the power to request or require decryption (or an individual to facilitate opening up a password protected device) under a compulsory notice does not displace the need for an agency to obtain lawful authority to view the content of a communication or electronic record.101
However, the Law Council was concerned that the limitation is unlikely to be understood by many individuals within the diverse range of agencies that may utilise these powers and the greatly expanded range and nature of recipient entities within and outside Australia that will be subject to complex Australian law enforcement legislation for the first time. The Law Council noted that the legislation purports to apply to providers outside Australia of an electronic service that has one or more end-users in Australia, and the encrypted communication may have no other relevant link to Australia or to that of those end-users in Australia, so the provider may have little or no familiarity with Australian law.102
Similarly, Telstra recommended that the legislation be amended to clarify that the exercise in Schedule 1 in no way provides for the content of communications to be provided to a relevant agency, and that accessing the contents of any type of communications require a warrant through established processes.103

Amendments introduced and passed

Amendments introduced and passed on 6 December 2018 responded to these concerns by amending section 317ZH of the Bill. This section of the Act now explicitly provides that communications providers cannot be requested or required to ‘do an act or thing for which the agency, or an officer of the agency, would be required to have, or obtain, a warrant or authorisation’ under a Commonwealth, state or territory law, unless the thing or act relates to the performance of a function or the exercise of a power already afforded to the agency under law.104
The Law Council welcomed these amendments, but expressed some reservation about their effect by suggesting they ‘seek to add clarity to the prohibition against the side-stepping of warrants’.105 The Law Council of Australia also suggested that there is uncertainty regarding the potential for ASIO to issue a TAR requiring a provider to perform acts or things, including telecommunications interception, for which they would otherwise require a warrant.106
The Inspector-General of Intelligence and Security (Inspector-General) provided detailed advice on this matter during both the 2018 Bill Review and the 2019 Act Review. The Inspector-General’s advice is summarised in the following section.

Inspector-General of Intelligence and Security advice regarding warrants limitation and ‘giving effect to’ a warrant exception to the limitation

In evidence to the 2019 Act Review, the Inspector-General noted that, despite the amendments introduced and passed on 6 December 2018, the Act contains an exception to the limitation that would allow ASIO to issue a TAR, TAN or request a TCN that ‘gives effect to’ one of its warrants.107 That is, the limitation would not prevent ASIO from requesting or compelling a provider to engage in conduct for which ASIO would itself require a warrant, if such a request or notice would ‘give effect to’ a warrant otherwise obtained.108
This evidence expands upon evidence from the Inspector-General during the Committee’s 2018 Bill Review, where the Inspector-General queried the relationship between ‘providing technical information’ (as a specific type of ‘listed act or thing’ as defined in section 317E) and ASIO’s existing questioning warrants or questioning and detention powers, and the warrants limitation.109
The Inspector-General noted advice from the Department of Home Affairs that the provision was intended to cover the doing of an act authorised under a warrant but only an extant warrant. The Inspector-General reiterated earlier suggestions that the meaning of the limitation is ambiguous and should be clarified, or the provision simply removed and sole reliance placed on the ‘assistance and facilitation’ exception in subsection 317ZH(4)(e).110
In evidence to the 2019 Act Review, the Inspector-General also noted that the Act potentially enables intelligence operations to utilise multiple, interrelated sources of authority (for example, TARs, TANs, TCNs and special powers warrants). It suggested that this may impede oversight activities by making it difficult to identify which powers were used in each operation without a ‘forensic search of ASIO’s records’. The Inspector-General therefore advocated for a clear requirement for ASIO to identify connections between TARs, TANs and TCNs and special powers warrants, in its reports on relevant warrants, which would then form a basis for targeted searches and analysis by IGIS officials during inspections.111

An avenue for expanding data retention requirements

A large number of submitters to the 2018 Bill Review questioned whether industry assistance measures could be used to expand the scope of data retention measures.112

Amendments introduced and passed

The Government responded to concerns raised in the 2018 Bill Review by introducing section 317ZGA of the Act to specify that the existing data retention regime in Part 5-1A of the Telecommunications (Interception and Access) Act 1979 is the ‘explicit vehicle for expanding or contracting the data set’.113 The intent of subsection 317GA(4) is that a TCN cannot be used to require a provider to retain web browsing histories or associated metadata.114
Evidence from the Law Council suggests it is satisfied that this amendment addressed these concerns.115
However, industry groups and professional associations made a joint submission to the 2019 Act Review which identified that, without an exhaustive definition of ‘listed acts or things’ (with reference to technical assistance requests) or ‘listed help’ (with reference to technical capability notices), providers could nonetheless be requested or compelled to provide assistance that could still be used to expand the scope of data retention measures, including:
acts or things which facilitate giving effect to a warrant or authorisation, or the receipt of information in connection with a warrant or authorisation; and
installing, maintaining, testing or using software or equipment.116
The joint submission characterised these listed acts or things as ‘loopholes’ which enable the mandatory data retention regime to be bypassed.117

Grounds for seeking industry assistance – relevant objectives

As amended, Schedule 1 establishes broad grounds or ‘relevant objectives’ on which agencies may seek industry assistance measures. The relevant objectives of TARs, TANs and TCNs differ slightly, but objectives common to all requests and notices encompass:
the interests of Australia’s national security or safeguarding national security;
enforcing criminal law, so far as it relates to serious Australian offences (offences with a penalty of a maximum period of three years’ imprisonment or more);118 and
assisting the enforcement of criminal laws in force in a foreign country, so far as those laws relate to serious foreign offences.119
Submitters to both the 2018 Bill Review and the 2019 Act Review felt that the relevant objectives are too broad and risk contravening the human rights tests of proportionality and necessity.120
Stakeholders identified two areas for further consideration. First, stakeholders recommended that a warrant for access to the content of communications should be made the precondition for the issue of an industry assistance measure.121 It was argued that there is little purpose in issuing a request or notice if access to the content of the communications is not subsequently gained through a warrant or other authorisation.122 Such a requirement will ensure that a request or notice is actually relevant and give guidance as to the proportionality of the notice.123 It was also commented that the provider should be advised that a warrant for the access to the content of communications has been obtained, and broadly what it permits.124
The second matter identified in the 2018 Bill Review was that the powers should only be available in response to serious offences,125 with some proposing the use of the term as defined in Telecommunications (Interception and Access) Act 1979.126
In response to this second matter, the Committee sought to address concerns about the threshold for a serious offence by recommending that industry assistance measures, so far as they relate to criminal law enforcement, apply to offences with a penalty of a maximum period of three years’ imprisonment or more.127

Amendments introduced and passed

Serious offences

Amendments introduced and passed on 6 December 2018 gave effect to the Committee’s recommendation regarding serious offences. Industry assistance measures can only be used by law enforcement agencies (Commonwealth, state or territory) where that agency is enforcing the criminal law so far as it relates to a serious offence—defined as an offence punishable by an imprisonment term of three years or more—under either Australian law or the laws of a foreign country.128
However, stakeholders in the 2019 Act Review advocated for the threshold—three years—to be raised.129
During both reviews, the Australian Human Rights Commission advocated for the definition of ‘serious offences’ in the Telecommunications Act 1997 to be aligned with the definition contained in section 5D of the Telecommunications (Interception and Access) Act 1979 (TIA Act). The TIA Act defines serious offences as those ‘punishable by imprisonment for life or for a period, or maximum period, of at least 7 years’, which includes acts of terrorism, sabotage, espionage, foreign interference, and other serious criminal offences, including child sex offences.130
The Law Council also recommended that the definition of ‘serious offences’ be made consistent with the TIA Act so ‘serious offences’ is ‘defined as laws of the Commonwealth, a state or a territory that is punishable by a maximum term of imprisonment of seven years or more’.131
Access Now recommended removing the power to issue notices to assist the enforcement of the criminal laws of a foreign country. It was concerned that requests or notices could be issued to support law enforcement in countries with a poor human rights record, and therefore risks Australia ‘becoming the enabler of repressive and authoritarian regimes’.132

Relevant objectives specific to TARs

The Government introduced other amendments, later passed by the Parliament, that clarified the relevant objective as it relates to TARs for each agency separately.
The Act explicitly notes the grounds or relevant objectives according to which each individual agency may seek the issuance of a TAR. Stakeholders expressed concerns in relation to two of the relevant objectives specific to TARs, namely:
ASIS’s ability to issue a TAR in ‘the interests of Australia’s national security, the interests of Australia’s foreign relations or the interests of Australia’s national economic wellbeing’;133 and
ASD’s ability to issue a TAR to ‘provide material, advice, and other assistance … on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means’.134
In evidence to the 2018 Bill Review and the 2019 Act Review, the Australian Human Rights Commission characterised the breadth of objectives on which TARs could be issued as ‘unjustifiably wide’. It argued that, ‘while measures that significantly limit human rights may, in some circumstances, be permissible to protect national security, it is more difficult to establish proportionality with respect to achieving comparatively less important and pressing objectives’. An example is seeking industry assistance for tax and superannuation law compliance in the interests of Australia’s national economic wellbeing.135
Access Now advocated for limiting the relevant objectives for TARs. It suggested that ‘the interests of Australia’s foreign relations or the interests of Australia’s national economic well-being’ (as applicable to ASIS) should be removed and the ‘matters relating to the security and integrity of information’ (as applicable to ASD) should be modified to clarify that requests should only be issued in pursuit of improving the security and integrity of information.136

Relevant objectives specific to TANs and TCNs

The Act does not provide agency-specific relevant objectives under which TANs or TCNs can be issued, as in the case of TARs. Rather, the Act specifies that a TAN or TCN can be issued by ASIO or a law enforcement agency for the purposes of:
enforcing criminal law, in so far as it relates to serious Australian offences;
assisting the enforcement of the criminal laws in force in a foreign country, in so far as those laws relate to serious foreign offences; and
safeguarding national security.137
In addition, and in respect of TANs only, ASIO or a law enforcement agency may issue a notice for a matter that facilitates, or is ancillary or incidental to, a matter covered by the other three relevant objectives.138
Stakeholders suggested that further consideration is required in relation to two of the relevant objectives specific to TANs and TCNs, namely:
the performance of a function, or the exercise of a power, conferred by or under a law of the Commonwealth, a state or a territory, so far as the function or power relates to a relevant objective; and
a matter that facilitates, or is ancillary or incidental to, a matter covered by the preceding point.
These relevant objectives do not require agencies issuing a notice to do so only in connection with their powers or their functions. Rather, the Act merely requires that requests or notices be issued in relation to a performance of a power or a function under Commonwealth or state law.
Stakeholders expressed some concern about the breadth of the matters for which an agency may seek to issue compulsory industry assistance measures.139 Some expressed further concern that a notice need only be directed towards a matter that facilitates, or is ancillary or incidental to, the performance of a power or function under law.140 The Law Council and Access Now recommended an amendment to remove this additional scope.141

Decision-making criteria

The Act requires that requests and notices are ‘reasonable and proportionate’, ‘practicable’ and ‘technically feasible’ (sections 317P and 317V). In determining whether the requirements imposed by a request or notice are ‘reasonable and proportionate’, the decision-maker issuing the request or notice must have regard to the following:
the interests of national security and law enforcement;
the legitimate interests of the designated communications provider to whom the notice relates;
the objectives of the notice;
the availability of other means to achieve the objectives of the notice;
whether the industry assistance requested is in the form least intrusive on persons not of interest (for compulsory notices only);142
the legitimate expectations of the Australian community relating to privacy and cybersecurity;
such other matters (if any) as the decision-maker considers relevant.
The Law Council asserted that the Act confers ‘an unstructured discretion to determine whether the use of the measures is “reasonable and proportionate”’.143 Whilst the Law Council supported the requirement that the relevant decision-maker must have regard to ‘the availability of other means to achieve the objective of the notice’, the Council expressed the following concerns:
the proposed criteria do not provide guidance on how the individual factors are to be weighed or balanced when considering whether an industry assistance measure is reasonable and proportionate. This may mean in practice that, for example, higher weight is always given to the interests of national security and law enforcement rather than the other factors listed;
the thresholds of the individual factors are low. For example, ‘the interests of national security or law enforcement’ may capture a broad range of benign activity, and the Council recommended that a higher threshold of ‘significant’ or ‘serious national’ security and law enforcement interests be required;
the consideration of the ‘legitimate expectations of the Australian community relating to privacy and cybersecurity’ is overly broad and vague, and should be amended to refer explicitly to the fundamental human right to privacy;
the decision-maker should be explicitly required to consider the likely cost of complying with a request or notice, recommending that the decision-maker be required to consider ‘the legitimate interests of the designated communications provider to whom the request or notice relates, including commercial interests’; and
the decision-making criteria be exhaustive, and that the ability for the decision-maker to consider ‘such other matters … as the case requires’ be omitted.144
The Inspector-General also identified that the consideration of the ‘legitimate interests of a provider’ does not necessarily provide a clear directive to routinely consider the cumulative impact of the exercise of multiple coercive powers. Consequently, the Inspector-General suggested amendments that:
where a TAN is sought, a requirement for the decision-maker to assess the ‘potential for oppression arising from the exercise of multiple coercive powers against a provider’; and
where a TAN is sought, a requirement for the requesting agency to provide information to the Attorney-General about any previous requests made and notices issued, and information about the exercise or proposed exercise of other coercive powers in relation to the provider.145
Stakeholders also expressed concern about the subjective test established in the reasonable and proportionate tests.146 For example, Kaspersky Lab advised that a subjective state of mind of the decision-maker ‘cannot serve as a criteria for what is essentially a technical discussion, which requires specific knowledge and technical competence. This knowledge may not always be readily available in the public sector’.147 Kaspersky Lab noted that the subjective test presents challenges for what is otherwise a technical discussion that requires specific knowledge and technical competence.148 This was echoed by the Coalition of Civil Society Organisations and Technology Companies and Trade Associations, and Apple Inc.149
Amendments to the decision-making criteria considered necessary by stakeholders include:
compulsory consideration of the necessity of the industry assistance measure so that the availability of other means is considered prior to the request or notice being issued;150
requiring agencies to have exhausted both their own means and commercially-procured means before issuing an industry assistance measure, and that these prior attempts be documented;151
that the benefits to the community of issuing the request or notice outweighs the costs (including the impact on trust and confidence in networked systems);152 or, similarly, whether the imperatives of law enforcement demonstrably outweigh reasonable expectations of citizens in confidentiality in communications;153
that human rights protections be inserted into the decision-making criteria to ensure adequate consideration and protection in all the circumstances;154
that the conduct required by a request or notice be the least-intrusive approach to address privacy concerns and to limit the stifling effect on innovation;155
that privacy protections in the decision-making criteria are bolstered, with the model in the Telecommunications (Interception and Access) Act, section 180F proposed, where the decision-maker must consider and be satisfied on reasonable grounds that interference with privacy is justifiable and proportionate, having regard to the gravity of any conduct, the likely relevance and usefulness of the information or documents, and the reason why the disclosure or use concerned is proposed to be authorised;156
that consideration be given to the likelihood of any weakness or vulnerability that may be exploited by malicious actors;157
that the systemic weakness limitation in section 317ZG be specifically considered by the decision-maker,158 and
that ‘practicable’ and ‘technically feasible’ be defined.159
In evidence to the 2018 Bill Review, the Inspector-General discussed the importance of clear decision-making criteria in legislation. The Inspector-General advised that statutory decision-making criteria ensure that the relevant matters are clearly drawn to the attention of the decision-maker in each case. Further, in the experience of the Inspector-General, a statutory requirement is the most effective way of facilitating better practice by agencies in keeping appropriately detailed and consistent records about their decisions to exercise a discretionary power. It also ensures that the relevant decision-making process is auditable, including by the Inspector-General.160

Consultation and compensation

Consultation with a provider

The Act requires a 28-day consultation period with a provider prior to issuing a TCN (section 317W). Consultation can be waived under certain circumstances (subsection 317W(3)).
During the 2018 Bill Review, stakeholders raised a variety of concerns with respect to these consultation requirements. Broadly, these concerns included:
that the consultation process does not adequately address residual disputes regarding technical feasibility or systemic weakness or vulnerability matters;161
the role and importance of a technically competent third party to make independent evaluations was also emphasised by stakeholders;162
that absent a definition of ‘systemic weakness’ or ‘systemic vulnerability’, it is unclear what the technical expert is attempting to detect;163
that the costs incurred by engaging a technical expert should be fully borne by government and not providers,164 and
that the 28-day timeframe provided for consultation is unduly short,165 and some recommended that the period be extended to 60 days.166

Amendments introduced and passed

These concerns led the Committee to recommend amendments to provide for an independent review mechanism by which independent legal and technical experts could assess a proposed TCN (before it has been issued) on whether:
it contravenes the systemic weakness limitation;
the requirements it imposes are reasonable and proportionate;
compliance with the notice is practical and technically feasible; and
it is the least intrusive measure that can be used to achieve the relevant objective.167
The Committee recommended that the findings of this assessment would be binding on the Attorney-General’s decision to issue the proposed TCN.168
Amendments introduced and passed on 6 December 2018 provided for an independent review mechanism for proposed TCNs, though the assessment will not be binding on the Attorney-General.

Independent legal and technical assessment of TCNs

The Act empowers a provider, who has been issued with a TCN, to write to the Attorney-General (within the 28-day consultation period) to request that a former, senior court judge and technical expert be appointed to assess whether the proposed TCN should be issued.169 Together the two assessors must consider and report on whether the proposed TCN:
contravenes the systemic weakness limitation of the Act;170
imposes requirements which are reasonable and proportionate;
is practicable and technically feasible; and
is the least intrusive measure that would be effective in achieving the legitimate objective.171
In preparing their report, the assessors must consult both the provider and the requesting agency.172 The assessors’ final report must be provided to the Attorney-General, the provider as well as the relevant oversight agency (either the Inspector-General of Intelligence and Security or the Commonwealth Ombudsman depending on the issuing agency).173
Whilst the findings of the report are not binding, the Attorney-General must have regard to it when considering the reasonableness, proportionality, practicality and technical feasibility of the proposed TCN as part of deciding to issue it.174
Before the Attorney-General can approve the issuance of a TCN they must seek the approval of the Minister for Communications. This requirement was added into the legislation following a recommendation of the Committee.175 It was the Committee’s intention that the Minister for Communications could provide a further avenue for industry representation in relation to a proposed TCN. In deciding to authorise the TCN, the Minister for Communications must consider:
the objectives of the notice;
the legitimate interests of the provider;
the impact of the notice on the efficiency and international competitiveness of the Australian telecommunications industry.176
Whilst submitters to the 2019 Act Review welcomed the addition of a mechanism by which the appropriateness of proposed TCNs can be assessed prior to being issued, many questioned the independence of legal and technical experts appointed by an Attorney-General seeking to issue the notice.177
Concerns were also expressed regarding the non-binding nature of the assessors’ findings178 and the fact that this review mechanism may only be sought by providers in relation to a TCN.179 For example the Australian Human Rights Commission, BSA | The Software Alliance and Access Now advocated for TARs and/or TANs to be subject to a similar review process or another appropriate form of review.180
Evidence also highlighted the need to clarify arrangements for consultation and review in the case of urgent TANs or TCNs, the extension of an existing TCN or the issuance of a new TCN substantially similar to an earlier notice.181
BSA | The Software Alliance noted that agencies are not required to consult providers in relation to TANs or TCNs in cases of ‘urgency’; a term undefined in the Act.182
The Law Council noted that it appears that TCNs can only be extended with the agreement of a provider, whereas subsections 317W(7) and (8), appear to enable a substantially similar TCN to be issued to a provider without their agreement or opportunity to submit their concerns.183
Stakeholders asserted that providers’ right to be consulted and to seek a review of a proposed TCN shouldn’t be waived in any circumstances and must inform the Attorney-General’s decision, even in cases where the consultation period is curtailed, a TCN is extended or a substantially similar TCN is issued.184

Ongoing consultation post-issue

A number of stakeholders noted that the legislation does not specifically enable a provider to seek review or apply for revocation of a notice.185 The Act does not include:
a positive obligation on the decision-maker to consider whether the grounds for mandatory revocation are met during the period in which the notice is in force; nor
a positive obligation on the decision-maker to consider any representations that are made by the provider about the revocation of a notice; nor
any obligations on agency staff members to bring information to the attention of the decision-maker that suggests that the grounds of issuing have ceased to exist.186
This led the Inspector-General to conclude that, in practice, this may limit the effectiveness of the revocation requirements.187 It suggested that the power to revoke or vary a notice be clarified beyond doubt to make compliance and oversight more effective.188
Ms Riana Pfefferkorn, a cryptography fellow at the Stanford Law School, was of the view that such an avenue could address circumstances where implementation of the conduct required by the notice leads to widespread negative security impacts or systemic vulnerabilities.189 Similar comments were made by Optus, which further commented that a provider should have a clear avenue to seek a variation to a request or notice and be able to submit evidence which demonstrates that the practicality, reasonableness or technical viability of assistance has been adversely affected by new and changed circumstances.190
The Australian Human Rights Commission echoed these concerns, recommending amendments that would establish a process for a provider to apply for revocation on grounds of reasonableness, proportionality, and whether a notice was practicable or technically feasible.191

Extension of consultation requirements to TARs and TANs

During the 2018 Bill Review, a large number of stakeholders recommended that consultation requirements be extended to voluntary TARs and compulsory TANs.192 For example, the Office of the Australian Information Commissioner recommended that a technical expert assessment of all voluntary TARs and TANs should be required to confirm that the effect of the proposed conduct will not have any unintended consequences on the security of systems.193
These concerns were partially addressed through amendments which inserted a new section 317PA into the Bill which requires ASIO or a law enforcement agency to consult providers before issuing a TAN.194 This section also requires providers to be informed of their right to complain about a proposed TAN to the Inspector-General of Intelligence and Security or Commonwealth Ombudsman (depending on which agency issued the notice).195 However, these amendments stopped short of extending the requirement to consult to TARs.
In advocating for the extension of the requirement to consult, Optus commented that the absence of consultation creates a risk that any decision might be based on an incomplete or incorrect understanding of a service provider’s capabilities, and that such notices may not have a proper basis and may impose obligations on a provider which they cannot satisfy.196 In such circumstances, a provider will bear both commercial and compliance risks, which, in the view of Optus, is not a reasonable outcome.197 Similar comments were submitted by Telstra.198

Compensation for compulsory conduct

The Act contains a ‘no profit or loss’ provision for compliance with compulsory notices unless the relevant decision-maker and the provider otherwise agree (section 317ZK), or where the Director-General of Security, the chief officer or the Attorney-General decide it is contrary to the public interest for this to occur (section 317ZK(3)). Stakeholders made recommendations for amendment to the legislation with the effect that:
more fulsome compensation arrangements be available;199
a provider should have a right to compensation when it has undertaken acts as required by a notice and as a result, has suffered damage to infrastructure or loss of revenue that is directly attributable to that conduct;200 and
provision of commercial remedies where a provider’s confidential technical information is compromised as a result of complying with a notice or request.201
The Law Council also advised that the threshold for determining that it is not in the public interest for the ‘no profit, no loss’ provision to apply is too low. It felt that ‘there is the potential risk that it could be determined that the interests of law enforcement and national security outweigh the regulatory burden on the provider because it is in the interests of the former that its resources and funding be directed at its other efforts in law enforcement and national security’.202

Time limits

During the 2018 Bill Review, a range of stakeholders expressed concern regarding the absence of a strict statutory time limit for TARs, TANs and TCNs. For example, the Office of the Victorian Information Commissioner recommended that all requests and notices should be subject to a strict time limit, commenting that it is undesirable to have open-ended vulnerabilities and that the Attorney-General should be obligated to monitor the duration, expiry and revocation of all TCNs.203
The Committee agreed with stakeholders and recommended that the Bill be amended to provide that TANs and TCNs be subject to statutory time limits, and that any extension, renewal or variation of a TAN or TCN also be subject to a statutory time limit.204

Amendments put and passed

Following the Committee’s recommendation, amendments were introduced and passed on 6 December 2018 which altered subsections 317MA(1A) and 317TA(1A) to ensure that TANs and TCNs cannot be in effect for longer than 12 months.205
Amendments also introduced a measure to extend the life of a TAN or TCN past the 12 month limitation with the agreement of a provider so long as each extension does not exceed an additional 12 months.206
However, maximum statutory time-limits were not imposed on TARs, nor recommended by the Committee in its 2018 Report. Voluntary industry assistance requests are subjected to a 90 day maximum only if an expiry date isn’t specified by the issuing agency and there is no limit on the expiry date that may be specified.207
The Australian Human Rights Commission recommended a fixed time limit for all requests and notices, commenting that a maximum duration will also help to promote more regular review by decision-makers of the necessity and appropriateness of the assistance requirements specified in them.208 The Law Council made similar statements, recommending amendment to:
establish a maximum time limit after which a TAR would have to be issued;
include a limit on the number of fresh requests or notices that can be issued; and
be subject to periodic review by the decision-maker;
require providers to be informed of their right to refuse an extension of a TAR, TAN or TCN.209
The Inspector-General noted that from the perspective of both legality and propriety, there are many advantages to prescribing a fixed maximum period of effect for a coercive or intrusive power, such as the power to issue a TAR.210 The Inspector-General therefore suggested amendments that would provide:
a limitation on the power of the decision-maker to set an expiry date, specifically through the insertion of a statutory maximum period of effect that is aligned with the ‘default’ period of effect if no expiry date is specified; and
an explicit limitation that a variation which extends (or further extends) the period of effect of a request or notice cannot extend the total period beyond the applicable statutory maximum. This would be consistent with existing provisions of the ASIO Act that limit powers of variation in relation to the duration of special powers warrants and authorities for the conduct of special intelligence operations;
if no maximum period of effect is prescribed for TARs, then an express periodic review requirement should be included in the Telecommunications Act or in Ministerial Guidelines to the relevant intelligence agencies.211

Judicial authorisation and oversight

Prior judicial authorisation

A large number of stakeholders expressed concern that judicial authorisation is not required before issuing a TAR, TAN or a TCN.212
The Australian Human Rights Commission expressed strong concern about the appropriateness of notice-giving powers being solely afforded to decision-makers within the agencies that seek to obtain the relevant industry assistance. A self-regulating approach, according to the Commission, raises questions about effective transparency and accountability.213
A large number of submitters noted that a judicial warrant, also known as a ‘double lock’ provision, is required under the United Kingdom’s Investigatory Powers Act 2016, and recommended that a similar approach be required for Australia’s comparable scheme.214
The Investigatory Powers Act 2016 establishes similar TCN-giving powers; however, that notice is subject to approval by the Secretary of State in the first instance, as well as a judicial commissioner of the Investigatory Powers Tribunal. The Judicial Commissioner is an independent statutory agency exercising judicial functions. In considering whether to approve the giving of a notice, the judicial commissioner must apply the same principles as would be applied by a court on an application for judicial review.215
In deciding whether to approve a decision to give a relevant notice, a Judicial Commissioner must review the Secretary of State’s conclusions with regard to whether the notice is necessary and whether the conduct required by the notice is proportionate to what is sought to be achieved by that conduct. When assessing proportionality, the Judicial Commissioner must have regard to the general duties in relation to privacy that are set out in the Investigatory Powers Act.216
This effectively creates a ‘double-lock warrants approval process’ whereby the Secretary of State and Judicial Commissioner must both approve the granting of certain warrants, including an interception warrant. The UK scheme also permits a provider to refer a notice back to the Secretary of State for review.217
The Australian Information Industry Association noted that the UK approach extends judicial review to questions of proportionality and necessity which would enliven merits review.218 Similar comments were made in a joint submission by Communications Alliance, Australian Industry Group, Australian Information Industry Association, Australian Mobile Telecommunications Association, and in separate submissions by the Office of the Victorian Information Commissioner and the Australian Human Rights Commission.219
Many submitters argued that any decision to issue a request or notice should be made by a judicial officer and not the Attorney-General.220 The Law Council felt that this would ensure that decision-making involves someone outside the issuing agency with a ‘more objective, external perspective’. The Law Council argued that the Act’s review mechanism for TCNs does not meet this requirement as, although it involves a former senior judge, they are not the primary decision maker.221
The Law Council supported amending the Act to require an eligible judge to refuse the issuance or variation of a TAN or TCN unless satisfied that:
the provider can comply with the notice;
the notice can validly be given;
the provider has been consulted and given a reasonable opportunity to make submissions on whether the requirements to be imposed by the notice are reasonable and proportionate and whether compliance with the notice is practicable and technically feasible.222
The Law Council noted that decision-making must be prompt and confidential on these matters. However it was of the view that judicial authorisation of industry assistance measures could be provided promptly and confidentially. In New South Wales, the Council explained, the Chief Judge of the district court rosters a judge to deal by telephone with New South Wales Police surveillance warrant requests. The process appears to function effectively and is timely.223
Although the Council expressed strong support for external judicial authorisation, it proposed, in the alternative, that judicial review of decisions under the Administrative Decisions (Judicial Review) Act 1977 should be available, commenting that it offers applicants a simplified review process that allows courts to be more flexible in tailoring remedies for the particular circumstances of the case.224
The Australian Human Rights Commission suggested that an external merits review, as distinct from internal merits review, would enhance the independence and quality of decision-making.225
Strongly advocating for prior judicial authorisation, Professor Joseph Cannataci, the United Nations’ Special Rapporteur on the right to privacy, commented that ‘review needs to be undertaken by a judge who, by his or her independence from government, provides the greatest authority and legitimacy’.226 Professor Cannataci further submitted:
The limitations and safeguards revolve around the decision-maker and the Explanatory Memorandum asserts that these officers are well equipped to consider the reasonableness and proportionality of any requirements. … While ‘heart-warming’ that such a state of trust exists in Australia, greater confidence would be generated in domestic and international quarters if the legislation established an independent mechanism that verifies proper conduct and use of these far reaching powers by such decision-makers. The role of head of an agency does not confer automatically adequate ‘oversight’ and less so when the decision-making power can be delegated, even if restricted to [senior officials].227
Objective scrutiny independent from organisational pressures and culture is critical as the individual would necessarily be prevented from seeking an effective remedy of his or her own accord or from taking a direct part in any review proceedings, it is essential that the procedures established should themselves provide adequate and equivalent guarantees safeguarding his or her rights. In such circumstances, it is critical that supervisory control be provided to a judge, as judicial control offers the best guarantees of independence, impartiality, and proper procedure.228

Ongoing oversight by the courts and grounds for appeal

Stakeholders also advised that the legislation does not create a clear process for commencing legal proceedings in regards to industry assistance measures nor a ‘clear and meaningful’ standard for a court to apply in reviewing such a challenge.229 Further, it does not provide a ground for challenge by affected third parties—individuals and businesses alike.230 It was recommended that grounds for civil appeal should include cost, security management, risk management, business management processes, disruption to business, disparity with the Privacy Act or other common law duties, or the public interest.231 Users’ interests are also discussed in more detail in the ‘Immunity provisions’ section of this briefing paper.

Centralised and efficient administration

Single clearing house

A number of stakeholders expressed concern about the breadth of agencies that may seek industry assistance, commenting that there should be a single ‘clearing house’ in an effort to minimise duplication or contradictory or incompatible notices being issued from multiple agencies.232
The existing Communications Access Coordinator was suggested as an appropriate body that could serve as a model for such a body.233

Amendments introduced and passed

In its 2018 Report, the Committee recommended amendments which require all TANs, issued by state and territory law enforcement, to be subjected to the approval of the Australian Federal Police (AFP) Commissioner.234 This recommendation was given effect in amendments introduced and passed on 6 December 2018.
The Committee’s intent in this recommendation was to ensure that the decision to issue TANs is made consistently across jurisdictions and that duplicate, contrary or incompatible requests are not being issued by state and territory law enforcement.
However, the Department of Home Affairs raised some concerns with this requirement. In a submission to the 2019 Act Review, it claimed that requiring the AFP Commissioner to approve TANs proposed by state and territory law enforcement agencies risks:
reducing the effectiveness of these powers for state and territory police and their willingness to use them;
imposing an undue ‘resource and process burden’ on both the AFP and state and territory police; and
creating ‘a structural conflict between co-equal policing agencies within the Australian federal framework’.235

Simplified contracting

Both Telstra and Optus, telecommunications carriers with existing responsibilities under the Telecommunications (Interception and Access) Act 1979, recommended a more efficient form of contracting, including consideration of a standard form contract.236
In the absence of a standard contract, each provider faces the prospect of having to negotiate separate arrangements with each authorised decision-maker. Noting that there are twenty authorised agencies under the scheme, and multiple decision-makers may exist within a single agency, providers may incur significant transaction costs.237

Voluntary assistance should be sought prior to exercise of compulsive powers

A number of stakeholders commended the inclusion of voluntary assistance requests, commenting that it is always preferable for voluntary collaboration between government and industry rather than the exercise of compulsive powers.238 It was also noted that a collaborative and cooperative approach is more likely to result in efficient and timely outcomes.239
It was recommended that an amendment to the legislation be sought to require a voluntary assistance request be issued before compulsive powers are used and a TAN or TCN is issued.240
The Law Council emphasised that this graduation—mandatory prior issue of a voluntary TAR—should be followed except where the requesting agency has reasonable cause to believe, having regard to prior dealings (which may or may not include the requesting agency) with the relevant recipient, that it will be necessary to proceed to a higher step in order to achieve a practically useful response.241
BSA | The Software Alliance suggested that agencies should have to demonstrate that ‘they have exhausted all options before escalating their request to require a TAN or TCN’.242

Enforcement matters

Compliance measures

Non-compliance with a compulsory notice will attract significant civil penalties, ranging from $50,000 to $10 million. Stakeholders expressed concern about the proportionality and reasonableness of penalties for non-compliance.243 Furthermore, Professor Teague and Dr Culnane noted an apparent inconsistency created by the new offence for counselling circumvention of a notice (proposed section 317ZA) whilst also not limiting the ability of a provider to rectify a systemic weakness or vulnerability. It was identified, for example, that the offence may accidentally catch providers who explain to their consumers how to keep their data secure.244
Civil Society advised that the compliance provisions do not require any knowledge in relation to the existence of a compulsory notice, and this in turn creates an opportunity for a person to unknowingly commit an offence.245
Two specific recommendations were made on the compliance measures:
that the compliance measure (section 317ZA(2)) be removed completely,246 and
that a reasonable belief that a notice does not comply with the systemic weakness or systemic vulnerability limitation (section 317ZG) should be a defence to all the enforcement provisions in Division 5.247

Secrecy offences

A number of submitters to the 2018 Bill Review raised concerns regarding secrecy offences and obligations, including the scope of the offence, the severity of the proposed penalties and that an exemption for public interest disclosures should be available.248
Some questioned the reasonableness of the offences which would prohibit the disclosure of information to third parties with whom a provider may otherwise wish to consult in the assessment of technical feasibility, systemic weakness or systemic vulnerability.249
For example, BSA | The Software Alliance noted that the ‘unauthorised disclosure’ provisions in the Act do not require offenders to have intention or knowledge of wrongdoing. It warned that this exposes the employees of providers to imprisonment for up to five years if they, in seeking to comply with a request or notice, innocently consult their colleagues in relation to technical questions. BSA | The Software Alliance recommended that unauthorised employee disclosures be decriminalised.250
Other concerns included that the legislation does not include provisions permitting disclosure after the facts no longer indicate that secrecy is required.251
Cisco advised that the secrecy obligations and the limited grounds for authorised disclosure could render prior statements regarding the security or lack of surveillance features to be misleading with no ability to correct that prior statement.252
Stakeholders noted that the secrecy offences do not include a harm element.253 More specifically, concerns were expressed that the non-disclosure requirements are not limited to certain types of cases (such as where disclosure would present a threat to national security, interfere with an investigation or threaten the safety of a person).254
Stakeholders therefore recommended:
that a harm element should be inserted into the offence;255
that requirements be subject to strict time limits in an effort to promote government accountability about the use of industry assistance measures;256
offences should only apply to intentional disclosures;257
greater protections for whistle-blowers and disclosures made in the public interest,258 or in accordance with the Public Interest Disclosure Act;259
that the offence be amended to include a more comprehensive list of defences as applies with other secrecy provisions such as those in the National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018,260 and
that the secrecy offence be removed altogether.261

Defences available to IGIS officials

During the 2018 Bill Review, the Committee also heard concerns regarding the impact of the unauthorised disclosure provisions on the Inspector-General of Intelligence and Security’s ability to adduce the evidence necessary to discharge the evidential burden required by the provision.262 That is because current and former Inspector-General officials are under a legal disability as a result of the secrecy obligations and attendant offences in section 34 of the Inspector-General of Intelligence and Security Act 1986. To enable its oversight functions, the Inspector-General suggested an amendment to the authorised disclosure provisions to bring it into alignment with the prevailing approach to equivalent provisions under other secrecy laws, including the official secrecy offences in Division 122 of the Criminal Code as enacted by the National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018.

Amendments introduced and passed

The Committee recommended that amendments be introduced to address this issue.263 Amendments introduced and passed on 6 December 2018 removed the evidential burden from IGIS officials in section 317ZF(5) and inserted new provisions in section 63AC into the TIA Act to enable:
a person to make use of, or make a record of, ASIO computer access intercept information if it is in connection with the performance of IGIS officials’ powers, functions or duties;
an IGIS official to make use of, make a record of, or tell another person about ASIO computer access intercept information if it is in connection with their powers, functions or duties; and
a person or IGIS official to make use of, make a record of, or tell another person about ASIO computer access intercept information in connection with their powers, functions or duties, even if that information was obtained by intercepting communications and the interception was for the purposes of doing a thing specified in an ASIO computer access warrant but the interception was not authorised by the ASIO computer access warrant.264
In evidence to the 2019 Act Review, the Inspector-General advised that Government amendments have ‘satisfactorily’ addressed her concerns.265

Immunity provisions

Scope of immunity, users’ rights and limitation of civil tort

The conferral of immunity for acts done in accordance with a TAR, TAN or a TCN is not subject to any express limitations or exclusions. Some stakeholders expressed concern about the indemnity provisions which may serve the interests of technology companies, but not those of their users.266
The Australian Human Rights Commission, for example, expressed concern that the immunities could detrimentally impact the rights of innocent third parties, including their ability to bring a civil action for loss, damage or injury caused by a provider.267 In such circumstances, the Commission was of the view that it is likely that a provider will opt for a more rights-intrusive option when a less restrictive measure might suffice.268 The Commission also noted that the immunity will remain even despite a notice being legally ineffective.269
The Commission recommended that:
immunities should not be available to acts that would be likely to cause significant loss or damage to third parties;
criminal immunity for voluntary conduct under TARs should not be available; and
any grant of civil or criminal immunity be reported to the relevant oversight body at time of issue.270
Professor Teague and Dr Culnane recommended amendments that would provide redress for ordinary users harmed by a data breach that directly or indirectly is the result of an industry assistance measure.271 Similarly, the Office of the Australian Information Commissioner recommended amendments to ensure that steps taken by a provider in response to a voluntary request or compulsory notice do not enable broader misuse, interference, loss or unauthorised access, modification or disclosure of personal information.272
Similar comments were made by the Inspector-General and Australian Information Security Association.273 For example, the Inspector-General noted that there is no specific requirement for the decision-maker to consider the potential impact on third parties who may be adversely affected by the conferral of civil immunity due to the loss of a right to a legal remedy for any loss, damage or injury caused by the providers’ actions in compliance or purported compliance with a notice.274

Extraterritorial application and limited availability of immunities in foreign jurisdictions

The Act provides a statutory defence for non-compliance where a provider proves that compliance would contravene a law of the foreign country (section 317ZB(5)). However, Apple expressed concern that despite the statutory defence, immunity provisions will be unavailable to actions done pursuant in Australia in foreign jurisdictions which may enliven liability in those foreign jurisdictions.275 Similar concerns were expressed by Senetas.276
The Law Council explained that this safe harbour provision is only available in relation to legal proceedings for imposition of a civil penalty order. That is, the safe harbour is only in respect of the imposition of a financial penalty for committing an offence, and is not a safe harbour from being found to have committed an offence. In the view of the Law Council, this creates potential reputational and financial risk and jeopardy for many organisations that are required to report as to their compliance with laws.277
The Council therefore recommended that the statutory defence should not only be in respect of imposition of a financial penalty, but also a defence in relation to the offence.278

Authorisation and decision-making

The authorisation requirements and statutory decision-making criteria for the provision of immunities were widely discussed in evidence to both the 2018 Bill Review and the 2019 Act Review. The Law Council expressed concern that the proposed sections conferring civil immunity on providers who comply with a voluntary request or compulsory notice are overly broad, and do not contain important safeguards on the operation of the conferral, such as exclusions or express limitations on the operation of the civil immunity.279
The Law Council noted three existing avenues for the conferral of immunity in civil and criminal matters, with more robust decision-making and reporting obligations to oversight bodies including the Australian Security Intelligence Organisation Act 1979, the Intelligence Services Act 2001 and the Australian Federal Police’s controlled operations scheme. Broadly, these schemes include:
limitations that enhance oversight of the scheme, such as reporting and notification requirements to oversight bodies and relevant ministers;
that civil and criminal immunities are only conferred with respect to acts done in proper performance of a function of the agency;
that the grant of either immunity or civil indemnification is limited for the purpose of obtaining evidence that may lead to the prosecution of a person for a serious offence;
that persons are only granted immunity or indemnification from liability if their conduct was likely to cause death, serious injury or result in the commission of a sexual offence.280
The Inspector-General provided similar evidence,281 commenting that overseeing the conferral of immunities will be complex. It welcomed Government amendments to the legislation which require decision makers who are deciding to issue a TAR, TAN and TCN to consider the impacts of the immunity on third parties whose rights to legal remedies against the provider may be extinguished.282 However, the Inspector-General was concerned that amendments only require decision makers to consider the impacts on third parties who are not of interest to agency operations. There is no requirement to consider the impact on individuals who are of interest.
The Inspector-General questioned whether it is appropriate to limit considerations in this way ‘especially given that persons who are of interest to an intelligence agency may ultimately be eliminated as an investigative target; or may be unknowingly or unwittingly involved in prejudicial activities (for example, as a conduit through which someone else is acting)’.283
The Law Council advocated for a range of safeguards to be introduced to ensure that the conferral of immunities under the provision of industry assistance is appropriate.284 Specifically, the Council recommended that the legislation be amended to provide:
limitations on the conferral of civil liability for providers who provide assistance so that civil immunity is not conferred if the conduct results in significant loss of, or damage to, property, economic loss or physical or mental harm or injury;
that the conferral of immunity in relation to TARs may only be provided by the Attorney-General;
that a notice with no legal effect (by virtue of breaching the systemic weakness or systemic vulnerability limitation) will not confer criminal immunity;
for the purpose of voluntary TARs, that criminal immunity is only conferred in relation to acts done in accordance with that request, and that the provision of civil indemnification285 (as opposed to criminal immunity) may be more appropriate for voluntary acts, and
mandatory annual reporting to the Parliament on the number of times the immunities are used, the kinds of assistance requested and provided, and the extent to which the immunity provision did not apply.286

Transparency

Transparency for public assurance

Stakeholders supported provisions in the Act which provide a measure of transparency, including those provisions which:
enable providers to publish statistics about the number of TARs, TANs or TCNs they have received in a six-month block;287
require the Minister for Home Affairs to include in their annual report a list of the TARs, TANs and TCNs issued by interception agencies and a list of the types of serious Australian offences that industry assistance has been used to enforce during the preceding year;288
require ASIO to detail in its classified annual report the number of TARs, TANs and TCNs given to the Director-General or the Attorney-General for approval;289 and
require the Inspector-General of Intelligence and Security to be notified when a TCN consultation request is issued and to be provided with a copy of any assessors report on the proposed TCN produced.290
However, a range of stakeholders called for greater transparency of the types of industry assistance that are being provided.291 It was argued that transparency is critical for promoting public trust in the agencies’ exercise of their proposed powers but also critical for retaining trust between consumers and the providers of the platforms, services and devices they use.292 These issues are addressed separately below.

Public reporting by agencies

It was argued by a number of stakeholders that public reporting should include:
the number of requests and notices considered, given, varied, revoked, expired and refused or challenged;
the durations of the requests and notices given;
the types of acts or things done by providers in compliance with a request or notice;
the number of requests that were refused and then compelled by way of a notice in the same or similar terms;
reasons given by a provider for not voluntarily providing the assistance;
a high-level description of the information or capability sought and the respective category of providers subject to the notice;
the number of arrests made as a consequence of assistance;
a breakdown of the types of notices issued and the types of offences for which they were connected (such as terrorism, child sex offences, organised crime etc);
the number of prosecutions for relevant offences commenced;
the expenditure of agencies in relation to requests and notices, and
whether or not information under an access warrant has been obtained and accessed by reason of exercise of industry assistance powers.293
The Australian Human Rights Commission also recommended mandatory public reporting by all agencies with powers, not just interception agencies, which would extend public reporting requirements to ASIO, ASD and ASIS.294
The Inspector-General noted that, while ASIO is subject to classified annual report requirements, these do not extend to the activities of ASD and ASIS.295 In the experience of the Inspector-General, reporting requirements about the exercise by intelligence agencies of intrusive and coercive powers significantly aid independent oversight. Reporting requirements are valuable as they mandate the consistent collection and maintenance of records, and the evaluation by the agency (and its Minister) of how each exercise of those powers assisted the agency to perform its functions. Reports also assist the Inspector-General to:
develop a comprehensive understanding of the way in which those powers are used;
identify and analyse trends or patterns, including with respect to systemic issues; and
compare the approaches of different agencies (where appropriate) including to identify best practice, or inconsistent practices not attributable to specific functions of individual agencies, or common compliance issues.
While the Inspector-General acknowledged that there may be security reasons against requiring public reporting by ASD and ASIS, it stated that it is unclear why those agencies could not at least be subject to classified reporting requirements to their Ministers and the Inspector-General in relation to their use of the scheme. The Inspector-General noted that this requirement could be introduced administratively, but that ‘it has not been advised of any commitment to do so’.296

Public disclosure by providers to consumers

Professor Teague and Dr Culnane submitted:
Ordinary users should have the opportunity to walk away based on their understanding of their risks, even if the corporation consents to the risks they are being asked to put their users’ data to. Public awareness of the extent or usage of surveillance tools is critical to allowing ordinary consumers to make appropriate risk-management decisions about the trust they place in technology.297
Both Cisco and Apple made strong recommendations to provide for the ability to publicly disclose any form of surveillance techniques which are implemented in consumers’ devices, platforms and services.298
The Committee concurred and recommended in its 2018 Report amendments that would allow a provider to request that the Attorney-General approve disclosure of a technical capability. The recommendation made clear that the Committee expected that the Attorney-General would agree to such a request except to the extent that doing so would prejudice an investigation or compromise national security. This would complement existing provisions in the then Bill that enable a provider to disclose publicly the fact that they were issued a technical capability notice.299
Amendments introduced and passed on 6 December 2018 in response to Committee recommendations partially addressed this issue.300 The Act enables providers to disclose information about TANs or TCNs (but not about TARs) to persons within their supply chain, or where otherwise relevant, with the written permission of the relevant Government body and subject to specified conditions.301
However, the amendments do not give effect to the element of the recommendation that would establish a presumption in favour of disclosure. In a submission to the 2019 Act Review, the Department of Home Affairs indicated that, ‘the expectation that the Attorney-General would agree to such a request, and the considerations which may go to a refusal (like a compromise to national security, or revealing operation capabilities), are being set out in the administrative guidance being jointly developed with industry and agencies’.302
The International Civil Liberties and Technology Coalition welcomed the amendments, but argued that they do not adequately narrow the broad non-disclosure requirements of the Act.303

Transparency for independent design scrutiny

A number of stakeholders also called for greater transparency of new capabilities developed under the industry assistance scheme to facilitate independent design scrutiny.304 Such scrutiny is critical to ensure unintended consequences are fully appreciated and that no systemic weaknesses or vulnerabilities have been inadvertently created.305
Mozilla commented that building new capabilities requires collaboration with a broad community. Capability-development that lacks independent design scrutiny risks making the product developed less secure.306
The MIT Internet Policy Research Initiative advised that such transparency could be achieved in a way that avoids operational risks to law enforcement or national security investigations.307
It is anticipated that some of these concerns will have been addressed by the Committee’s recommendation (and the subsequent amendments) discussed in the previous section regarding authorised public disclosure by providers for the benefit of consumer confidence.

Oversight of legality and propriety of administration of powers

A large number of stakeholders expressed the view that the Act lacks appropriate oversight of the administration of industry assistance measures once issued.308 It was submitted that, given the breadth of new powers, it is ‘critical that the law provide for robust oversight of authorising agencies to ensure accountability’.309 In the absence of stronger controls and oversight, the benefits provided to law enforcement and intelligence agencies appeared to some stakeholders to be considerably outweighed by the risks posed to the cybersecurity of the nation.310
The Uniting Church in Australia, whilst generally supportive of the proposed industry assistance measures,311 emphasised that broad powers must be matched by high levels of oversight and accountability to ensure that law enforcement and intelligence agencies do not misuse the powers entrusted to them.312
The Office of the Victorian Information Commissioner emphasised the need for sufficient oversight from an independent body with the expertise and resources to monitor the aggregate impact of the powers.313 Such oversight, it was argued, could increase public confidence that the cumulative purposes to which the notices were being issued were balanced with appropriate civil liberties and human rights considerations.314
Professor Joseph Cannataci, the United Nations’ Special Rapporteur on the right to privacy, noted that despite significant expansion in Australia’s national security laws in recent years, corresponding expansion in oversight is yet to be legislated.315
At the federal level, the Inspector-General oversees the actions of ASIO, ASD and ASIS in making and administering industry assistance measures.316 The Commonwealth Ombudsman oversees the actions of the Australian Federal Police, as well as the state and territory police, in making and administering industry assistance measures.

Amendments introduced and passed

Following Committee recommendations,317 amendments were introduced and passed on 6 December 2018 which provided for the inclusion of oversight provisions which:
require the Inspector-General of Intelligence and Security or the Commonwealth Ombudsman (depending on the issuing agency) to be notified within seven days of a TAR, TAN or a TCN being issued, varied or extended or revoked;
require the Inspector-General of Intelligence and Security or the Commonwealth Ombudsman (depending on the issuing agency) to be notified when the relevant agency decides it would be contrary to the public interest to apply the Act’s no profit, no loss provisions;318
empower the Commonwealth Ombudsman to inspect the records of an interception agency and report their findings to the agency Chief Officer and the Minister for Home Affairs; and
provide for the Commonwealth Ombudsman officials to receive and disclose information in connection with their oversight responsibilities.
The Department of Home Affairs asserted that these amendments will ensure that industry assistance measures are used ‘appropriately and as intended’ by strengthening ‘existing powers that authorise oversight bodies to examine the legality and propriety of the operation of the Act’.319
Whilst the Commonwealth Ombudsman welcomed these new oversight powers, it was concerned about a new section 317ZRB(7) which provides for the Minister for Home Affairs to delete information from Commonwealth Ombudsman reports if that information could be reasonably expected to:
prejudice an investigation or prosecution; or
compromise any interception agency’s operational activities or methodologies.
The Commonwealth Ombudsman noted that it already provides agencies with an opportunity to advise on whether a report contains operationally sensitive material. It suggested that the power to edit reports is ‘unnecessary’ and could impact the statutory independence of the Ombudsman’s office.320
The Inspector-General advised that for her oversight to be effective, it must be efficient, suggesting that record keeping and reporting by ASIO, ASD and ASIS will be critical.321 The Inspector-General also suggested that oversight of the exercise of the powers would be significantly assisted by a requirement for agencies to report periodically to the Inspector-General (and potentially their respective Ministers) on circumstances where:
a provider engaged in conduct in accordance, or purported accordance, with a voluntary request or a compulsory notice;
the provider’s conduct caused significant loss of, or serious damage to, property; or significant financial loss, or
the provider engaged in conduct in purported compliance with the request or notice that is excluded from the immunity. (For example, as a result of the limitations in section 317ZH in relation to a notice.)322
Such a requirement would, by extension, require ASIO, ASD and ASIS to take reasonable steps to obtain visibility of the acts and things done by providers in accordance with a request or notice, as applicable. In the view of the Inspector-General, this may be implemented by including conditions in requests or notices, or associated contracts. In any event, standards of propriety in relation to the making of requests or issuing of notices would require agencies to consider the likely impact of an immunity, and to have means to ensure that the conferral and application of that immunity remain proportional.
The Inspector-General further suggested that intelligence agencies be required to inform their Minister and the Inspector-General in relation to conduct that engages the civil and criminal immunity, where that conduct results in material loss, damage or harm to a third party, or material interference with or obstruction of the lawful use of a computer.323 It suggested that annual reporting of statistical information about these instances should be provided, on a classified basis if necessary.324
The Inspector-General also advised that oversight of the legality and propriety of decisions made by intelligence agencies, particularly with respect to the application of the systemic weakness limitation, will be challenging. Such oversight will require the Inspector-General to obtain, within existing resources, necessary access to independent technical expertise to inform such assessments and to critically analyse ASIO’s assessments and any information that may be provided by communications providers, and make an independent assessment.325
The Law Council recommended that additional resources for oversight bodies be made available.326 The Committee also made a recommendation to this effect. However, it is yet to be actioned.327

Exclusion of anti-corruption commissions from Schedule 1

In its 2018 Report, the Committee recommended that state and territory independent commissions against corruption be excluded from the scope of Schedule 1 of the Bill.328 For the record, it was the Committee’s intention to limit the scope of the then Bill to aid in expediting its passage in time for the Christmas and New Year break. The Government had advised the Committee that the passage of the legislation was necessary to safeguard national security throughout that period. Government amendments effected this recommendation during the Bill’s passage.
A number of anti-corruption commissions have since made submissions to the 2019 Act Review highly critical of these amendments. The Commissions noted their important role in identifying and investigating misconduct, maladministration and corruption in public administration and/or in law enforcement agencies.329 The Law Enforcement Conduct Commission suggested that, given the expansion of law enforcement powers provided by the Assistance and Access Act, a corresponding expansion of the powers of anti-corruption commissions is required to provide appropriate oversight and to prevent abuses of these powers.330 The Committee also heard that corruption is becoming more sophisticated331 and the use of encrypted communications is expanding. The Commissions argued that access to the industry assistance measures in Schedule 1 would better equip anti-corruption commissions to address these challenges.332
The Committee has since made statements in the House of Representatives to signal its bipartisan agreement that commissions against corruption should be re-instated in Schedule 1 of the amending Act.333

Statutory review and sunset periods

Noting the breadth of the powers provided to agencies, stakeholders proposed that the industry assistance measures be subject to a statutory review (in either two334 or three335 years).336 It was identified that such a review is an important public accountability and transparency measure.337
Stakeholders also suggested that the amendments be subject to a sunset period.338
The Committee also felt that further review of the Act is necessary. It recommended that the Independent National Security Legislation Monitor (INSLM) be required to review the Act within 18 months of its commencement. However, Government amendments updated the Independent National Security Legislation Monitor Act 2010 to require the INSLM to commence a review of the Act after it has been in force for 18 months.
The Committee has since made statements in the House of Representatives to signal its bipartisan agreement that this statutory review should be brought forward to accord with its original recommendation.339 Under the Independent National Security Legislation Monitor Act 2010, the Committee has the authority to refer matters to the INSLM for inquiry and report.340

International context and alignment

Global competitiveness

A large number of stakeholders advised that the legislation may present a ‘powerful disincentive’ for foreign investment in Australia,341 or that companies currently operating in Australia may cease to do so, both presenting a significant impact on Australia’s global competitiveness.342
For example, Senetas advised the Committee that the legislation will damage the reputation of Australian developers and manufacturers in international markets and will result in a loss of trust and confidence in Australian cybersecurity research and development, and cybersecurity products. Senetas further warned that this will result in a decline in the current value of exports in this category and the loss of jobs and technical expertise in this industry as companies will look to relocate from Australia.343
Senetas claimed that ‘Australian based providers of information technology products and services are now regularly fielding questions regarding the impact of the Act on their installed products and in the context of prospective sales engagements’. It also claimed that foreign based companies are ‘making use of the media and other material to improve their competitive position’.344
Since the passage of the Act, and in the 2019 Act Review, the Australian Information Industry Association also advised the Committee that some of its multinational members ‘have indicated that they are considering withdrawing from the Australian market due to existing contractual and legislative compliance obligations (such as the European Union’s General Data Protection Regulation) to customers overseas’.345
The Committee also heard from industry professionals who were concerned that the legislation would make them less hireable or jeopardise their employment, because it appears to enable individual employees to be served with a request or notice independently of their employer.346

Multijurisdictional challenges and the relationship with the CLOUD Act

Some stakeholders questioned whether industry assistance measures would be effective in achieving the desired outcome in the context of global supply chains and existing regulations operating in foreign jurisdictions.347 This international context is highlighted when considering the number of devices, platforms and services that operate in Australia but are based overseas, particularly in the United States.
For example, the Australian Industry Group stated it was unclear to what extent the Government has taken a holistic approach and adequately considered the practicality of creating domestic laws that may be ineffective, out of step and overreaching with other relevant jurisdictions. The Group recommended that Australia align its laws to work more effectively in concert with key foreign jurisdictions and leverage international standards and best practices from other jurisdictions.348
Digital Industry Group Inc (DIGI) advised that Australia’s access to the United States’ Clarifying Lawful Overseas Use of Data Act 2018 (the CLOUD Act) may be jeopardised as the legislation does not contain sufficient safeguards.349 DIGI is an industry group representing Facebook, Google, Instagram, Oath:, Periscope, RedBubble, Twitter, Yahoo and YouTube in Australia.
The CLOUD Act expands the obligations of technology companies operating in the United States to preserve and disclose the contents of electronic communications held by those companies. It also allows the United States’ government to enter into agreements with foreign governments to enable those foreign governments to directly request assistance from American technology companies. At the time of writing, the United Kingdom is the only country to progress negotiations with the United States for such an agreement, though these are yet to be finalised.
Ms Riana Pfefferkorn also advised that the Assistance and Access Act may hinder Australia’s access to the CLOUD Act. Ms Pfefferkorn provided a detailed submission to the 2018 Bill Review on the possible interaction between the two Acts, advising that:
the CLOUD Act imposes several prerequisites on any executive agreement that may be entered into between the United States and foreign governments, including that the qualifying country (Australia) must afford ‘robust substantive and procedural protections for privacy and civil liberties’ as well as data minimisation procedures;
any agreement entered into between Australia and the United States shall not create any obligation that providers decrypt data or otherwise prevent a provider from decrypting data;
Australia may issue a compulsory notice in accordance with its own domestic laws, but the CLOUD Act makes clear that providers and evidence in the United States will be required to follow American law;
the CLOUD Act requires a specific person, account, address or device be the object of the order, and as such, a compulsory notice would have to satisfy this requirement;
the CLOUD Act merely permits an American provider to disclose user data, but there is no guaranteed compliance;
American law prohibits—despite a CLOUD-Act agreement—voluntary interceptions or disclosures, rendering voluntary TARs potentially ineffective, and
an American provider may not be willing, and may even be unable, to comply with a compulsory notice as the range of ‘listed acts or things’ goes beyond what United States’ law requires of those providers.350
Ms Pfefferkorn advised that perhaps the greatest challenge presented by the legislation is that the CLOUD Act requires that an order issued by the foreign government (Australia) shall be subject to review or oversight by a court, judge, magistrate or other independent authority prior to, or in proceedings regarding, enforcement of the order.351 It is not clear whether the Assistance and Access Act would satisfy this threshold.

Schedule 2 – Computer access warrants

Schedule 2 of the Assistance and Access Act amended a number of separate acts to:
reform existing computer access warrants in the case of ASIO,
extend a similar warrant power to law enforcement agencies, and
establish an avenue for foreign governments and international courts and tribunals to make requests for assistance in accessing data via a computer access warrant.
The following sections discuss these powers separately, and include a synopsis of each power and possible matters for further consideration relevant to the respective powers.

ASIO warrants for computer access

Synopsis

The Assistance and Access Act amends ASIO’s existing powers for computer access under the Australian Security Intelligence Organisation Act 1979 (ASIO Act).
The ASIO Act provides three separate avenues for accessing data held on a computer:
a computer access warrant (issued by the Attorney-General on request from the Director-General of Security) under section 25A,
a foreign intelligence warrant (issued by the Attorney-General on advice from the Minister for Defence or the Minister for Foreign Affairs) under section 27A, and
an authorisation for computer access (approved by the Director-General of Security or the Attorney-General under the authority of a separately obtained identified person warrant issued by the Attorney-General), under sections 27C and 27E.

Existing provisions: Computer access warrants

On request from the Director-General of Security, the Attorney-General may issue a computer access warrant if satisfied there are reasonable grounds for believing that access by ASIO to data held in a computer352 (the target computer) will substantially assist the collection of intelligence in respect of a security matter. Prior to amendment, a computer access warrant may have authorised any of the following:
entering a premises for the purpose of obtaining data that is relevant to the security matter;
using the target computer, a telecommunications facility, any other electronic equipment or a data storage device to:
obtain access to data relevant to security that is held in the target computer at any time while the warrant is in force; and
add, copy, delete or alter other data (though this is limited and this action cannot materially interfere with, interrupt or obstruct a communication in transit, or the lawful use by third parties, unless it is necessary to do the things specified in the warrant);
copying any data that appears relevant to security;
anything reasonably necessary to conceal the fact that anything has been done under the warrant;
any other thing reasonably incidental to any of the above; and
the use of force that is necessary and reasonable to do the things specified in the warrant.353

Existing provisions: Foreign intelligence warrants

Foreign intelligence warrants are issued under section 27A of the ASIO Act, and permit ASIO to conduct intelligence collection (including computer access to obtain data) on behalf of Australia’s foreign intelligence community. On the request of the Director-General of Security, the Attorney-General may authorise a foreign intelligence warrant if satisfied, on advice from the Minister for Defence or the Minister for Foreign Affairs, that the collection is in the interests of Australia’s national security, foreign relations or national economic interests.354

Existing provisions: Authorised computer access under an identified person warrant

Identified person warrants are issued under section 27C of the ASIO Act, and conditionally permit ASIO to use multiple special powers against a person identified in the warrant. Issued by the Attorney-General,355 an identified person warrant does not itself permit ASIO to carry out the special powers that are specified in the warrant.
Rather, it provides conditional approval for ASIO to use special powers and a separate authorisation is required to exercise each individual special power (such as search of premises (section 27D) or computer access (section 27E)). In the case of computer access, an authorisation may permit the same types of activities lawfully done under a computer access warrant discussed above. These separate authorisations may be provided by the Attorney-General or the Director-General of Security.
The Assistance and Access Act does not amend the provisions relating to identified person warrants issued by the Attorney-General. Rather, the Act amended the provisions that establish the conditions for the authorisation of computer access under the identified person warrant, specifically, section 27E of the ASIO Act.

Amendments to warrants and authorisations introduced under Assistance and Access Act

The Assistance and Access Act made three key amendments to ASIO’s computer access powers:
authorising ASIO to undertake telecommunications interception for the purpose of doing any thing that is specified in the warrant, including but not limited to accessing relevant data held on, or from, a computer (which would otherwise require a separate telecommunications service warrant under sections 9 or 9A of the Telecommunications (Interception and Access) Act 1979);356
authorising ASIO to temporarily remove a computer or other thing from premises, for the purpose of doing any thing specified in the warrant;357 and
authorising ASIO to do things that conceal access to a computer, including for up to 28 days after the warrant ceases to be in force, or as soon as reasonably practicable after the 28-day period.358
The amending Act also reformed ASIO’s reporting requirements. Prior to the passage of the Assistance and Access Act, the Director-General of Security had obligations to report to the Attorney-General in respect of each warrant issued under ASIO’s special powers (including computer access warrants, foreign intelligence warrants, and identified person warrants), detailing the extent to which the action undertaken under the warrant has assisted ASIO in carrying out its functions. The amendments extended this reporting function to include the impact of concealment of access activities.359
Amendments introduced and passed on 6 December 2018 included:
requiring that if a computer is removed from a premises, the computer must be returned within a reasonable period, or, if returning would be prejudicial to security, when the return would no longer be prejudicial to security;360
requiring that activities to conceal access must not materially interfere with, interrupt or obstruct communications in transit or the lawful use of that computer by a third person, or cause any material loss or damage;361 and
provisions clarifying ASIO’s reporting obligations with respect to concealment of access activities authorised under warrant.362

Possible matters for further consideration

Threshold and scope matters

As noted above, the Assistance and Access Act has extended ASIO’s computer access warrant powers to include undertaking telecommunications interception that, prior to the passage of the amending Act, would have required a separate telecommunication access warrant under the Telecommunications (Interception and Access) Act 1979.
The threshold for a telecommunication access warrant is that the Attorney-General must be satisfied that the telecommunication service is being or is likely to be used for purposes ‘prejudicial to security’.363 For the same type of interception under an expanded computer access warrant, the Attorney-General need only be satisfied that access to data held in a computer will substantially assist the collection of intelligence that is ‘important in relation to security’.
The Committee received evidence during the 2018 Bill Review from stakeholders concerned by the lowering of the threshold for the same type of interception activity.364 These concerns remain and were echoed in evidence received by the Committee in the 2019 Act Review.365
Evidence received during both reviews also indicated stakeholder concerns regarding the scope of activities that may be authorised under ASIO’s extended computer access warrant. This concern extended to the following matters:
that any data may be obtained under a revised computer access warrant, and recommendations that further amendments be introduced to restrict the warrant to obtaining access to ‘relevant data’ only,366 and that the removal powers be similarly restricted,367 and
that ASIO may use force to execute a computer access warrant—representing a significant departure from equivalent warrant powers under the TIA Act—and recommendations to remove such activity from the conduct that may be authorised under the warrant.368

Reporting obligations and effective oversight

While amendments introduced and passed on 6 December 2018 addressed some of the IGIS concerns expressed in the 2018 Bill Review with respect to reporting requirements, not all suggestions designed to improve oversight arrangements were adopted. The IGIS advised the Committee in the subsequent 2019 Act Review that the warrant reporting requirements do not oblige ASIO to specifically identify whether a computer or other thing has been removed from premises in all instances. Rather, reporting will only be required under existing provisions, if ASIO has assessed the removal to have caused material interference with the lawful use of the computer.369
The absence of a reporting obligation on this matter will make it difficult for the IGIS to oversee the exercise by ASIO of the new temporary removal powers, and its decision-making about whether a temporary removal caused a material interference. Specifically, IGIS stated it will be ‘very difficult’ to determine whether a temporary removal caused material interference with the lawful use of a computer. The IGIS was of the view that this may lead to inconsistent interpretations, and therefore inconsistent reporting practices by ASIO.
The IGIS was of the view that standing inspection functions under the Inspector-General of Intelligence and Security Act 1986370 to obtain such information on a case-by-case basis would result in ‘significant inefficiency in oversight’.371 The IGIS clarified that ASIO warrant reports required under different provisions of the ASIO Act are used by that office as a basis for focussing inspection activities. In the absence of a reporting requirement, the IGIS would separately ask ASIO, for each and every computer access warrant, to provide information whether a computer or other thing was removed from those premises, so that IGIS could then examine those activities (including ASIO’s decision-making about whether each removal caused a material interference).372

Law enforcement agency warrants and orders for computer access

Synopsis

Schedule 2 amends the Surveillance Devices Act 2004 (SD Act) and provides two new powers for law enforcement agencies to obtain computer access:
undertaking certain activities authorised under a new computer access warrant regime; and
obtaining an assistance order to compel a person with knowledge of a computer or computer system to assist in accessing data held on that device or system.
Both are examined below.

Computer access warrants

Schedule 2 provides a new power for Commonwealth, state and territory law enforcement agencies investigating a federal offence punishable by a maximum of three years imprisonment or more to obtain covert computer access warrants under the Surveillance Devices Act 2004 (SD Act). These warrants are similar to the computer access warrants already available to ASIO, as amended by the Assistance and Access Act.373
The new warrant power is in addition to warrants for data surveillance devices, which enable the use of software to monitor inputs and outputs from certain devices.374
Like the existing surveillance devices regime, the amending Assistance and Access Act established the framework for law enforcement agencies to obtain computer access warrants for the following investigations and operations:
offence investigations,
recovery orders,
mutual assistance investigations,
integrity operations, and
control order access.
Table 3.1 sets out the relevant threshold that applies to the computer access warrant for the above listed investigations/operations.
Table 3.1: Thresholds for applying for computer access warrants under the Surveillance Devices Act
Purpose of warrant: Offence investigations
Threshold for application: Law enforcement officer375 suspects on reasonable grounds that:
(a) one or more relevant offences376 have been, are being, are about to be, or are likely to be, committed; and
(b) an investigation into those offences is being, will be, or is likely to be, conducted; and
(c) access to data held in a computer (the target computer) is necessary, in the course of that investigation, for the purpose of enabling evidence to be obtained of:
(i) the commission of those offences; or
(ii) the identity or location of the offenders.
Purpose of warrant: Recovery orders
Threshold for application: A law enforcement officer may apply for the issue of a computer access warrant if:
(a) a recovery order is in force; and
(b) the law enforcement officer suspects on reasonable grounds that access to data held in a computer may assist in the location and safe recovery of the child to whom the recovery order relates.
Purpose of warrant: Mutual assistance investigations
Threshold for application: A law enforcement officer may apply for the issue of a computer access warrant if the law enforcement officer:
(a) is authorised to do so under a mutual assistance authorisation; and
(b) suspects on reasonable grounds that access to data held in a computer is necessary, in the course of the investigation or investigative proceeding to which the authorisation relates, for the purpose of enabling evidence to be obtained of:
(i) the commission of the offence to which the authorisation relates; or
(ii) the identity or location of the persons suspected of committing the offence.
Purpose of warrant: Integrity operations
Threshold for application: A federal law enforcement officer may apply for the issue of a computer access warrant if:
(a) an integrity authority is in effect authorising an integrity operation in relation to an offence that it is suspected has been, is being or is likely to be committed by a staff member of a target agency; and
(b) the federal law enforcement officer suspects on reasonable grounds that access to data held in a computer will assist the conduct of the integrity operation by enabling evidence to be obtained relating to the integrity, location or identity of any staff member of the target agency.
Purpose of warrant: Control order access
Threshold for application: A law enforcement officer may apply for the issue of a computer access warrant if:
(a) a control order is in force in relation to a person; and
(b) the law enforcement officer suspects on reasonable grounds that access to data held in a computer (the target computer) to obtain information relating to the person would be likely to substantially assist in:
(i) protecting the public from a terrorist act; or
(ii) preventing the provision of support for, or the facilitation of, a terrorist act; or
(iii) preventing the provision of support for, or the facilitation of, the engagement in a hostile activity in a foreign country; or
(iv) determining whether the control order, or any succeeding control order, has been, or is being, complied with.
Source: Surveillance Devices Act, section 27A—(Assistance and Access Act, Schedule 2, Item 49).
A computer access warrant for one of the above listed purposes may only be issued by an eligible Judge or Administrative Appeals Tribunal member, who must be satisfied that:
in the case of an offence investigation—that there are reasonable grounds for the suspicion founding the application for the warrant;
in the case of a recovery order—that such an order is in force and that there are reasonable grounds for the suspicion founding the application for the warrant;
in the case of a mutual assistance authorisation—that such an authorisation is in force and that there are reasonable grounds for the suspicion founding the application for the warrant;
in the case of a warrant sought for the purposes of an integrity operation—that the integrity authority for the operation is in effect, and that there are reasonable grounds for the suspicions founding the application for the warrant, and
in the case of a control order access warrant—that a control order is in force in relation to a person, and that access to data held in the relevant target computer to obtain information relating to the person would be likely to substantially assist in:
protecting the public from a terrorist act, or
preventing the provision of support for, or the facilitation of, a terrorist act, or
preventing the provision of support for, or the facilitation of, the engagement in a hostile activity in a foreign country, or
determining whether the control order, or any succeeding control order, has been, or is being, complied with.377
The computer access warrant must specify the range of things that may be lawfully undertaken by law enforcement agencies, which may include:
entering specified premises;
entering any premises (third party premises) for the purposes of gaining entry to, or exiting, the specified premises;
adding, copying, deleting or altering other data in the target computer,
removing a computer or other thing from premises for the purposes of doing any thing specified in the warrant, and returning the computer or other thing to the premises;
intercepting a communication passing over a telecommunications system, if the interception is for the purposes of doing any thing specified in the warrant and if necessary to achieve that purpose—adding, copying, deleting or altering other data in the computer or the communication in transit;
if, having regard to other methods (if any) of obtaining access to the relevant data which are likely to be as effective, it is reasonable in all the circumstances to do so:
using any other computer or a communication in transit to access the relevant data, and
if necessary to achieve that purpose—adding, copying, deleting or altering other data in the computer or the communication in transit;
the use of any force that is necessary and reasonable to do the things specified in the warrant; and
activities to conceal the fact that a thing has been done under a computer access warrant.378
A computer access warrant cannot authorise the addition, deletion or alteration of data, or the doing of any thing, that is likely to:
materially interfere with, interrupt or obstruct a communication in transit, or the lawful use by other persons of a computer (unless such acts are necessary to do one or more of the things specified in the warrant), or
cause any other material loss or damage to other persons lawfully using a computer.379
A number of other provisions were also included in the Assistance and Access Act to establish:
emergency authorisation for access to data held on a target computer where:
there is a serious risk to persons or property,
urgent circumstances relating to a recovery order, and
risk of loss of evidence;380
extraterritorial access to data under a computer access warrant;381
information handling restrictions, including how information is to be handled in court proceedings;382
evidentiary certificates that set out facts relevant to computer access warrants are admissible in court proceedings as prima facie evidence of the matters stated in the certificate,383 and
reporting obligations to the Minister which must include, among other things, the name of any person whose data was accessed and the benefit to the investigation or operation (as applicable).384

Assistance orders

Separately to the computer access warrant framework, law enforcement agencies may access a computer through a compulsory assistance order.385 As amended by the Assistance and Access Act, the SD Act now provides that a law enforcement officer may apply to an eligible Judge or to a nominated AAT member for an assistance order in relation to the following investigations or operations:
offence investigations;
recovery orders;
mutual assistance investigations;
integrity operations;
control order access; and
emergency authorisations relating to risk of loss of evidence.
An assistance order may require a specified person to provide any information or assistance that is reasonable and necessary to allow the law enforcement officer to do one or more of the following:
access data held in a computer that is the subject of:
a computer access warrant, or
an emergency authorisation given in response to an application under subsections 28(1A), 29(1A) or 30(1A),
copy data held in the computer to a data storage device,
convert into documentary form or another form intelligible to a law enforcement officer:
data held in the computer, or
data held in a data storage device to which the data was copied.386
When issuing an assistance order, the Judge or AAT member must be satisfied that there are reasonable grounds for suspecting that access to data will assist in the investigation/operation identified in the warrant application, and that a specified person:
is the owner or lessee of the computer or device, or
is an employee of the owner or lessee of the computer or device, or
is a person engaged under a contract for services by the owner or lessee of the computer or device, or
is a person who uses or has used the computer or device, or
is a person who is or was a system administrator for the system including the computer or device, and
has relevant knowledge of:
the computer or device or a computer network of which the computer or device forms or formed a part, or
measures applied to protect data held in the computer or device.387
Failure to comply with an assistance order attracts a maximum imprisonment term of 10 years or 600 penalty units, or both.388

Amendments introduced and passed on 6 December 2018

With respect to the SD Act, additional amendments introduced and passed on 6 December 2018 included:
if a computer is removed from a premises, the computer must be returned within a reasonable period,389
that activities to conceal access must not represent a material interference with, interrupt or obstruct communications in transit or the lawful use of that computer by a third person, or cause any material loss or damage;390
clarification that the computer access warrant regime does not affect parliamentary powers, privileges and immunities;391
requirements to notify the Commonwealth Ombudsman in relation to concealment of access under a computer access warrant within 7 days of the relevant acts being undertaken,392 and clarifying the powers of the Ombudsman to inspect records,393 and
that the Commonwealth will be liable for loss or injury suffered by a person resulting from activities authorised under a computer access warrant under certain conditions.394

Possible matters for further consideration

Privacy impact on third parties

The Law Council remains concerned that the privacy rights of third parties under the International Covenant on Civil and Political Rights will be limited under the new computer access warrant powers in the SD Act. In the 2018 Bill Review, the Law Council recommended that the provisions be amended to minimise the impact on third party privacy rights by requiring the decision-maker (an eligible Judge or AAT member) to have regard to the rights of third parties.395 These concerns and this recommendation were repeated in the Council’s evidence in the 2019 Act Review.396

Threshold and scope matters

The Law Council remains concerned that the threshold offences for obtaining a new computer access warrant to undertake telecommunications interception in the SD Act are lower than the relevant offences required under the TIA Act. Under the TIA Act, a law enforcement agency may only obtain a telecommunications access warrant for the investigation of ‘serious offences’, which are defined as offences punishable by imprisonment for at least seven years.397 The Law Council noted that the amendments to the SD Act have effectively lowered that threshold to offences carrying a 3 year imprisonment term.398 The Council made similar observations with respect to telecommunications interception where there is a control order in force in relation to another person.399
Consequently, the Law Council recommended further consideration of amendments that would apply the same thresholds to a computer access warrant that authorised telecommunications interception as currently required under the TIA Act.400
Evidence received during both reviews also indicated stakeholder concerns regarding the scope of activities that may be authorised under a new computer access warrant. These matters are broadly similar to those concerns noted above with respect to ASIO’s revised computer access warrants, and extend to the following matters:
that any data may be obtained under a revised computer access warrant, and recommendations that further amendments be introduced to restrict the warrant to obtaining access to ‘relevant data’ only,401 and that the removal powers be similarly restricted,402 and
that law enforcement agencies may use force to execute a computer access warrant—representing a significant departure from equivalent warrant powers under the TIA Act—and recommendations to remove such activity from the conduct that may be authorised under the warrant.403

Assistance orders

Stakeholders in both reviews submitted concerns regarding the assistance order regime in the SD Act. Broadly, this included:
ambiguity in the term ‘specified person’, and whether these compulsive powers would only extend to natural persons or bodies corporate,404
disproportionate penalties in comparison to the penalties that apply for ‘serious offences’ elsewhere that impose 2 year penalties as opposed to the 10 year penalty for failure to comply with an assistance order,405 and
the privilege against self-incrimination and the use of information obtained under the assistance provisions.406

Amendments to assist foreign governments and international courts and tribunals

Synopsis

The Assistance and Access Act amends the Mutual Assistance in Criminal Matters Act 1987 to allow requests by foreign governments for assistance in relation to data held in computers.407 The amendments allow the Attorney-General to authorise an eligible law enforcement officer to apply for a computer access warrant under section 27A of the SD Act (see below) where the Attorney-General is satisfied that:
a criminal investigation involving an offence against the law of a foreign country (that is punishable by a maximum penalty of imprisonment for three years or more, imprisonment for life or the death penalty) has commenced in the requesting country, and
the requesting country requests the Attorney-General to arrange for access to data held in a target computer, and
the requesting country has given appropriate undertakings in relation to:
ensuring that data obtained as a result of access under the warrant will only be used for the purpose for which it is communicated to the requesting country, and
the destruction of a document or other thing containing data obtained as a result of access under the warrant, and
any other matter the Attorney-General considers appropriate.408
This mechanism is also available for requests from the International Criminal Court and the International War Crimes Tribunal for assistance in relation to data held on computers. The provisions establish the same decision-making criteria (as described above) for the Attorney-General when considering a request from either court or tribunal.409
There were no relevant amendments made to these provisions on 6 December 2018 when the then Bill was passed.

Possible matters for further consideration

During the 2018 Bill Review, the Law Council expressed concern regarding the breadth of the Attorney-General’s discretion to assist a foreign government requesting assistance through a computer access warrant, commenting that the discretion may create a risk, despite good intentions, that Australian assistance prior to arrest or detention may lead to the imposition of the death penalty.410 This concern was echoed in evidence by the Law Council in the 2019 Act Review.411
On a separate matter, the Uniting Church of Australia, Synod of Victoria and Tasmania, expressed concern in the 2018 Bill Review that some foreign jurisdictions may impose a criminal penalty lower than the three year threshold despite the fact that a comparable offence in Australia carries a three year imprisonment term. The Church proposed amendments that would allow information to be provided to the foreign government where the offence in question could carry a penalty of three years in prison or more, in either the foreign jurisdiction or under Australian law.412

Schedules 3 and 4—Search warrants issued under the Crimes Act 1914 and the Customs Act 1901

Synopsis of Schedule 3

Schedule 3 of the Assistance and Access Act amended the search warrant framework under the Crimes Act 1914 (the Crimes Act) to ‘enhance the ability of criminal law enforcement agencies to collect evidence from electronic devices under warrant’.413
Prior to the passage of the Assistance and Access Act, section 3E of the Crimes Act provided that a warrant may be issued authorising police to search either a premises or a person for the purpose of obtaining evidential material relevant to a specified offence.414 Such a warrant may be issued by either a magistrate, or a ‘justice of the peace or other person employed in a court of a State or Territory who is authorised to issue search warrants’.
The amending Assistance and Access Act expanded the types of actions that may be authorised by a search warrant to include:
using electronic equipment to access ‘relevant data’ that is held in a computer or data storage device found in the course of a search, in order to determine whether the data is evidential material of a kind specified in the warrant, and
using electronic equipment to access relevant ‘account-based data’ in relation to a person (living or deceased) who is (or was) an owner, lessee or user of a computer found in the course of a search.415
Combined, the activities that may be authorised under an expanded search warrant are broader than those detailed in Schedule 2, or contained in the Australian Security Intelligence Organisation Act 1979. However, in contrast to those powers, the Schedule 3 search warrant powers are intended to be used overtly.
Schedule 3 also authorises police to add, copy, delete or alter other data, if necessary to obtain access to the relevant data or account-based data. If it is reasonable in all the circumstances, having regard to other methods of obtaining access, police may also use any other computer or communication in transit to access the relevant data or account-based data (i.e. remote access).416
Under the amended provisions, a search warrant could not authorise police to do anything that is likely to materially interfere with, interrupt or obstruct a communication in transit or the lawful use of a computer (unless it is necessary to execute the warrant), or to cause any other material loss or damage.417
Further, the Schedule extended the time in which a computer or data storage device may be taken to another place for analysis from 14 to 30 days,418 and increased the maximum penalty from 2 years to up to 10 years for non-compliance with an assistance order requiring a person to assist police with accessing data.419

Amendments introduced and passed

Amendments introduced and passed on 6 December 2018 amended Schedule 3 to assert the primacy of parliamentary privileges and immunities (new section 3SA).
There were no other amendments made to Schedule 3.

Synopsis of Schedule 4

Schedule 4 of the Assistance and Access Act amended the search warrant framework under the Customs Act 1901 (the Customs Act) to ‘enhance the ability of the Australian Border Force (ABF) to collect evidence from electronic devices under warrant in person or remotely’.420
Prior to the passage of the Assistance and Access Act, section 198 of the Customs Act provided that a judicial officer may issue a warrant authorising Australian Border Force (ABF) officers to search a premises for evidential material in relation to a specified offence.421 A ‘judicial officer’ may be either a magistrate, or a ‘justice of the peace or other person employed in a court of a [s]tate or [t]erritory who is authorised to issue search warrants’.422
The amending Assistance and Access Act expanded the types of actions that may be authorised by a warrant to include using electronic equipment to access ‘relevant data’ that is held in a computer or data storage device found in the course of a search, in order to determine whether the data is evidential material of a kind specified in the warrant.423
Similarly to search warrants under the Crimes Act (Schedule 3 above), ABF officers may now be authorised under warrant to add, copy, delete or alter other data, if necessary to obtain access to the relevant data or account-based data. If it is reasonable in all the circumstances, having regard to other methods of obtaining access, officers may use any other computer or communication in transit to access the relevant data or account-based data (i.e. remote access).424
Under the amended provisions, a search warrant could not authorise officers to do anything that is likely to materially interfere with, interrupt or obstruct a communication in transit or the lawful use of a computer (unless it is necessary to execute the warrant), or to cause any other material loss or damage.425
Schedule 3 also provided ABF officers with a new power to request a search warrant in relation to a person, in order to search for a computer or data storage device and access ‘relevant data’ that is held in a computer or data storage device.426
The Assistance and Access Act also extended the time in which a computer or data storage device may be taken to another place for analysis from 72 hours to 30 days,427 and increased the maximum penalty from 6 months to up to 10 years imprisonment for non-compliance with an assistance order requiring a person to assist the ABF with accessing data.428

Amendments introduced and passed

Amendments introduced and passed on 6 December 2018 amended Schedule 4 to assert the primacy of parliamentary privileges and immunities (new section 202B).
There were no other amendments made to Schedule 4.

Possible matters for further consideration

Search warrants are not subject to external oversight

Whilst the expanded search warrant powers are issued by an independent authority (predominantly judicial officers), the acts authorised by that warrant are not subject to oversight.
The Commonwealth Ombudsman has standing authority to investigate once a complaint is lodged, but no ‘own motion’ inspection or reporting power with respect to Schedules 3 and 4.

Assistance orders and the privilege against self-incrimination

Both schedules amended the existing assistance order provisions that would require a person to assist law enforcement agencies with accessing data. As noted above, the Assistance and Access Act extended the penalties for non-compliance with an assistance order from 6 months imprisonment (under the Customs Act) and 2 years under the Crimes Act, to up to 10 years imprisonment under both Acts.
Several stakeholders in the 2018 Bill Review discussed assistance orders under both Schedules 3 and 4, including:
how the orders would apply to persons who are unable to provide the required assistance, and
the interaction of the provisions with the privilege against self-incrimination.429
The AHRC, for example, considered that the explanations put forward by the Government ‘do not sufficiently justify such a substantial increase in penalties’.430 These matters overlap significantly with the proposals for similar assistance orders found in Schedule 2 (discussed above) and Schedule 5 (discussed below).

Impact on privacy and other human rights

Several stakeholders in the 2018 Bill Review identified the potential impact on privacy and other human rights and questioned whether the measures were reasonable and proportionate to the challenge sought to be addressed.431 It was recommended that search warrants issued under Schedules 3 and 4 should only authorise access to third party computers or communications where the issuing authority is satisfied that access is necessary in all the circumstances, having regard to:
other methods of obtaining access to the data which are as likely to be as effective, and
the human rights of the third party, including their right to privacy.432

Availability of the ‘material interference’ safeguard and definition of key terms

As noted above, a search warrant authorised under Schedule 3 or 4 cannot authorise the doing of anything that is likely to materially interfere with, interrupt or obstruct a communication in transit or the lawful use of a computer (unless it is necessary to execute the warrant), or to cause any other material loss or damage.433
However, stakeholders considered that the effectiveness of the safeguard is limited in light of the exception—‘unless it is necessary to do one or more things specified in the warrant’.434 It was also noted that the terms ‘material loss’ and ‘damage’ are not defined,435 though the Department of Home Affairs submitted that defining the terms would ‘unnecessarily narrow their application’.436 In the absence of definitions, the terms will take their ordinary meaning.

Extension of time period of removal of a device

The extension of the time period for the removal of a device for up to 30 days was also discussed in evidence to the 2018 Bill Review. Stakeholders commented that it would be undesirable if the extension of time simply meant that an electronic device was held in custody, but not actively used because the law enforcement agency knows it has an extended period of time.437 It was identified that a law enforcement agency who has obtained a search warrant under Schedule 3 or 4 should make all reasonable endeavours to examine the device in the shortest possible time.438

Notification of the person subject to the search warrant

Unlike the ‘covert’ computer access warrant powers provided for in Schedule 2 to the Act, the search warrant powers amended by Schedules 3 and 4 are considered ‘overt’.439 The expanded search warrant powers could only be considered ‘overt’ where the person the subject of the warrant was made aware of its issue and execution.
A copy of the search warrants obtained under Schedule 3 and 4 must be provided to the person the subject of the warrant if they are present. Noting that a search warrant would enable a device to be searched remotely—and therefore, potentially, without the need for a physical presence of officers at the premises—it is possible that a person might never be made aware of the execution of a search warrant. A similar circumstance might occur if a person was not at the premises where the warrant is executed by officers physically present.

Schedule 5 – ASIO device access and immunities

Schedule 5 of the Assistance and Access Act amends the Australian Security Intelligence Organisation Act 1979 (ASIO Act) to insert two new powers:
provision of voluntary assistance (accompanied by a grant of civil immunity), and
compulsory provision of assistance to ASIO.
These new provisions and possible matters for further consideration are detailed below.

Voluntary assistance and civil immunity

Synopsis

The amendments enacted seek to encourage voluntary cooperation with ASIO in relation to the performance of its functions by offering immunity from civil liability to a person that voluntarily provides assistance to ASIO in accordance with a request made by the Director-General of Security, or in an unsolicited manner.
New section 21A of the ASIO Act provides that a person is not subject to any civil liability for conduct engaged in at the request of the Director-General of Security, or a delegated senior position-holder, as long as the conduct:
is likely to assist ASIO in the performance of its functions, to the satisfaction of the Director-General or his or her delegate, on reasonable grounds, by way of certificate;440
does not involve the person committing an offence against a law of the Commonwealth, or a State or Territory, and
does not result in significant loss of or serious damage to, property.441
These powers are significantly similar to those contained in Schedule 1 of the amending Assistance and Access Act (referred to hereafter as the ‘industry assistance measures’), though are substantially broader as they are not limited to communications providers nor operate under the same decision-making criteria and oversight. For clarity, assistance provided under Schedule 5 is only able to be requested by ASIO (whereas industry assistance measures are available to ASIO, ASD, ASIS and designated interception agencies).
Amendments introduced and passed on 6 December 2018 include:
a request must be made in writing unless the Director-General is satisfied that:
the request should be made as a matter of urgency; or
making the request in writing would be prejudicial to security; or
making the request in writing would be prejudicial to ASIO’s operational security,442 and
the Director-General must inform the Inspector-General of Intelligence and Security within 7 days of making a request.

Possible matters for further consideration

The following matters were identified by stakeholders in the 2018 Bill Review as possible matters for further consideration, and were confirmed in submissions to the 2019 Act Review as ongoing matters (see footnotes). These matters were not addressed in the amendments introduced and passed on 6 December 2018.

Scope and limits of the grant of civil immunity

These new provisions represent a departure from the existing process for granting a statutory immunity for assisting ASIO. Further, the grant of a civil immunity has the effect of depriving third parties of a right of civil action. These two factors prompted stakeholders, including the IGIS, the AHRC and the Law Council, to recommend in the Committee’s 2018 Bill Review further consideration of the following:
that a grant of civil immunity under new section 21A should only be made by the Attorney-General, in line with other pre-existing processes for the grant of civil immunity for participants in a special intelligence operation;443
amendments requiring the decision-maker to consider proportionality and reasonableness of not only the request for voluntary assistance, but also the provision of civil immunity (and the impact on third parties),444 and
greater clarity in the types of conduct that would be covered by the immunity (recommending that conduct that results in ‘pure economic loss’ and ‘harm or mental injury’ be excluded from the immunity).445

Interaction with other powers available to ASIO

Stakeholders also sought clarification of the interaction between the provisions contained in Schedule 5 with ASIO’s other powers. For example, the IGIS, the AHRC and the Law Council identified the following as possible matters for further consideration:
the amending Assistance and Access Act does not expressly exclude conduct that would require ASIO to obtain a warrant (or another form of authorisation) if it were to undertake the conduct itself. Absent a clear and express exclusion, section 21A could provide a mechanism through which ASIO could effectively bypass standard practice to obtain warrants and authorisations for certain activities, and may allow ASIO to request a person to engage in conduct that ASIO would otherwise require a warrant to undertake,446 and
further amendments that would provide clarity on the provision of civil immunity for industry assistance under Schedule 1 of the amending Assistance and Access Act and the provision of civil immunity under Schedule 5 of the same Act. The civil immunity provisions in Schedule 5 are broader than their counterpart in Schedule 1 and the decision-maker is not required to consider reasonableness, proportionality and the impact on third parties.447

Transparency, accountability and oversight matters

Although the provisions establish a legal avenue for voluntary assistance to be provided and are therefore not compulsive powers, the impact on third parties prompted stakeholders to identify a range of matters to improve the transparency, accountability and oversight of ASIO’s use of voluntary assistance requests. This included further amendments to provide for:
a maximum statutory period for assistance requests and accompanying grants of civil immunity;448
greater clarity in the authorisation of one-off requests and/or standing requests for assistance,449 or the express exclusion of standing requests;450
specified grounds on which such requests may be varied or must be revoked,451 and
improved periodic reporting requirements to Parliament, including information related to:
the number of times requests have been issued over the reporting period, and
the type of assistance requested and provided, and
any instances that are known to ASIO (if any) in which a person, requested to assist ASIO, engaged in conduct falling outside the scope of immunity, and if so,
the quantum of any incurred loss (if known), or an estimated quantum.452

Compulsory assistance orders

Synopsis

New section 34AAA empowers the Attorney-General, at the request of the Director-General of Security, to issue a compulsory assistance order requiring a ‘specified person’ to provide any information or assistance that is ‘reasonable and necessary’ to allow ASIO to access data held in, or accessible from, a computer or data storage device that is the subject of, or is found, removed or seized, under a separate ASIO warrant.453
The penalty for non-compliance with such an order is five years imprisonment, or 300 penalty units ($63,000), or both.454
This power is broadly similar to the assistance orders available under Schedules 2, 3, and 4 of the amending Assistance and Access Act.
The decision-making criteria that would be applied by the Attorney-General depend on the type of warrant or authorisation that ASIO seeks to give effect to. The amending Act distinguishes between foreign intelligence warrants and any other warrants or authorisations under the ASIO Act.
To issue an order that gives effect to a foreign intelligence warrant, the Attorney-General must be satisfied on reasonable grounds that:
ASIO’s access to the relevant data will be for the purpose of obtaining foreign intelligence relating to a matter specified in the warrant, and
the collection of foreign intelligence is in the interests of Australia’s national security, foreign relations or national economic well-being.455
To issue an order that gives effect to warrants or authorisations other than a foreign intelligence warrant, the Attorney-General must be satisfied, on reasonable grounds, that the relevant access will substantially assist the collection of intelligence in respect of a matter that is important in relation to security.456
Irrespective of the type of warrant or authorisation that ASIO seeks to give effect to in a compulsory assistance order, the amending Act establishes additional decision-making criteria. The Attorney-General must be satisfied, on reasonable grounds, that the specified person is:
reasonably suspected of being involved in activities that are prejudicial to security, or
the owner or lessee of the computer or device, or
an employee of the owner or lessee of the computer or device, or
a person engaged under a contract for services by the owner or lessee of the computer or device, or
a person who uses or has used the computer or device, or
a person who is or was a system administrator for the system including the computer or device, and
the specified person has relevant knowledge of:
the computer or device or a computer network of which the computer or device forms or formed a part, or
the measures applied to protect data held in the computer or device.457
Amendments introduced and passed on 6 December 2018 include:
that the Director-General of Security may request a compulsory assistance order orally or in writing to the Attorney-General, though if requested orally, the Director-General must make a written record of the request within 48 hours;458
that a request must be accompanied by a statement setting out the particulars and outcomes of all previous requests;459
that if the Director-General is satisfied that the grounds on which a compulsory assistance order was made have ceased to exist, the Director-General must inform the Attorney-General, and if the Attorney-General concurs, the Attorney-General must revoke the order,460 and
ASIO must provide a written report to the Attorney-General on the extent to which the action taken under the warrant has assisted ASIO in carrying out its functions, and the total number of requests and orders made must be included in ASIO’s annual report to the Minister.461

Possible matters for further consideration

The following matters were identified by stakeholders in the 2018 Bill Review as possible matters for further consideration, and were confirmed in submissions to the 2019 Act Review as ongoing matters (see footnotes). These matters were not addressed in the amendments introduced and passed on 6 December 2018.

Clarity, scope and limits of compulsory powers

Noting the significant criminal penalty for failing to comply with an assistance order, stakeholders identified the following as possible matters for further consideration:
the term ‘specified person’ may lack clarity, and it is ambiguous as to whether the term extends only to a natural person or bodies corporate;462
that the enacted provisions do not require there to be a nexus between the prejudicial activities in which a specified person is involved and the security matter in respect of which the relevant warrant is issued;463
that compulsory assistance orders (which, as enacted, may be issued to a person who is reasonably suspected of ‘being involved in’ activities prejudicial to security) be limited to persons ‘knowingly or intentionally involved in’ activities prejudicial to security, as the current threshold is ‘very low’;464 and
that the procedural requirements applied when a computer or data storage device is not on a premises in relation to which a warrant is in force (including a specified time period, the place at which a person must provide the information or assistance, and other relevant conditions) should apply irrespective of the physical location of a computer or storage device that is accessed.465

Interaction with other powers available to ASIO

Stakeholders also sought clarification of the interaction between the provisions contained in Schedule 5 with ASIO’s other powers. For example, the IGIS and the Law Council identified the following as possible matters for further consideration:
that additional amendments be introduced to clarify the interaction with ASIO’s compulsory questioning and detention powers;466 and
that additional amendments be introduced to clarify the use of a technical assistance notice issued by ASIO under Schedule 1 of the Assistance and Access Act (industry assistance measures) as opposed to ASIO’s specific powers to request a compulsory assistance order.467
The IGIS and the Law Council recommended consideration of statutory safeguards to protect against the oppressive use of multiple coercive powers by ASIO.468 In a submission to the 2018 Bill Review, the IGIS suggested amendments that would require ASIO to provide the Attorney-General with information when requesting a compulsory assistance order, including information about previous orders and requests for orders in relation to that same person. Amendments introduced and passed on 6 December 2018 included provisions to this effect.469

Potential for arbitrary detention

While a person the subject of an assistance order may not be physically restrained, the new powers may, in effect, prevent that person from leaving a location prior to the completion of the designated assistance task, under pain of criminal penalty. This was considered as creating the potential to authorise detention by non-judicial officers. This prompted a number of stakeholders to suggest that the safeguards that are required under ASIO’s questioning warrants or questioning and detention warrants should be applied to an assistance order issued by the Attorney-General.470
The risk that a compulsory assistance order may result in arbitrary detention was discussed by a number of stakeholders, with the AHRC making a detailed recommendation in the 2018 Bill Review for amendments to include:
a maximum time limit on the period during which assistance must be provided;
a right to contact a family member and a lawyer;
an obligation on officers to explain the nature of the assistance order and what it requires;
an obligation on officers to explain how to make a complaint to the IGIS or to challenge the making of the assistance order in court;
a right to an interpreter, if necessary;
an obligation to treat the specified person humanely and with respect for their human dignity; and
sufficient safeguards to protect the interests of children in respect of whom an assistance order may be issued (for example: age limits, notification of parents or guardians, and suspension of any obligations until a parent or guardian is present).471

Privilege against self-incrimination

The AHRC and the Law Council echoed concerns regarding the privilege against self-incrimination, as discussed earlier in relation to the provisions contained in Schedules 2, 3 and 5 of the amending Assistance and Access Act.472

  • 1
    Australian Computer Society Inc, 2018 Bill Review Submission 1, p. 1; Mr Craig Marchant, 2018 Bill Review Submission 26, p. 1; Mr Joe Zucco, 2018 Bill Review Submission 28, p. 1; Cybersecurity Coalition, 2018 Bill Review Submission 34, p. 1; Information Technology Professionals Association, 2018 Bill Review Submission 37, p. 1; Internet Australia, 2018 Bill Review Submission 38, p. 1; Australian Information Security Association, 2018 Bill Review Submission 40, p. 2; Optus, 2018 Bill Review Submission 41, p. 2; Communications Alliance, Australian Industry Group, Australian Information Industry Association, Australian Mobile Telecommunications Association, 2018 Bill Review Submission 43, p. 3; Telstra, 2018 Bill Review Submission 44, p. 4; Mozilla, 2018 Bill Review Submission 46, p. 1; Australian Communication Consumer Action Network, 2018 Bill Review Submission 49, p. 3; Law Council of Australia, 2018 Bill Review Submission 76, p. 6; Digital Industry Group, 2018 Bill Review Submission 78, p. 2; Mr Charling Li, 2019 Act Review Submission 45, p. 2.
  • 2
    The Assistance and Access Act amends the following legislation: Telecommunications Act 1997, Telecommunications (Interception and Access) Act 1979, Surveillance Devices Act 2004, Crimes Act 1914, Mutual Assistance in Criminal Matters Act 1987, Australian Security Intelligence Organisation Act 1979.
  • 3
    Assistance and Access Act, Explanatory Memorandum, p. 2, para. 1.
  • 4
    Assistance and Access Act, Explanatory Memorandum, p. 4, para. 12.
  • 5
    Assistance and Access Act, Explanatory Memorandum, p. 5, para. 15.
  • 6
    Assistance and Access Act, Explanatory Memorandum, p. 6, paras 22-23.
  • 7
    Australian Computer Society Inc, 2018 Bill Review Submission 1, p. 2; Mr Paul Wilkins, 2018 Bill Review Submission 2, p. 1; Mr Paul Wilkins, 2018 Bill Review Submission 2.1, p. 1; Australian Industry Group, 2018 Bill Review Submission 3, p. 1; Mr John Reisner, 2018 Bill Review Submission 4, p. 1; Mr Michael Miller, 2018 Bill Review Submission 5, p. 1; Mr Kristofer Eager, 2018 Bill Review Submission 6, p. 1; Mr Vincent Scollo, 2018 Bill Review Submission 7, p. 1; Mr Jack Coughlin, 2018 Bill Review Submission 8, p. 1; Ms Lisa Burgess, 2018 Bill Review Submission 9, p. 1; Mr Ian Platten, 2018 Bill Review Submission 10, p. 1; Ms Tanya Cumpston, 2018 Bill Review Submission 11, p. 1; Name Withheld, 2018 Bill Review Submission 12, p. 1; Kaspersky Lab, 2018 Bill Review Submission 13, p. 1; Name Withheld, 2018 Bill Review Submission 14, p. 1; Mrs Jan Pukallus, 2018 Bill Review Submission 15, p. 1; Mr Glenn Petrie, 2018 Bill Review Submission 17, p. 1; Ms Celina Truelove, 2018 Bill Review Submission 19, p. 1; Global Digital Foundation, 2018 Bill Review Submission 21, p. 1; Mr Nicholas Robinson, 2018 Bill Review Submission 22, p. 1; Internet Architecture Board, 2018 Bill Review Submission 23, p. 1; Mr Peter Pronczak, 2018 Bill Review Submission 25, p. 1; Mr Joe Zucco, 2018 Bill Review Submission 28, p. 1; Dushan Karovic-Wynne, 2018 Bill Review Submission 30, p. 1; FastMail Pty Ltd, 2018 Bill Review Submission 31, p. 1; MIT Internet Policy Research Initiative, 2018 Bill Review Submission 32, p. 1; MIT Internet Policy Research Initiative, 2018 Bill Review Submission 32.1, p. 1; Access Now, 2018 Bill Review Submission 33, p. 1; Access Now, 2018 Bill Review Submission 33.1, p. 1; Cybersecurity Coalition, 2018 Bill Review Submission 34, p. 1; Riana Pfefferkorn, 2018 Bill Review Submission 35, p. 1; Riana Pfefferkorn, 2018 Bill Review Submission 35.1, p.1; Information Technology Professionals Association, 2018 Bill Review Submission 37, p. 
1; Internet Australia, 2018 Bill Review Submission 38, p. 1; Australian Information Industry Association, 2018 Bill Review Submission 39, p. 1; Australian Information Security Association, 2018 Bill Review Submission 40, p. 1; Optus, 2018 Bill Review Submission 41, p. 1; Cisco, 2018 Bill Review Submission 43, p. 1; Communications Alliance, Ai Group, Australian Information Industry Association, and Australian Mobile Telecommunications Association (joint 2018 Bill Review Submission), 2018 Bill Review Submission 43, p. 1; Telstra, 2018 Bill Review Submission 44, p. 1; Office of the Victorian Information Commissioner, 2018 Bill Review Submission 45, p. 1; Mozilla, 2018 Bill Review Submission 46, p. 1; Australian Human Rights Commission, 2018 Bill Review Submission 47, p. 1; BSA | The Software Alliance, 2018 Bill Review Submission 48, p. 1; Australian Communications Consumer Action Network, 2018 Bill Review Submission 49, p. 1; Mr Eric Wilson, 2018 Bill Review Submission 50, p. 1; Ms Sandra Neal, 2018 Bill Review Submission 51, p. 1; Apple Inc, 2018 Bill Review Submission 53, p. 1; Future Wise, 2018 Bill Review Submission 54, p. 1; Civil Society, 2018 Bill Review Submission 55, p. 1; Mr Benjamin Smith, 2018 Bill Review Submission 56, p. 1; Mr Nic Bressan, 2018 Bill Review Submission 58, p. 1; Mr Chris Higgins, 2018 Bill Review Submission 59, p. 1; LaunchVic, 2018 Bill Review Submission 62, p. 1; Joint councils for civil liberties, 2018 Bill Review Submission 63, p. 1; Office of the Australian Information Commissioner, 2018 Bill Review Submission 65, p. 1; Dr Zoltan Somogyi, 2018 Bill Review Submission 66, p. 1; Mr Jerry Gubecka, 2018 Bill Review Submission 67, p. 1; Name Withheld, 2018 Bill Review Submission 68, p. 1; Name Withheld, 2018 Bill Review Submission 69, p. 1; Name Withheld, 2018 Bill Review Submission 70, p. 1; Name Withheld, 2018 Bill Review Submission 71, p. 1; Name Withheld, 2018 Bill Review Submission 72, p. 
1; Name Withheld, 2018 Bill Review Submission 73, p. 1; Name Withheld, 2018 Bill Review Submission 74, p. 1; Law Council of Australia, 2018 Bill Review Submission 76, p. 1; Mr Mark McDougall, 2018 Bill Review Submission 77, p. 1; Digital Industry Group Inc (DIGI), 2018 Bill Review Submission 78, p. 1; Media Entertainment and Arts Alliance (MEAA), 2018 Bill Review Submission 79, p. 1; Mr Paul Templeton, 2018 Bill Review Submission 80, p. 1; Professor Joseph Cannataci, United Nations’ Special Rapporteur on the right to privacy, 2018 Bill Review Submission 81, p. 1; Senetas, 2018 Bill Review Submission 85, p. 1.
  • 8
    For example: Pirate Party, 2019 Act Review Submission 31, p. 2; Mr Peter Young, 2019 Act Review Submission 34, p. 1; BSA|The Software Alliance, 2019 Act Review Submission 36, pp. 1-2; StartupAUS, 2019 Act Review Submission 37, p. 1; Senetas, 2019 Act Review Submission 38, p. 1; Withheld, 2019 Act Review Submission 42, p. 1; Riana Pfefferkorn, 2019 Act Review Submission 44, p. 1; Paul Templeton, 2019 Act Review Submission 46, p. 1; Assoc. Prof Boztas, Dr Clarke, Dr Hall, Prof Horadam and Prof Rao, 2019 Act Review Submission 47, pp. 1-2; International Civil Liberties and Technology Coalition, 2019 Act Review Submission 50, p. 1; Access Now, 2019 Act Review Submission 53, pp. 1-2; Australian Civil Society Coalition, 2019 Act Review Submission 55, p. 2; Dr Les Kitchen, 2019 Act Review Submission 59, p. 1; Ruby Australia, 2019 Act review Submission 60, p. 1.
  • 9
    Australian Computer Society Inc, 2018 Bill Review Submission 1, p. 2; Australian Industry Group, 2018 Bill Review Submission 3, p. 1; Associate Professor Vanessa Teague and Dr Chris Culnane, 2018 Bill Review Submission 16, p. 1, 2; Coalition of Civil Society Organisations and Technology Companies and Trade Associations, 2018 Bill Review Submission 29, p. 1; MIT Internet Policy Research Initiative, 2018 Bill Review Submission 32, p. 1; Access Now, 2018 Bill Review Submission 33, p. 1; Cybersecurity Coalition, 2018 Bill Review Submission 34, p. 1; Australian Information Security Association, 2018 Bill Review Submission 40, p. 2; Cisco, 2018 Bill Review Submission 42, p. 2; Office of the Victorian Information Commissioner, 2018 Bill Review Submission 45, p. 2; Mozilla, 2018 Bill Review Submission 46, pp. 1-2; Apple Inc, 2018 Bill Review Submission 53, p. 1; Digital Industry Group Inc (DIGI), 2018 Bill Review Submission 78, p. 3; Professor Joseph Cannataci, United Nations’ Special Rapporteur on the right to privacy, 2018 Bill Review Submission 81, p. 5; Senetas, 2018 Bill Review Submission 85, pp. 1-5.
  • 10
    Global Digital Foundation, 2018 Bill Review Submission 21, p. 1; Apple Inc, 2018 Bill Review Submission 53, p. 2; Kosmas Stergiou, 2019 Act Review Submission 35, pp.1-2.
  • 11
    Associate Professor Vanessa Teague and Dr Chris Culnane, 2018 Bill Review Submission 16, p. 2; Global Digital Foundation, 2018 Bill Review Submission 21, pp. 1-2; Cisco, 2018 Bill Review Submission 42, pp. 3-4; Communications Alliance, Australian Industry Group, Australian Information Industry Association, Australian Mobile Telecommunications Association, 2018 Bill Review Submission 43, p. 3; Apple Inc, 2018 Bill Review Submission 53, p. 2; Mr Peter Young, 2019 Act Review Submission 34, p. 1; Mr Charling Li, 2019 Act Review Submission 24, p. 5.
  • 12
    Associate Professor Vanessa Teague and Dr Chris Culnane, 2018 Bill Review Submission 16, p. 6; Communications Alliance, Australian Industry Group, Australian Information Industry Association, Australian Mobile Telecommunications Association, 2018 Bill Review Submission 43, p. 3; Digital Industry Group Inc (DIGI), 2018 Bill Review Submission 78, p. 2.
  • 13
    Coalition of Civil Society Organisations and Technology Companies and Trade Associations, 2018 Bill Review Submission 29, p. 1; see also, Mr Nic Bresnan, 2018 Bill Review Submission 58, p. 1.
  • 14
    Australian Computer Society Inc, 2018 Bill Review Submission 1, p. 2, 5; Australian Industry Group, 2018 Bill Review Submission 3, p. 1; Global Digital Foundation, 2018 Bill Review Submission 21, p. 2; Mr Scott McIntyre, 2018 Bill Review Submission 24, p. 2; Australian Information Security Association, 2018 Bill Review Submission 40, p. 3; Communications Alliance, Australian Industry Group, Australian Information Industry Association, Australian Mobile Telecommunications Association, 2018 Bill Review Submission 43, p. 3; Mr Nic Bresnan, 2018 Bill Review Submission 58, p. 1; Senetas, 2019 Act Review Submission 38, p. 4.
  • 15
    Kaspersky Lab, 2018 Bill Review Submission 13, p. 1, 3; Cisco, 2018 Bill Review Submission 42, p. 3.
  • 16
    Global Digital Foundation, 2018 Bill Review Submission 21, p. 2.
  • 17
    Internet Architecture Board, 2018 Bill Review Submission 23, p. 2; Mr Joe Zucco, 2018 Bill Review Submission 28, p. 3; Coalition of Civil Society Organisations and Technology Companies and Trade Associations, 2018 Bill Review Submission 29, p. 3; Access Now, 2018 Bill Review Submission 33, p. 11; Mozilla, 2018 Bill Review Submission 46, p. 4; Senetas, 2018 Bill Review Submission 85, p. 3.
  • 18
    Senetas, 2018 Bill Review Submission 85, p. 3; see also Australian Signals Directorate, Essential Eight Explained, March 2018, <https://acsc.gov.au/publications/protect/essential-eight-explained.htm> last accessed 25 November 2018.
  • 19
    Mozilla, 2018 Bill Review Submission 46, p. 4.
  • 20
    Department of Home Affairs, 2018 Bill Review Submission 18, p. 6.
  • 21
    Department of Home Affairs, 2019 Act Review Submission 16, p. 10.
  • 22
    Mr Paul Wilkins, 2018 Bill Review Submission 2.1, p. 6; Mr Michael Miller, 2018 Bill Review Submission 5, p. 1; Mr Kristofer Eager, 2018 Bill Review Submission 6, p. 1; Mr Vincent Scollo, 2018 Bill Review Submission 7, p. 1; Mr Jack Coughlin, 2018 Bill Review Submission 8, p. 1; Ms Lisa Burgess, 2018 Bill Review Submission 9, p. 1; Name Withheld, 2018 Bill Review Submission 12, p. 1; Associate Professor Vanessa Teague and Dr Chris Culnane, 2018 Bill Review Submission 16, p. 9; Mr Glenn Petrie, 2018 Bill Review Submission 17, p. 1; Ms Celina Truelove, 2018 Bill Review Submission 19, p. 1; Global Digital Foundation, 2018 Bill Review Submission 21, p. 1; Mr Peter Pronczak, 2018 Bill Review Submission 25, p. 1; Mr Joe Zucco, 2018 Bill Review Submission 28, p. 1; Coalition of Civil Society Organisations and Technology Companies and Trade Associations, 2018 Bill Review Submission 29, p. 2; Dushan Karovic-Wynne, 2018 Bill Review Submission 30, p. 1; Australian Information Security Association, 2018 Bill Review Submission 40, p. 4; Optus, 2018 Bill Review Submission 41, p. 2; Australian Human Rights Commission, 2018 Bill Review Submission 47, pp. 20-21; Australian Communication Consumer Action Network, 2018 Bill Review Submission 49, p. 4; Ms Sandra Neal, 2018 Bill Review Submission 51, p. 1; Office of the Australian Information Commissioner, 2018 Bill Review Submission 65, p. 2; Name Withheld, 2018 Bill Review Submission 68, p. 1; Name Withheld, 2018 Bill Review Submission 69, pp. 1-2; Name Withheld, 2018 Bill Review Submission 72, p. 1; Australian Human Rights Commission, 2019 Act Review Submission 56, p. 2; Name Withheld, 2019 Act Review Submission 6, p. 4; International Civil Liberties and Technology Coalition, 2019 Act Review Submission 50, p. 7.
  • 23
    Australian Human Rights Commission, 2018 Bill Review Submission 47, pp. 20-21.
  • 24
    Australian Human Rights Commission, 2018 Bill Review Submission 47, p. 4.
  • 25
    Australian Human Rights Commission, 2018 Bill Review Submission 47, p. 10.
  • 26
    Australian Computer Society Inc, 2018 Bill Review Submission 1, p. 5; Mr Paul Wilkins, 2018 Bill Review Submission 2.1, p. 6; Ms Jan Pukallas, 2018 Bill Review Submission 15, p. 1; Associate Professor Vanessa Teague and Dr Chris Culnane, 2018 Bill Review Submission 16, p. 9; Mr Peter Pronczak, 2018 Bill Review Submission 25, p. 1; Mr Joe Zucco, 2018 Bill Review Submission 28, p. 1; Coalition of Civil Society Organisations and Technology Companies and Trade Associations, 2018 Bill Review Submission 29, p. 1; Access Now, 2018 Bill Review Submission 33, p. 7; Name Withheld, 2018 Bill Review Submission 68, p. 1; Name Withheld, 2018 Bill Review Submission 70, p. 1; Name Withheld, 2018 Bill Review Submission 72, p. 1; International Civil Liberties and Technology Coalition, 2019 Act Review Submission 50, p. 7.
  • 27
    Australian Human Rights Commission, 2018 Bill Review Submission 47, p. 11; Office of the Australian Information Commissioner, 2018 Bill Review Submission 65, p. 2.
  • 28
    Australian Human Rights Commission, 2018 Bill Review Submission 47, p. 14.
  • 29
    For example: Australian Computer Society Inc, 2018 Bill Review Submission 1, p. 5; Associate Professor Vanessa Teague and Dr Chris Culnane, 2018 Bill Review Submission 16, pp. 9-10.
  • 30
    Coalition of Civil Society Organisations and Technology Companies and Trade Associations, 2018 Bill Review Submission 29, pp. 1-2; Access Now, 2018 Bill Review Submission 33, p. 7; Australian Human Rights Commission, 2018 Bill Review Submission 47, p. 7.
  • 31
    Australian Computer Society Inc, 2018 Bill Review Submission 1, p. 2; Mr Paul Wilkins, 2018 Bill Review Submission 2.1, p. 3; Australian Industry Group, 2018 Bill Review Submission 3, p. 2; Name Withheld, 2018 Bill Review Submission 14, p. 1; Coalition of Civil Society Organisations and Technology Companies and Trade Associations, 2018 Bill Review Submission 29, p. 2, 7; Access Now, 2018 Bill Review Submission 33, p. 15; Internet Australia, 2018 Bill Review Submission 38, p. 11; Australian Information Industry Association, 2018 Bill Review Submission 39, p. 4; Cisco, 2018 Bill Review Submission 42, p. 8; Communications Alliance, Australian Industry Group, Australian Information Industry Association, Australian Mobile Telecommunications Association, 2018 Bill Review Submission 43, p. 14; Mozilla, 2018 Bill Review Submission 46, p. 4; BSA | The Software Allian