Review of the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021

Mr Jake Blight

Independent National Security Legislation Monitor

3-5 National Cct

BARTON ACT 2600

 

Dear Mr Blight,

 

By Email: INSLM@inslm.gov.au

 

RE: Review of the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021

 

We refer to the Issues Paper on Data disruption, network activity and account takeover warrants in the Crimes Act 1914 and Surveillance Devices Act 2004 released on 7 November 2024 (“the Issues Paper”) and we appreciate the opportunity to provide submissions in response to the same.

 

This submission is made on behalf of the Queensland Council for Civil Liberties (“the QCCL”) and it is supported by the Australian Privacy Foundation. The QCCL is a not-for-profit organisation that promotes civil liberties and receives queries from members of the public regarding their civil liberties and individual rights.

 

Background to this Submission

 

We have previously made submissions in response to the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 (Cth) (“the Bill”) and in relation to the Reform of Australia’s electronic surveillance framework discussion paper (“the Electronic Surveillance Framework”) which are relevant to the Issues Paper. It has been our view that the powers introduced by the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 (Cth) (“the SLAID Act”) are disproportionate to the reasonable expectations of the Australian community and that these powers should not exist in the absence (and with the check and balance of) an enforceable and functional human rights framework.

 

We consider that it is useful to recount the position that was taken in response to the Electronic Surveillance Framework where we stated that:

 

At the outset, national security is fundamentally important to Australia. We recognise the importance of ensuring security of Australians’ and their freedoms. The rationale for (indeed the very existence of) national security comes from the importance of ensuring that freedoms are protected. We are concerned to ensure that the ‘forest isn’t lost for the trees’ in this reform process and that the guiding and predominant principle in this reform is that our national security framework serves to protect the freedoms that ought to be enjoyed by all Australians.

 

We maintain this position in response to the Issues Paper and consider that it is important to highlight that the SLAID Act was introduced in the course of a rapid development of Australia’s surveillance powers[1]. We have written extensively on the rapid expansion of legislated power and, relevant to the Issues Paper, we consider that it is useful to recount the view taken on the powers contained in the SLAID Act and repeat that:

 

One of the main criticisms concerning the ID Bill is the low threshold for the seriousness of offences, with a maximum penalty of three or more years’ imprisonment[2]. This is not consistent with the rationale supporting the introduction of the powers. According to the Explanatory Memorandum, the ID Bill ‘addresses gaps in the legislative framework to better enable the AFP and the ACIC to collect intelligence, conduct investigations, disrupt and prosecute the most serious of crimes, including child abuse and exploitation, terrorism, the sale of illicit drugs, human trafficking, identity theft and fraud, assassinations, and the distribution of weapons’[3]. The low threshold, combined with the definition of an electronically linked group of individuals, means that the warrants can be used to target relatively minor criminal activities, as well as people acting in the public interest such as journalists and whistleblowers. Indeed, the AFP raided journalist Annika Smethurst’s home for reporting on the introduction of these powers.[4]

It should also be noted that these powers may not relate only to surveillance and disruption of the online activities of Australian citizens. As they are an attempt to uncover ‘dark’ networks that operate through identity and geolocation concealing technologies such as Virtual Private Networks and Tor, when these powers will be exercised the physical location of the target computer and suspect will not be known by Australian law enforcement.[5] Therefore, these powers extend the reach of Australian law enforcement (the AFP and the ACIC) outside of the sovereign jurisdiction of Australia.

On 6 August 2021, the PJCIS released its advisory report on the ID Bill which recommended that the Bill pass subject to thirty-three (33) recommendations. These recommendations included that the Home Affairs portfolio include an unclassified submission that expressly addresses the necessity and proportionality of national security powers; increased reporting obligations; increased privacy-focused considerations prior to issuing of warrants; and a revised definition of ‘serious offence’, with the threshold increased to an indictable offence of a minimum period of seven years’ imprisonment[6].”[7]

 

As the Monitor would likely appreciate, the concern about the SLAID Act permeated the Bill and the subsequent advisory report by the Parliamentary Joint Committee on Intelligence and Security (“the PJCIS”) released on 6 August 2021.

 

In our submission, these concerns have not been adequately addressed by the Government and the background to the introduction of the SLAID Act paints a concerning picture that ought to colour this review.

 

Overarching Concern with the SLAID Act

 

Our overarching concern about allowing the SLAID Act to continue is simple - Australia’s lack of an enforceable human rights framework places its citizens in a particularly bleak position with respect to the potential for misuse of the powers provided in the SLAID Act.

 

As Lord David Anderson recently stated in the Denning Society Lecture, the issue we highlight arises because:

 

“… human rights have had a significant impact: not in preventing the use of valuable capabilities or powers, but in ensuring that their use is appropriately safeguarded. That impact is constitutional in nature. By requiring the State and its agencies to account to Parliament and to the courts, human rights law has ended the tradition of total executive control and transformed the national security landscape”.[8]   

 

Lord Anderson continued to endorse the role of human rights in national security stating that “does not need to be a starry-eyed human rights campaigner to approve both the Belmarsh[9] [relating to arbitrary indefinite detention] and the stop and search rulings[10] [relating to insufficiently circumscribed search powers without adequate legal safeguards]: they each brought practical benefits to those entrusted with defending our national security”.[11]

 

Ultimately, in relation to the United Kingdom’s continued adherence to the European Human Rights Convention, Lord Anderson stated:

 

A democratic Parliament expresses the will of the majority – but electoral majorities under our system may be drawn from a small proportion of the population. As Lord Sumption has himself pointed out, we saw during the Covid pandemic how easy it was for the government to control almost every aspect of our public and private lives by regulations which could not even be debated before they were brought into force. Due regard for minority rights depends on government being composed, in Peter Hennessy’s phrase, of “good chaps”: not a reliable assumption in all possible futures (citations omitted).[12]

 

We do not offer an opinion on whether or not the Australian government (or previous Governments) are “good chaps”; however, we share the concern that Government’s bona fides are an insufficient safeguard.

 

As the Issues Paper identifies, “at the time these ‘world-leading and novel’ powers were introduced they were described as being necessary to combat cyber-enabled serious and organised crime, including child abuse and exploitation, terrorism, the sale of illicit drugs, human trafficking, identity theft and fraud, assassinations, and the distribution of weapons[13]. In significant part, the novel aspect of the powers in the SLAID Act are novel because they effectively authorised the State to hack with minimal oversight and in a manner which inherently would be conducted in the dark.

 

In our submission, these powers should cease at sunset because they remain disproportionate to human rights protections in Australia, their (limited) use does not justify their continued existence and ultimately, they are better repealed to be the subject of the outcome to the Electronic Surveillance Framework.

 

If this general submission on the proportionality of the SLAID Act is not accepted, we respectfully note that, to the extent that these powers were introduced as a tool to combat heinous crimes, the powers provided to authorised agencies have not been used to the extent that would justify their ongoing existence.

 

It follows that our position is that the SLAID Act should sunset and cease on 4 September 2026.

 

Specific Responses to the Issues Paper

 

More specifically, we respect the work of the Issues Paper and commend a careful review of how Australia’s surveillance powers have so rapidly reached notorious status of “world-leading and novel”; however, we are concerned to ensure that a useful outcome to the Issues Paper avoids shuffling around the deck chairs on the Titanic until the Electronic Surveillance Bill is released.

 

For these general submissions, we consider that the SLAID Act should cease with the recommendation that the powers it provides not be reintroduced in the Electronic Surveillance Framework until Australia has introduced an enforceable human rights framework.

 

We appreciate that the Issues Paper is structured in a coherent and clear manner, and we make the following specific responses to the Issues Paper.

 

Use of the powers and their effectiveness at addressing current threats (Chapters 2-3) 

 

What specific contribution has the use of SLAID powers made to responding to cyber dependent and cyber-enabled crimes? [3.4.1] 

 

We are not appropriately placed to comment on the specific contribution that the SLAID Act has had to responding to cyber dependent and cyber-related crimes; however, we note that:

 

  1. the AFP has had a total of:

 

    1. three (3) DDWs issued;

    2. four (4) NAWs issued; and

    3. eleven (11) ATWs issued.

 

  1. the ACIC has had a total of:

 

    1. nil (0) DDWs issued;

    2. three (3) NAWs issued; and

    3. nil (0) ATWs issued.

 

In total the statistics provided in the Issues Paper demonstrates that one (1) arrest has resulted from the SLAID powers. In our view, this cannot justify the necessity of these powers and we are left only with the assertions made by agencies (and recited at Para 3.10 of the Issues Paper) that these powers are useful. Indeed, to the extent that power appears to be necessary (and we challenge the proportionality separately in this regard), what appeared to be used in Operation Ironside is powers that predate the SLAID Act.

 

Given its intelligence focus, does ACIC need data disruption and account takeover warrants or should data disruption and account takeover operations be led by AFP? [3.23.1] 

 

We do not consider that ACIC requires data disruption and account takeover warrants. We respectfully draw attention to the inspection conducted in relation to the Report to the Attorney-General on agencies’ compliance with the Surveillance Devices Act 2004 (Cth) where it was found on inspection that:

“We identified that the ACIC did not have a declaration instrument in place for certain executive officers to be 'endorsing officers' for data disruption warrants. Although the ACIC is yet to obtain a data disruption warrant, having a declaration in place will prevent the ACIC from being delayed should a need to use the powers arise in the future.[14]

 

As ACIC is “seeking to be Australia’s national criminal intelligence agency”, it follows that they should not have access to DDWs or ATWs as these powers (should they continue, which we reject) do not align with the function of an intelligence agency.

 

Have issues arisen in practice that significantly affect the effectiveness of SLAID powers for the purpose that they were intended? [3.29.1]

 

We cannot respond to this question as the issues in practice are unknown save as to where they are raised in the Issues Paper. However, we respectfully draw the Monitor’s attention to the opinions expressed in both the Electronic Surveillance Framework and the Report of the Comprehensive Review of the Legal Framework of the National Intelligence Community[15] which strongly suggest that the SLAID Act forms a part of a “overly complex legal framework governing surveillance in Australia and recommends the need to overhaul the legislative framework by repealing all existing surveillance laws and enacting a consolidated Electronic Communications Surveillance Act[16].

 

Respectfully, it appears clear that there are issues with the practical effectiveness of SLAID powers and the responsible response is to sunset those powers.

 

Who should issue the warrants and whether the current issuing arrangements to support independent issuing of warrants are appropriate (Chapter 4)

 

Who should issue SLAID warrants? (this is a broad question and should take account of practical issues as well as legal ones) [4.47.1] 

Our position has been, and remains, that the powers under the SLAID Act should only be authorised by a superior Court (being a Justice of the Federal Court of Australia or a Supreme Court of a State or Territory).

 

What, if any, independent technical advice should be available to issuing authorities? [4.47.2] 

 

In the course of applying for a warrant under the SLAID Act, the agencies ought to discharge a burden that, in being reasonable and proportionate, the effectuation of the warrant is technically viable and does not adversely impact the reasonable expectations, including the privacy of, potentially affected individuals. It is not unusual for independent expert opinion evidence to be adduced to assist the Court in determining technical matters and we consider that this ought to occur in relation to the use of SLAID powers.

 

Should there be some sort of public interest monitor (PIM) available to review applications and assist independent issuing authorities? [4.47.3] 

 

We reaffirm the position taken in response to the Bill in that a public interest monitor system be implemented more generally for law enforcement warrants.

 

Would it support the work of issuing authorities (or PIMs) to be provided with information about how SLAID powers are used in practice and the outcomes of thematic reviews or inspections by oversight bodies? [4.47.4]

 

We consider that greater transparency and oversight is required generally in relation to the SLAID Act and it would be beneficial to have further information about how SLAID powers are used in practice and the outcomes of thematic reviews or inspections by oversight bodies.

 

Whether the criteria for issuing warrants and authorisations is appropriate, including which offences the warrants should be available for and the breadth of terms such as ‘criminal network of individuals’ and ‘computer’ (Chapter 5) 

 

What, if any, changes should be made to key definitions including ‘relevant offence’, ‘criminal network of individuals’ and ‘computer’? [5.21.1] 

 

In the first instance, we consider that the key definition of ‘relevant offence’ should be referable to the specific and heinous crimes that the SLAID Act was introduced to combat. If this is not accepted, we agree with the finding by the PJCIS in its Report released on 6 August 2021 that the threshold should be elevated to a serious offence punishable by a maximum of seven (7) years or more. We also remain sceptical about the threshold requirement of "reasonable suspicion" to engage the operation of the SLAID Act. As the Monitor would appreciate, the concept of "reasonable suspicion" has received judicial attention[17] and it is, in our submission, important to ensure that a high enough threshold exists so as to ensure that warrants issued are only in circumstances where cogent evidence is available.

 

As regards to ‘‘criminal network of individuals’ and ‘computer’, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) also made significant amendments to the Australian Security Intelligence Organisation Act 1979 and the Surveillance Devices Act 2004 (SD Act), including the incorporation of computer access warrants. It also significantly widened the definition of ‘computer’ at s6(1) of the SD Act to encompass: ‘... all or part of ... one or more computers ... or computer systems ... or computer networks; or any combination of the above’. The effect of the amendment of the definition of ‘computer’ is the potential conferral of power on law enforcement to obtain warrants for the entire internet as a network of computer systems and networks. It follows that this definition has potentially extraterritorial effects. We consider that the definition of ‘computer’ requires narrowing as a recommendation in this review.

 

Do the current issuing criteria provide sufficient safeguards or are changes required? In particular, are additional protections required for LPP and similar privileges, journalists and the risk of a cyber operation introducing potential systemic vulnerabilities [5.35.1] 

 

We do not accept that the current issuing criteria provides sufficient safeguards. We repeat the recommendation we made in response to the Bill that “the decision making criteria for the issue of any of the Warrants or an Assistance Order explicitly include consideration of the potential impact on the human rights of the subject and any other, directly or indirectly, affected person(s)[18].

 

Are the approving officers and the criteria for (internal) granting and (external) approval of emergency authorisations appropriate? [5.38.1] 

 

We decline to respond to this question.

 

Are the provisions relating to assistance orders appropriate or are additional safeguards and/or specificity required? [5.40.1]

 

We do not accept that the current issuing criteria provides sufficient safeguards. We repeat the recommendation we made in response to the Bill that “the decision making criteria for the issue of any of the Warrants or an Assistance Order explicitly include consideration of the potential impact on the human rights of the subject and any other, directly or indirectly, affected person(s)[19].

 

Regulation of the life cycle of data obtained from the warrants (including how it is used, disclosed and destroyed) (Chapter 6) 

 

Should there be an express requirement that the retention, analysis, use or disclosure of information obtained under warrants be necessary and proportionate? [6.16.1] 

 

Yes.

 

Are the current disclosure and secondary disclosure provisions appropriate? [6.16.2] 

 

No.

 

Should there be specific statutory safeguards in relation to disclosures to foreign entities? [6.16.3] 

We decline to respond to this question.

 

Are additional statutory protections required for special categories of data? [6.16.4]

 

We decline to respond to this question.

 

Oversight arrangements (Chapter 7) 

 

Is the division of functions between the IGIS and Ombudsman in relation to SLAID powers an efficient and effective way for inspection and other oversight safeguards to operate? [7.11.1]

 

No. We repeat submissions made in relation to oversight above.

 

Does each oversight agency have sufficient powers and functions? In particular, should the Ombudsman have a broader oversight mandate to assess the ‘propriety’ of activities connected to SLAID powers? [7.11.2] 

 

No. We repeat submissions made in relation to oversight above.

 

Do the information sharing provisions for Ombudsman and IGIS support the level of information sharing and cooperation likely to be required? [7.11.3]

 

We decline to respond to this question.

 

Public and ministerial reporting, record keeping and notification requirements (Chapter 8) 

 

Are the current requirements about reporting to Ministers appropriate? [8.7.1] 

 

No. We repeat submissions made in relation to oversight above.

 

Are the current public reporting requirements about SLAID powers appropriate? [8.8.1] 

 

No. We repeat submissions made in relation to oversight above.

 

Are the current record keeping obligations and requirements about notifying IGIS and Ombudsman of certain matters effective for facilitating oversight? [8.11.1]

 

No. We repeat submissions made in relation to oversight above

 

Whether the legislative framework is consistent with international obligations (Chapter 9)

 

Are there other measures not addressed elsewhere which are required in order to ensure that Australia complies with its international human rights and other obligations? [9.16.1]

 

We consider that there is a significant issue of extraterritorial application of law enforcement powers, and authorising law enforcement activities outside of their lawful jurisdiction to do so – this cannot be addressed because by the nature of the exercise of these powers (noting this is picked up in the hypothetical scenarios) agencies are attempting to identify unknown locations – but it doesn’t mean it should be ignored.

Without a clear transnational regulatory structure supporting transnational government hacking operations in cases where the physical location of the target computer and suspect is not known, the SLAID Act should not continue to facilitate extraterritorial overreach.

We trust that these submissions are of assistance.

 

Please do not hesitate to contact the writer should you wish to discuss these submissions.

 

We look forward to public hearings following these submissions and to your Report.

                                                                         

Angus Murray                                                                                    Dr Monique Mann

Vice-President,                                                                                  Vice-Chair and Chair,

Queensland Council for Civil Liberties                                              Surveillance Committee

                                                                                                           Australian Privacy Foundation

 

 


[1] Mann, Monique; Murray, Angus, "Striking a balance: Legislative expansions for electronic communications surveillance" [2021] PrecedentAULA 58; (2021) 166 Precedent 44.

[2] See submission by Queensland Council for Civil Liberties, Liberty Victoria, Electronic Frontiers Australia and the Australian Privacy Foundation to the Parliamentary Joint Committee on Intelligence and Security review of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (Submission 4, 2020) <https://privacy.org.au/wp-content/uploads/2021/02/110221_Submission-to-PJCIS-Identify-Disrupt-Bill.pdf>.

[3] Explanatory Memorandum to the Bill.

[4] See A Remeikis, ‘Police raid on Annika Smethurst shows surveillance expose hit a nerve’, The Guardian (5 June 2019) <https://www.theguardian.com/australia-news/2019/jun/05/police-raid-on-annika-smethurst-shows-surveillance-expose-hit-a-nerve>.

[5] See also I Warren, M Mann and A Molnar, ‘Lawful illegality: Authorising extraterritorial police surveillance’, Surveillance and Society, Vol. 18, No. 3, 2020, 357–69.

[6] Parliament of Australia, Advisory report on the Surveillance Legislation Amendment (Identify and Disrupt Bill 2020 (Report, August 2021) <https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/IdentifyandDisruptBill/Report>.

[7] Mann, Monique; Murray, Angus, "Striking a balance: Legislative expansions for electronic communications surveillance" [2021] PrecedentAULA 58; (2021) 166 Precedent 44.

[8] Lord Anderson of Ipswich KBE KC, ‘National Security and Human Rights’ (Speech, National Society Lecture, 27 November 2024) at [27].

[9] A v SSHD [2004] UKHL 56.

[10] Gillan and Quinton v The United Kingdom (Case No. 4158/05, 12 January 2010).

[11] Ibid at [42].

[12] Lord Anderson of Ipswich KBE KC, ‘National Security and Human Rights’ (Speech, National Society Lecture, 27 November 2024) at [60].

[13] Issues Paper, p 1.

[14] Report to the Attorney-General on agencies’ compliance with the Surveillance Devices Act 2004 (Cth) (September 2023) available at URL https://www.ombudsman.gov.au/__data/assets/pdf_file/0022/301927/SD-September-Report-inspections-conducted-1-Jan-to-30-June-2023-Sept-2023-Report-A2371190.pdf accessed 17 December 2024.

[15] Attorney-General’s Department, Australian Government, Report of the Comprehensive Review of the Legal Framework of the National Intelligence Community (Report, December 2020).

[16] Mann, Monique; Murray, Angus, "Striking a balance: Legislative expansions for electronic communications surveillance" [2021] PrecedentAULA 58; (2021) 166 Precedent 44.

[17] See: George v Rockett (1990] HCA 26.

[18] Queensland Council for Civil Liberties et al (QCCL et al), Submission No 4 to PJCIS, Review of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (February 2021) 8.

[19] Queensland Council for Civil Liberties et al (QCCL et al), Submission No 4 to PJCIS, Review of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (February 2021) 8.

SubmissionQueensland Council for Civil LibertiesASIO, police powers, police, Terrorism, technology, Data Protection, Surveillance, Human Rights