Tim Watts (Gellibrand, Australian Labor Party) Share this | Hansard source

The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 before the House today is one with the most serious of stakes and it is a bill that the Morrison government has abjectly failed to treat with the gravity that it deserves. It involves policy decisions with the gravest of consequences. It concerns the tools available for our law enforcement and security agencies to ensure the safety of Australians in the face of threats like terrorism and child abuse and it also deals with the tools that Australians use in their everyday lives to protect the security and privacy of their data when using the internet.

The Parliamentary Joint Committee on Intelligence and Security had been treating these issues with the seriousness which they deserve. We should pay some attention to the chronology here: 18 months ago, Malcolm Turnbull, in his infamous 'war on maths' speech, told Australia that the threat of terrorist networks going dark was urgent and that the government proposed to introduce legislation of the kind which we see before parliament today. They did nothing. They subsequently said they would introduce a bill to deal with this in the first quarter of 2018. We saw nothing until September of this year. Then the PJCIS gets the referral and starts doing the substantive, serious, sober work of review, in the national interest, that we know the PJCIS provides this chamber, only for the Minister for Home Affairs to lob into the middle of it and say, 'This is now a matter of urgency.'

Those of us in this House who are not members of the committee but who followed the public hearings that they were undertaking saw a very high quality of interrogation of the issues at hand. I put on the record my thanks and regard for the shadow Attorney-General, the shadow minister for foreign affairs, the member for Eden-Monaro, Senator McAllister and in particular the committee deputy chair, my friend the member for Holt.

Labor always tries to work constructively, on a bipartisan basis, with all members of parliament on national security issues. National security ought to be about keeping Australians safe and preserving the freedoms that we enjoy in a democratic society, not doing harm to your political opponents. The PJCIS has been an institution in our democracy that has lived up to this principle—a place where proposals can be rigorously interrogated in the national interest and where members from both sides of politics can work constructively together on improving these proposals. There are plenty of cynics who will roll their eyes at this—I get that—but, as a party of government, Labor members have to confront the reality that the decisions that we make in this place on these issues have very real consequences; they have human consequences.

Regrettably, my own city experienced a terrorist incident during the conduct of this inquiry. As a member of parliament, I attended Sisto Malaspina's state funeral while the committee did its work. Similarly, as someone who spent a not insignificant period of my time before coming to this place working in an Australian telecommunications company, I gained some appreciation of the seriousness and the prevalence of online child exploitation and the important work that law enforcement agencies, and those who assist them in private sector companies, play in identifying and prosecuting paedophiles. These are not imaginary threats. They are not made up, and they are not abstract. They involve real human beings. They involve crimes that destroy people's lives, and the public rightly expects governments to treat them seriously.

Despite the government's transparent politicisation of national security and law enforcement through this process, this desperate politicisation, they have done this. Some repugnant things have been said in this debate. Members opposite should reflect on the repugnant claims and behaviour we've seen during debate on this bill. Australian democracy is not held in high regard by people outside this building. Indeed, it is held in contempt. Despite this, we treat our democracy very poorly in this building. The trashing of the PJCIS as a bipartisan institution, the debased attacks on the motives and integrity on this side of the chamber—they're accusing people of wanting to assist terrorists and paedophiles—merely for exercising our responsibility as parliamentarians to scrutinise complex government proposals in the national interest has hurt the public's regard for our democracy. Those of us who have gone into public service because we believe in the importance of our democratic institutions have the highest obligation to treat these democratic institutions with respect and not to behave in a way that feeds public cynicism towards them. Those opposite ought to spend the Christmas recess reflecting on that in the lead-up to the next federal election.

That said, I am pleased that the government came back to the negotiating table within the PJCIS process. I want to say a little bit about the context for this bill and the way that we approach it on the Labor side. I understand that there are some on the left of politics who philosophically object to any form of online surveillance. I respect that view and I acknowledge it—it is one that citizens are entitled to hold—but I have never agreed with it. I have not agreed with it as a member of parliament and did not agree with it when I was working in a major telco. Telcos assist law enforcement with their work and have done so for decades. That's not a new thing. Phone taps—telecommunications interception—play an important role in shutting down all name of criminal syndicates. But this principle—the idea that the private sector ought to help, when appropriate, in law enforcement—is a starting point for a conversation about what's possible and what is sensible to do. It is not a conclusion on this bill.

And a big problem with the public debate over this bill has been the government, ministers and MPs saying one thing about the effect of this bill while our security agencies and, indeed, even the Home Affairs department have said quite contradictory things in front of the PJCIS and in front of specialist forums dealing with these issues. For example, in a podcast published just this week, Adam Ingle, of Australia's Department of Home Affairs, said to the Crypto 2018 workshop on encryption and surveillance: 'I know some of you may have heard our Prime Minister Malcolm Turnbull'—a little bit out of date; it was from a speech from some time ago—'say that the laws of mathematics don't apply in Australia. They very much do. And this legislation reflects that. We don't want to undermine security. We don't want to undermine the laws of mathematics.'

Lots of talk from government ministers about this bill has implied that it is a way of breaking strong encryption and about accessing messages delivered via encryption. Despite this, security agencies and technical experts from ASD and AFP who appeared in front of the PJCIS insisted that this was not their intent. Indeed, in hearings on this bill, officials said that this bill would preclude them from requesting a technical assistance notice that provided for a key escrow regime, a regime where the encryption keys for communications are held by some third party in being able to be accessed by government. It ruled out an assistance notice that required an entity to weaken the level of encryption, simplifying the mathematical models that underpin encryption between communications. At conferences, it said that this bill would not allow a technical assistance notice that required password rate limits to be lowered. The bill doesn't allow for a decryption capability to be imposed. These are substantive provisions in this bill that do not reflect the public comments of government.

Let me be clear on another point in this respect: because of these constraints, there will be situations in which this bill is not able to facilitate the access to communications that is desired by law enforcement agencies. It just won't be possible. It's not a total solution to this idea of going dark. Anyone who claims that is crazy. That in itself, though, is not a reason to not do what we can. We can do sensible things.

I also want to point out, in the face of some of the online commentary, that this is not a bill about introducing some kind of mass online surveillance regime. As the Inspector-General of Intelligence and Security confirmed in its submission to the PJCIS process, warrant processes are unchanged by the access and assistance provisions:

… 317ZH(1) provides that a technical assistance notice or a technical capability notice has no effect to the extent, if any, that it would require a designated communications provider to do an act or a thing that would require a warrant or an authorisation under certain Acts.

That is, any law of the Commonwealth or of a state or territory. If you are not a subject of law enforcement inquiries, you are not going to have to worry about being a target of this bill. If you are not a security threat, as identified by ASIO, you are not going to have to be worried about being a target of the bill.

Indeed, these provisions can't require Silicon Valley firms to provide data that they have themselves to our law enforcement and security agencies. This bill doesn't resolve, and may even make more difficult, the mutual legal assistance treaties and the CLOUD Act problems in us accessing data from these providers overseas. In this bill, we can only access information from the targets of these warrants. This bill is not about 'Donald Trump reading your emails', as Senator Steele-John has suggested, nor is it about putting spyware into everyone's devices or spying on unions, as some people have suggested to me. This is a targeted regime that gives ministers the power to issue notices. In this context, the role before the PJCIS was to ensure that the decision-making ability from the responsible ministers, in assisting issuing these notices, did the right thing, made the right decision and enabled providers to assist with things that were sensible but didn't enable assistance notices that caused wider harm.

This is where we come to the provisions in the bill around preventing the installation of a so-called back door. A back door doesn't mean anything in a technical sense. This bill provides for a preclusion on the issuance of these notices where it may create a systemic weakness. This is a complex issue. It is a hard thing to judge even in the technical community. People argue about what a systemic weakness is. Unfortunately, the bill, as originally introduced, provided no definition for this at all. I'm pleased that the PJCIS is, importantly, defining this.

Similarly, checks and balances on this decision-making criteria are also important. The upshot of all this is whether a technical assistance notice will be reasonable and whether it will cause harm more broadly outside the context of that specific notice. That is something that will turn on the circumstances. It will turn on the individual facts of a particular security system of a particular IT platform. That's what we've sought to do through the PJCIS. We've sought to bolster the checks and balances. We've sought to bolster the criteria governing the minister's decision-making so that no harm is done through this.

I do want to make one comment. There has been an information vacuum on this bill, which has been partly created by the contradictory statements of the government and partly created by our law enforcement and security agencies. Their unwillingness not to be specific about the methods that they intend to use is perhaps understandable. But this has created a real paranoia online and in the sector about what this bill may do. So, in the limited time left available to me, I want to bust a few myths about what is in this bill. First, I just want to say really clearly: this bill will not break internet banking. If this bill were going to break internet banking in Australia, there would have been a submission to the PJCIS from the CBA, the NAB, Westpac and ANZ. We are dealing with a targeted regime here. There is nothing in this bill that bans strong encryption on passage. There is nothing in this bill that makes strong encryption unworkable in a banking security system. It is just nonsense.

I want to also specifically say that there is nothing in this bill that provides for the serving of individuals within corporations with these notices. This bill won't create a situation where an individual DevOps guy gets a notice from the government that he or she is not allowed to tell their boss or co-coders about in doing their job. There are provisions in this bill about service of these notices on individuals, but that is only when the individual is a separate entity, when someone has created a product off their own bat.

So what is this bill actually about? It is difficult to speculate, because, as I said before, the different circumstances of each security system will govern it, but I do want to point to some examples that we've seen from overseas of things that might be possible under this bill, might be workable, without breaking encryption. Recently in Germany—a country with a very high regard for strong encryption—we've seen its intelligence agencies intervening in the identity management system of apps to add additional end points to group chats. Indeed, their group chat in Telegram is a very high profile app. It was something that we raised through the PJCIS process, to say: 'Would this be a systemic weakness?' It is fair to say that the answer to that was different from the key escrow and the encryption maths answers. That might be possible. We might be looking at end point exploitation instead of breaking end-to-end encryption. We might be dealing with the way that communications are stored and managed on handsets or at end points rather than getting in the middle of it. These are the things which we could productively do, without breaking encryption, and which could assist our law enforcement and security agencies, without breaking the internet. That being said, it would have been nice to spend more time exploring these proposals through a rigorous committee process.

See this speech in context