Electronic surveillance law reform a step in the right direction

The legislative framework governing electronic surveillance by Australia’s policing and intelligence agencies is undergoing major reforms. There have long been calls for such an overhaul given the significant changes in the way we communicate since the first of these laws was passed in 1979. However, developing a new, concise, ‘streamlined’ and ‘future-proofed’ act that lets security agencies do their jobs without excessively compromising Australians’ right to privacy is a task complicated by the equally compelling prioritisation of the security concerns of federal agencies and the privacy concerns of civil society.

In December last year, the Department of Home Affairs invited public submissions on a discussion paper about the planned legislative reforms at a granular, operational level. The paper shows a genuine commitment to regulating agency powers and actions in accordance with both sides of this argument. But while government agencies and industry are engaged at a detailed, operational level with how the reforms will work in practice, the civil-society debate remains overwhelmingly a high-level conceptual discussion about security and what a rights-based approach looks like in theory.

The public only really appreciates the overarching themes and values of security and privacy and the prospect of Orwellian state power. This is likely (at least in part) because getting across former Australian Security Intelligence Organisation chief Dennis Richardson’s 2020 review of the legal framework of the national intelligence community, the government’s response and the Department of Home Affairs paperwork on it means wading through a whopping 1,485 pages combined—and each document requires significant sectoral knowledge and time to fully understand.

The three acts set to be repealed and replaced are the Telecommunications (Interception and Access) Act 1979, parts of the Australian Security Intelligence Organisation Act 1979 and the more recent Surveillance Devices Act 2004.

Technological advancements have made communication faster, cheaper, more convenient and in some cases more private. But in doing so, it has also made policing more difficult, particularly due to the popular use of encryption and anonymisation software.

The current laws have not proven adaptable to the new operational and legal challenges resulting from these iterative advancements and the ways criminals have exploited new technology. A host of quick-fix attempts through legislative amendments has succeeded only in creating a ‘patchwork of overlapping, and at times inconsistent and incompatible parts,’ according to Home Affairs’ discussion paper.

This makes it difficult for law enforcement to frustrate and prosecute organised crime activities like drug trafficking, child sexual exploitation, and the recruitment, financing and organisation of violent extremist attacks. With an archaic legal framework supporting operations, it’s become hard to deliver security outcomes without compromising civil liberties.

As a result, Richardson’s review recommended that the relevant laws be scrapped and replaced with an entirely new, fit-for-purpose act.

This imperative is the result of three key developments since the laws were passed: how we communicate, how the associated industry and infrastructure works, and how organised crime is, for want of a better word, organised.

First, telecommunications has completely transformed since the original laws were passed. Communication is no longer unprotected, point-to-point and with clear endpoints. The internet and over-the-top messaging services such as WhatsApp and Signal, which provide communications services over data and may encrypt those communications, have reduced the ability of security agencies to legally monitor criminal activity under the current framework.

End-to-end encryption of the entire communications channel and anonymisation software that hides the user’s identity have made policing more difficult. Even if law enforcement agencies can legally ‘tap the line’, they can’t see the content, and even if they can see the content or see that two devices are communicating, they can’t necessarily identify the individuals communicating.

For a long time, the telecommunications infrastructure that this data runs across hasn’t been fully government owned and controlled. The physical components and electronic layers of communication are now likely to have multiple owners. Whereas a telephone company used to have all your records, you can now use your mobile phone to connect to wi-fi and then to an application providing over-the-top messaging services.

Private industry now contributes to decision-making and regulation, bringing necessary considerations about market forces and consumer confidence. The government understands the importance of this contribution and wants it to continue, which means that industry also plays an active role in the legal, ethical and implementation aspects of this national security issue.

Telecommunications has evolved from fixed-line telephones to smartphones, and communication over the internet (and all the hidden infrastructure that makes it work) has become more complex. As part of the reform process, industry providers are rightly being engaged on the implementation issues most pressing for them, generally regarding compliance costs, feasibility and the administrative burden for companies and government agencies. But the expectations the public has of industry responses to these reforms are complicated by the fact that Australians are now both citizens with a right to privacy and clients willing to pay money. We may choose providers based on the privacy and the security they can offer.

Transnational and serious organised crime groups have exploited the privacy and ease of communications that technology can provide within and between criminal groups in Australia and internationally. Through these new ways of communicating, organised crime has been able to leverage the increasing interconnectedness of nations’ economies and societies at a global level to elevate its business models from regional to global in terms of supply chains and target markets.

The development of a new act is a step in the right direction for both these interests, because it will line up this conversation and the legislation with the current technology and threat landscape.

Tricky questions about how to balance security and liberty in practice remain in developing the new law and the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 that is pending review.

We should keep, as a guiding principle, the need to hold online law enforcement to a rights-based standard that is equal to or even higher than the standard for offline work due to the heightened capacity for insecurity and abuse by other actors in the online world.