Chris Berg, Director of Policy and Simon Breheny, Director of the Rule of Law Project at the Institute of Public Affairs appeared before the Parliamentary Joint Committee on Intelligence and Security on Wednesday 5 September. The Committee is currently considering potential reforms of national security legislation. Here are a few excerpts from the IPA’s committee appearance (which lasted for over 45 minutes).
Mr BREHENY: …The suite of policies proposed in the Attorney-General’s discussion paper adds up to one of the most significant attacks on civil liberties in Australian history. Many of the proposals breach the rule of law, severely curb civil liberties and threaten freedom of speech… The burden of proof rests on the government to prove to the public that after 10 years of continuous, unrelenting increases in national security powers – the last major change was as recently as August this year – there is still a clear need for such extraordinary changes…
[T]he most extraordinary proposal we would like to talk about is that of data retention. This draconian proposal for mandated and indiscriminate retention of the online data of all Australians is completely lacking in proportionality, undermines basic freedoms and is in fundamental conflict with the right to privacy. Extraordinary claims require extraordinary evidence, yet no evidence has been presented to justify one of the world’s most onerous data retention regimes. Abstract references to emerging threats and cybercrime are patronisingly insufficient as justification for such an extreme example of state power.
The collection and storage of data by internet service providers also creates a considerable data security problem. Rather than dispersing information, data retention creates silos of information begging to be attacked by the very criminals this proposal seeks to limit.
Mr DANBY: Mr Breheny, you are the Director of the Rule of Law Project at the Institute of Public Affairs.
Mr BREHENY: Yes.
Mr DANBY: I do not normally comment on a submission in full but rather on specifics; however, I found both the presentation now and the submission extraordinary—extraordinary in its extremism, extraordinary in its one-eyed view of extreme civil liberties. This is a view that I would accept from the Human Rights Law Centre and from the Castan Centre for Human Rights Law, but from an organisation that has a wider brief than just civil liberties this is an extraordinary submission, including the kinds of adjectives used in your introductory submission.
I would have thought a person who is the Director of the Rule of Law Project would have been concerned about the safety and security of Australian citizens—presumably that is the mainstay of the rule of law in Australia. I see no evidence in your submission that the security agencies have breached the responsibilities that were very carefully given to them by the federal parliament. I see no attempt by the Institute of Public Affairs to address the well-known concerns of the community or those of the security agencies which have arisen with the changes in technologies and the changes in the nature of the terrorist threat to Australia and that these things should be considered seriously.
Only last night the Director-General of ASIO said that there are 200 people who are Australian citizens whom they have to keep an eye on to make sure that the record of no mainstream terrorist attacks in Australia is successful. There has been no terrorist attack on mainstream Australia. There have been eight cases where, under the existing laws, various groups of people who would have attacked their fellow Australian citizens have been arrested, charged and convicted under the laws that you denigrated so strongly in your presentation and submission. Frankly, I find it offensive that a responsible organisation like the Institute of Public Affairs comes along and makes such a one-eyed presentation. I would like to hear Mr Berg’s response to my general remarks.
Mr BERG: I did not hear a question—
Mr RUDDOCK: He wants to hear whether you said the same things to the two other organisations you mentioned.
Mr DANBY: I did not. I made it very clear that I did not, because I expect them to be more responsible.
Mr BERG: With due respect, Mr Danby, I think you have misread our submission, because we make a number of important points that address your concerns. The first one is obviously that we have had a decade of continuous, repeated increases in national security power. The discussion paper does not demonstrate to anywhere near any required standard that they would have to be increased again, especially, as my colleague pointed out, as new cybercrime legislation was just introduced in August. I cannot see how the committee is going to be able to deal with the fact that there has just been new legislation and we have not seen it play out.
Also, we have recommended a very specific response to what we think are very real threats. Yes, we openly recognise that there have been substantial changes in the way criminals, terrorists and law-breakers use the internet. But in our view, as you have heard from many other submissions, the appropriate response to that is a targeted, supervised and carefully delineated data protection order, not a broad brush requirement that everybody has to keep everybody else’s data. I think we can strike a balance here. If the committee imagine that there has not been a decade of anti-terror and national security changes then they are kidding themselves.
Mr DANBY: There has been, but there have been no terrorist attacks on mainland Australia. Surely that is the point, that there have been 35 people arrested, charged and convicted under Australian laws – not with the development of a national security state but with laws and groups being carefully monitored by parliament. We have seen the security agencies behave within the laws. In fact, Senator Faulkner, Mr Byrne and I were surprised that they have not used some of the laws that we have granted to them. They have been able to effect their responsibilities within those laws.
Mr BERG: Sure, but I am not certain what that proves.
Mr DANBY: What it proves is that it was necessary to have those laws, because there has been no successful killing of Australians. I am sure that is important to the Institute of Public Affairs too.
Mr BERG: Absolutely. Our submission makes no reference to the existing suite of laws, some of which we would approve of, some of which I am sure we could be critical of. We can have another inquiry in the future, if you like, where we can go through the 50 plus laws that have been passed over the last decade one by one and decide what we like and what we do not like. This submission is directed specifically to just a few of the proposals in the Attorney-General’s discussion paper.
Mr RUDDOCK: I would like to ask, for the purposes of the record, that we invite the relevant agencies to comment on the last paragraph on page 4 of the institute’s submission, which suggested strictly limited, supervised, transparent data protection orders targeted at specific subjects would strike the right balance. I would like to hear whether they believe that such a proposal would be workable in terms of the issues that they believe they need to address.
Mr BERG: In my understanding, the cybercrime legislation that was passed in August, in order to accede to the Council of Europe’s Convention on Cybercrime, had to introduce that sort of scheme. In our view, and we can comment more specifically on it, that may even have slightly tipped the balance in a direction that we are not happy with. But at the very least, as I understand it, those data preservation orders are already available to those agencies. I hope you will ask them how that interacts with the proposals presented here today.
Senator FAULKNER: Did you hear the South Australian and Victorian police provide evidence earlier today?
Mr BERG: No.
Senator FAULKNER: In a nutshell, I think it is fair to say that they said that the data retention scheme was critically important in terms of their capacity to fight serious crime. How should the committee deal with very stark evidence like that?
Mr BERG: I think there is contrary stark evidence. The data retention is not entirely hypothetical. It has been tried and it exists in a number of European states. I think it is important for the committee to critically assess the evidence that has come out of that.
…Off the top of my head, I will direct to the committee to a shadow report into the data retention scheme. That makes reference to a report that the research wing of the German parliament made into the efficacy of these laws between 2005 and 2010. They found, as my colleague pointed out, that there is no statistically significant increase in clearance rates. I think that the committee will have to come to terms with that evidence, even if it is just to take it on board and move on. But I think it is important that you critically assess the real world implication rather than just talking in hypothetical terms. I understand that many police agencies would like the capacity to have a continuous tap on absolutely every Australian. I am not convinced that that is something that should be welcomed by the public.
Mr BREHENY: …The main point here is that there is a fundamental conflict between indiscriminate data retention, which would mean companies collecting and storing all the data that comes through them from clients, and a right to privacy. The two are in complete conflict. You cannot have an indiscriminate blanket data retention policy and also have a right to privacy in Australia.
Mr DANBY: How does that jibe with the fact that many of the companies we are talking about already keep information for seven years, not two?
Mr BERG: I think it is important to split a couple of issues here. A lot of companies keep phone records and they do that in order to bill. This is something they have to keep as part of their operations and we do not have a problem with that, assuming that it is kept safe and according to national privacy principles.
The committee is being asked to consider whether there should be a creation of a new bank of data that does not exist, of a substantially larger amount of data. We make maybe a couple of phone calls a day – and the committee makes a few more than that – but we spend a lot time on the internet and we look at hundreds and hundreds of websites during one day. The government would be asking for an enormous bank of data, hugely disproportionate to any security goal.
Senator FAULKNER: …This is always the difficulty in these matters – finding the balance between individual liberties and rights and freedoms on the one hand and our broader obligations in terms of national security and the safety of our citizens on the other hand. Do you accept that our national security legislation needs to be modernised?…
Mr BERG: Certainly there is a balance, but I want to take up the point about modernisation. There is an assumption within the discussion paper that telecommunications interception legislation has not been modernised since it was introduced. That is empirically not the case. You are talking about modernising legislation that was changed in August. I do not think that there has been a demonstrated need to do that. It is all well and good to talk about balance and we are all for balance, except that appears to only go in one direction, which is towards more national security power and against individual liberties and privacy… I am not convinced that the balance needs to be struck continuously in the favour of more government power. As far as we can tell, there is only one proposal in this discussion paper that would reduce the size of the national security state, and that is the proposal to reduce the number of interception agencies. Everything else gives the government more power. If parliament is going to strike a balance it will have to offer up a different discussion paper and a different set of proposals.
Senator FAULKNER: Do you accept that we can have a more safe and secure environment in this country through changes to national security legislation?
Mr BERG: Perhaps, but I am not convinced that any of the discussion papers and proposals help that. To a large degree, they push in the other direction. The data retention one is a classic example here. It is supposed to keep us safe; it will actually expose us to many more risks. If you ask hundreds of ISPs and telecommunications providers to keep an extraordinary amount of data on its own, that will create a honey pot and increase the risk that somebody will break in and use that data nefariously. We think that some of these proposals, like the data retention one, will actually make us less safe. Even if your only purpose and concern is national security, we think that this could be counterproductive.
Mr WILKIE: We are probably jumping around two issues. One is recording a certain amount of data for years, storing that – and being able to mine it, which is another issue – versus a warrant being taken out to target a particular person, in which case they might actually record the voice conversation.
Mr BERG: You are confusing three issues now: the first is specific warrants in data preservation orders, where there is no data retention scheme; the second is what we think the data retention proposal would be, which is simply recording the fact that someone emailed someone rather than the content of that email; and the third option is recording absolutely everything, including content of email, video sends et cetera.
Mr WILKIE: We have learned that they are doing it already for landline and mobile but not, we understand, for emails. As was described to us this morning, people buy capacity in a pipe and all this stuff just goes through there, and they are not recording who is sending an email to whom.
Mr BREHENY: Yes.
Mr WILKIE: That would be a new capability if they were to go down that path.
Mr BREHENY: Precisely. In this case the difference between the kind of data that is stored and collected by telcos, when you are talking about mobile or landline telephone calls, is for business purposes. They keep that so that they can bill their clients. That is not required for ISPs. What we are saying is that the government would be creating silos of information that ISPs simply do not need for business purposes. The important point to make here is that under the national privacy principles ISPs, if they were to go down this path without data retention legislation being mandated by the government, would be breaching national privacy principles. Telcos are not doing that in the case of telecommunications, because they need to do what they do for business purposes. They need to do it to bill clients.
Mr WILKIE: We now come to an interesting issue. We are saying it is acceptable for a business to store data for billing purposes. I could take you to mean that that is seen as more important than a government storing data for national security purposes.
Mr BREHENY: Sure. I would say that there is a stark philosophical difference between the government mandating for data to be stored, on one hand, and, on the other hand, a contractual relationship between a client and a telecommunications company whereby their privacy policies are made clear. They would probably be on a website or in the contract. There is a clear difference between those two scenarios.
Mr WILKIE: So your concern then is more a philosophical concern rather than a practical concern about whether we are able to collect the call data for our mobiles phones or whether they are stored properly.
Mr BERG: That is the subject, perhaps, of a different inquiry – the management of existing customer data. This is not the proposal; the proposal is to create an entirely new bank of data, which we would oppose. It is hard enough for existing companies to look after the data they already look after, as we are seeing with a number of very high-profile and prominent data breaches. The idea that parliament would mandate the creation of a new set that would be so broadly applied and so destructive should it be breached is, we think, very objectionable.
Mr WILKIE: It is interesting: this is our very first day of hearings and we have already brushed up against this a number of times – the fact that so much data is already stored by so many organisations, everything from Coles FlyBuys through to the poker machine loyalty cards to the banks.
Mr BERG: Sure. And with a warrant, agencies can get access to that enormous set of data as it is. We should not pretend that suddenly there is no way for law enforcement agencies to access information at the moment, because that is just not the case.
[The complete transcript can be found online.]