Image source: Nullfy on Flickr
Australia’s Assistance and Access Act (the “AA Act” or “TOLA”) has become globally infamous anti-encryption legislation. While governments around the world, evidently frustrated with the increasing security of everyday communications, are attempting to push through similar legislation, it’s possible that no other proposed regime will land quite as “successfully” as the AA Act has “down under.” Here we have a Commonwealth country with no Bill of Rights, leaving a gaping lack of federal protections for privacy, freedom of assembly, and freedom of expression. The AA Act was passed under enormous political pressure in 2018 and has been placed under numerous reviews (five so far) to evaluate its necessity and proportionality, as well as its impact on individuals’ rights. To date, all has been for naught.
Sadly, Australia’s surveillance problem doesn’t begin or end with its Assistance and Access powers. Australia has gradually dug even deeper into the surveillance rabbit hole, and so far with full support from its Parliament, a failure of responsibility to protect human rights that Aussie NGO Digital Rights Watch recently highlighted when they published a bipartisan timeline of digital rights-harming legislation in Australia. There is a quiet sense of dread in the human rights space, as we watch Home Affairs absorb independent agencies and portfolios, making independent oversight of any overreaching surveillance capabilities functionally impossible.
Mission creep and consolidation of authority
It doesn’t end there, either. The news that the Australian Security Intelligence Organization (ASIO), whose mission is to “reveal their secrets, protect our own,” will expand its mandate to encompass looking through the communications of Australians domestically, rather than only poking through international communications (to gather intelligence about foreign allies and national security threats), has only compounded fears.
While it might appear more efficient to give Home Affairs control of everything under one roof, the traditional separation of agencies and powers in governments isn’t there to frustrate bureaucrats. It ensures compromise and dialogue between agencies that often have contrary objectives. To grant singular control over the people meant to protect and secure Australia’s infrastructure (cybersecurity) and those picking it apart to catch criminals (ASIO or Australian Federal Police) is the snake eating its own tail. We made this point in our submission to the Australian national cybersecurity consultation in November.
Data retention without sufficient rights protection
In many jurisdictions globally, there is a battle between law enforcement agencies and privacy advocates over retention of our telecommunications data. Due to the lack of federal data privacy protections in Australia, the government is able to hold on to data in ways that severely undermine human rights. Australia’s metadata retention regime is taking place under the Telecommunications (Interception and Access) Amendment (Data Retention) Act, which was passed in March 2015. It was only last year that a review of the Act was finally launched, and this has shed light on law enforcement agencies’ extensive, overbroad use of its powers. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is expected to complete the review in the second half of this year.
Alongside other digital rights groups, we have urged the Australian Parliament to revise its data retention scheme to restrict the scope and ensure that authorities retain only data that is strictly necessary; to require judicial warrants for access to metadata; to reduce the overall retention period requirement; and to extend protections and safeguards for journalists and whistleblowers who may be impacted by the regime’s creeping scope.
Surveillance goes abroad
In the ongoing Assistance and Access Act reviews, many submissions, ours included, pointed out that Australia could become the “weak link” or “back door” to enable the “Five Eyes” governments to increase their surveillance powers. While Home Affairs has vigorously rejected that argument, in March 2020, they referred the draft Telecommunications Legislation Amendment (International Production Orders) Bill 2020 to the PJCIS. The proposed legislation would do exactly what we and other digital rights groups warned against.
Specifically, the draft bill, which is open for consultation until April 9th, introduces “a regime for Australian agencies to obtain independently-authorized international production orders for interception, stored communications, and telecommunications data directly to designated communications providers in foreign countries.” This would enable Australian law enforcement authorities to issue requests for data to overseas communications providers directly, often circumventing decision-makers in other jurisdictions (which could have better protection for privacy) as well as skipping out on the warrant requirement within Australia. There is text in Schedule 1 offering protection against arbitrary or unlawful interferences with privacy, but it is not convincing because the text presents more carve-outs than protections. Furthermore, it is not likely to meet the necessary human rights standards of international agreements such as the U.S. CLOUD Act, even though it is intended to provide a backbone to those agreements.
COVID-19: current climate ripe for abuse
While the above is its own recipe for compounding the risks to human rights, we may see these risks deepen as the Australian government explores surveillance-based responses to the coronavirus pandemic.
At Access Now we’ve recently put our heads together and issued recommendations to governments considering such options. While temporary measures may be necessary to protect the public, they must be limited in scope and protect against mission and scope-creep. Those limitations are currently missing from the Australian government’s COVID-19 app which is based on close cooperation with private companies without any adequate public-facing explanation as to the nature of the contract, the ownership of the app, or the data it collects and utilizes.
Will the Australian authorities engage in contact tracing? Will they be surveilling individuals (and their surroundings) to aid enforcement? The government must immediately articulate the duration, scope, and application of the measures it is taking and fully inform the public.
The way out of the rabbit hole
Even in the worst situations, there is often a pathway to redemption. That said, the surveillance apparatus in Australia is complex and the policymaking playing field is multi-tiered. That means it will require significant effort by government leaders to restore integrity and rebuild public trust. The Parliament must undertake its oversight role with vigor and ask critical questions to challenge the approach Home Affairs has taken. With a renewed commitment to safeguarding human rights, Australia can climb back up into the light.
May 2020 update:
- View our coalition comments to the IPO Bill consultation here.
- View our supplementary submission to INSLM on the TOLA review here.
Follow our work on the protection of digital rights in the context of the COVID-19 pandemic.