Australia’s national security legislation: Where are we going?

August 18, 2014

The government has announced a review of the national anti-terrorism legislation, including changes to mandatory data retention. Intelligence and security expert Dr Patrick Walsh explains the proposed changes and puts them into a global context.

Starting in late July, the government made several announcements about changes to various national security legislation and counter-terrorism approaches. The context for change is part of a broader review of Australia’s counter-terrorism and intelligence capabilities in the wake of a growing number of Australian-based jihadists going to areas of concern (Iraq and Syria) to fight with extremist groups and the impact they will have on national security when they return home.

A broader review of counter-terrorism legislation and various other intelligence-related legislation (e.g. the Intelligence Services Act 2001 and the ASIO Act 1979) makes sense, given it’s now 13 years since 9/11, and the global security environment is becoming ever more complex. Many of the planned reforms are being encapsulated in the government’s new National Security Legislation Amendment Bill (No 1).

The Bill includes a broad suite of reforms, from amendments to the intelligence collection processes of ASIO and ASIS and increased penalties for ‘future Snowdens’ working inside our agencies who leak intelligence, to more mundane minor changes such as renaming our defence-based intelligence agencies – Defence Signals Directorate to Australian Signals Directorate (ASD) and the Defence Imagery and Geospatial Intelligence Organisation to the Australian Geo-Spatial Intelligence Organisation (AGO).

Many of the changes embodied in the National Security Legislation Amendment Bill are overdue and important. But they got sidelined by the government’s muddled explanation over another planned change – mandatory data retention legislation. The Attorney General’s unclear explanation of what definition of meta-data the government was likely to use in this legislation cast a shadow on the broader set of much needed national security reforms being announced.

For example, in addition to capturing IP addresses, was meta-data also going to include a user’s web browsing history? It seems not, after ASIO’s DG David Irvine, AFP’s Deputy Commissioner Andrew Colvin and the Communications Minister Malcolm Turnbull all helped to get the government back onto a clearer message.

Nevertheless, in this post-Snowden environment such early missteps did not help build trust in the community about what was being proposed, its need or how changes would impact on innocent citizens’ privacy and human rights. Meta-data generally refers to the bulk collection of telephone data (call numbers, time of call but not content of call) for domestic and international calls. With the digital revolution, though, it has also been extended to mean the IP address your ISP company assigns you as a customer when you go online and for billing purposes.

But ‘meta-data’ has now become a toxic word after the Snowden leaks in 2013 revealed various aspects of how the US National Security Agency (NSA) systematically collected records of American phone calls. The leaks also highlighted the NSA’s PRISM program, which allowed the agency to access a large amount of digital information – emails, Facebook posts and instant messages, including their contents. So, for some, the government’s stumble in clarifying what was going to be collected conjured up the image of the start of a similar mass surveillance program by agencies of the Australian Intelligence Community.

But what is really being sought here is on a much smaller scale and includes the mandatory retention of meta-data by telcos for two years, NOT by our intelligence agencies. Our intelligence community does not have the interest or bandwidth to build up a mass surveillance metadata capability à la the NSA. Both ASIO and the AFP have been accessing meta-data for years, and the process for them to access the content of communications will, as always, require a warrant. What is new is making it mandatory for telcos to retain meta-data for two years and allowing our intelligence agencies access to it. ASIO and AFP are concerned that if retention is not mandatory, telcos will get rid of the data, or other technological changes will make access difficult down the track. Data retention gives them some time and flexibility to make connections, particularly in counter-terrorism operations, that warrant closer exploration and may signal a planned attack.

As terrorists and organized criminals have shifted their communications away from using one telephone to multiple telephones and to online environments, so too do our intelligence agencies need to have access to this data. A similar debate has been going on in the UK about the need to formalise data retention. In July 2014, the UK Data Retention and Investigatory Powers Act (2014) was rushed through parliament, further clarifying what the UK government argues are existing surveillance powers, but what privacy and some legal advocates suggest is providing intelligence agencies with powers well beyond the existing surveillance legislation (i.e. the RIPA 2000).

The Australian and UK legislative changes are in contrast with post-Snowden legislative changes in the US and half a dozen EU countries. For example, in the US, following on from Presidential Policy Directive 28, the US Senate is set to vote on a new bill (the USA Freedom Act) in late 2014 which would no longer allow the NSA to systematically collect bulk telephone meta-data. Such data would have to stay with the phone companies, and the NSA would instead need to get court orders from the Foreign Intelligence Surveillance Court (FISC) to obtain call data on specific numbers. It remains to be seen how workable it will be for US intelligence agencies to have to go to the FISC every time they need to access telephone meta-data in a quickly unfolding terrorism operation.

Another dimension to the meta-data retention debate, though, is: how effective is it? The jury is still out on how useful meta-data programs are in preventing or disrupting terrorist attacks. This is something that the national security committee of cabinet will need to monitor. The NSA eventually had to admit in the US context that the number of specific cases of prevention of attack was very small, though ASIO’s chief, David Irvine, has publicly stated that in the last eight years his agency has stopped at least four mass casualty terrorist attacks occurring in Australia. So the effectiveness of data retention provisions will need regular reviewing.

We also have to recognise that, in part thanks to Mr Snowden, some terrorist groups have moved to advance their obfuscation methodologies to hide IP addresses and to use greater encryption of communications. So again it’s unclear how beneficial data retention changes will be in monitoring people that may be involved in areas of national security concern.

The final data retention legislation is not likely to be ready before September. We still need to see in legislation how the government will define meta-data and what checks and balances will be built into the legislation. However, Australians at this point should not be overly concerned about this legislation. What is being proposed is not a massive ‘NSA-esque’ surveillance program; rather, it is the ability for our intelligence agencies to access meta-data of a few thousand people that may be of concern. Accessing the content of communications will still require warrants as before. Additionally, Australia’s intelligence accountability mechanisms, unlike those of the USA, which surprisingly has a very fragmented and partly politicized system, are extremely robust – particularly the role of the Inspector General of Intelligence and Security (IGIS), which is independent from government and the intelligence agencies.

The only major change here is mandatory data retention for two years. The bigger issue is who is going to pay for the storage of the data? We do need some perspective on what is being proposed here, and should keep in mind that large amounts of meta-data and more personal details are already stored by private sector companies without warrants.

While privacy will always be the ‘other’ important human right, I do have some sympathy with ASIO’s Director General who, perhaps with a sense of drama, said publicly: ‘For the life of me I cannot understand why it is somehow correct for all of your privacy to be invaded for a commercial purpose and not allow me to save your life.’



  1. Malcolm Crompton

    September 8, 2014 at 5:21 am

    Unfortunately this is only part of the debate Australia needs

    Patrick's blog makes a case for increased powers for law enforcement and national security. However, it only addresses the first A of the Information Commissioner's 4As Framework: Analysis and part of the last, Appraisal.

    There is more to do:

    • Authority – what head of authority (An Act of Parliament) and who should be authorised when to do what
    • Accountability – what are the additional accountabilities that must apply to any body or person to whom society grants covert or coercive powers (or both). They inevitably lead to bad things happening as well as (hopefully) good things, either through error, security failures or the conscious intent of the entity with such powers.
    • Appraisal – what is the established process for appraising whether the powers achieved their objective and what have been the unintended consequences?

    For more, see "There's more to the national security debate than 'more powers please'" just posted on Open Forum.

    Malcolm Crompton