pdf (197.81 KB)

Submission by the Office of the Federal Privacy Commissioner – June 2003

Review of Certain Provisions of the Telecommunications (Interception) Act 1979

1. The review of the operation of the Telecommunications (Interception) Act 1979 (the Interception Act) relates primarily to the provisions introduced by the Telecommunications (Interception) Act Legislation Amendment Act 2000 (‘the Amendment Act’). The primary objective of the Interception Act is to protect the privacy of individuals who use the Australian telecommunications system by making it an offence to intercept communications passing over that system. The Interception Act also seeks to balance privacy interests with law enforcement and national security objectives. The Interception Act specifies the circumstances in which it is lawful for law enforcement agencies and the Australian Security Intelligence Organisation (ASIO) to intercept communications under the authority of a warrant, subject to reporting and accountability mechanisms.

2. This Office is conscious of the need to strike an appropriate balance between the privacy of individuals within the community and the ability of law enforcement and national security agencies to undertake their legitimate functions. Section 29(a) of the Privacy Act 1988 Cth (the Privacy Act) requires the Privacy Commissioner to have “… due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the right of government and business to achieve their objectives in an efficient way.” While national security agencies are not subject to the Information Privacy Principles in the Privacy Act, we have been asked to provide comment for this review addressing the terms of reference, which refer to both law enforcement agencies and national security agencies, and we have done so in this submission.

3. The Amendment Act introduced two new categories of warrants: named person warrants and foreign communications warrants. These warrants authorised law enforcement agencies and ASIO to undertake more privacy-intrusive forms of interception than were previously permitted. They facilitate the interception of a greater number of telecommunications services and increase the likelihood of the interception of conversations involving third parties who may not be relevant to legitimate law enforcement or national security activities. The powers of interception may be necessary but they must be accompanied by effective safeguards and accountability and review measures. The Office has developed a proposed framework for assessing and implementing new law enforcement and national security powers. The framework was first outlined in a paper for the Australian Institute of Criminology’s conference in June 2001[1] and again in a submission to the Senate Legal and Constitutional Committee in April 2002 on proposed anti-terrorism legislation[2].

4. The framework sets out a life cycle approach to such proposals from development to implementation and review. The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy. It proposes several key steps in the development, implementation and review of such measures.

5. First, careful analysis is needed in the development phase to ensure that the proposed measure is necessary, effective, proportional, the least privacy invasive option and consistent with community expectations. This analysis should involve consideration of the size, scope and likely longevity of the problem, as well as the range of possible solutions, including less privacy invasive alternatives. The impact on privacy of the proposed solution should be analysed and critical consideration given to whether the measure is proportional to the risk.

6. Second, the authority by which the measure is implemented should be appropriate to its privacy implications. Where there is likely to be a significant impact on privacy, the power should be conferred expressly by statute subject to objective criteria. Generally, the authority to exercise intrusive powers should be dependent on special judicial authorisation. Intrusive activities should be authorised by an appropriately senior officer.

7. Third, implementation of the measure should be transparent and ensure accountability. Accountability processes should include independent complaint handling, monitoring, independent audit, and reporting and oversight powers commensurate with the intrusiveness of the measures.

8. Finally, there should be periodic appraisal of the measure to assess costs and benefits. Measures that are no longer necessary should be removed and unintended or undesirable consequences rectified. Mechanisms to ensure such periodic review should be built into the development of the measure. This could involve a sunset clause or parliamentary review after a fixed period.

9. In summary:

• Analysis – is there a problem? Is the solution proportional to the problem? Is it the least privacy invasive solution to the problem? Is it in line with community expectations?
• Authority – Under what circumstances will the organisation be able to exercise its powers and who will authorise their use?
• Accountability – What are the safeguards? Who is auditing the system? How are complaints handled? Are the reporting mechanisms adequate? And how is the system working?
• Appraisal – Are there built in review mechanisms? Has the measure delivered what it promised and at what cost and benefit?

10. This submission applies the relevant aspects of this framework to the terms of reference for the review. In particular, it comments on the adequacy of the safeguards and reporting and review mechanisms in the Interception Act and recommends measures to minimise the adverse impacts on the privacy of third parties whose communications are intercepted. The submission is not intended to be a comprehensive discussion of the privacy implications of the operation of the Interception Act. In the limited time available, it has not been possible to consider all the relevant provisions or practices.

Operation of amendments – Telecommunications (Interception) Legislation Amendment Act 2000

The need for named person warrants

11. Named person warrants authorise the interception of more than one telecommunications service that the person named on the warrant uses or is likely to use during the course of the warrant. This enables agencies to intercept telecommunications services that are not listed on the face of the warrant. The Interception Act makes named person warrants available to the Australian Federal Police, the Australian Crime Commission, ASIO and eligible state law enforcement authorities. Named person warrants enable the connection, disconnection and reconnection of multiple services used by a suspect without requiring the agency to obtain a new warrant. The warrant was designed to address the problem of multiple services being available as a result of digital technology and the deregulation of the telecommunications market. According to law enforcement agencies, suspects may use several pre-paid SIM cards in one mobile telephone handset in order to evade detection or surveillance.

12. The available annual reports on the Interception Act indicate a significant upwards trend in the number of interception warrants issued. The most recent published report at the time of writing is for the financial year ending 30 June 2001. There were 1,284 warrants issued in 1998-99, 1,689 in 1999-00 and 2,157 in 2000-01. These figures include both telecommunications service warrants and named person warrants. Named person warrants allowing interception of several services only became available in 2000-01 and the number issued was not separately reported. The total number of warrants in 2000-01 is almost double that for 1998-99, and the increase in the number of actual services intercepted would be even greater. These reports indicate that law enforcement agencies are increasingly relying on telecommunications interception as an investigative tool. Statistics on named person warrants issued by the Attorney-General on application from ASIO, are not publicly available. The comments about the level of telecommunications interception in this submission are made without the benefit of the 2001-02 annual report, which is not available at the time of writing, 11 months after the end of the financial year.

13. The interception of larger numbers of services raises greater risks of adverse privacy impacts for more individuals. As the interception of telecommunications services rises, careful consideration needs to be given to the balance between law enforcement and security concerns on one hand, and the privacy of individual Australians on the other. Interception of telecommunications not only intrudes on the privacy of the individual under investigation, but also other individuals who use that service. The Interception Act contains extensive reporting obligations, however there is little public information on the privacy impacts of interceptions. No public information is available on the volume of communications recorded that are not relevant to the investigation or are conducted between individuals other than the named person, or on the level of sensitivity of the personal information recorded. If these matters are not to be subject to public accountability mechanisms, in any review, the reviewer must have appropriate security clearances and sufficient independence to ensure the review has wide credibility. The growing use of interception warrants increases the need for ongoing scrutiny of the privacy impacts of interceptions. At the current rate of increase of interceptions, regular reviews of the operation of the Interception Act would appear appropriate. We recommend that such reviews be undertaken by an independent and respected figure. We recommend that that such reviews be conducted at two year intervals.

Adequacy of safeguards governing the issue of named person warrants

14. The increasing reliance of law enforcement agencies on interception increases the importance of ensuring that the Interception Act includes adequate safeguards. The provisions governing the issue of named person warrants to law enforcement agencies differ from those for national security organisations.

Issue of named person warrants to law enforcement agencies

15. Sections 42(4A), 45A and 46A of the Interception Act govern the issue of named person warrants to law enforcement agencies. The Interception Act implicitly recognises the more privacy-intrusive character of named person warrants by imposing additional issuing and reporting requirements. The agency must provide the issuing authority, an eligible judge or nominated member of the Administrative Appeals Tribunal (AAT), with the name or names by which the person is known and provide details sufficient to identify the telecommunications services the person is using or likely to use. The issuing authority must be satisfied that there are reasonable grounds for suspecting that the named person is using, or is likely to use, more than one telecommunications service.

16. As with telecommunications service warrants, the issuing authority must be satisfied that information available through interception of those services is likely to assist an investigation of a Class 1 or Class 2 offence. Class 1 offences include murder, kidnapping, narcotics offences under the Customs Act and related aiding, abetting and conspiring offences. Class 2 offences include serious offences involving loss of life or serious personal injury, serious damage to property, trafficking of prescribed substances, serious fraud and related offences, generally offences punishable by imprisonment for at least seven years. For both types of offences the issuing authority must have regard to the extent to which other methods of investigation are available, how much of the information likely to be obtained by interception would be likely to be obtained by other methods and how much other methods would be likely to prejudice the investigation. In relation to Class 2 offences, consideration must also be given to how much the privacy of any person would be likely to be interfered with by intercepting any service the named person is likely to use. This does not apply to Class 1 offences.

Issue of named person warrants to ASIO

17. Sections 9A, 9B and 11A govern the issue of named person warrants to ASIO. The Attorney-General is the issuing authority for such warrants. Section 9A provides that the Attorney-General must be satisfied that the individual under investigation is engaged in, or reasonably suspected of being engaged in, or likely to be engaged in, activities prejudicial to security. The Attorney-General must also be satisfied that the interception is likely to assist ASIO in carrying out its function of obtaining intelligence in relation to security. Section 9A(1)(c) expressly requires the Attorney-General to be satisfied that “relying on a telecommunications service warrant … would be ineffective.”

Adequacy of the grounds for issuing named person warrants to law enforcement agencies

18. The Explanatory Memorandum of the Amendment Act states that before issuing a named person warrant to a law enforcement agency, the issuing authority must first be satisfied that other methods of investigation, including a less intrusive telecommunications service warrant, have been considered and are either unavailable or ineffective in the circumstances. However, the relevant clauses of the Interception Act do not appear to impose such a requirement. As noted above, for named person warrants issued to ASIO, the Attorney-General must be satisfied that a telecommunications warrant would be ineffective. There is no such express requirement with respect to the issue of named person warrants to law enforcement agencies. Sections 45A(a)–(d) and 46A(1)(a)-(e) set out the requirements that must be met before the judge or AAT member can issue a named person warrant. Sections 45A(e)(i) and 46A(2)(d) enable the judge or AAT member to grant a warrant by merely “having regard to the extent to which methods (including the use of a [telecommunications service] warrant)” have been used by the agency (emphasis added). Sections 45A and 46A provide a less stringent requirement than clause 9A by not expressly requiring that the judge or the AAT member be satisfied that a telecommunications service warrant would be ineffective.

19. Section 94B of the Interception Act requires the agency to report to the Minister within three months of the warrant’s expiry on the warrant’s effectiveness, and, in this report, to state why it would not have been effective to obtain a telecommunications service warrant. However, this ex post facto justification provides a less effective safeguard against the inappropriate issue of a named person warrant than the issuing criteria in section 9A. The three month delay in the reporting process provides additional grounds for imposing equivalent requirements for the issue of named person warrants to ASIO and law enforcement agencies. We recommend that the Interception Act be amended to require the judge or AAT member to be satisfied that “relying on a telecommunications service warrant would be ineffective” before issuing a named person warrant to a law enforcement agency.

Interception of additional services

20. Sections 47 and 60(4) of the Interception Act enable agencies to intercept additional services that are not identified in the warrant of a named person. The only requirement imposed on agencies for new interceptions is that the agency’s chief officer is obliged to inform the carrier of the details of additional services being intercepted which are not identified on the face of the named person warrant. As stated above, section 94B of the Interception Act requires the agency to provide a written report to the Minister on the activities carried out under the named person warrant within three months of the expiry of the warrant. The report must include the services intercepted under the warrant, including those not initially identified.

21. In relation to an application for a named person warrant, section 42(4A) of the Interception Act requires an agency to provide sufficient details to identify the telecommunications services that an individual is using or is likely to use. It would therefore be reasonable to require those services that have been identified in the application for a named person warrant to be listed on the face of that warrant. This means that the telecommunications services identified in relation to the named person warrant will be subject to the scrutiny of the issuing authority. We recommend that the Interception Act be amended to require that the telecommunications services identified under section 42(4A) be listed on the named person warrant.

22. Named person warrants enable law enforcement agencies and ASIO to intercept additional services that are used or likely to be used by the individual under investigation but are not identified on the face of the warrant. These additional services will not be subject to the independent scrutiny of the issuing authority like those services identified prior to the issue of the warrant. Sections 60 and 16 of the Interception Act provide that agencies may intercept additional services that are not identified in the warrant provided that the agency has given the managing director of the relevant carrier sufficient details to identify the service. It is acknowledged that section 94B requires the agency to include in its report to the Minister a list of the services intercepted, including those not identified on the face of the warrant. However, the reports are required to be submitted three months after the expiry of the warrant. The reporting mechanisms therefore do not prevent potentially inappropriate interceptions taking place.

23. It is clear that the degree of independent scrutiny of services to be intercepted and the safeguards in place to prevent the unnecessary interception of services vary according to whether the service is identified before or after the warrant is issued. This is a matter of concern. In order to protect the interests of third parties who would not have been subject to interception before the Interception Act was amended, it would be appropriate for the same precautions to apply to the services identified on the face of the warrant and to the additional services intercepted after the warrant has been issued. We recommend that the Interception Act include procedures for providing independent, effective supervision of the interception of new services under named person warrants:

• each new service intercepted should be reported to the issuing authority as soon as practicable;
• the report should set out the grounds for believing that the named person is likely to use the service;
• the issuing authority may require the interception of the new service to cease if there are insufficient grounds for it to continue.

Destruction of intercepted information

24. Section 79 of the Interception Act provides that intercepted information must be destroyed when the chief officer of the agency is satisfied that the information is not likely to be required for an investigation. This provision only applies to ‘restricted records’, that is, the original recording of the intercepted information. Intercepted information must not be destroyed unless the agency has received written notice from the Commissioner of the Australian Federal Police that the Attorney-General has inspected the entry in the General Register relating to the warrant under which the information was obtained. We understand that the inspection of the General Register by the Attorney-General and notification of the agency may take up to 12 months. The concern is that records of the private conversations of third parties which are unrelated to the agency’s legitimate law enforcement activities, will be held for extended periods of time without adequate justification. The increase in the number of interception warrants also increases the privacy risks in relation to this irrelevant personal information. In order to minimise the privacy impact on third parties whose communications have been inadvertently or unnecessarily intercepted by agencies, we recommend that intercepted information irrelevant to an investigation be destroyed as soon as practicable or, in any case, within six months of the expiry of the warrant.

National security and foreign intelligence

25. Section 9A of the Interception Act enables the Attorney-General to issue named person warrants to ASIO for the collection of national security and foreign intelligence. Section 11A enables the Attorney-General to issue named person warrants for the collection of foreign intelligence in respect of a particular person or a foreign organisation. As discussed earlier, before issuing named person warrants under these clauses, the Attorney-General must be satisfied that relying on a telecommunications service warrant would be ineffective. The request for a warrant must include the name or names by which the person is known and details sufficient to identify the services the person is using.

26. The Interception Act requires the Director-General of ASIO to report to the Attorney-General on the extent to which the interception of communications under named person and foreign communications warrants has assisted ASIO in carrying out its security and foreign intelligence functions. The report must be made within three months of the expiry of the warrant.

27. However, the Interception Act does not impose time limits for the destruction of intercepted information that is not relevant to national security or foreign intelligence purposes. In particular, a named person warrant in respect of a foreign organisation enables ASIO to intercept a potentially large number of telecommunications services associated with that organisation and thus adversely affect the privacy of a large number of people. Given the likelihood of intercepting some communications irrelevant to national security or foreign intelligence purposes, irrelevant information should be destroyed as soon as practicable or, in any case, within six months of the expiry of the warrant.

The adequacy of reporting mechanisms for monitoring the issue of named person warrants

28. Under the Interception Act, law enforcement agencies are required to maintain detailed records of applications for warrants, warrants issued, details of interceptions conducted and use made of the information obtained. These records are monitored by the Ombudsman. Registers of warrants must be kept by the Commissioner of Police, including those issued to state agencies, and provided to the Minister for inspection.

29. The annual reports to the relevant Minister by Commonwealth agencies on named person warrants require an assessment of the usefulness of the information obtained by interception. Ministerial reports on Commonwealth and State agencies must include the proportion of ‘eligible warrants’ to total warrants; a condition of eligible warrants is that a prosecution was initiated or ‘likely to be instituted’. The reports must also include a range of details including categories of offences, number of arrests made, or likely to be made, on the basis of information obtained and proceedings where such information was given in evidence.

30. The record-keeping and reporting obligations for ASIO in relation to warrants are considerably less extensive. Within three months of the expiry of a warrant, the Director-General of Security is required to provide a report to the Attorney-General on the extent to which the warrant assisted ASIO in carrying out its functions.

Adequacy of reporting mechanisms in assessing privacy issues

31. The reporting mechanisms for law enforcement agencies focus on the number and effectiveness of the warrants. There are no specific reporting provisions on how many third party conversations are recorded or how long irrelevant information or conversations between third parties are kept. Named person warrants could be expected to increase the volume of irrelevant information collected. Privacy issues about the retention of such information are also raised by the potential for full transcripts of intercepted information to be released to a defendant[3]. While this promotes the defendant’s privacy rights in providing them with access to their personal information, it does so to the expense of the privacy rights of other individuals. It raises significant privacy risks for recordings of conversations between third parties. Consideration should be given to audit, reporting and review mechanisms that enable a broad assessment of the privacy impact of named person warrants.

32. The Ombudsman reports annually to the Minister on the results of inspections conducted on records of interception warrants. The Ombudsman’s reporting obligations focus on due process, particularly destruction of intercepted material and record keeping. Section 82 of the Interception Act sets out the Ombudsman’s functions including inspecting Commonwealth agencies records to ascertain the accuracy of entries in the registers of interception warrants and the extent of compliance with obligations for destruction of recordings of intercepted information and record-keeping. The reports by the Ombudsman are confidential but it is understood that they do not specifically address privacy issues. Given the privacy intrusiveness of interception and concerns about the third party information, there is a need for monitoring to address privacy issues. This could be addressed by the Ombudsman including consideration of privacy matters in the report to the Minister. The Ombudsman could be required to consult with the Privacy Commissioner before reporting to the Minister. Consideration could also be given to ensuring similar oversight by the Inspector General of Intelligence and Security for the interception warrants issued by ASIO, to the extent that it is not done already.

Should the definition of ‘restricted record’ be limited to the original recording of an intercepted communication?

33. The Interception Act relevantly defines ‘restricted record’ as ‘a record other than a copy, that was obtained by means of an interception …of a communication passing over a telecommunications system’ (emphasis added). This has the effect that several obligations do not apply to copies, extracts or transcripts made of the recording, including obligations to:

• keep the intercepted recording secure (s.5(1)(f));
• destroy it when it is no longer needed for a permitted purpose (s. 35(1)(g), s.79); or
• keep records of each occasion when the recording came into the possession of, or ceased to be in the possession of, the agency and which bodies it was received from or supplied to (s.81, s.81A).

34. Other record keeping obligations relating to use and giving of information in evidence apply to both original recordings and copies. The limited definition of ‘restricted record’ has the effect of reducing the safeguards on the use, disclosure or handling of personal information collected in an intercepted recording.

35. The same safeguards that apply to the original recording should also apply to any copies, extracts or transcripts of the recording held by the relevant agencies. Otherwise there is little logic in the additional protections applying to the original recordings. Consideration should be given to amending the definition of ‘restricted recording’ so that it is not limited to the original recording of an intercepted communication.

Further regulation of secondary use of information obtained by interception and the need for further safeguards governing the use and disclosure of information obtained by interception

36. Recordings of private conversations may well contain highly sensitive personal information. Use of such information should be strictly limited to that necessary for the relevant investigation. In addition, there is particular concern about the potential for function creep, and the adequacy of safeguards for irrelevant third party information obtained by interception. Personal information about third parties which is irrelevant to the investigation can be obtained without the knowledge of the individual concerned and potentially disclosed to the defendant.

37. Consideration should be given to notifying individuals that their information has been collected and how long it will be held in cases where notification would not prejudice prevention, detection, investigation or prosecution of a Class 1 or Class 2 offence.

Foreign communication warrants

38. Section 11C of the Interception Act establishes a type of foreign communication warrant which authorises the interception of communications that relate to a specified issue that is important to the Commonwealth’s defence or conduct of foreign affairs. Foreign communications warrants do not identify a particular telecommunications service or person who will be the subject of interception, but must specify a matter and identify a part of the telecommunications system that is likely to carry the foreign communications. Foreign communications warrants will authorise the interception of all communications being carried by a part of telecommunications system rather than specific services identified by ASIO.

39. The Attorney-General may issue foreign communication warrants at the request of the Director General and on the advice of the Minister for Defence or Minister for Foreign Affairs. The Attorney-General must be satisfied that:

• the collection of foreign intelligence relating to the specified matter is important for defence or the conduct of international affairs; and
• it is necessary to intercept foreign communications to collect such intelligence; and
• relying on a telecommunication service warrant or named person warrant to obtain intelligence would be ineffective.

40. The Director-General is required to destroy any record of a communication that is not relevant to the purposes specified in the warrant.

41. The need for foreign communications warrants may arise from the emergence of sophisticated digital technologies in national telecommunications systems that operate so as to preclude the interception of communications with reference to a specific service or named person. On the other hand, it is obvious that foreign communications warrants will authorise activities that will adversely impact on the privacy of a potentially large number of telecommunications services. We note that the Interception Act provides no time frame for the destruction of intercepted information. Given the potential for a large volume of irrelevant information to be intercepted, it would be appropriate for irrelevant material to be destroyed as soon as practicable or, in any case, within 6 months of the expiry of the warrant.

Recommendations

42. Effective law enforcement and national security provisions must be able to address technological change in telecommunications. The Interception Act includes extensive reporting requirements and a number of safeguards. However, the procedures and reporting mechanisms for named person warrants and foreign communication warrants do not provide adequate safeguards and accountability measures.

43. In order to ensure that named person warrants and foreign communication warrants will be used when appropriate and so as to minimise the adverse impact of the proposed amendments on the privacy of third parties, I wish to make the following recommendations:

(i) Public reviews of the operation of the Interception Act should be conducted on a regular basis by a respected independent authority.

(ii) The interval between reviews should be no greater than two years.

(iii) Public reviews of the operation of the Interception Act should include consideration of the privacy impacts of interception and appraisal of the adequacy of safeguards.

(iv) The Interception Act should be amended to require that the issuing authority is satisfied that a telecommunications service warrant would be ineffective before granting a named person warrant to a law enforcement agency.

(v) The Interception Act be amended to require that the telecommunications services identified under section 42(4A) be listed on the face of a named person warrant.

(vi) The Interception Act should be amended to include the following additional safeguards for the interception of new services not identified on the face of the warrant:

(a) each new service intercepted should be reported to the issuing authority as soon as practicable;

(b) the report should set out the grounds for believing that the named person is likely to use the service;

(c) the issuing authority may require the interception of the new service to cease if there are insufficient grounds for it to continue.

(vii) The Interception Act should be amended to provide that irrelevant information obtained under named person warrants and foreign communication warrants be destroyed as soon as practicable or, in any case, within six months of the expiry of the warrant

(viii) Consideration should be given to amending the Interception Act to provide that the Ombudsman is to include a consideration of privacy matters in the report under section 84 of the Interception Act.

(ix) Consideration should be given to requiring that the Ombudsman’s consideration of privacy matters in the report to the Minister take place after consultation with the Privacy Commissioner.

(x) Consideration should be given to amending the definition of ‘restricted recording’ so that it is not limited to the original recording of an intercepted communication.

(xi) To the extent that it is not empowered to do so, consideration should be given to ensuring oversight by the Inspector General of Intelligence and Security of the interception warrants issued to ASIO similar to that by the Ombudsman in relation to law enforcement agencies.

(xii) Consideration should be given to amending the Interception Act to require that individuals be notified that their information has been collected and how long it will be held in relation to Part IV warrants where notification would not prejudice prevention, detection, investigation or prosecution of a Class 1 or Class 2 offence.

Office of the Federal Privacy Commissioner

www.privacy.gov.au

Privacy Hotline 1300 363 992 (local call charge)