Director-General of Security opening statement to PJCIS review of the amendments made by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018
Friday, August 7, 2020
Thank you for the opportunity to appear before the Committee today.
I am joined by one of my deputies, Heather Cook.
Since its introduction in December 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act has repeatedly helped ASIO protect Australia and Australians from threats to their security.
The name of the Act itself is a bit of a mouthful, so if the Committee has no objections I’ll just refer to it as the Assistance and Access Act.
I have spoken many times about the real threats to Australia from both terrorism and espionage. I am sure the Committee is familiar with those issues so I won’t repeat my remarks other than saying that the threat environment remains complex, challenging and changing.
As the threats evolve and technology evolves, it is critical that ASIO’s ability to respond also evolves. And that’s why the Assistance and Access Act is so important. Its powers are more relevant than ever.
I completely agree that the security and privacy of information is vitally important. Encryption is a good thing. But the same technology that enables Australians to use online shopping, banking and social networking platforms is also obscuring the capabilities and plans of people who threaten our safety and security.
Right now, a foreign spy will be using encryption to hide an attempt to steal our secrets, interfere in our democratic processes or undermine our sovereignty. Right now, a potential terrorist will be using encryption to contemplate an atrocity, radicalise the vulnerable or share a hateful ideology.
It is no exaggeration to say that almost all communications of investigative value would be difficult or impossible to access in an intelligible form without lawful access tools such as those available under the Assistance and Access Act.
Encrypted communications damage intelligence coverage in nine out of 10 priority counter terrorism cases.
We needed to take advantage of the new powers within 10 days of the legislation coming into effect – a clear indication of its significance to our mission.
Since then, the Assistance and Access Act has repeatedly proved important in counter-terrorism and counter-espionage investigations.
But I want to stress that we only use it in a very targeted and proportionate way. All up, we have used the industry assistance powers fewer than twenty times, and always to protect Australians from serious harm.
And the internet did not break as a result!
In many ways, the legislation is a licence to cooperate with industry. Industry engagement has been important to ASIO for a long time.
We, like our law enforcement partners, have had long-standing powers to seek assistance from telecommunications providers to enable warrants. These arrangements were geared to an environment dominated by telephony, because for decades that was the most important source of information about the activities of terrorist and foreign spies.
In today’s complicated communications environment we are dealing with many more communication pathways, with a much wider sector of industry involved in hosting or operating them.
Communications today is a globalised, multi-layered industry and multiple communications providers can be involved in the delivery of a single service.
Our objective hasn’t changed – we are seeking assistance to give effect to our warrants so we can gather important information to identify and stop threats to Australia and Australians.
But the Assistance and Access Act recognised that we need the assistance of a broader range of industry partners, traditional and new.
I’d like to emphasise that none of the industry assistance provisions in the Assistance and Access Act displace the need for a warrant.
Any activity that would have required a warrant before it came into force still requires a warrant today. What the Assistance and Access Act has given ASIO is a well-defined framework for engaging with industry.
Like all ASIO capabilities, there are appropriate levels of safeguards and accountability that go with the Assistance and Access powers.
In addition to the unchanged requirement for warrants, requests must also be reasonable and proportionate. Compliance with the request must be practically and technically feasible.
And before I authorise a request I personally must consider whether it is the least intrusive form of industry assistance and how it reflects the legitimate expectations of the Australian community relating to privacy and cybersecurity.
The Assistance and Access Act also includes the safeguard that requests cannot require a communications provider to build, implement or not fix a systematic weakness.
In other words, they cannot be used to create backdoors which weaken protections for the general community.
The Inspector-General of Intelligence and Security, who has powers akin to those of a royal commission, inspects ASIO’s use of these powers to ensure our compliance with the law.
And in keeping with undertakings ASIO previously made to this Committee, we brief the office of the IGIS the first time we use a mechanism under the Assistance and Access Act and notify them on each occasion as required by the legislation. This makes sure the regular IGIS inspection program can take this into account.
While I will not give exact details in this forum, I can say that so far all ASIO’s engagement with industry under the industry assistance provisions of the Act have involved Technical Assistance Requests.
These are voluntary notices and allow the industry partner to negotiate with ASIO about how the work will be managed.
ASIO’s preference to use the voluntary process first does not mean the compulsory powers are not needed. There have been points where ASIO has come close to issuing a compulsory notice.
However, our preference will always be to engage as much as possible with industry partners, who have also been committed to helping keep Australia safe.
I note that Dr James Renwick, the third Independent National Security Legislation Monitor, recently presented his report on the legislation we are discussing.
While the final decision on the report is a matter for Government, I am happy to talk about the recommendations when we get to questions, if the Committee is interested in my thoughts.
While many of the legal and technical issues we are discussing today are complicated, the principle underpinning the Assistance and Access Act is, in my opinion, relatively straightforward.
With a warrant, ASIO can intercept a letter sent by one terrorist to another – and yes some do still use the mail!
With a warrant, ASIO can intercept a phone call from one terrorist to another.
So if ASIO is able to get a warrant, I believe we should be able to intercept an encrypted message sent by one terrorist to another.
Given the robust safeguards, I believe the Act in its current form represents a balanced and proportionate response to evolving national security threats.
The provisions of the Assistance and Access legislation are proportionate to the significant, ongoing security threats faced by Australia.
Thank you and I welcome questions from the Committee.