Is Australia's telco national security law compatible with human rights?

While the Australian government claims its new national security legislation for telecommunications carriers complies with international laws governing the right to privacy, the process by which it decides this is convoluted, questionable, and a conflict of interest.

The federal government on Friday released a second exposure draft of the Telecommunications and Other Legislation Amendment Bill, which will require telcos to increase network protection and provide greater oversight to government agencies to intervene for the purpose of "protecting national security".

"The security and resilience of telecommunications infrastructure is increasingly critical to the social and economic wellbeing of the nation," Attorney-General George Brandis and Minister for Communications Mitch Fifield said in a joint statement on Friday afternoon.

The government announced in June its intention to amend the Telecommunications Act with additional national security-related measures, which would force telcos to provide information about their networks and services to the Attorney-General's Department (AGD), or face injunctions, enforceable undertakings, and civil penalties such as fines.

The Bill vests an information-gathering power "to facilitate compliance monitoring and compliance investigation activity" with the secretary of the AGD; provides the attorney-general with the vaguely described power to direct a CSP "to do or not do a specified thing"; and outlines enforcement mechanisms and remedies for non-compliance.

While the latest exposure draft [PDF] has slightly narrowed the scope of the legislation, increased the threshold for the exercise of powers, made the process more transparent, and added safeguards after consulting with industry, the explanatory memorandum [PDF] recognises that the Bill engages the right to privacy, contained within Article 17 of the International Covenant on Civil and Political Rights (ICCPR).

Article 17 of the ICCPR, which was implemented by Parliament within the Privacy Act 1988, states that: "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home, or correspondence". In addition, "Everyone has the right to the protection of the law against such interference or attacks."

Specifically, this international human right to privacy is engaged by Sections 313(1A), 313(2A), and 315C in the draft telco legislation.

Sections 313(1A) and (2A) provide that carriers, service providers, and service intermediaries must do their "best" to guard their networks against unauthorised access and interference in order to guarantee the confidentiality and integrity of communications.

According to the explanatory memorandum, this requirement in and of itself will promote human rights by ensuring the protection against "unlawful interferences with privacy" from entities that the government deems a national security threat -- with the problem being, of course, that the government does not think of itself as the entity carrying out arbitrary and unlawful interferences.

The explanatory memorandum also claims that s313 will enhance privacy across communications by requiring stronger security of the data retained under the data-retention legislation that recently came into force.

"The new obligations will complement the data-retention regime by improving the security of networks as a whole, thereby providing an additional layer of protection for retained telecommunications data," it says, while skimming over the more relevant matter that a combination of data retention and telco national security laws would lead to a honey pot for would-be hackers.

Section 315C, meanwhile, provides the compliance and enforcement mechanisms for s313(1A) and s313(2A) by making it possible for information and documents from carriers, service providers, and intermediaries to be obtained if the secretary of the AGD has "reason to believe" that the information is relevant for assessing compliance with the law.

Once the attorney-general's secretary has given notice to a carrier, provider, or intermediary, the information must be handed over in the specified manner and period of time under the threat of civil penalties as described under s68 of the Telecommunications Act and pecuniary penalties under s570, with Sections 137.1 and 137.2 of the Criminal Code also threatening imprisonment for 12 months for those that provide false or misleading information or documents to the government.

Section 315E gives the attorney-general's secretary the power to inspect these documents and make and retain copies of them, and s315F states that the secretary "may take and retain for as long as is necessary" any documents procured under s315C.

Once again, the wording of these powers is vague, and places all power directly in the government's hands to exclusively deem what is "necessary".

These documents can then be shared around, with the AG secretary able to delegate any of their powers to obtain documents to the Australian Security Intelligence Organisation (ASIO) director-general of security under s315G -- "This delegation power is necessary to facilitate more efficient implementation of the regime" -- and both of these entities, under s315H, are permitted to distribute any information or documents "to another person" in order to assess risk or security.

It is only when the document contains identifying information that it must not be provided "to a person who is not a Commonwealth officer". This wide-ranging category includes those employed by the Commonwealth within Australia, those who perform the duties of any office established by a Commonwealth law, members of the Australian Defence Force, employees of the Australian Federal Police (AFP), AFP special members, and AFP special protective service officers.

The explanatory memorandum flags that these documents "may include personal information", and, as such, will limit the right to privacy. Once again, though, it is a "necessary" power, the government claims.

"It is necessary that the secretary be able to consult with officials in the department and ASIO, and other relevant government agencies such as the Department of Communications and the Arts and the Australian Signals Directorate where technical expertise or assistance is required to assess risks to security. It may also be necessary to disclose information obtained under section 315C to the attorney-general or other relevant ministers for the purpose of exercising the attorney-general's directions power," the document says.

So really, there are no limits on what government agencies can be made privy to these documents, as long as they are seeing them for the primary purpose of security, as defined under s4 of the ASIO Act -- for the protection of the people of the Commonwealth, states, and territories from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on Australia's defence system, or acts of foreign interference, as well as the protection of Australia's "territorial and border integrity from serious threats".

"The information sought under new section 315C will primarily be of a commercial nature and unlikely to interfere with the privacy of telecommunications customers in most cases," the explanatory memorandum argues.

"This information may include procurement plans, network or service design plans, tender documentation, contracts, and other documents specifying business and service delivery models and network layouts.

"Information collected of a personal nature will be minimal and purely incidental to the key objective of assessing compliance. Information about end users will be similarly incidental to the collection of commercial information under section 315C, and, in any event, section 315C is not intended to target end users."

Whether it is intended to target customers or not, the government admits that personal info will be caught in its wide national security net, with the aforementioned possibility of it then being shared around to any and all Commonwealth employees.

"To the extent that new section 315C may result in the incidental collection of personal information, it will limit the right to privacy in Article 17," the government concedes.

"However, any collection of personal information would be lawful, not be arbitrary, and be reasonable, necessary, and proportionate to achieving a legitimate objective."

It seems to be somewhat of a conflict of interest for the law-making body to be deciding whether its conduct is permitted by its own law.

And as to whether it is arbitrary, proportionate, and reasonable, the threshold is rather low in the draft legislation, requiring only the secretary of the AGD to personally have a "reason to believe" that the documents in question are relevant for national security -- and then keep those documents "for as long as he or she deems necessary".

Where is the accountability? Why is only one person involved in the entire decision-making process?

Indeed, should the secretary not feel like procuring documents that day, he or she could simply wave a careless hand and the s315 powers all pass to the ASIO director-general, who then also has the ability to share information with fellow government workers.

Does that seem reasonable and proportionate?

"The power in new section 315C is reasonable and proportionate, as it is limited to the collection of information or documents that are relevant to the duties imposed on C/CSPs under new sections 313(1A) and (2A) to do their best to prevent their networks and facilities from unauthorised access and interference," the explanatory memorandum justifies by way of circular logic.

The government argued that any personal information obtained will also be subject to the Australian Privacy Principles (APPs) -- specifically, APP 6, which governs the use of the information, and APP 11, which states that the entity must take reasonable steps to protect the information from misuse, loss, interference, and unauthorised access, disclosure, and modification. When they are done with the information, they must also de-identify it while destroying it.

Considering the track record of government bodies in protecting personal information, leaving the AGD secretary, ASIO director-general, Defence Force employees, AFP workers, Department of Communications staff, Australian Signals Directorate members, and ministers et al to store and destroy documents in a secure manner is fraught with risks.

And with seemingly innumerable people able to gain access to copies of documents, the risk of human error multiplies considerably.

A Federal Court case looking into the data breach in the Department of Immigration and Border Protection, which occurred as a result of human error, found that for the department to be assessing whether its own conduct had been wrongful was a conflict of interest -- which is exactly what is already occurring with the government's human rights risk analysis of its own telco national security legislation.

The explanatory memorandum summarises its entire assessment with a sweeping statement saying that every human right ever is, in fact, protected by the draft legislation.

"The Bill is compatible with human rights, because it will promote rights and, to the extent that the Bill may also limit rights, those limitations are reasonable, necessary, and proportionate to the objective of ensuring telecommunication networks and facilities are appropriately protected," the document hurriedly concludes.

Of course, as was the case with the data-retention laws and the ASIO Act, it is entirely probable that the telco national security legislation will be passed with minimal debate into just how far the government is willing to take its bid to rescue national security at the expense of the internationally enshrined human right to privacy.