Yesterday, the Australian parliament passed the Foreign Fighters bill, the second of Australia’s dangerous new “terror laws”: three pieces of legislation that are expected to form a broad surveillance framework that would grant the Australian government even greater authority to spy on users around the world. In addition to the Foreign Fighters bill that passed the Senate yesterday and is expected to pass the House of Representatives today, the terror laws also encompass the National Security Legislation Amendment as well as a third bill introduced today, the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, which creates a data retention mandate for telcos.
Human rights advocates have demonstrated the dangers of these overbroad new proposals. In addition to the proposed data retention mandate, the other laws that have already passed allow for limitless internet warrants and increased surveillance outside of Australia. Together, these provisions would place broad new limits on the rights to privacy, expression, and association. The new bills authorize increased surveillance globally, infringing not only the rights of Australians but also those of non-Australians living elsewhere. However, Parliamentarians have so far largely ignored these warnings, and the first two bills have passed with minimal public debate. With the third bill set for debate, Australians can condemn the seeming indifference of their representatives, demand consideration of the human rights implications of the already-passed provisions, and push for Parliament to halt consideration of the final bill until additional protections are implemented.
Part one: a case study on imprecision
The National Security Legislation Amendment, passed earlier this month, was the first of the new terror laws. It grants the Australian Security Intelligence Organization (ASIO) sweeping new authority to conduct communications surveillance. Most strikingly, it expands the statutory definition of “computer” to include an entire computer network. While the new law requires that a warrant name a particular “computer,” there is no limitation on the size of any named network. Consequently, the entire internet could qualify as a “computer” in a broad reading of this law, creating the potential for a single warrant to permit limitless surveillance.
The new law also authorizes the “addition, deletion or alteration of data” stored on the targeted computer, so long as doing so does not interfere with the lawful use of the computer by other persons, unless such interference is necessary to effectuate the warrant. The language may be interpreted to authorize law enforcement to infect systems with malware or to remove content. Combined with the expansive new definition of “computer,” the Australian government may use the law to make sweeping changes to private hardware and software, risking the integrity of computer systems and putting users at risk.
The UN Special Rapporteur on Counter-Terrorism and Human Rights, Ben Emmerson, recently released a report in which he examined Article 17 of the International Covenant on Civil and Political Rights (“ICCPR”) on the right to privacy. In the report, Special Rapporteur Emmerson called for “clarity and precision” of domestic law to provide notice of how governments plan to use surveillance authorities. The need for clarity in law is also expressed in the Legality principle of the International Principles on the Application of Human Rights to Communication Surveillance (“The Principles”), endorsed by Access and more than 400 other civil society groups. Australia’s new authority is a case study on how to draft imprecise legal language that avoids these well-accepted standards. The authority to freely add, delete, or alter data in conjunction with potentially sweeping warrants also violates the Integrity of Communications and Systems Principle. As Access recently addressed in the debate over smartphone encryption in the U.S., making systems weak for the purpose of law enforcement also makes systems weak for malicious actors, putting all users at risk.
Part two: going global
Today the Australian Senate passed the second terror law, the Foreign Fighters bill, formally the Counter-Terrorism Legislation Amendment. The law, among other things, outlaws speech that “advocat[es] terrorism” and prohibits entering a “declared area,” meaning an area deemed to be high in terrorist activity. “Advocating terrorism” is such a vague standard that some fear even “liking” certain comments on Facebook could lead to up to five years in jail.
The law also allows the ASIO to “use its powers to gather intelligence about criminal conduct overseas that is not associated with terrorism,” greatly expanding the ability of Australia to conduct global surveillance. And yet, the ICCPR binds countries to uphold the privacy rights of all people. According to Special Rapporteur Emmerson, “Asymmetrical privacy protection regimes are a clear violation of the requirements of the [ICCPR].”
Besides infringing on freedom of movement, the expansion of Australia’s overseas surveillance authorities could potentially lead to greater surveillance sharing with the other members of the Five Eyes, the secretive alliance through which Australia shares intelligence and coordinates communications surveillance with the U.S., U.K., Canada, and New Zealand. Such sharing between the Five Eyes has allowed each country to gain data on its own population that it couldn’t justify through its own surveillance laws, so a draconian new surveillance authority for Australia may well mean rights violations on an exceptionally large scale.
Part three: data retention and the price of surveillance
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill would create a two-year data retention mandate, requiring telcos to hold both subscriber and location data. Mandatory data retention promotes violations of fundamental human rights by exposing user data to potential privacy breaches and by chilling free expression. Further, metadata can be extremely sensitive, capable of revealing more information than the content of communications. Pattern-based data mining can be used to draw connections between data in order to map relationships and to discover sensitive information about users. The more data that are available, the more previously secret information can be revealed, all without the user’s knowledge or consent. Based on the many harms and costs of retention mandates, courts worldwide are finding they violate international human rights law, and companies are pushing back.
In contrast to Australia’s permissive collection law, the Supreme Court of Canada recently held that telcos may not release customers’ names, addresses, or phone numbers without a warrant. The Canadian court is not alone. In fact, there is growing consensus that data retention mandates are tacitly disproportionate. In April, the Court of Justice of the European Union struck down the EU Data Retention Directive, holding that it violates the rights to privacy and the protection of personal data and is neither necessary nor proportionate in a democratic society.
Mandatory data retention imposes financial costs as well. The government has yet to disclose whether or not telcos will bear the costs of the new data retention mandate, though according to a speech by Minister for Communication Malcolm Turnbull, the government will provide a “substantial contribution.” Major Australian ISPs have claimed that a data retention mandate could cost a single telco up to $200 million annually. However, Australian telcos like Telstra remain unworried, planning to pass on to users any surveillance cost left with the telco. In essence, users will be hit with a “surveillance tax”: effectively, the government wants to force users to pay to be spied on.
We’ve also learned from a recent transparency report by Telstra of a unique authority that the Australian police are already using to warrantlessly access user data: a pre-warrant check. According to Telstra, “agencies can undertake pre-warrant checks to make sure they are targeting their warrants accurately,” but if the data retention mandate were to take effect, then authorities would have access to huge amounts of data with no judicial oversight, potentially violating the principles of Competent Judicial Oversight and Due Process. Imagine law enforcement officers conducting a pre-warrant check to find any user’s web surfing history and location before they show a judge they have met any kind of evidentiary standard.
Where we go from here
The sweeping new powers contained in the terror laws have the potential to violate privacy and expression rights of Australians and non-Australians and to “strike at the heart of press freedom.” The terror laws create a mutually reinforcing surveillance scheme, greatly restricting the spaces in which people are free to think and to act on and offline.
They also set a dangerous precedent for the politics of fear mongering. The bills show a hazardous new political reality: in the post-Snowden era, the fear of terrorism is still strong enough that political momentum can swing dramatically toward widely overbroad surveillance laws. Even the opposition Labor party has offered support for some of these draconian measures. Yet, all is not lost. At least one opposition leader, Bill Shorten, has just today asked for reviews of the surveillance laws. He expressed concern that the new surveillance authority will lead to the jailing of journalists. Though late, the move may be the spark to ignite widespread doubt about the terror laws.
Access calls on the Australian parliament to reject the data retention bill. The government should also clarify the scope of current surveillance authorities, identifying the limits of a “computer” and how broad foreign surveillance will be under the Foreign Fighters bill. Without action, Australia is setting a dangerous example by passing sweeping surveillance laws with little concern for user rights.