The public hearing of the Independent National Security Legislation Monitor (INSLM) on the TOLA Act inslm.gov.au/current-review… is about to start over here eavs.com.au/inslmhearing/

Program at inslm.gov.au/sites/default/… (PDF)
It has begun, with INSLM Dr James Renwick CSC SC giving his opening remarks.
Renwick is rejecting the binary opposites that dominate the TOLA debate, and quotes the Washington-based Encryption Working Group comments I cited here: zdnet.com/article/honest… This is shaping up to be an interesting hearing.
Renwick has seen the ASIO use of TOLA as well as law enforcement, described here zdnet.com/article/afp-an…. Has reviewed all uses, and says he’s seen nothing that even remotely suggests mass surveillance.
Note that INSLM is pronounced much like “insulin”.
Renwick is clearly going to go to the guts of the definitions of “systemic weakness” and the like, and why TOLA actions should require the same authorisations as any other intercepts. My feeling is that he’s going to be rather forensic about all this.
He’s now describing the independent “double-lock” system used in the UK. He’s spent time there, and says “It has been very well received”.
Renwick is now floating the idea that the AAT could be the independent body that does a double-lock on a TAN or TCN, and maybe even a TAR.
Sorry for all the acronyms and initialisms, but I’m tweeting this mainly for people familiar with the Act and for my notes. I’ll have a @zdnetaustralia story in due course.
Now up: Mike Burgess, director-general of ASIO. He says TOLA powers were used within 10 days of the Act being passed, and no systemic weaknesses or back doors were created. Says TOLA is not a significant change to ASIO’s powers.
Renwick says he’s read all of ASIO’s records in relation to TOLA work, “no matter how secret”. And now he’s asking Burgess about the “reasonable and proportionate” provisions.
Specifically, on the reasonable expectations of the Australian people for privacy and security, Renwick is asking Burgess what he thinks those interests are. Hell of an opening question.
Renwick is exploring how the public is meant to understand their own reasonable expectations of privacy when they don’t and can’t understand all the privacy implications of their phones and the “thousands of documents” of T&Cs. Will ASIO be developing guidelines...
Burgess bats it to Dept Home Affairs, because they do the policy. He talks about ASIO having “no intention” to break the internet or do other bad things.
After talking about some reporting aspects, Renwick is now asking whether ASIO will now go to TOLA first or to s313 Telco powers. Burgess says they use both Acts.
Burgess says he’d have no problem with telcos etc saying they have received no TOLA requests, or that they have received one and will be fighting it. He says he understands their need to serve their customers.
Discussion over whether section 34AAA of the ASIO Act would authorise detention to access a device. Burgess says Home Affairs says no, it doesn’t, and he agrees. (We’re all familiar with s34AAA, right?)
This is so much better than a Senate hearing because it’s not daft politicians trying to score points but a forensic examination of the evidence.
Next up, the NSW anti-corruption bodies, ICAC NSW and LECC NSW.
HAHAHAHA. ICAC is declared to be an interception agency under TOLA but not under Telco Act. Since they need a warrant under the latter before they can get access under the former, it doesn’t work. Quality work, Australian Parliament!
People keep using the term “encrypted metadata”, which is confusing me.
Exactly this. So I think it’s a slip of the tongue. Or shorthand for “the metadata of the encrypted communication”.
Because Renwick is now asking why TOLA powers are seen as essential, when metadata can reveal so much and can be accessed without a warrant.
It’s a good question, but I was interrupted at my end and didn’t hear the answer. (I will check the recording later.)
LECC NSW guy is now explaining how TOLA would have helped investigate a certain police officer posting racist abuse about a certain politician. TOLA would have allowed them to go straight to Facebook.
LECC NSW guy says the TOLA Act definition of designated communication provider (DCP) provides much more flexibility than just telcos under the Telco Act. Existing international requests are very slow.
He says a US CLOUD Act agreement would be “hugely beneficial” to investigations, because too much comms is now on social media and other over-the-top platforms.
He’s stumbling, however, over Renwick’s question on disagreements over “systemic weakness”. Says they take the DCP’s word on whether it’s not technically feasible. (My terrible live paraphrase.)
Renwick explores what we’ve referred to as “dragooning employees” under TOLA. That’s being hosed down, no, we’d approach the nominated contact person for the DCP. (But obviously a sole trader can be a DCP.)
Some down-in-the-weeds stuff now about oversight agencies of a Commonwealth act for these state agencies. All bounced out as questions on notice.
As an aside, if you haven’t read s313 of the Telecommunications Act 1997 then you haven’t lived. austlii.edu.au/cgi-bin/viewdo…
Coffee break.
Has the INSLM hearing resumed? I’m not seeing the livestream moving.
I think the stream is broken, because the little “LIVE” badge isn’t showing.
For some reason the INSLM hearing stream is now over here and showing an 1130 start time. This does not match the program. I am confused.
OK we’re back on with HRC people, but they seem to be wrapping up. We’ve obviously missed a chunk of the livestream.
Yeah I missed that. Oh well. Internet Australia reps up now.
I didn’t tweet any of that, but towards the end there was some solid clarification of the issues IA was raising. Renwick seemed to get a lot out of it. Lunch break now, back at 1305 AEDT.
My first INSLM-related story at @zdnetaustralia for today: “Watchdog ponders tougher independent oversight for Australia’s encryption laws” zdnet.com/article/watchd…
Meanwhile, we’re back from lunch, with EFA up first.
Angus Murray is as expected slamming the process. Legislation rushed, “irresponsible”. Calls for TOLA to be scrapped until Australia has a “legislated enforceable human rights framework”.
He’s outlining the breadth of the definition of designated communications provider (DCP) and the like.
Murray is explaining how TOLA can lead to mass surveillance. Renwick is probing into that, because he’d previously expressed doubt about that.
Renwick is clearly not convinced by the argument, citing sections of TOLA that are intended to impose limits.
That said, as the discussion continues, Renwick is clearly taking Murray’s comments on board. His interjections are to obtain clarifications. Murray done.
Atlassian’s people up now.
A series of motherhood statements ensue.
Zhang is now saying the lack of use of TOLA powers so far doesn’t mollify their concerns. Some of the details are secret, and it’s still early days.
Renwick is saying he agrees with Atlassian that there should be clear examples in the legislation, not just in explanatory memorandums, and he will so recommend.
Zhang says Labor’s repair act is good where it outlines specific prohibited effects. Lots of discussion now about the “circular definition” of “systemic weakness”. Renwick demonstrating that he’s got a good handle on the subtleties here imo.
Renwick understands that banning something that “may” create the risk of exposure in the future is silly. How can you say, in the computer world, that something won’t create a risk?
Oops, my pipe is getting wobbly.
Or rather, I think the uplink from the hearing room is dodgy.
While my link was dodgy, we moved on to Lucie Krahulcova from Access Now. She is citing a Bruce Schneier paper but I don’t know which one.
I’ve seen Krahulcova’s arguments before, and it’s quite a rights-based approach. Renwick gets it. If you give someone an immunity from prosecution, you’re taking away someone else’s rights.
Krahulcova argues that anyone who is surveilled should eventually be notified, told how they have been surveilled, by whom, and for how long. Renwick wants to know which country does this. Krahulcova can’t name one.
Renwick clarifies, asking if 50 people received some small surveillance so that 49 could be eliminated from enquiries, would those 49 be notified? Krahulcova says yes.
Krahulcova: “I think fundamentally TCNs are not compatible with human rights law.” Renwick counters by saying companies already do this themselves to monetise us. Is this also a breach of human rights? Krahulcova says yes.
Krahulcova says this is reflected in Access Now’s work. Private companies are doing the state’s surveillance for them, with the state empowering them to do that.
We’re down in the weeds of approval mechanisms again.
Krahulcova refers to GCHQ’s Equities Process for “decisions ... on the handling of vulnerabilities found in technology”. gchq.gov.uk/information/eq…

ASD has described theirs too. zdnet.com/article/asd-re…
Renwick acknowledges that TCNs requiring both Attorney-General and Comms Minister’s approval is NOT a UK-style double lock, because they're both members of the same Cabinet.
Next up, Martin Thomson, Distinguished Engineer with Mozilla Corporation. He begins by saying he’s an engineer, so please can they go easy on him. Audience chuckles.
That was a solid discussion of TCNs and “systemic weakness” and all that stuff. Renwick has said it was a lot of food for thought. I think his report on 30 April will be very interesting indeed.
Important background activities taking place.
And... afternoon tea time. Renwick was continuing to engage deeply with Thomson’s arguments. He seems far more impressed with specific examples and the like rather than hand-waving.
There’s something annoying about the way the INSLM livestream has been set up. It switches to a different URL after each break, as YouTube ends each recording, but then this isn’t being reflected in the website(s). Somewhat grrr.
Still no livestream. Giving up.
I should wrap this neatly. That’s all for me from the INSLM hearing for now. I may look at the video of the final session later. But there’s more tomorrow from 0845 AEDT.