Comprehensive revision of the Telecommunications (Interception and Access) Act 1979 Submission 32

Submission to Senate Legal and Constitutional Affairs Standing Committee Inquiry on Comprehensive Revision of Telecommunications (Interception and Access) Act 1979
This submission is based entirely upon publicly available sources. The list of appendices at the back does not appear in order of mention. Appendices are accessible via control/click from the text. Some surveillance programs are not named but shown as eg. A-redact

Contents

Introduction .... 4
Programs .... 8
Operating bases in Australia .... 8
National legislation on surveillance .... 8
UKUSA and people .... 9
Monitoring agencies in Australia which have an impact on human rights and privacy .... 11
Queries to our watchdogs .... 11
Emanation security .... 11
Legislative protections for citizens .... 11
Ability to interfere with key financial indicators .... 13
Questionable targets .... 13
Recommendations on the issue from overseas sources .... 13
Recommendations .... 14
Further appendices .... 15
Conclusion .... 17
List of appendices .... 18
Appendix 1 Telecommunications Interception Act protections of privacy .... 18
Appendix 2 ASIO Protections of Privacy .... 18
Appendix 3 Privacy protections re ASIS, ASD and DIGO .... 29
Appendix 4 Correspondence with Telstra on privacy .... 36
Appendix 5 Correspondence with IGIS on the Snowden information about bulk surveillance .... 39
Appendix 6 Correspondence with OAIC (Privacy Commissioner) on bulk surveillance .... 40
Appendix 7 The Philip Flood report on intelligence collection pre the Iraq war .... 46
Appendix 8 Ian Carnell, IGIS 2005 Report on the Parkin matter .... 49
Appendix 9 UN votes on privacy .... 50
Appendix 10 Edward Snowden alternative Christmas message, Channel 4, 25 December 2013 .... 50
Appendix 11 Legislation, governance and accountability of ASD .... 51
Appendix 12 Fred Kaplan, US Council on Foreign Relations .... 53
Appendix 13 Nicky Hager, NZ author on the Echelon electronic eavesdropping system, address to the European Parliament in 2001 .... 53
Appendix 14 An interesting Wikipedia summary of the warrantless surveillance controversy .... 53
Appendix 15 ASIO and ASIS Mission and Values .... 54
Appendix 16 EU Parliament Report .... 55
Appendix 17 NSA Tailored Access Operations (TAO) .... 55
Appendix 18 Response of IGIS to Inquiry about the Snowden Disclosures .... 56
Appendix 19 Previous IGIS attitudes .... 57
Appendix 20 BBC 1999 on Echelon .... 59
Appendix 21 From NZ SIS website .... 59
Appendix 22 Report to the President of the US - Liberty and Security in a Changing World .... 59
Appendix 23 - Telecoms privacy provisions .... 60
  Telstra .... 60
  Optus .... 60
  Vodafone .... 61
  Virgin .... 62
  iinet .... 65
Appendix 24 ITU Agreement .... 65
Appendix 25 Security agency codes and values - ASIS .... 71
Appendix 26 A reported earlier Echelon dictionary of signal words which would trigger collection of a communication .... 71
Appendix 27 OECD privacy principles .... 74
Appendix 28 Re telecoms cooperation with security authorities .... 78
Appendix 29 Privacy International Calls on OECD to Investigate Telecoms Relationships with GCHQ .... 78
Appendix 30 Privacy principles and encryption from a barrister .... 78
Appendix 31 Statewatch briefing, mandatory data retention in the EU .... 78
Appendix 32 Echelon timeline .... 78
Appendix 33 From the ACLU re the "safeguard" Clipper Chip held in escrow .... 78
Appendix 34 Bipartisan, bicameral USA FREEDOM Act .... 78
Appendix 35 Communications Assistance for Law Enforcement Act (CALEA) 1994 .... 78
Appendix 36 Australian Communications Department critical infrastructure resilience .... 79
Appendix 37 Useful summary as of 2000 of interception capabilities .... 79
Appendix 38 10 NSA myths debunked from tom.dispatch .... 79
Appendix 39 Report January 2014 from the US Privacy and Civil Liberties Oversight Board .... 80
Appendix 40 Geoffrey Robertson QC on legality .... 80
Appendix 41 Unilateral spying on Australia considered by NSA .... 80
Appendix 42 New Zealand events pertinent to Australia .... 80
Appendix 43 2012 Report of the UK Intelligence Services Commissioner .... 82
Appendix 44 Bridging the Gap .... 82
Appendix 45 IIRAC 2008 .... 82
Appendix 46 Tapping into smartphone apps .... 82
Appendix 47 Glenn Greenwald's response to President Obama's response .... 82
Appendix 48 Debating bulk data collection in the UK .... 83
Appendix 49 Transparency lawsuit launched by the American Civil Liberties Union .... 83
Appendix 50 President Obama's response to review committee .... 83
Appendix 51 US NSA - would it target Five Eyes partners .... 83
Appendix 52 Has bulk data collection worked? .... 83
Appendix 53 Legal opinion on some GCHQ surveillance .... 83
Appendix 54 US DHS Privacy and civil liberties memorandum .... 83


Introduction

I quote from the RSL building in Perth: "They only deserve freedom who are prepared to defend it."

As there will be plentiful input from elsewhere on the security and law enforcement aspect of the relevant Australian laws on electronic interception, this submission will focus on the civil liberties and privacy aspect. It is also worth noting that, unlike in the US, sensible public discussion about the broad parameters of surveillance versus individual liberties in Australia and the UK has been very difficult due to an unwillingness by both governments to engage with the public. In the US, accountability of the security services to the elected Congress has been compromised by Congress being given false information about bulk surveillance.

Thomas, Hartree and Aiken are among those quoted as saying the world would only ever need a few computers. This failed to foresee the development of the PC and mobile devices. With Berners-Lee's coupling of the computer with the internet, the stage was set for mass data collection and surveillance, or God-like omniscience, centred on Fort Meade and soon Bluffdale, Utah, ironically the US state associated with latter day saints. A closely linked facility, GCHQ, sits in Cheltenham in the UK. And there is a new black building in Canberra with similar associations.

The US NSA reportedly has access to a large number of sigint stations round the world with up to 50,000 "insertion" points. That is twice the total number of plutonium "pits" (nuclear bomb triggers) the US currently has, as part of another key US form of security, now controlled by the NNSA, the National Nuclear Security Administration.

Sixty-seven years to the day after D-Day, it was revealed that the total surveillance state had come to pass. On June 6, 2013, Edward Snowden, an NSA contractor's employee, blew the whistle on what appears to be widespread extralegal and extrajudicial surveillance of people anywhere in the world. Snowden may well have been responding to reports that the US President was about to meet his Chinese counterpart in California to lecture him on state sponsored cyber hacking. Some information about an operations HQ in Shanghai for hacking by China had been given in an ABC program earlier in the year. As an aside, the US and China apparently used to have a joint station to spy on Russia in Henan province associated with the PLA University of Foreign Languages.

Edward Snowden's actions had been preceded by a film based around pre optic fibre surveillance. Echelon Conspiracy, inspired by the surveillance system ECHELON, is a 2009 action thriller film directed by Greg Marcks. It tells the story of Max Peterson (Shane West), an American computer specialist who attempts to uncover a secret plot to turn the world into a global police state. After being chased down by NSA agent Raymond Burke (Martin Sheen), Peterson decides to flee to Moscow. See https://en.wikipedia.org/wiki/ECHELON

The primary issue is whether governments, including our own, have the right to collect and analyse information on every individual and organisation, even though that person or organisation is acting lawfully in the way they live their lives or conduct their business affairs, and there is no suspicion of anything to the contrary. The UN Declaration of Human Rights (1948) supports that view, as does Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Such privacy concerns are reflected in the protections of privacy supposedly provided by the acts of Parliament reflected in Appendix 1, Appendix 2, and Appendix 3. Article 19 of the ICCPR re freedom of expression is of little value if people are spied on simply for having values, views or opinions which are expressed peacefully and would be implemented in a way designed to ensure a peaceful change in public policy. People going about lawful activities online or on the phone, even eg. a Skype conversation with a family member or friend, should not have that digital data collected and stored.

UN views on the matter have recently been reiterated (see Appendix 9) (it is noted that offices of some ambassadors to the UN have reportedly been tapped by the US). The Carnell IGIS Report on a Mr Parkin some years ago (Appendix 8) was straight out of Kafka in denying Mr Parkin any basis on which to challenge a security assessment, something some refugees in Australia face right now.

Barack Obama had said in 2007 on surveillance: "I will provide our intelligence and law enforcement agencies with the tools they need to track and take out the terrorists without undermining our Constitution and our freedom. That means no more illegal wiretapping of American citizens. No more national security letters to spy on citizens who are not suspected of a crime. No more tracking citizens who do nothing more than protest a misguided war. No more ignoring the law when it is inconvenient. That is not who we are. And it is not what is necessary to defeat the terrorists. The FISA court works. The separation of powers works. Our Constitution works. We will again set an example for the world that the law is not subject to the whims of stubborn rulers, and that justice is not arbitrary."

Further, in 2005 Obama said: "...And if someone wants to know why their own government has decided to go on a fishing expedition through every personal record or private document - through library books they've read and phone calls they've made - this legislation gives people no rights to appeal the need for such a search in a court of law. No judge will hear their plea, no jury will hear their case. This is just plain wrong. Giving law enforcement the tools they need to investigate suspicious activity is one thing - and it's the right thing - but doing it without any real oversight seriously jeopardizes the rights of all Americans and the ideals America stands for." Barack Obama, Speech on the Senate Floor, December 15. His actions as President have yet to fully reflect these views.

Australia is part of the Five Eyes (UKUSA) agreement with Canada, New Zealand, the UK, and the US for Anglosphere spying on themselves and on the rest of the world. This followed the 1943 BRUSA Agreement. A book called Rooted in Secrecy by Coxsedge et al outlined some of the abuses of surveillance in Australia up until they were examined by the first Hope Royal Commission in 1974-7. The Samuels and Codd Royal Commission 1994-5 looked at whether ASIS held tens of thousands of files on Australian citizens. This was denied by the Commissioners, but the Minister did acknowledge ASIS held files.

It is not possible to consider changes to the Telecommunications Interception Act in isolation; we must consider other key Acts and the Ministerial obligations and
discretions which exist under those Acts (Appendix 2, Appendix 3). We must also consider the sanctions, or lack of them, for key parties who breach the Acts. For instance, the Australian Information Commissioner apparently has no power to impose penalties for breaches of privacy.

The following comes from rense, Echelon & Related Data Interception Capabilities 2000. See http://rense.com/general/data.htm

"4. A second area of apparent conflict concerns states' desires to provide communications interception for legitimate law enforcement purposes. The technical and legal processes involved in providing interception for law enforcement purpose differ fundamentally from those used in communications intelligence. Partly because of the lack of parliamentary and public awareness of Comint activities, this distinction is often glossed over, particularly by states that invest heavily in Comint. Any failure to distinguish between legitimate law enforcement interception requirements and interception for clandestine intelligence purposes raises grave issues for civil liberties. A clear boundary between law enforcement and "national security" interception activity is essential to the protection of human rights and fundamental freedoms."

Personally, I understood how easy it was for satellite communications and even copper wire communications to be tapped, as they probably have been for years from places like Pine Gap and Nurrungar, as well as an ASD station in WA's midwest (see report in the Weekend West, http://au.news.yahoo.com/thewest/a/19383004/spy-basein-our-backyard/ ). But I wondered about fibre optic cable. Now I realise that governments and their security services have reportedly insisted on communications companies compromising their ethical relationship with their customers by actively splitting the signal stream using beam splitters (eg. the Telstra/Reach STATEROOM operation with the NSA - see Appendix 4), and maybe even capturing particular signals such as financial, economic and stock indices and interfering with them before on-sending. A-redact, B-redact, C-redact, D-redact and E-redact, as detailed in Der Spiegel on 29th December 2013, would allow this.

Among the EU Parliament LIBE Committee's findings in its draft report of 8th January 2014 (see Appendix 16) were: "[Information] Points specifically to US NSA intelligence programmes allowing for the mass surveillance of EU citizens through direct access to the central servers of leading US internet companies (PRISM programme), the analysis of content and metadata (Xkeyscore programme), the circumvention of online encryption (F-redact), access to computer and telephone networks and access to location data, as well as to systems of the UK intelligence agency GCHQ such as its upstream surveillance activity (Tempora programme) and decryption programme (G-redact); believes that the existence of programmes of a similar nature, even if on a more limited scale, is likely in other EU countries such as France (DGSE), Germany (BND) and Sweden (FRA)."

In 2008 James Bamford in his book The Shadow Factory discussed the splitter which siphons off information from an optic fibre cable. Nicky Hager had also written of it in his book (see Appendix 13) about New Zealand.

It is now clear that deliberately building vulnerabilities into digital telecommunications facilities at the design stage to allow legitimate law enforcement access was agreed upon through the ILET Seminar at the International Telecommunication Union in the 1990s, and one key meeting in 1995 was held in Canberra. The standard was IUR 1.0 or Enfopol 98 (see Appendix 24), adopted by Australia and other countries including China. So recent allegations of deals in the US by the government to deliberately weaken encryption in eg. security dongles do have a history.

Julie Bishop, who is responsible for ASIS, and George Brandis, who is responsible for ASIO, won't even discuss the policy issues attaching to this debate. Normally lack of discussion of security is limited to operational issues. If there can be no public debate about security policy versus human rights and privacy, then the matter has moved out of democratic control, and so out of answerability to the electorate. Julie Bishop's commentary on a visit to the US in late January 2014 was to the effect that Edward Snowden, who had called the US Government to account for flouting the US Constitution, was a traitor, but apparently not those who had flouted the Constitution.

Under the Five Eyes policy, it is possible that it is unclear to whom the Australian, NZ, Canadian and UK security agencies actually answer. Forty years ago this year, when ASIS reportedly assisted in the overthrow of a democratically elected government in Chile, followed by the death of President Salvador Allende, and then the Pinochet regime under which people were "disappeared", was ASIS acting with the knowledge or approval of the Whitlam Labor government? Or was ASIS acting on its own based on a link with a foreign government? If so, has that changed in those forty years? A few years ago ASIS apparently lost six agents in Egypt, yet it is not clear what threat Egypt posed to Australia that required the Australian public to pay for ASIS operations in Egypt.

Does our federal government support unrestricted offtake under PRISM by the US NSA of the communications of Australians, and further, referral of that material to Australian agencies? Australians are entitled to know what the policy is. And the policy can't be made by Nick Warner of ASIS, or David Irvine of ASIO, or Dr Paul Taloni in charge of ASD, but by the elected government. There are also suggestions that Australia offered to capture information for other Five Eyes partners which they might not legally have been allowed to capture themselves. See Appendix 42.

The issue of ultimate loyalty to the democratic government of the day came up many years ago when Harold Salisbury was police commissioner in South Australia under Premier Don Dunstan and considered his ultimate duty was to someone other than the elected Premier in regard to the activities of the police special branch.

Very little of the US discussion on the current issues has seemed to be about protections built into surveillance of non-US citizens, although see the December 2013 report to the President, Appendix 22. It would be quite easy to circumvent laws in one UKUSA country protecting the privacy of its citizens by having another UKUSA country collect the intelligence and share it, as ASD apparently offered to do in 2008 (see Appendix 41) at a meeting in GCHQ Cheltenham. This possibility has also been recognised in the draft EU Parliament report (Appendix 16).


Programs

Some of the espionage programs are listed here. This does not include the targeted access operations (TAO) programs; see Appendix 17.

Earlier:
- Echelon
- Advanced Rhyolite

Current:
- Stellar Wind
- PRISM
- Tempora
- Boundless Informant (says it all really about bulk surveillance), using eg. PRISM and Tempora
- Stateroom

Operating bases in Australia

The surveillance bases in Australia include:
- Kojarena, WA, a "Dictionary" base - see Appendix 26 re a previous keyword list
- Wagga, NSW
- Pine Gap and Nurrungar, NT

Many of us are familiar with the fate of the Whitlam Labor government in 1975, which had tried to exercise appropriate sovereign participation in control over the central Australian bases.

National legislation on surveillance

The Telecommunications (Interception and Access) Act 1979 must be considered in the context of a number of other acts including the Australian Security Intelligence Organisation Act 1979, the Intelligence Services Act 2001, the Office of National Assessments Act 1977, the Privacy Act 1988, and the Australian Human Rights Commission Act 1986. Bulk surveillance, warrantless surveillance, targeted access operations, metadata and digital data collection and storage, implanted chips, emanation detection, deliberately insecure encryption, optical beam splitting, nation to nation secret data swaps, website capture and replacement, alterations of data streams, and the respective rights of citizens, residents and aliens need to be set against this legislative background.

The Australian Security Intelligence Organisation Act 1979 provides the legislative basis for the work of ASIO. The Intelligence Services Act 2001 ('the Act') provides the legislative basis for the work of ASIS (primarily humint), DIGO and ASD (primarily comint).


The Telecommunications (Interception and Access) Act 1979 provides for general control of the activities of a number of Australian agencies. The Office of National Assessments Act 1977 provides for high level security and intelligence integration and assessment.

The Government describes the overarching relationships as follows:

"The Inspector-General of Intelligence and Security provides the independent assurance that AIC agencies conduct their activities within the law, behave with propriety and comply with ministerial guidelines and directives. The National Security Committee of Cabinet (NSC) is the peak ministerial decision making body on national security matters, and the Secretaries Committee on National Security the peak officials level committee considering national security matters. The National Intelligence Coordination Committee, chaired by the National Security Adviser, ensures the broad national intelligence effort is fully and effectively integrated. Parliamentary oversight of the administration and expenditure of the Australian Intelligence Community is the responsibility of the Parliamentary Joint Committee on Intelligence and Security."

Ministers are also required to issue directions and guidelines to most of the security agencies. ONA is an exception it seems, but has been given them anyway.

As to the requirements set out in Appendix 2, here are the Minister's Guidelines for ASIO:
http://www.asio.gov.au/img/files/AttorneyGeneralsGuidelines.pdf

As to the requirements set out in Appendix 3, here are the Minister's Rules and Guidelines:
http://www.asis.gov.au/Privacy-rules.html
http://www.asd.gov.au/publications/dsdbroadcast/20121002-privacy-rules.htm
http://www.defence.gov.au/digo/library/digo-privacy-rules.pdf
http://www.ona.gov.au/media/10288/privacy-guidelines.pdf

UKUSA and people

New Zealand is a member of the UKUSA Agreement along with the four following agencies:
- Communications Security Establishment Canada (CSEC)
- Australian Signals Directorate (ASD), Australia
- Government Communications Headquarters (GCHQ), United Kingdom
- National Security Agency (NSA), United States

Here are some current key figures who play a part in the Five Eyes arrangement and associated security, human rights and privacy issues. They have in practice considerable discretions which, from an accountability perspective, are hard to publicly check. There is a somewhat wider grouping who meet in an IIRAC seminar every couple of years (Appendix 45).

Australia
- Dr Margot McCarthy, Australian National Security Adviser
- David Irvine, ASIO
- Nick Warner, ASIS
- Dr Paul Taloni, ASD
- Tony Negus, AFP
- Committee on Intelligence and Security
- National Security Committee of Cabinet (see also Monitoring Agencies below)

Canada
- Michel Coulombe, Canadian SIS
- John Forster, Chief, Canadian CSEC

NZ
- Warren Tucker, Director NZ SIS (plus monitors)
- Ian Fletcher, Director NZ GCSB

UK
- Sir Malcolm Rifkind, Chairman, UK Intelligence and Security Committee (ISC)
- Sir Iain Lobban, Director, UK GCHQ (retg)
- Andrew Parker, Director General, UK Security Service (MI5)
- Sir John Sawers, Chief, UK Secret Intelligence Service
- Sir Mark Waller, Intelligence Services Commissioner
- Sir Anthony May, Interception of Communications Commissioner
- Theresa May, Home Secretary
- William Hague, Foreign Secretary

US
- Susan Rice, National Security Adviser
- James Clapper, Director National Intelligence
- Vice-Adm. Mike Rogers, Director NSA, Head US CyberCommand
- James B. Comey, Director FBI
- John O. Brennan, Director CIA
- Reggie Walton, head judge, Foreign Intelligence Surveillance Court (FISC)

Monitoring agencies in Australia which have an impact on human rights and privacy

In Australia controls on surveillance and surveillance practices include:
- Dr Vivienne Thom, Inspector General of Intelligence and Security (IGIS)
- Stephen Sedgwick, Public Service Commissioner (APSC)
- Tim Pilgrim, Australian Privacy Commissioner (APC)
- Prof. John McMillan, Australian Information Commissioner (AIC)
- Colin Neave, Ombudsman
- Prof. Gillian Triggs (retg.), head AHRC
- Bret Walker SC, Independent National Security Legislation Monitor (INSLM)
- Parliamentary Joint Committee on Intelligence and Security (PJCIS)
- The Attorney General, Minister for Foreign Affairs and Defence Minister

Queries to our watchdogs

I asked the IGIS Dr Vivienne Thom and the Information Commissioner Tim Pilgrim about their investigations of the issue of bulk warrantless surveillance of Australians. The replies are shown in Appendix 5, Appendix 6 and Appendix 18. Such surveillance is illegal under the three enabling Acts, the IS Act, the ASIO Act and the T (I and A) Act, except in certain defined circumstances involving full ministerial oversight. There are also restrictions on the collection and analysis of communications of non-Australians, particularly if it can affect an Australian.

Appendix 7 is included because it looks at intelligence agency accountability and oversight, as it was seen by Philip Flood in investigating how Australia ended up attacking Iraq in 2003. Appendix 4 shows the correspondence with Telstra about its response to the report that Telstra/Reach allows bulk surveillance access to its overseas cables.

Emanation security

The ASD assists government and private agencies in preventing loss of data due to radiation emanations from their facilities by issuing a list of approved consultants. See http://www.asd.gov.au/infosec/emsec.htm This on the other hand could make it harder to employ equipment such as that for L-redact to pick up these emanations.

Legislative protections for citizens

These are set out in national law as well as ultranational legislation, such as the ICCPR, which is used as a basis for AHRC decision making.

National law
- The Telecommunications (Interception) Act 1979 (see Appendix 1)


- SS. 8A, 25A to 26C of the Australian Security Intelligence Organisation Act 1979 (see Appendix 2).
- SS. 6, 8-14 and 35 of the Intelligence Services Act 2001 (see Appendix 3).

Ultranational legislation - ICCPR Articles 17 and 19

Article 17
1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.

UNHRC General comment 16 on Article 17 (1988): http://www.refworld.org/docid/453883f922.html

Article 19
1. Everyone shall have the right to hold opinions without interference.
2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.
3. The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:
(a) For respect of the rights or reputations of others;
(b) For the protection of national security or of public order (ordre public), or of public health or morals.

General Comment 34 by UN HRC on Article 19: http://www2.ohchr.org/english/bodies/hrc/docs/CCPR-C-GC-34.doc

Here is the view from the UNHCR on terrorism and human rights: http://www2.ohchr.org/english/bodies/hrcouncil/docs/13session/A-HRC-13-37.pdf


Ability to interfere with key financial indicators

Part of the stated reason for access to private data is to safeguard the economic security of the spying country. If this data can be altered en route, as it could be in the case of key bank indices such as Libor or Euribor (which have already been the subject of recent fraud), because that was deemed to be in the major banks' and hence the nation's interest, what is to stop it happening? Note that the EU Parliament LIBE Committee (Appendix 16), in its visit to the US, was unsatisfied with US Treasury answers on access to the SWIFT international money transfer system by US surveillance agencies.

Questionable targets

Some of the questionable targets allegedly subject to electronic espionage, as revealed in the last six months of 2013, include:
Medecins du Monde, an aid organisation
UNICEF
Angela Merkel, Chancellor of Germany
Herawati Kristiani, wife of SBY, the Indonesian President
The Timor Leste Cabinet
The Copenhagen climate change conference (raising the possibility of important agreements being set aside because they were obtained by unfair advantage)
UN HQ
IAEA, Vienna
OPEC

Those in the list above who were spied upon do not appear to be threats to the world, although OPEC has in the past had a sudden economic impact.

Recommendations on the issue from overseas sources

Here are four, one from the US (1), one from the UK (2), several (EU, OECD, NZ, US) (3) and two from Canada (4).

1. US President's Committee, late 2013, Recommendation 14, see Appendix 22. We recommend that, in the absence of a specific and compelling showing, the US Government should follow the model of the Department of Homeland Security, and apply the Privacy Act of 1974 in the same way to both US persons and non-US persons. See Appendix 54.

2. Sir Mark Waller, 2012 UK ISC Report: "Based on my scrutiny of GCHQ warrants and authorisations, it is my belief that the activity that GCHQ undertakes is carried out under appropriate authorisation and is necessary for GCHQ’s statutory purposes. In addition, I have sought, and received, assurances that considerations of the proportionality of any operations includes an assessment of whether the expected intelligence gained justifies the level of intrusion into privacy. During my December visit I agreed with GCHQ how this privacy element of proportionality could be more clearly set out in the formal submissions for warrants and authorisations."

I note that GCHQ has recently been accused of participation in murder by playing a part in defining targets for US drones. In the court case the judge ruled against finding GCHQ culpable on the grounds that this would criticise the actions of a foreign state, in this case the US. I also note that in late January 2014 Jemima Stratford QC, a lawyer retained to give an opinion, said that some of the GCHQ activity is probably illegal (Appendix 53).

3. See Appendix 16, particularly pp. 40-41; Appendix 27, viz. the Privacy Principles; Appendix 39, Pts. 7, 8, 9; Appendix 42, see changes to the TICS Bill; Appendix 43, esp. Openness p. 3 and on p. 11 "During my December visit I agreed with GCHQ how this privacy element of proportionality could be more clearly set out in the formal submissions for warrants and authorisations"; Appendix 44, pp. 17, 19, 20, 21, 23, 26, 35, 36.

Recommendations

1. That the INSLM review the three Australian acts cited in the light of what is now known and develop new legislative proposals, taking into account Australian privacy and civil liberties legislation and, since the UKUSA partner the UK is part of the EU, EU legislation in that category.
2. That, as the ICCPR has worldwide coverage, there be no distinction in the legislation in regard to the rights of Australians and non-Australians.
3. That legislation require Australian security authorities not to act in a way which allows cognate agencies to bypass the privacy and civil liberties guarantees of their own countries.
4. That legislation require our agencies not to cooperate in commercial espionage unless it involves suspected fraud, money laundering or other criminal activities.
5. Give the PJCIS the power to undertake own-motion investigations.
6. Act on the Information Commissioner's recently expressed views on extending FOI coverage.
7. Review whether the new Perth-Singapore cable contract mandates installation of beam splitters and, if so, whether access to data carried on overseas optic fibre cables in general should be controlled via CALEA-type provisions. This would hold any necessary cryptography access methodology in escrow, subject to stringent access provisions. See Appendix 33 and Appendix 35.


Further appendices

Some more appendices are noted below, which in my view provide a useful context in which to consider the correct balance between surveillance and privacy in Australia. They might be considered as the type of thing the Senate committee would produce as part of a discussion paper on the issue. Those not shown here have been mentioned earlier, but some earlier items are retained to include description or comment.

Appendix 8 looks at the inquiry by the IGIS, Ian Carnell, in 2005 into an adverse security report on a Mr Parkin, which could not, a la Kafka in his book The Trial, be accessed by Mr Parkin, a situation quite a number of refugees face here today. The issue here is that Mr Carnell stated that national security (as perceived by the national security bodies) must prevail over the legal principle of natural justice.

Appendix 10 refers to a Christmas 2013 message given by US whistleblower Edward Snowden and broadcast on Channel 4.

Appendix 11 gives information on ASD's enabling legislation, accountability and governance.

In Appendix 12 Fred Kaplan of the US Council on Foreign Relations gives details of the answers US Director of National Intelligence James Clapper gave to the US Congress on 12 March 2013 about bulk data collection by the US NSA, with whom Australia has an agreement.

Appendix 14 gives the link to a Wikipedia summary of the warrantless surveillance controversy.

Appendix 15 gives ASIO's mission and values.

Appendix 16 refers to the draft report on bulk surveillance by the LIBE Committee to the EU Parliament on 8 January 2014, rapporteur Claude Moraes, an MEP for London. That democratic parliament is elected by 500m electors, second to India but transnational. A link to the full draft was provided to the Australian Senate Committee on 10 January 2014. This excerpt deals with attempted extraterritorial application of US law.

Appendix 17 gives some indication of some issues involved with targeted access operations (TAOs) by the Five Eyes agencies.

Appendix 19 covers a 2008 view of the IGIS on whistleblowing given to the House of Representatives Standing Committee on Legal and Constitutional Affairs.

Appendix 20 provides information from a BBC report on bulk data collection through project Echelon in places like Menwith Hill, Pine Gap and Waihopai. Echelon is now possibly superseded by Boundless Informant using the US NSA's PRISM and UK GCHQ's Tempora and Q-redact.

Appendix 21 describes our NZ Five Eyes (UKUSA) partner in its own words. It has reportedly had to apologise for warrantless spying on 85 of its own citizens.

Appendix 22 provides a link to the report of 12 December prepared for the US President on (bulk) warrantless surveillance, to which he responded on 17 January 2014.

Appendix 23 contains the privacy policies of some Australian telecom providers, but these may be affected by participation in the STATEROOM bulk surveillance on overseas cables and by built-in vulnerabilities in encryption software designed for use only with a warrant under the International Telecommunication Union IUR 1.0.

Appendix 25 contains some comments on ASIS and privacy from the 2010-11 IGIS Report.


Appendix 26 contains some reported search terms used by the Echelon "Dictionary" interception stations to sort communications for further analysis. While many inclusions appear to be logically connected with national security, some do not, e.g. redheads, porno, sex, which seem more consistent with straightforward personal intrusion which could be used to intimidate individuals. And "veggies"??? It is doubtful that a "dictionary" base used to sort wheat from chaff would be needed for warranted targets as opposed to bulk surveillance.

Appendix 27 refers to the privacy guidelines of the OECD, of which Australia is a member.

Appendix 28 is about telecoms cooperation in surveillance and a legal challenge to that by the Electronic Frontiers Foundation.

Appendix 29 is about the OECD and the telecoms relationship with the UK GCHQ.

Appendix 30 is about privacy principles and encryption from an Australian barrister.

Appendix 31 is about mandatory data retention in the EU.

Appendix 32 gives a timeline on the development of Echelon.

Appendix 33 is from the American Civil Liberties Union about a method developed under the Clinton administration to give access to encrypted data by law enforcement authorities, using passwords held in escrow.

Appendix 34 is about the proposed bipartisan bilateral bill to strike a balance in the US on surveillance.

Appendix 35 is about the act introduced in the US in the nineties to deal with surveillance of digital telephony, the Communications Assistance for Law Enforcement Act.

Appendix 36 is about protecting critical IT infrastructure in Australia from cyberattack.

Appendix 37 is a useful summary as of 2000 of interception capabilities.

Appendix 38 is setting the record straight on some misinformation about the NSA.

Appendix 39 is about the recent report of the US Privacy and Civil Liberties Oversight Board (PCLOB).

Appendix 40 is about Geoffrey Robertson QC's views on the legality of some Australian surveillance.

Appendix 41 is about consideration of unilateral spying by the US NSA on Australia.

Appendix 42 is about offers by ASD to share data with overseas agencies and recent NZ amendments in its Telecommunications (Interception Capability and Security) Bill.

Appendix 43 is the 2012 report of the UK Intelligence Services Commissioner, and details his methods of checking on the spy agencies.

Appendix 44 is the full report of the Canadian Security Intelligence Review Committee (SIRC) for 2012-13. In the summary table at the back it says: "SIRC also recommends that CSIS develop a legal framework outlining acceptable and prohibited activities, including the corresponding levels of approval within and outside the Service." On Information Sharing, on page 17, it says: "Although ministerial direction to CSIS and associated Service policies are designed to prevent the misuse/abuse of information, both from a security and human rights perspective, it is not clear how CSIS can comply with ministerial direction stipulating that caveats must be used when sharing information with domestic and foreign recipients, when SIGINT collection and dissemination functions run contrary to this expectation."

Appendix 45 is a speech in Auckland in 2008 at the International Intelligence Review Agencies Conference about some key principles for a surveillance organisation, given by the Canadian Communications Security Establishment Commissioner, the Honourable Charles D. Gonthier.

Appendix 46 is about collecting personal data by tapping into smartphone apps.

Appendix 47 is about reporter Glenn Greenwald's response to President Obama's response to the late 2013 report of his security review committee. Greenwald has written much about the Snowden information.

Appendix 48 is about the difficulties of debating bulk data collection in the UK such as that done under Q-redact.

Appendix 49 is about withholding documents related to the bulk collection of Americans’ data from a transparency lawsuit launched by the American Civil Liberties Union.

Appendix 50 is about President Obama's response in January 2013 to the report of his review committee on bulk surveillance.

Appendix 51 is about whether the US NSA would secretly target UKUSA Five Eyes partner countries.

Appendix 52 is about whether bulk data collection has played an effective role in preventing known terrorist events.

Appendix 53 is about a current legal opinion on UK GCHQ bulk surveillance given to a UK parliamentary committee.

Appendix 54 is about the US DHS Privacy and civil liberties memorandum.

Conclusion

I will finish with a quote from Edward Snowden's Christmas message 2013: "A child born today will grow up with no conception of privacy at all. They'll never know what it means to have a private moment to themselves, an unrecorded, unanalysed thought. And that's a problem because privacy matters; privacy is what allows us to determine who we are and who we want to be."
That is unless democratically elected bodies do what they are supposed to do, which is to fully study the issue in consultation with the people who elected them, and take appropriate steps to balance any necessary surveillance for security, economic stability and prevention and detection of crime against privacy, political freedoms free of covert and overt intimidation, and freedom of expression (within publicly agreed limits). I look forward to the Inquiry formulating an effective legislative response to some of the issues raised.


Comprehensive revision of the Telecommunications (Interception and Access) Act 1979 Submission 32 - Attachment 1

List of appendices

Appendix 1 Telecommunications Interception Act protections of privacy

Telecommunications Interception and Access Act 1979
PART 2-1--PROHIBITION ON INTERCEPTION OF TELECOMMUNICATIONS
7. Telecommunications not to be intercepted

PART 2-2--WARRANTS AUTHORISING THE ORGANISATION TO INTERCEPT TELECOMMUNICATIONS
9. Issue of telecommunications service warrants by Attorney-General
9A. Issue of named person warrants by Attorney-General
9B. Provisions applying to warrants issued under section 9 or 9A
10. Issue of warrant by Director-General of Security in emergency for Organisation to intercept telecommunications
11A. Telecommunications service warrant for collection of foreign intelligence
11B. Named person warrant for collection of foreign intelligence
11C. Foreign communications warrant for collection of foreign intelligence
11D. Provisions applying to foreign intelligence warrants
12. Persons authorised to intercept communications for Organisation
13. Discontinuance of interception before expiration of warrant
14. Certain records retained by Organisation to be destroyed
15. How warrants etc. to be dealt with
16. Additional requirements for named person warrants
17. Reports to be made to Attorney-General on results of interception
18. Evidentiary certificates

Appendix 2 ASIO Protections of Privacy

ASIO Act 1979
8A Guidelines
(1) The Minister may, from time to time, by written notice given to the Director-General, give to the Director-General guidelines to be observed:
(a) in the performance by the Organisation of its functions or the exercise of its powers; or
(b) in the exercise by the Director-General of his or her powers under sections 85 and 86.
(2) The Minister shall, as soon as practicable after the commencement of this section, by notice in writing given to the Director-General, give to the Director-General guidelines to be observed in relation to the performance of that part of the Organisation’s functions that relates to politically motivated violence, and may, from time to time, vary or replace guidelines so given.
(3) Subject to subsection (4), the Minister shall cause a copy of any guidelines given under subsection (1) or (2) to be laid before each House of the Parliament within 15 sitting days of that House after the guidelines were given.
(4) Where the laying of a copy of guidelines before the Parliament in accordance with subsection (3) would result in the disclosure of information that would, in the opinion of the Minister, be contrary to the public interest by reason that it would prejudice security, the defence of the Commonwealth, the conduct of the Commonwealth’s international affairs or the privacy of individuals, the Minister may cause a copy of the guidelines to be laid before each House of the Parliament with such deletions as the Minister thinks necessary to avoid that result or decline to cause a copy to be laid before each House of the Parliament.
(5) The Minister shall, in accordance with arrangements made between the Minister and the Leader of the Opposition in the House of Representatives, make available to the Leader of the Opposition a copy of any guidelines given under subsection (1) or (2), but it is the duty of the Leader of the Opposition to treat as secret any part of those guidelines that has not been laid before a House of the Parliament.
(6) The Minister shall, as soon as practicable after guidelines under subsection (1) or (2) are given to the Director-General, give a copy of the guidelines to the Inspector-General of Intelligence and Security and, unless the Minister considers it inappropriate to do so, to the Committee on Intelligence and Security.

AUSTRALIAN SECURITY INTELLIGENCE ORGANISATION ACT 1979
SECT 17A Act not concerned with lawful dissent etc.
This Act shall not limit the right of persons to engage in lawful advocacy, protest or dissent and the exercise of that right shall not, by itself, be regarded as prejudicial to security, and the functions of the Organisation shall be construed accordingly.

SS.25A to 26C of the Australian Security Intelligence Organisation Act 1979

25A Computer access warrant
Issue of computer access warrant
(1) If the Director-General requests the Minister to do so, and the Minister is satisfied as mentioned in subsection (2), the Minister may issue a warrant in accordance with this section.
Test for issue of warrant
(2) The Minister is only to issue the warrant if he or she is satisfied that there are reasonable grounds for believing that access by the Organisation to data held in a particular computer (the target computer) will substantially assist the collection of intelligence in accordance with this Act in respect of a matter (the security matter) that is important in relation to security.
Authorisation in warrant
(3) The warrant must be signed by the Minister and must authorise the Organisation to do specified things, subject to any restrictions or conditions specified in the warrant, in relation to the target computer, which must also be specified in the warrant.
Things that may be authorised in warrant
(4) The things that may be specified are any of the following that the Minister considers appropriate in the circumstances:
(aa) entering specified premises for the purposes of doing the things mentioned in this subsection;
(a) using:
(i) a computer; or
(ii) a telecommunications facility operated or provided by the Commonwealth or a carrier; or
(iii) any other electronic equipment; or
(iv) a data storage device;
for the purpose of obtaining access to data that is relevant to the security matter and is held in the target computer at any time while the warrant is in force and, if necessary to achieve that purpose, adding, deleting or altering other data in the target computer;
(b) copying any data to which access has been obtained, that appears to be relevant to the collection of intelligence by the Organisation in accordance with this Act;
(c) any thing reasonably necessary to conceal the fact that any thing has been done under the warrant;
(d) any other thing reasonably incidental to any of the above.
Note: As a result of the warrant, an ASIO officer who, by means of a telecommunications facility, obtains access to data stored in the target computer etc. will not commit an offence under Part 10-7 of the Criminal Code or equivalent State or Territory laws (provided that the ASIO officer acts within the authority of the warrant).
Certain acts not authorised
(5) Subsection (4) does not authorise the addition, deletion or alteration of data, or the doing of any thing, that interferes with, interrupts or obstructs the lawful use of the target computer by other persons, or that causes any loss or damage to other persons lawfully using the target computer.


Authorisation of entry measures
(5A) The warrant must:
(a) authorise the use of any force that is necessary and reasonable to do the things specified in the warrant; and
(b) state whether entry is authorised to be made at any time of the day or night or during stated hours of the day or night.
Duration of warrant
(6) The warrant must specify the period during which it is to remain in force. The period must not be more than 6 months, although the Minister may revoke the warrant before the period has expired.
Issue of further warrants not prevented
(7) Subsection (6) does not prevent the issue of any further warrant.

26 Use of listening devices
(1) It is unlawful for an officer, employee or agent of the Organisation, for the purposes of the Organisation, to use a listening device for the purpose of listening to or recording words, images, sounds or signals being communicated by another person (in this subsection referred to as the communicator) unless:
(a) the communicator intends, or should reasonably expect, those words, images, sounds or signals to be communicated to the first-mentioned person or to a class or group of persons in which the first-mentioned person is included;
(b) the first-mentioned person does so with the consent of the communicator; or
(c) the first-mentioned person does so in accordance with a warrant issued under this Division;
and it is the duty of the Director-General to take all reasonable steps to ensure that this subsection is not contravened.
(2) Notwithstanding any law of a State or Territory, an officer, employee or agent of the Organisation, acting on behalf of the Organisation, does not act unlawfully by reason only of using a listening device as referred to in subsection (1) in circumstances in which paragraph (a), (b) or (c) of that subsection is applicable.
(3) Where, upon receipt by the Minister of a request by the Director-General for the issue of a warrant under this section authorizing the use of a listening device in relation to a particular person, the Minister is satisfied that:
(a) that person is engaged in, or is reasonably suspected by the Director-General of being engaged in, or of being likely to engage in, activities prejudicial to security; and
(b) the use by the Organisation of a listening device to listen to or record words, images, sounds or signals communicated by or to that person will, or is likely to, assist the Organisation in carrying out its function of obtaining intelligence relevant to security;
the Minister may, by warrant signed by the Minister, authorize the Organisation, subject to any conditions or restrictions that are specified in the warrant, to use a listening device for the purpose of listening to or recording words, images, sounds or signals communicated by or to that person and such a warrant may authorize the Organisation to enter any premises in which that person is, or is likely to be, or any other premises specified in the warrant from which words, images, sounds or signals communicated by or to that person while that person is in those first-mentioned premises can be listened to or recorded with the use of a listening device, for the purpose of installing, maintaining or using a listening device.
(4) Where, upon receipt by the Minister of a request by the Director-General for the issue of a warrant under this section authorizing the use of a listening device to listen to or record words, images, sounds or signals communicated from or to particular premises, the Minister is satisfied that:
(a) those premises are used, likely to be used or frequented by a person engaged in, or reasonably suspected by the Director-General of being engaged in or of being likely to engage in, activities prejudicial to security; and
(b) the use on behalf of the Organisation of a listening device to listen to or record words, images, sounds or signals communicated by or to persons in those premises will, or is likely to, assist the Organisation in carrying out its function of obtaining intelligence relevant to security;
the Minister may, by warrant signed by the Minister, authorize the Organisation, subject to any conditions or restrictions that are specified in the warrant, to use a listening device for the purpose of listening to or recording words, images, sounds or signals communicated by or to any person while the person is in those premises and such a warrant may authorize the Organisation to enter those premises, or any other premises specified in the warrant from which words, images, sounds or signals communicated by or to any person while the person is in those first-mentioned premises can be listened to or recorded with the use of a listening device, for the purpose of installing, maintaining or using a listening device.
(5) The warrant must:
(a) authorise the use of any force that is necessary and reasonable to do the things mentioned in subsections (3) and (4); and
(b) state whether entry is authorised to be made at any time of the day or night or during stated hours of the day or night.
(6) A warrant under this section shall specify the period for which it is to remain in force, being a period not exceeding 6 months, but may be revoked by the Minister at any time before the expiration of the period so specified.


(6A) If a listening device is installed in accordance with the warrant, the Organisation is authorised to do any of the following:
(a) enter any premises for the purpose of recovering the listening device;
(b) recover the listening device;
(c) use any force that is necessary and reasonable to do either of the above;
at the following time:
(d) at any time while the warrant is in force or within 28 days after it ceases to be in force;
(e) if the listening device is not recovered at a time mentioned in paragraph (d)—at the earliest time, after the 28 days mentioned in that paragraph, at which it is reasonably practicable to do the things concerned.
(7) Subsection (6) shall not be construed as preventing the issue of any further warrant.
(8) Nothing in this section, or in a warrant under this section, applies to or in relation to the use of a listening device for a purpose that would, for the purposes of the Telecommunications (Interception and Access) Act 1979, constitute the interception of a communication passing over a telecommunications system operated by a carrier or a carriage service provider.

26A Unlawful and lawful uses of tracking devices
Unlawful use of tracking devices
(1) Subject to subsection (2), it is unlawful for an officer, employee or agent of the Organisation to use a tracking device for the purpose of tracking a person or an object. It is the duty of the Director-General to take all reasonable steps to ensure that this subsection is not contravened.
Note: Tracking device, track and object are defined in subsection (3).
Lawful use of tracking device
(2) Despite any law of a State or Territory, an officer, employee or agent of the Organisation does not act unlawfully, by using, for the purposes of the Organisation, a tracking device for the purpose of tracking a person or an object if:
(a) the person, or the person using the object, consents to it being done; or
(b) the officer, employee or agent of the Organisation does so in accordance with a warrant issued under section 26B or 26C.
Definitions
(3) In this section:
apply includes attach to or place on or in.
object means:
(a) a vehicle, aircraft, vessel or other means of transportation; or
(b) clothing or any other thing worn; or
(c) any other thing.
track an object or person means be aware of the movement of the object or person from place to place.
tracking device means a device or substance that, when applied to an object, enables a person to track the object or a person using or wearing the object.

26B Tracking device warrants relating to persons
Issue of warrant
(1) If the Director-General requests the Minister to do so, and the Minister is satisfied as mentioned in subsection (2), the Minister may issue a warrant in accordance with this section.
Test for issue of warrant
(2) The Minister is only to issue the warrant if he or she is satisfied that:
(a) a person (the subject) is engaged in, or reasonably suspected by the Director-General of being engaged in or of being likely to engage in, activities prejudicial to security; and
(b) the use by the Organisation of a tracking device applied to any object (a target object) used or worn, or likely to be used or worn, by the subject to enable the Organisation to track the subject will, or is likely to, assist the Organisation in carrying out its function of obtaining intelligence relevant to security.
Note: Tracking device, track, object and apply are defined in subsection 26A(3).
Authorisation in warrant
(3) The warrant:
(a) must be signed by the Minister; and
(b) must authorise the Organisation, subject to any restrictions or conditions specified in the warrant, to use a tracking device applied to a target object for the purpose of tracking the subject, who must be specified in the warrant; and
(c) may authorise the Organisation to:
(i) enter any premises in which a target object is or is likely to be found, for the purpose of applying a tracking device to the target object, or using or maintaining a tracking device so applied; and
(ii) enter or alter a target object, for the purpose of applying, using or maintaining a tracking device; and
(iii) apply a tracking device to a target object; and
(iv) maintain a tracking device applied to a target object; and
(v) any other thing reasonably incidental to any of the above.


Authorisation of entry measures
(4) The warrant must:
(a) authorise the use of any force that is necessary and reasonable to do the things specified in the warrant; and
(b) state whether entry is authorised to be made at any time of the day or night or during stated hours of the day or night.
Duration of warrant
(5) The warrant must specify the period during which it is to remain in force. The period must not be more than 6 months, although the Minister may revoke the warrant before the period has expired.
Issue of further warrants not prevented
(6) Subsection (5) does not prevent the issue of any further warrant.
Tracking device may be recovered
(7) If a tracking device is applied to a target object in accordance with the warrant, the Organisation is authorised to do any of the following:
(a) enter any premises in which the target object is or is likely to be found, for the purpose of recovering the tracking device;
(b) enter or alter the target object for the purpose of recovering the tracking device;
(c) recover the tracking device;
(d) use any force that is necessary and reasonable to do any of the above;
at the following time:
(e) at any time while the warrant is in force or within 28 days after it ceases to be in force;
(f) if the tracking device is not recovered at a time mentioned in paragraph (e)—at the earliest time, after the 28 days mentioned in that paragraph, at which it is reasonably practicable to do the things concerned.
Interpretation
(8) Expressions used in this section that are also used in section 26A have the same meanings as in that section.

26C Tracking device warrants relating to objects
Issue of warrant
(1) If the Director-General requests the Minister to do so, and the Minister is satisfied as mentioned in subsection (2), the Minister may issue a warrant in accordance with this section.


Test for issue of warrant
(2) The Minister is only to issue the warrant if he or she is satisfied that:
(a) an object (the target object) is used or worn, or likely to be used or worn by a person (whether or not his or her identity is known) engaged in or reasonably suspected by the Director-General of being engaged in or of being likely to engage in, activities prejudicial to security; and
(b) the use by the Organisation of a tracking device applied to the target object to enable the Organisation to track the target object will, or is likely to, assist the Organisation in carrying out its function of obtaining intelligence relevant to security.
Note: Tracking device, track, object and apply are defined in subsection 26A(3).
Authorisation in warrant
(3) The warrant:
(a) must be signed by the Minister; and
(b) must authorise the Organisation, subject to any restrictions or conditions specified in the warrant, to use a tracking device applied to the target object for the purpose of tracking the target object which must be specified in the warrant; and
(c) may authorise the Organisation to:
(i) enter any premises specified in the warrant in which the target object is, or is likely to be, found, for the purpose of applying a tracking device to the target object, or maintaining or using a tracking device so applied; and
(ii) enter or alter the target object, for the purpose of applying, maintaining or using a tracking device; and
(iii) apply a tracking device to the target object; and
(iv) maintain a tracking device applied to the target object; and
(v) any other thing reasonably incidental to any of the above.
Authorisation of entry measures
(4) The warrant must:
(a) authorise the use of any force that is necessary and reasonable to do the things specified in the warrant; and
(b) state whether entry is authorised to be made at any time of the day or night or during stated hours of the day or night.
Duration of warrant
(5) The warrant must specify the period during which it is to remain in force. The period must not be more than 6 months, although the Minister may revoke the warrant before the period has expired.
Issue of further warrants not prevented
(6) Subsection (5) does not prevent the issue of any further warrant.


Tracking device may be recovered
(7) If a tracking device is applied to a target object in accordance with the warrant, the Organisation is authorised to do any of the following:
(a) enter any premises in which the target object is or is likely to be found, for the purpose of recovering the tracking device;
(b) enter or alter the target object for the purpose of recovering the tracking device;
(c) recover the tracking device;
(d) use any force that is necessary and reasonable to do any of the above;
at the following time:
(e) at any time while the warrant is in force or within 28 days after it ceases to be in force;
(f) if the tracking device is not recovered at a time mentioned in paragraph (e)—at the earliest time, after the 28 days mentioned in that paragraph, at which it is reasonably practicable to do the things concerned.
Interpretation
(8) Expressions used in this section that are also used in section 26A have the same meanings as in that section.
27 Inspection of postal articles
(1) It is unlawful:
(a) for a person, being an officer, employee or agent of the Organisation acting in his or her capacity as such, to seek from the Australian Postal Corporation or from an employee or agent of that Corporation; or
(b) for that Corporation or an employee or agent of that Corporation to provide to such a person;
access to a postal article that is in the course of the post or information concerning the contents or cover of any postal article except in pursuance of, or for the purposes of, a warrant under this section or section 27A, and it is the duty of the Director-General to take all reasonable steps to ensure that this subsection is not contravened.
(2) Where, upon receipt by the Minister of a request by the Director-General for the issue of a warrant under this section in relation to a person, the Minister is satisfied that:
(a) that person is engaged in or is reasonably suspected by the Director-General of being engaged in, or of being likely to engage in, activities prejudicial to security; and
(b) access by the Organisation to postal articles posted by or on behalf of, addressed to or intended to be received by, that person, while the articles are in the course of the post, will, or is likely to, assist the Organisation in carrying out its function of obtaining intelligence relevant to security;


the Minister may, by warrant under his or her hand, authorize the Organisation to do such of the following acts and things as the Minister considers appropriate in the circumstances, namely, with respect to postal articles in the course of the post that were posted by or on behalf of, or are addressed to, that person or are reasonably suspected by a person authorized to exercise the authority of the Organisation under the warrant to be intended to be received by that person, to inspect, and make copies of, or of the covers of, the articles, and to open the articles and inspect and make copies of the contents of any such article.
(3) Where, upon receipt by the Minister of a request by the Director-General for the issue of a warrant under this section in relation to an address, the Minister is satisfied that:
(a) some or all of the postal articles that are being, or are likely to be, sent by post to that address are or will be intended to be received by a person (whether of known identity or not) engaged in, or reasonably suspected by the Director-General of being engaged in, or of being likely to engage in, activities prejudicial to security; and
(b) access by the Organisation to postal articles posted to that address and intended to be received by the person referred to in paragraph (a) will, or is likely to, assist the Organisation in carrying out its function of obtaining intelligence relevant to security;
the Minister may, by warrant under his or her hand, authorize the Organisation to do such of the following acts and things as the Minister considers appropriate in the circumstances, namely, with respect to postal articles in the course of the post that are addressed to that address and appear on their face to be, or are reasonably suspected by a person authorized to exercise the authority of the Organisation under the warrant to be, intended to be received by the person referred to in paragraph (a), to inspect, and make copies of, or of the covers of, the articles and to open the articles and inspect and make copies of the contents of any such article.
(4) A warrant under this section shall specify the period for which it is to remain in force, being a period not exceeding 6 months, but may be revoked by the Minister at any time before the expiration of the period so specified.
(5) Subsection (4) shall not be construed as preventing the issue of any further warrant.
(6) Where the Director-General is informed under section 32 of the issue of a warrant under this section, the Director-General must:
(a) cause the Australian Postal Corporation to be informed of the issue of the warrant without delay; and
(b) where, under section 32, the Director-General receives the warrant—cause a certified copy of the warrant to be given to the Australian Postal Corporation as soon as practicable.
(6A) Where:


(a) the Director-General has been informed under section 32 of the issue of a warrant under this section; and
(b) the Director-General is informed under that section that the warrant has been revoked;
the Director-General must:
(c) cause the Australian Postal Corporation to be informed of the revocation without delay; and
(d) where, under section 32, the Director-General receives the instrument of revocation—cause a certified copy of the instrument of revocation to be given to the Australian Postal Corporation as soon as practicable.
(7) The Australian Postal Corporation shall give to a person acting in pursuance of a warrant under this section all reasonable assistance.
(8) Nothing in Part VIIA of the Crimes Act 1914 or the Australian Postal Corporation Act 1989 shall be taken to prohibit the doing of anything in pursuance of, or for the purposes of, a warrant under this section.
(9) Nothing in subsection (1) applies in relation to a postal article addressed to, or appearing to be intended to be received by or on behalf of, the Organisation.
(10) In this section:
address means any premises or place (including a post office box or bag service) to which postal articles may be addressed.
agent, in relation to the Australian Postal Corporation, includes any person performing services for that Corporation otherwise than under a contract of service and an employee of such a person.

Appendix 3 Privacy protections re ASIS, ASD and DIGO
Intelligence Services Act 2001
8 Ministerial directions
(1) The responsible Minister in relation to ASIS, the responsible Minister in relation to DIGO and the responsible Minister in relation to DSD, must issue a written direction under this subsection to the relevant agency head. The direction must:
(a) require the agency to obtain an authorisation under section 9 from the Minister before:
(i) undertaking an activity, or a series of activities, for the specific purpose, or for purposes which include the specific purpose, of producing intelligence on an Australian person; or
(ii) undertaking, in accordance with a direction under paragraph 6(1)(e), an activity, or a series of activities, that will, or is likely to, have a direct effect on an Australian person; and


(b) specify the circumstances in which the agency must, before undertaking other activities or classes of activities, obtain an authorisation under section 9 from the Minister.
(2) The responsible Minister may give written directions to be observed:
(a) in the performance by the relevant agency of its functions; or
(b) in the case of ASIS—in the exercise of the powers of the Director-General under section 33 or 34.
(3) Each agency head must ensure that the agency complies with any direction given by the responsible Minister under this section.
(4) Directions under paragraph (2)(b) must not relate to a specific staff member.
Note: The Inspector-General of Intelligence and Security has oversight powers in relation to Ministerial directions and authorisations given under this Act. See in particular section 32B of the Inspector-General of Intelligence and Security Act 1986 (which requires the Minister to give a copy of a direction under this section to the Inspector-General of Intelligence and Security as soon as practicable after the direction is given).
9 Ministerial authorisation
(1) Before a Minister gives an authorisation under this section, the Minister must be satisfied that:
(a) any activities which may be done in reliance on the authorisation will be necessary for the proper performance of a function of the agency concerned; and
(b) there are satisfactory arrangements in place to ensure that nothing will be done in reliance on the authorisation beyond what is necessary for the proper performance of a function of the agency; and
(c) there are satisfactory arrangements in place to ensure that the nature and consequences of acts done in reliance on the authorisation will be reasonable, having regard to the purposes for which they are carried out.
(1A) Before a Minister gives an authorisation under this section for an activity, or a series of activities, of a kind mentioned in subparagraph 8(1)(a)(i) or (ii), the Minister must also:
(a) be satisfied that the Australian person mentioned in that subparagraph is, or is likely to be, involved in one or more of the following activities:
(i) activities that present a significant risk to a person’s safety;
(ii) acting for, or on behalf of, a foreign power;
(iii) activities that are, or are likely to be, a threat to security;
(iv) activities related to the proliferation of weapons of mass destruction or the movement of goods listed from time to time in the Defence and Strategic Goods List (within the meaning of regulation 13E of the Customs (Prohibited Exports) Regulations 1958);


(v) committing a serious crime by moving money, goods or people;
(vi) committing a serious crime by using or transferring intellectual property;
(vii) committing a serious crime by transmitting data or signals by means of guided and/or unguided electromagnetic energy; and
(b) if the Australian person is, or is likely to be, involved in an activity or activities that are, or are likely to be, a threat to security (whether or not covered by another subparagraph of paragraph (a) in addition to subparagraph (a)(iii))—obtain the agreement of the Minister responsible for administering the Australian Security Intelligence Organisation Act 1979.
(1B) In subsection (1A):
security has the same meaning as in the Australian Security Intelligence Organisation Act 1979.
Note: For serious crime see section 3.
(2) The Minister may give an authorisation in relation to:
(a) an activity, or class of activities, specified in the authorisation; or
(b) acts of a staff member or agent, or a class of staff members or agents, specified (whether by name or otherwise) in the authorisation; or
(c) activities done for a particular purpose connected with the agency’s functions.
(3) An authorisation is subject to any conditions specified in it.
(4) An authorisation must be in writing and must specify how long it will have effect. The period of effect specified in an authorisation for an activity, or a series of activities, of a kind mentioned in subparagraph 8(1)(a)(i) or (ii), must not exceed 6 months.
(5) If a Minister gives an authorisation under this section in relation to an agency, the relevant agency head must ensure that a copy of the authorisation is kept by the agency and is available for inspection on request by the Inspector-General of Intelligence and Security.
9A Authorisations in an emergency
Despite subsections 8(1) to (4) and any direction given under subsection 8(1), if:
(a) an emergency situation arises in which an agency head considers it necessary or desirable to undertake an activity or a series of activities; and
(b) a direction under subsection 8(1) requires the agency to obtain an authorisation under section 9 before undertaking that activity or series of activities; and
(c) the Minister referred to in the direction is not readily available or contactable;


the Prime Minister, the Minister for Defence, the Minister for Foreign Affairs or the Attorney-General may, subject to the requirements of section 9, issue an authorisation under that section in respect of that activity or series of activities.
10 Period during which authorisation has effect etc.
(1) The Minister may, at any time before the day on which an authorisation would cease to have effect, renew it for the length of time specified in the renewal. However, the authorisation must not be renewed unless the Minister is satisfied that it is necessary, for the purpose for which the authorisation was given, for the authorisation to continue to have effect.
(1A) The renewal (or any subsequent renewal) of an authorisation for an activity, or a series of activities, of a kind mentioned in subparagraph 8(1)(a)(i) or (ii), must be for a period not exceeding 6 months.
(2) The Minister may vary or cancel an authorisation at any time.
(2A) If, before an authorisation is cancelled under subsection (2) or otherwise ceases to have effect, the relevant agency head is satisfied that the grounds on which the authorisation was issued have ceased to exist:
(a) the agency head must inform the Minister accordingly, and must take the steps necessary to ensure that activities under the authorisation are discontinued; and
(b) as soon as practicable after being so informed, the Minister must consider cancelling the authorisation under subsection (2).
(3) A renewal, variation or cancellation of an authorisation must be in writing.
10A Agency heads must report on authorised activities
(1) An agency head must give to the responsible Minister in relation to the agency a written report in respect of each activity, or series of activities, carried out by the agency in reliance on an authorisation under section 9.
(2) The report must be provided to the Minister within 3 months of the day on which the relevant authorisation ceased to have effect.
11 Limits on agencies’ functions
(1) The functions of the agencies are to be performed only in the interests of Australia’s national security, Australia’s foreign relations or Australia’s national economic well-being and only to the extent that those matters are affected by the capabilities, intentions or activities of people or organisations outside Australia.
(2) The agencies’ functions do not include:
(a) the carrying out of police functions; or
(b) any other responsibility for the enforcement of the law.
However, this does not prevent the agencies from:


(c) obtaining intelligence under paragraph 6(1)(a), 6B(a), (b), or (c) or 7(a) and communicating any such intelligence that is relevant to serious crime to the appropriate law enforcement authorities; or
(d) in the case of ASIS—providing assistance as mentioned in subsection 6(7); or
(e) in the case of DIGO—performing the functions set out in paragraph 6B(e); or
(f) in the case of DSD—performing the functions set out in paragraph 7(e).
Note: For police functions and serious crime see section 3.
(2AA) An agency may communicate incidentally obtained intelligence to appropriate Commonwealth or State authorities or to authorities of other countries approved under paragraph 13(1)(c) if the intelligence relates to the involvement, or likely involvement, by a person in one or more of the following activities:
(a) activities that present a significant risk to a person’s safety;
(b) acting for, or on behalf of, a foreign power;
(c) activities that are a threat to security;
(d) activities related to the proliferation of weapons of mass destruction or the movement of goods listed from time to time in the Defence and Strategic Goods List (within the meaning of regulation 13E of the Customs (Prohibited Exports) Regulations 1958);
(e) committing a serious crime.
(2A) The agencies’ functions do not include undertaking any activity for the purpose of furthering the interests of an Australian political party or other Australian political organisation.
(3) Subsection (1) does not apply to the functions described in paragraphs 6B(b), (c), (d) and (e) and 7(c), (d) and (e).
12 Limits on agencies’ activities
An agency must not undertake any activity unless the activity is:
(a) necessary for the proper performance of its functions; or
(b) authorised or required by or under another Act.
12A Special responsibilities of Directors and Director-General
The Director of DIGO, the Director of DSD and the Director-General must take all reasonable steps to ensure that:
(a) his or her agency is kept free from any influences or considerations not relevant to the undertaking of activities as mentioned in paragraph 12(a) or (b); and
(b) nothing is done that might lend colour to any suggestion that his or her agency is concerned to further or protect the interests of any particular section of the community, or with undertaking any activities other than those mentioned in paragraph 12(a) or (b).


13 Co-operation with other authorities
(1) Subject to any arrangements made or directions given by the responsible Minister, an agency may cooperate with:
(a) Commonwealth authorities; and
(b) State authorities; and
(c) authorities of other countries approved by the Minister as being capable of assisting the agency in the performance of its functions;
so far as is necessary for the agency to perform its functions, or so far as facilitates the performance by the agency of its functions.
Note: For Commonwealth authority and State authority see section 3.
(1A) However, an approval under paragraph (1)(c) does not enable ASIS to cooperate with an authority of another country in planning or undertaking activities covered by paragraphs 6(4)(a) to (c) unless, before giving the approval, the Minister consults with the Prime Minister and the Attorney-General.
(2) An approval under paragraph (1)(c) must be in writing.
(3) Each agency head must ensure that a copy of any approval given by the relevant responsible Minister is kept by the agency and is available on request by the Inspector-General of Intelligence and Security.
14 Liability for certain acts
(1) A staff member or agent of an agency is not subject to any civil or criminal liability for any act done outside Australia if the act is done in the proper performance of a function of the agency.
(2) A person is not subject to any civil or criminal liability for any act done inside Australia if:
(a) the act is preparatory to, in support of, or otherwise directly connected with, overseas activities of the agency concerned; and
(b) the act:
(i) taken together with an act, event, circumstance or result that took place, or was intended to take place, outside Australia, could amount to an offence; but
(ii) in the absence of that other act, event, circumstance or result, would not amount to an offence; and
(c) the act is done in the proper performance of a function of the agency.
(2A) Subsection (2) is not intended to permit any act in relation to premises, persons, computers, things, or telecommunications services in Australia, being:
(a) an act that ASIO could not do without a Minister authorising it by warrant issued under Division 2 of Part III of the Australian Security Intelligence Organisation Act 1979 or under Part 2-2 of the Telecommunications (Interception and Access) Act 1979; or


(b) an act to obtain information that ASIO could not obtain other than in accordance with Division 3 of Part 4-1 of the Telecommunications (Interception and Access) Act 1979.
(2B) The Inspector-General of Intelligence and Security may give a certificate in writing certifying any fact relevant to the question of whether an act was done in the proper performance of a function of an agency.
(2C) In any proceedings, a certificate given under subsection (2B) is prima facie evidence of the facts certified.
(3) In this section:
act includes omission.
staff member includes the Director of DIGO, the Director of DSD and the Director-General.
15 Rules to protect privacy of Australians
(1) The responsible Minister in relation to ASIS, the responsible Minister in relation to DIGO and the responsible Minister in relation to DSD, must make written rules regulating the communication and retention by the relevant agency of intelligence information concerning Australian persons.
(2) In making the rules, the Minister must have regard to the need to ensure that the privacy of Australian persons is preserved as far as is consistent with the proper performance by the agencies of their functions.
Note: For Australian person see section 3.
(3) Before making the rules, the Minister must consult with:
(a) in the case of ASIS—the Director-General; and
(ab) in the case of DIGO—the Director of DIGO; and
(b) in the case of DSD—the Director of DSD; and
(c) in any case—the Inspector-General of Intelligence and Security and the Attorney-General.
(4) For the purpose of consultations under paragraph (3)(c), the Minister must provide a copy of the rules the Minister is proposing to make to the Inspector-General of Intelligence and Security and to the Attorney-General.
(5) The agencies must not communicate intelligence information concerning Australian persons, except in accordance with the rules.
Note: For intelligence information see section 3.
(6) The Inspector-General of Intelligence and Security must brief the Committee on the content and effect of the rules if:
(a) the Committee requests the Inspector-General of Intelligence and Security to do so; or
(b) the rules change.
Note: For Committee see section 3.


(7) Rules made under subsection (1) are not legislative instruments.

Appendix 4 Correspondence with Telstra on privacy

1. 5th August to Telstra privacy section

Telstra
Can you please confirm:
(a) that you allow no PRISM type beam splitters anywhere on your communications network.
(b) that you have not been asked to provide such facilities.
My questions are asked in line with your policy below.
Thank you
X

Privacy at Telstra
Telstra is serious about its commitment to protect the privacy of its customers, including the information that they provide to Telstra. Telstra has adopted a policy and a set of privacy principles in accordance with the Commonwealth Privacy Act 1988 and Telecommunication Act 1997, which set out Telstra’s commitment to the protection of its customers’ personal information. They outline the ways Telstra protects customer personal information, how and why Telstra collects it, how Telstra may use and disclose it, how Telstra keeps it secure and accurate, as well as how customers may access it. Telstra’s Privacy Statement, which it gives to its customers, also describes how Telstra collects, uses, discloses and secures the personal information it collects from individuals. Further information on Privacy at Telstra is available in the sustainability reporting included in Telstra’s 2012 Annual Report and at this link (including copies of Telstra’s Privacy Policy, Privacy Principles and Privacy Statement).

2. On 22/08/2013, at 10:12, "The BigPond Team" <thebigpondteam@bigpondmail.custhelp.com> wrote:
> Dear X,
>


> Thank you for your email, my name is . Firstly, I apologise for the delay in responding to your query regarding your privacy enquiry and for any inconvenience that has resulted from the issue you've outlined.
>
> I am happy to provide further assistance to you today.
>
> To ensure that we fulfil our legal and privacy obligations we must verify your identity on each new series of emails, live chat and phone contact.
>
> I can assure you that BigPond® and Telstra take their legal responsibility when dealing with personal details very seriously and as such are unable to provide details to any third party/non-authorised representatives without first obtaining the account holder's consent to do so.
>
> For a more detailed explanation on the protection of personal information, you can view our privacy statement at:
>
> http://www.telstra.com.au/privacy/privacy_statement.html
>
> I hope this information has been of assistance to you.
>
> Thank you and have a great day.
>
> Best Regards,
>
> Telstra Digital Sales and Service
> www.bigpond.com

3. 22nd August
You have not answered my question about whether Telstra has lent itself to breaching my telephone and data privacy, contrary to its stated policy on privacy.
X

4. 22nd August
Dear X,
Thank you for your response. I apologise if I have not answered your enquiry. But I assure you that Telstra does not allow customers' information to be given to just anyone; we always verify the identity


of the customer who enquires for it. If you can cite a particular scenario and proof that your privacy has been breached, please let me know and I will escalate it to my supervisor to take proper actions for you.
Thank you and have a great day.
Best Regards,
Telstra Digital Sales and Service
www.bigpond.com

5. 22nd August
OK, , how do you want to verify my identity? I did not say you were breaching my privacy, I asked if you were breaching my privacy by being connected to PRISM or PRISM-like devices?
Thank you
X

6. 29th August
Hi X,
I just received your email about your PRISM concern. BigPond takes its privacy obligations very seriously. In accordance with the Member Agreement, On Australia (On Australia) will only provide desegregated customer information to its parent company, Telstra Corporation Limited. This disclosure is subject to and in accordance with the Telecommunications Act and applicable industry codes of conduct. BigPond is committed to the protection of personal privacy. To meet this commitment, BigPond has adopted a set of principles, policies and procedures to protect the privacy of customers. These have been developed in consultation with the Telecommunications Industry Ombudsman (TIO) and the Privacy Commissioner. Both BigPond and OA operate in accordance with the same set of privacy principles, which tightly restrict the uses to which customer information can be put and ensure that such uses comply with all privacy laws and codes of conduct. BigPond would never provide individual customer information to any other person unless required by law. Aggregated information is information about the customer base generally, and is not information from which anyone could identify individual customers.


On Australia is not able to deal with different terms and conditions for individual customers. The On Australia Member Agreement is the only basis on which we can provide the BigPond Internet Access. We are unable to accept requests from customers for exceptions from standard terms and conditions. If you have any other questions, please visit our Help Centre at go.telstra.com.au/helpandsupport. The Help Centre is a handy resource for our members which includes things such as our Frequently Asked Questions and our new Email Troubleshooter which has been set up to help you solve all your email problems. Thank you for choosing BigPond.
Kind regards,
The BigPond Team
www.bigpond.com

7. 31st August
What is the situation with access to the data carried by other providers of communications using Telstra lines or cables?
Thank you
X

Appendix 5 Correspondence with IGIS on the Snowden information about bulk surveillance

From: X
Date: 11 June 2013 7:50:15 AM AWST
To: "info@igis.gov.au" <info@igis.gov.au>
Subject: Possible use of PRISM material by Australian authorities

It has been reliably reported that UK security authorities have received nearly 200 referrals of material from the US NSA obtained under the PRISM or phone metadata programs, a process which circumvents UK surveillance laws. Are similar referrals being received by our authorities, which would circumvent our Telecommunications Interception Act?
Thank you
X

4.11.13


Do you think it would be useful to conduct an investigation, in the light of five months of public information, about bulk collection of data for surveillance through taps on optical fibre links? This includes reported taps in Australia. I don't know if the Flood report recommendations nine years ago were adopted, but in any case technology and its capabilities have moved on considerably since then. Also I have some doubts, given the reports, about whether the protections for citizens under the ministerial and IGIS approvals regime in the Intelligence Services Act are being adhered to. Thank you X

11.6.13 4.11.13
Thank you for contacting the Inspector-General of Intelligence and Security. Office hours are Monday to Friday 8.30am – 5pm. Your email will be considered on the first business day after receipt. Responses will generally be received within 5 working days. Should you wish to phone, the number for general inquiries is 02 6271 5692. *Please note the office is closed on public holidays and each year between Christmas and New Year (25 December – 1 January inclusive).

Appendix 6 Correspondence with OAIC (Privacy Commissioner) on bulk surveillance

1.12.13

I note the following APP to apply from March next year:

"Australian Privacy Principle 8 — cross-border disclosure of personal information
8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
(a) who is not in Australia or an external Territory; and
(b) who is not the entity or the individual;
the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles.

8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if:
(a) the entity reasonably believes that:
(i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
(b) both of the following apply:
(i) the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;
(ii) after being so informed, the individual consents to the disclosure; or
(c) the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by the APP entity; or
(e) the entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or
(f) the entity is an agency and both of the following apply:
(i) the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body;
(ii) the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.
Note: For permitted general situation, see section 16A."
When information about "Stateroom", providing access by US government authorities to bulk traffic on a Telstra/Reach cable, became public, I asked Telstra twice for clarification. The replies failed to understand the import of my question. Is providing such access to bulk data traffic by an Australian corporation a breach of the privacy legislation? Thank you, X

2.12.13 Our reference: EN13/17960
Dear X Thank you for your enquiry. The Office of the Australian Information Commissioner (OAIC) receives a large quantity of written enquiries each day. An Enquiries Officer will be assigned to your enquiry and will be in contact soon. We aim to respond to all written enquiries within ten working days. If your enquiry is urgent and requires an immediate response, please telephone us on 1300 363 992 and quote your reference number. More complex phone enquiries may require a written response and may still take some time. Please do not forward any further information. Any questions or additional information you have can be discussed with the officer who responds to your enquiry. You can also find additional information on our website www.oaic.gov.au Yours sincerely Office of the Australian Information Commissioner

16.12.13
Is providing such access to bulk data traffic (not a careful section of traffic based on need using the proportionality principle) by an Australian corporation a breach of the privacy legislation? As you can see I have asked Telstra twice and it either deliberately or otherwise failed to answer my question. Thank you X

16.12.13
Dear X Thank you for your enquiry. The Office of the Australian Information Commissioner (the OAIC) regulates the Privacy Act 1988 (Cth) (the Act) which sets out the manner in which Australian, ACT and Norfolk Island government agencies, and many private sector organisations, are to handle personal information.

The 10 National Privacy Principles (NPPs) in the Act regulate the collection, security, use and disclosure of personal information handled by many private sector organisations. The NPPs apply to all private sector organisations in Australia with an annual turnover of more than $3 million, and to all private health service providers irrespective of turnover. Further information on the coverage of, and exemptions from, the NPPs is available in our published Information Sheet 12. The Privacy Act includes limited exceptions that allow government agencies and private sector organisations covered by the Act to use and disclose personal information for the enforcement of criminal laws, or where the use or disclosure is required or authorised by or under Australian law. Additionally, the Privacy Act can extend to an act or practice that occurs outside Australia in certain circumstances. However, the Act also provides that an act or practice of an organisation done outside Australia does not breach the Privacy Act if it is required by an overseas law. If you consider that an organisation has mishandled your personal information, you may wish to lodge a complaint with the OAIC by following the below process.
- You need to complain to the organisation in the first instance, outlining your privacy concerns, and allow it 30 days to respond
- If you do not receive a response after 30 days, or you are dissatisfied with the response, you can make a written complaint to this office
- You can submit a complaint to the OAIC by using our online complaint form

I hope this information has been useful. If you have any further enquiries, please contact the OAIC Enquiries line on 1300 363 992. Yours sincerely Enquiries Officer Office of the Australian Information Commissioner

17.12.13
I would also note that the OAIC can conduct an own motion investigation. See eg. http://www.oaic.gov.au/privacy/applying-privacy-law/privacy-omi-reports/aapt-and-melbourne-it-own-motion-investigation-report In that case private data from AAPT was captured. Stateroom appears to allow capture of similar personal data from Telstra. I would also refer to the latest US court finding on bulk collection of metadata by Judge Richard Leon, finding it unconstitutional. While that may only apply to Americans, similar considerations should apply to us. Regards, X

17.12.13 Our reference: EN13/18674
Dear X Thank you for your enquiry. The Office of the Australian Information Commissioner (OAIC) receives a large quantity of written enquiries each day. An Enquiries Officer will be assigned to your enquiry and will be in contact soon. We aim to respond to all written enquiries within ten working days. If your enquiry is urgent and requires an immediate response, please telephone us on 1300 363 992 and quote your reference number. More complex phone enquiries may require a written response and may still take some time. Please do not forward any further information. Any questions or additional information you have can be discussed with the officer who responds to your enquiry. You can also find additional information on our website www.oaic.gov.au Yours sincerely Office of the Australian Information Commissioner

23.12.13
Dear X Thank you for your enquiry. Disclosing a large volume of personal information is not in and of itself an act that would be considered an interference with the privacy of individuals. However, any disclosure of personal information needs to be permitted by the Act. NPP 2.1 permits an organisation to use and disclose an individual’s personal information when it is done for the same purpose for which the information was collected. Use or disclosure for another purpose (a secondary purpose) is only permitted when one of the exceptions to NPP 2.1 applies. These exceptions include, but are not limited to, where:
- The individual has consented to the use or disclosure for that other purpose
- The use or disclosure is required or authorised by or under law
- The disclosure is necessary for the protection of the life, health or safety of an individual.

Please note, the OAIC is unable to form a definitive view in regards to applicability of the Privacy Act during a general enquiry. Generally the OAIC will only form a view in the context of a complaint. As previously outlined, if you consider that an organisation has mishandled your personal information, you may wish to lodge a complaint with the OAIC by following the below process.
- You need to complain to the organisation in the first instance, outlining your privacy concerns, and allow it 30 days to respond
- If you do not receive a response after 30 days, or you are dissatisfied with the response, you can make a written complaint to this office
- You can submit a complaint to the OAIC by using our online complaint form

I hope this information has been useful. If you have any further enquiries, please contact the OAIC Enquiries line on 1300 363 992. Yours sincerely Enquiries Officer Office of the Australian Information Commissioner

23.12.13
Dear X Thank you for your correspondence. The Office of the Australian Information Commissioner (the OAIC) regulates the Privacy Act 1988 (Cth) (the Act) which sets out the manner in which Australian, ACT and Norfolk Island government agencies, and many private sector organisations, are to handle personal information. Please note, the OAIC regulates the Privacy Act as it stands, and does not have a function to change or amend the legislation. If you wish to see changes made to the current law, you would need to raise your concerns with your local member for parliament. The Privacy Commissioner has the authority, under s 40(2) of the Act, to conduct an ‘own motion investigation’ in such circumstances where he believes it is appropriate to do so. The OAIC’s Annual Report 2011-12 outlines the risk assessment criteria used to determine whether to investigate a matter on its own motion. These criteria include:
- the number of people affected and the possible consequences for those individuals
- the sensitivity of the personal information involved
- the progress of an agency’s or organisation’s own investigation into the matter and consideration of the actions taken by the entity in response
- the likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified.

As the Act requires the Commissioner to conduct investigations in private, it is unlikely that we would be in a position to advise you of any outcome to an ‘own motion investigation’ that the OAIC may conduct. Thank you for bringing this matter to our attention. Yours sincerely Enquiries Officer Office of the Australian Information Commissioner

Appendix 7 The Philip Flood report on intelligence collection pre the Iraq war
http://www.dpmc.gov.au/publications/intelligence_inquiry/docs/chapter 4.pdf

Quote: "Prime amongst these is the Parliamentary Joint Committee on ASIO, ASIS and DSD (PJCAAD). With the intelligence agencies unable to report to the parliament in the normal way, some system of scrutiny by parliamentarians forms a crucial part of the oversight system. The forerunner of the PJCAAD was the Parliamentary Joint Committee on ASIO, established in 1988 under the Hawke Government. The expansion of the mandate of the Committee in 2001 to embrace ASIS and DSD represents a major step forward in the accountability of the agencies. The activities of the Committee have provided a significant parliamentary insight into the intelligence community, as well as opportunities for the agencies to benefit from the perspectives of experienced parliamentarians. Further, in the case of Iraq WMD, the Committee provided independent scrutiny of a particular issue of considerable community concern, without jeopardising the confidentiality required for the work of the agencies. The Committee’s mandate has two key limits: its terms of reference extend only to the budget and administration of the agencies, not policy and operational activities; and its coverage is of ASIO, ASIS and DSD only—not DIGO, ONA and DIO. Another accountability mechanism designed specifically for the intelligence community is the Inspector-General of Intelligence and Security (IGIS).
With strong legislative backing (powers akin to those of a standing Royal Commission), the Inspector-General helps to provide independent assurance that agencies act legally, with propriety, under ministerial direction, and with regard to human rights. The Inspector-General’s functions vary: they are broadest in relation to ASIO, almost as wide in relation to the two other collection agencies (ASIS and DSD) and more limited for ONA and DIO. The Inspector-General can conduct an inquiry in response to a request by the Prime Minister, a minister responsible for an agency or, in relation to some agencies, without any specific direction from ministers. In certain circumstances, the Inspector-General can make inquiries in response to a complaint. The Inspector-General’s authority includes complete access to agency records and strong powers to require evidence.

There are, however, a number of deficiencies in current arrangements that warrant attention. First, it is anomalous that DIGO does not come under the purview of the Intelligence Services Act. As a collector of intelligence, it has the capability to impinge on the privacy of Australians and, possibly, its actions could breach Australian laws. It is therefore appropriate that, like ASIS and DSD, DIGO’s mandate be set out in legislation, so that the community can have confidence about what its functions do, and do not, involve. Similarly, it is appropriate that DIGO come within the purview of the Parliamentary Joint Committee in the same way that ASIS and DSD do. Further, the mandate of the Parliamentary Joint Committee should be expanded to encompass ONA and DIO, as well as DIGO. This reform would widen the scope of parliamentary oversight to provide comprehensive coverage of Australia’s intelligence agencies. In turn, that would enhance confidence in the parliament and the public that the full range of intelligence agencies is accountable to a senior group of parliamentarians. The extension of the Committee’s mandate will contribute to the better understanding of the agencies in the parliament and the broader community. As is the case for ASIO, ASIS and DSD, parliamentary scrutiny of ONA and DIO should only extend to budgetary and administrative matters. It should not include the content of the assessments that they produce for government.
Just as the advice that officials provide to ministers is not disclosed in Senate Legislation Committee hearings, the judgments of assessment agencies should not be subject to parliamentary scrutiny. Opening assessments to scrutiny by parliament would also weaken the instinct amongst assessors to provide forthright advice for government, which is vital for good assessment. However, the processes by which ONA and DIO produce their assessments is an area which could be open to parliamentary scrutiny. In recommending that DIO and ONA become subject to the Parliamentary Joint Committee, the Inquiry is conscious that some of the factors which make it appropriate for ASIO, ASIS and DSD to be subject to the Committee are not relevant to DIO and ONA. As assessment agencies, they do not undertake acts that might, without specific legislation, be illegal. Nor do ONA and DIO impinge on the privacy of Australian citizens. However, the functioning of Australia’s intelligence agencies is a matter of greater public interest and scrutiny than it has been in the past; and that interest is now strong in relation to assessment agencies as well as collection agencies. In these circumstances, it is appropriate that the parliament and, through it, the public should enjoy greater confidence in the activities of the assessment agencies. Moreover, ONA in particular, as the agency at the peak of the foreign intelligence structure, and which has an oversight role, should be subject to scrutiny in the way that other agencies are.

RECOMMENDATION: The mandate of the Parliamentary Joint Committee on ASIO, ASIS and DSD (PJCAAD) should be extended to all of Australia’s intelligence agencies—that is, it should cover also ONA, DIO and DIGO on the same basis as it at present covers ASIO, ASIS and DSD. The parliament may consider renaming the committee as the Parliamentary Joint Committee on Intelligence and Security (PJCIS).

The Inquiry found that the Inspector-General of Intelligence and Security performs an important function in the system of accountability of the agencies. Most valuable among the roles of the Inspector-General is the power to investigate deeply into the conduct of the agencies. The penetrating character of those powers is a strong feature of Australia’s accountability systems. However, the Inquiry found that the power of the Inspector-General is not sufficiently broad. In particular, it is anomalous that the most recent addition to the intelligence community, DIGO, is not covered in the legislation governing the Inspector-General’s activities. Although an informal arrangement has been settled that allows the Inspector-General to monitor DIGO, formal coverage of DIGO (comparable to the coverage of ASIS and DSD) should be provided by legislation. Further, the Inquiry recommends that the Inspector-General should have the authority to initiate inquiries into ONA and DIO without ministerial referral. Currently, the Inspector-General needs the approval of the appropriate minister before undertaking inquiries into these agencies. While it is fully understood that assessment agencies do not have the capacity to infringe the liberties of individuals in the way that collection agencies do, it is still appropriate for the Inspector-General to have authority in relation to ONA and DIO.
There is significant public interest in the activities of the assessment agencies, and recent cases have highlighted the questions that can arise about the propriety of the assessment agencies’ activities, particularly from within their own ranks. It would be difficult for these questions to be dealt with by the normal public service processes, in view of the sensitivity and security issues involved. It is therefore appropriate for a mechanism to be in place for the Inspector-General to initiate his own inquiries into the work of DIO and ONA, on a similar basis to his role in relation to the collection agencies. The mandate of the Inspector-General should, however, relate to the propriety and legality of ONA and DIO’s activities; and should not extend to judgments about the accuracy of their assessments.

RECOMMENDATIONS: The functions and ministerial accountabilities of DIGO should be formalised in legislation by amendments to the Intelligence Services Act 2001. Similarly, the Inspector-General of Intelligence and Security Act 1986 should be amended to include scrutiny of DIGO on a basis comparable with that which applies to DSD and ASIS. The mandate of the Inspector-General of Intelligence and Security should be extended to allow IGIS to initiate inquiries at his or her own discretion into matters relating to ONA and DIO without ministerial referral, consistent with the IGIS jurisdiction in respect of ASIO, ASIS and DSD.

In the Australian system, ministers direct their individual agencies. ONA is responsible for coordination, and for identifying areas of improvement in the intelligence community. ONA’s responsibility is an important one. Ministers, with other heavy responsibilities, cannot be expected to exercise comprehensive daily oversight of their agencies: ONA’s deep understanding of the foreign intelligence community provides a useful tool to assist ministers. For a range of reasons, but not least for scarcity of resources, ONA’s coordination role has not been fulfilled optimally in recent years. In Chapter 7 the Inquiry recommends an expansion of funding for ONA. That is principally to strengthen its role in assessments, but additional resourcing is also required to ensure that ONA properly acquits its oversight role. ONA’s oversight role also needs to be clearer, and its coordination mandate stronger. The wording of section 5(1)(d) of the ONA Act is obscure and does not clearly articulate ONA’s responsibility for monitoring and reporting on the agencies’ performance. Further, the Act does not provide ONA with the strong mandate for community coordination that it needs. Given the complex character of the coordination task and the key role that ONA needs to play in supporting the management of the intelligence community by ministers, a stronger coordination mandate is required.

RECOMMENDATION: The intelligence community should be subject to periodic external review every five to seven years." Unquote

Appendix 8 Ian Carnell, IGIS 2005 Report on the Parkin matter

Methodology
17. I scrutinised all relevant records in ASIO, interviewed officers including two interviews under oath or affirmation as provided for in section 18 of the IGIS Act, viewed open-source material and spoke with the Commissioner of the AFP.
18. One of the difficulties of inquiring into intelligence and security matters and reporting outcomes is that much material is, by its nature, very sensitive. The protection of collection methodologies and various sources means that there are appropriately circumstances in which disclosure cannot be made. In balancing security aspects against natural justice considerations, there are circumstances where it has traditionally been accepted that it is in the overall public interest for security considerations to be given precedence. The current situation is one such occasion.
19. While the precepts of natural justice would point to providing Mr Parkin with the details of the security assessment and allowing him to respond and suggest ways in which the evidence and considerations might be tested, security considerations of the kind described above would appear to reasonably preclude this. Even to attempt to allude in general terms to the elements of the security assessment would be problematic in this way.
20. I appreciate that Mr Parkin and others with doubts about his treatment will most likely find this vexing, but it is inevitable given the nature of the matter being examined.

Appendix 9 UN votes on privacy
https://dl.dropboxusercontent.com/u/38850305/The%20FBX%20Blog%2015%20October%202013.docx
Freeport

The UN general assembly unanimously voted last week to adopt a resolution, introduced by Germany and Brazil, stating that "the same rights that people have offline must also be protected online, including the right to privacy". Brazil's president, Dilma Rousseff, and the German chancellor, Angela Merkel, were among those spied on, according to the documents leaked by Snowden. The resolution called on the 193 UN member states "to review their procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, with a view to upholding the right to privacy of all their obligations under international human rights law". It also directed Pillay to publish a report on the protection and promotion of privacy "in the context of domestic and extraterritorial surveillance ... including on a mass scale". She told Berners-Lee it was "very important that governments now want to discuss the matters of mass surveillance and right to privacy in a serious way".

Appendix 10 Edward Snowden alternative Christmas message Channel 4 25 December 2013

Snowden said George Orwell "warned us of the danger of this kind of information" in his dystopian novel, 1984. Snowden said: "The types of collection in the book – microphones and video cameras, TVs that watch us – are nothing compared to what we have available today. We have sensors in our pockets that track us everywhere we go. Think about what this means for the privacy of the average person. "A child born today will grow up with no conception of privacy at all. They'll never know what it means to have a private moment to themselves an unrecorded, unanalysed thought. And that's a problem because privacy matters; privacy is what allows us to determine who we are and who we want to be."
Snowden notes the political changes that have taken place since he leaked the cache of documents to newspapers including the Guardian. He highlights a review of the NSA's power that recommended it be no longer permitted to collect phone records in bulk or undermine internet security, findings endorsed in part by Barack Obama, and a federal judge's ruling that bulk phone record collection is likely to violate the US constitution. Snowden says: "The conversation occurring today will determine the amount of trust we can place both in the technology that surrounds us and the government that regulates it. Together we can find a better balance, end mass surveillance and remind the government that if it really wants to know how we feel, asking is always cheaper than spying."

The latter comment echoes a sentiment expressed by Snowden during a series of interviews in Moscow with the Washington Post, another paper that has carried revelations based on documents leaked by him. In this, Snowden said the effect of his actions had meant that "the mission's already accomplished". In the newspaper interview, he added: "I already won. As soon as the journalists were able to work, everything that I had been trying to do was validated. Because, remember, I didn't want to change society. I wanted to give society a chance to determine if it should change itself. "All I wanted was for the public to be able to have a say in how they are governed."

Appendix 11 Legislation, governance and accountability of ASD

The principal legislation governing the Australian Signals Directorate’s (ASD) activities is the Intelligence Services Act 2001, which covers the operations of ASD, the Australian Geospatial-Intelligence Agency and the Australian Secret Intelligence Service. ASD was formerly known as the Defence Signals Directorate (DSD). We were renamed in May 2013 to reflect our national role in cyber security, disaster response and national security. The renaming did not affect our functions, powers or accountability. All references in legislation to DSD should be taken to be references to ASD. ASD’s functions, as set out in the Intelligence Services Act, are to:
- obtain signals intelligence about the capabilities, intentions or activities of people or organisations outside of Australia
- communicate such intelligence in accordance with the Australian Government’s requirements
- provide material, advice and other assistance to Commonwealth and State authorities on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means
- provide assistance to the Australian Defence Force in support of military operations and to cooperate with the Australian Defence Force on intelligence matters
- provide assistance to Commonwealth and State authorities in relation to cryptography, computer and communications technologies, other specialised technologies acquired in connection with the performance of its functions, and the performance of search and rescue functions by Commonwealth and State authorities.

The Act requires the minister responsible for ASD to issue written directions to Director ASD, which must require the agency to seek authorisation from the minister before undertaking certain activities. The minister responsible for ASD is also required to make written privacy rules on how ASD is to protect the privacy of Australians.

There are a range of other Commonwealth Acts that impact on ASD’s operations. As part of the Department of Defence, ASD also complies with the Public Service Act 1999, Financial Management and Accountability Act 1997 and all other legislation regulating the Australian Public Service. The Inspector-General of Intelligence and Security is responsible for overseeing ASD’s operations, including compliance with legislation. The Parliamentary Joint Committee on Intelligence and Security functions, as described under the Intelligence Services Act, are to review the administration and expenditure of the intelligence agencies and review matters related to the intelligence agencies referred by the responsible minister or the Parliament.

Governance

The Australian Signals Directorate (ASD) is governed by Australian law and the Australian Government. ASD was formerly known as the Defence Signals Directorate (DSD). We were renamed in May 2013 to reflect our national role in cyber security, disaster response and national security. The renaming did not affect our functions, powers or accountability. All references in legislation to DSD should be taken to be references to ASD.

- Intelligence Services Act 2001 defines our role and functions
- National Security Committee of Cabinet, chaired by the Prime Minister, sets our priorities
- Minister for Defence authorises the conduct of specific activities and makes privacy rules to protect the privacy of Australians
- Department of Defence, comprising the Australian Defence Force and supporting Australian Public Service agencies, works to defend Australia and Australia’s national interests
- ASD is part of the Defence Intelligence and Security Group
- ASD contributes to achieving intelligence goals detailed in the Defence White Paper

Accountability

The Australian Signals Directorate (ASD) is accountable to the Department of Defence, the Australian Government and the independent Inspector-General of Intelligence and Security. ASD was formerly known as the Defence Signals Directorate (DSD). We were renamed in May 2013 to reflect our national role in cyber security, disaster response and national security. The renaming did not affect our functions, powers or accountability. All references in legislation to DSD should be taken to be references to ASD.


- ASD is responsible to the Chief of the Defence Force and Secretary of the Department of Defence through the Deputy Secretary for Intelligence and Security
- ASD contributes to the Defence Annual Report as a member of the Defence Intelligence and Security Group
- ASD produces a highly classified annual report for the Minister for Defence, Chief of the Defence Force and Secretary of the Department of Defence
- Parliamentary Joint Committee on Intelligence and Security reviews the administration and expenditure of Australian Intelligence Community agencies and matters referred to it by the Minister or Parliament
- Inspector-General of Intelligence and Security provides independent assurance that Australia’s intelligence and security agencies act legally and with propriety. The Inspector-General’s authority includes complete access to agency records and powers to require evidence

Appendix 12 Fred Kaplan, US Council on Foreign Relations

Back at an open congressional hearing on March 12 [2013], Sen. Ron Wyden (D-Ore.) asked Clapper, “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?” Clapper replied, “No sir … not wittingly.” As we all now know, he was lying. We also now know that Clapper knew he was lying. In an interview with NBC’s Andrea Mitchell that aired this past Sunday, Clapper was asked why he answered Wyden the way he did. He replied: “I thought, though in retrospect, I was asked [a] ‘when are you going to … stop beating your wife’ kind of question, which is … not answerable necessarily by a simple yes or no. So I responded in what I thought was the most truthful, or least untruthful, manner by saying, ‘No.’ ” Let’s parse this passage. As a member of the Senate Intelligence Committee, Wyden had been briefed on the top-secret-plus programs that we now all know about. That is, he knew that he was putting Clapper in a box; he knew that the true answer to his question was “Yes,” but he also knew that Clapper would have a hard time saying so without making headlines.

Appendix 13 Nicky Hager, NZ author on the Echelon electronic eavesdropping system, address to the European Parliament in 2001
http://cryptome.org/echelon-nh.htm

Appendix 14 An interesting Wikipedia summary of the warrantless surveillance controversy.
https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy


Appendix 15 ASIO and ASIS Mission and Values

Mission and Values

ASIO plays a vital role in the Australian community.

Our Vision: The intelligence edge for a secure Australia

Our Mission: To identify and investigate threats to security and provide advice to protect Australia, its people and its interests

Our Values

Excellence
- producing high quality, relevant and timely advice
- displaying strong leadership and professionalism
- improving through innovation and learning

Integrity
- being ethical and working without bias
- maintaining the confidentiality and security of our work
- respecting others and valuing diversity

Cooperation
- building a common sense of purpose and mutual support
- using appropriate communication in all our relationships
- fostering and maintaining productive partnerships

Accountability
- being responsible for what we do and for our outcomes
- being accountable to the Australian community through the Government and the Parliament


For ASIS see http://www.asis.gov.au/About-Us/Mission-and-Values.html This includes "We abide by Australian law and community standards and are accountable for our actions."

Appendix 16 EU Parliament Report

This is the January 2014 draft report of the Committee overseeing privacy issues in the Parliament representing the largest transnational democratic electorate in world history. It includes nations like Germany, Austria, Romania, the Czech Republic, Slovakia, Poland, Bulgaria, and Hungary which have had experience of extensive state eavesdropping.
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE526.085%2b02%2bDOC%2bWORD%2bV0%2f%2fEN

Quote:
"Extra-territoriality
Q. whereas the extra-territorial application by a third country of its laws, regulations and other legislative or executive instruments in situations falling under the jurisdiction of the EU or its Member States may impact on the established legal order and the rule of law, or even violate international or EU law, including the rights of natural and legal persons, taking into account the extent and the declared or actual aim of such an application; whereas, in these exceptional circumstances, it is necessary to take action at the EU level to ensure that the rule of law, and the rights of natural and legal persons are respected within the EU, in particular by removing, neutralising, blocking or otherwise countering the effects of the foreign legislation concerned;"
Unquote

Appendix 17 NSA Tailored Access Operations (TAO)

See Jacob Appelbaum at the 30c3 seminar in January 2014, http://www.youtube.com/watch?v=b0w36GAyZIA

The US NSA is supposed to operate in accordance with the FIS Act and the FISAA Act. NSA programs like H-redact and I-redact can apparently tamper with a computer in the mail (or perhaps it is done before despatch) and insert a hardware implant. L-redact in a mobile unit apparently allows targeting of the kernel of a computer from up to 12 km away. M-redact connects a web surfer to a false version of the website because NSA or GCHQ can access the mainlines between major servers and impersonate Yahoo for example, so this could be used for all sorts of disruption, such as sending false financial signals or indices, eg. Libor or Euribor. There are reported agreements for payment between the US government and private firms so that backdoors are left open for access to "secure" elliptical code encryption on tokens such as those used by banks and credit card firms.


There are reputed to be information diversion chips such as N-redact, O-redact and Predact. There are reportedly programs to enter iPhones, and computer cables which transmit keyboard strokes. Programs include:
- P-redact - reputedly used to hack Belgacom, can corrupt file downloads and kill the anonymity system. Belgacom would presumably be a target because it carries EU traffic to and from the central node of the EU in Brussels.
- E-Redact - reputedly used to hack Belgacom
- A-redact - collect
- B-redact - infect
(27 others also redacted)

Appendix 18 Response of IGIS to Inquiry about the Snowden Disclosures

IGIS File No: 2013/59
IGIS Correspondence No: 2014/10

Dear X

You recently enquired whether it would be useful for this office to conduct an investigation into the purported bulk collection of data by agencies for which this office has oversight responsibilities. Please accept my apologies for not responding to you sooner. I have now had the opportunity to review the issues you have raised and to also discuss your concerns with the Inspector-General of Intelligence and Security (IGIS).

As an overarching comment, the IGIS is required by law to conduct inquiries in private, and in keeping with long established government practice does not generally comment on specific intelligence matters. The IGIS’s oversight of the agencies which comprise the Australian intelligence community is described at www.igis.gov.au.

Although not specifically referenced in your email contacts with this office, your concerns seem to relate to the work of the Australian Signals Directorate (ASD). ASD was known until recently as the Defence Signals Directorate. Some general comments about the IGIS oversight of ASD are set out below.

IGIS staff have ongoing visibility of all of ASD’s activities. They are briefed on sensitive operations and receive intelligence product. IGIS staff have access to ASD’s systems and records and undertake regular inspections of a range of ASD activities. Our particular focus is on how ASD protects the privacy of Australians but we also have regard to the legality and propriety of other ASD activities and whether the activities are consistent with human rights.

The Intelligence Service Act 2001 sets out ASD’s functions. ASD is required to obtain intelligence about the capabilities, intentions or activities of people or organisations outside Australia for the purpose of meeting the requirement of the government for such intelligence. The limits of ASD’s functions are also set out in that Act. Certain activities, including any activity to produce intelligence on an Australian person, require the prior authorisation of the Minister. The requests for these authorisations detail the reasons why permission is being sought to produce intelligence on a particular Australian. Currently, each of these submissions is reviewed by IGIS staff.

ASD can only cooperate with an authority of another country to the extent authorised by the Minister for Defence. The exchange of information with foreign authorities is reviewed by IGIS staff to ensure that it is within the limits of this authorisation.

There are also particular rules regulating the communication and retention by ASD of intelligence information concerning Australian persons. These rules are publicly available on the ASD website at http://www.asd.gov.au/publications/dsdbroadcast/20121002-privacy-rules.htm

The legality of any particular ASD activity is assessed by reference to whether the purpose was consistent with a function of ASD, whether it was within the limits set out in relevant legislation, and whether the activity had an appropriate level of approval. If the Inspector-General identifies any breaches of the legislation or of any directions or authorisations given by the Minister under legislation, they are described in general terms in her annual report (available at www.igis.gov.au). National security considerations usually prevent specific details being given in a public report. If the Inspector-General had concerns about her level of access to ASD information or ASD’s internal compliance arrangements these would also be noted in the annual report.

Yours sincerely

I
Principal Investigation Officer
Office of the Inspector-General of Intelligence and Security

Appendix 19 Previous IGIS attitudes

IGIS SUBMISSION TO THE HOUSE OF REPRESENTATIVES STANDING COMMITTEE ON LEGAL AND CONSTITUTIONAL AFFAIRS INQUIRY INTO WHISTLEBLOWING PROTECTIONS WITHIN THE AUSTRALIAN GOVERNMENT PUBLIC SECTOR

Thank you for your invitation of 14 July 2008 to make a submission to the abovementioned inquiry.


2. I thought that I could best assist the Committee if I commented on three practical areas relating to the Terms of Reference (ToR) for this inquiry, based on my experience to date with staff from the intelligence agencies occasionally approaching my Office on a confidential basis.

3. However, first I should briefly outline the role of the Inspector-General of Intelligence and Security (IGIS).

4. The position of IGIS was created by the Inspector-General of Intelligence and Security Act 1986 (IGIS Act). The IGIS is an independent statutory position which, with the assistance of his or her Office, reviews the six agencies referred to as the Australian Intelligence Community (AIC), namely:
(a) Australian Security Intelligence Organisation (ASIO)
(b) Australian Secret Intelligence Service (ASIS)
(c) Defence Intelligence Organisation (DIO)
(d) Defence Imagery and Geospatial Organisation (DIGO)
(e) Defence Signals Directorate (DSD), and
(f) Office of National Assessments (ONA)

5. The purpose of this review is to hold the AIC agencies accountable in respect of compliance with Australian law and with ministerial directions, the propriety of their activities and respect for human rights. It is done by:
(a) undertaking a range of inspections of selected AIC activities (akin to compliance audits)
(b) receiving complaints about AIC activities, and
(c) either in response to a complaint, a ministerial referral or of the Inspector-General’s own motion, undertaking formal inquiries.

6. When conducting formal inquiries the IGIS has access to coercive powers and protections broadly similar to those of a Royal Commission.

7. All staff in the Office of the IGIS have Top Secret (Positive Vet) security clearances and have both familiarity with the activities of the AIC agencies and effective investigative skills.

Procedures in Relation to Protected Disclosures

8. Having regard to the above, I believe that my Office is currently, and should continue to be, the appropriate external recipient of whistleblower reports concerning the AIC.

9. In developing new processes to facilitate protected disclosures, I would hope that whistleblowers continue to be provided with the opportunity to approach my Office directly. However, I would also be supportive of providing whistleblowers with a second option, whereby they could make public interest disclosures through an internal agency process, with the agency being obliged to report such instances to me.

10. The Committee’s ToR 5(d) raises the issue of whether disclosure to a third party might be appropriate in circumstances where all available mechanisms for raising a matter with Government have been exhausted. The ongoing secrecy obligations that apply under the law to persons who are, or have been, provided access to national security classified material argue against this being appropriate for AIC employees and ex-employees.


Appendix 20 BBC 1999 on Echelon

The network is so secret that the British and American Governments refuse to admit that Echelon even exists. But another ally, Australia, has decided not to be so coy. The man who oversees Australia's security services, Inspector General of Intelligence and Security Bill Blick, has confirmed to the BBC that their Defence Signals Directorate (DSD) does form part of the network. "As you would expect there are a large amount of radio communications floating around in the atmosphere, and agencies such as DSD collect those communications in the interests of their national security", he said. Asked if they are then passed on to countries like Britain and America, he said: "They might be in certain circumstances." But the system is so widespread all sorts of private communications, often of a sensitive commercial nature, are hoovered up and analysed. Journalist Duncan Campbell has spent much of his life investigating Echelon. In a report commissioned by the European Parliament he produced evidence that the NSA snooped on phone calls from a French firm bidding for a contract in Brazil. They passed the information on to an American competitor, which won the contract. "There's no safeguards, no remedies," he said. "There's nowhere you can go to say that they've been snooping on your international communications. It's a totally lawless world."

Appendix 21 From NZ SIS website

Until a few years ago the NZSIS was very reluctant to release information either under the Privacy Act or the Official Information Act. However it has now adopted a much more open policy: individuals who apply for their files will be given extensive information, with only certain sensitive details (such as details of sources or information provided by overseas agencies) removed. In certain respects the SIS still fails to meet its obligations under the Privacy Act but in these cases there is a right of appeal to the Privacy Commissioner. The Privacy Act does not cover dead people but their files are available under the Official Information Act. The service is also required to release other information such as files on organisations but the service is reluctant to do so, citing the extensive research it allegedly has to carry out in order to provide this information. A simple letter to the Director is all that is required in order to obtain information.

Appendix 22 Report to the President of the US - Liberty and Security in a Changing World

See http://www.whitehouse.gov/sites/default/files/docs/2013-1212_rg_final_report.pdf

Homeland Security Privacy Policy
See http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf

Appendix 23 - Telecoms privacy provisions

Telstra - part

In addition, we may disclose your personal information to:
- your authorised representatives or your legal advisers (e.g. when requested by you to do so);
- credit-reporting and fraud-checking agencies;
- credit providers (for credit related purposes such as credit-worthiness, credit rating, credit provision and financing);
- our dealers;
- our related companies;
- our professional advisers, including our accountants, auditors and lawyers;
- other telecommunication and information service providers (for example, if you obtain services from other providers, we may need to disclose your personal information for billing purposes);
- the manager of the Integrated Public Number Database. For more information on the Integrated Public Number Database please read Telstra's Privacy Information;
- government and regulatory authorities and other organisations, as required or authorised by law; and
- organisations who manage our business and corporate strategies, including those involved in a transfer/sale of all or part of our assets or business (including accounts and trade receivables) and those involved in managing our corporate risk and funding functions (e.g. securitisation).

Optus - part

3. Will personal information be given to anyone else? Personal information collected at this site will only be disclosed to third parties in accordance with this Privacy Statement and with the terms and conditions of any relevant service. You should check the terms and conditions of individual products and services for information about disclosures. Information collected at this site may be disclosed to third parties where functions are being outsourced. Optus may also disclose personal information to law enforcement agencies, government agencies, courts or external advisors where permitted or required by law.


Vodafone

Who may we provide your personal information? [meaning "to whom may we provide your personal information"]

Vodafone may disclose your personal information both within and outside Australia to:
- Credit providers or credit reporting agencies for the purposes permitted under the Privacy Act and credit reporting legislation;
- Our service and content providers, dealers and agents, contractors and advisers;
- Our mobile phone manufacturers and repairers;
- Vodafone Hutchison Australia and other companies in the Vodafone group;
- Your authorised representatives or legal advisors;
- Our professional advisors including lawyers, accountants, tax advisors and auditors;
- Debt collection agencies and other parties that assist with debt-recovery functions;
- Law enforcement bodies to assist in their functions, Courts of law or as otherwise required or authorised by law;
- Regulatory or government bodies for the purposes of resolving customer complaints or disputes both internally and externally or to comply with any investigation by one of those bodies;
- Other telecommunications services providers for the purposes of both unwelcome calls and mobile number portability issues; and
- Any other person or for any other purposes that would be reasonably expected.

We are required by law to disclose certain personal information about you (including your name, address, telephone number and address) to the operator of the Integrated Public Number Database (IPND). Personal information in the IPND is used to assist emergency services and safeguard national security. If you consent, information from the IPND may also be published in public directories or used by directory assistance.

Feb. 16 2011 A further report, published in late January, revealed Vodafone dealer CommsDirect had been misusing customer information and forwarding call records on to people outside the company. The revelations, which led to CommsDirect shutting down, also formed part of the Privacy Commissioner's investigation. Read more: http://www.smh.com.au/technology/security/vodafone-breached-privacylaws-privacy-commissioner-20110216-1avsj.html#ixzz2p66NLn8m (the Privacy Act provides no penalties).


Virgin - part

1. We will only collect Personal Information where it is necessary for us to perform one or more of our functions or activities. In this context, "collect" means to obtain by any means, information where the individual is identifiable or identified.

2. We will notify our customers and the general public of the below before collecting any Personal Information:
a. the main reason that we are collecting Personal Information (Primary Purpose);
b. other related Uses or Disclosures that we may make of the Personal Information (Secondary Purposes);
c. our identity and how individuals can contact us, if this is not obvious;
d. that individuals can access the Personal Information we hold about them;
e. that individuals (including the general public) should contact us if they wish to access or correct Personal Information collected by us or have any concerns in relation to Personal Information;
f. the organisations or types of organisations to whom we usually disclose the Personal Information;
g. any law that requires the Personal Information to be collected;
h. the consequences (if any) for the individual if all or part of the Personal Information is not provided to us.

13. We may use Personal Information to avoid an imminent threat to a person's life or to public safety, and for reasons related to law enforcement or internal investigations into unlawful activities


Disclosure

1. We may Disclose Personal Information to related or unrelated third parties if consent has been obtained from the individual, including consent for Disclosures made under the credit reporting requirements of the Privacy Act.

2. We may Disclose Personal Information if a payment is substantially overdue and the customer has not reached an agreement for its repayment. In these instances, we may have no choice but to refer the bad debt to a collection agency, to commence legal action, or to sell or transfer the bad debt to a third party. For its repayment, we will need to pass on Personal Information, including the name, address and the amount of the debt for the purposes of enforcement action or the sale or transfer of the bad debt to a third party. In the event of payment difficulties amounting to unpaid debt, we may have no choice but to disclose a customer’s Personal Information, including their unpaid debt, to a third party involved in the sale or transfer of that bad debt.

3. We may Disclose Personal Information between Related Bodies Corporate, in which case that Related Body Corporate is bound by the original Primary Purpose for which the information was collected.

4. We may Disclose Personal Information to unrelated third parties to enable outsourcing of functions (such as billing), for a related Secondary Purpose, in which case the individuals will be notified of our usual Disclosures via the Collection Information, as outlined in 3, or where such Disclosure is within the individual's Reasonable Expectations.

5. We will take reasonable steps to ensure that our contracts with third parties include requirements for them to comply with the Use and Disclosure requirements of the Privacy Act.

6. We may Disclose Personal Information to law enforcement agencies, government agencies, courts or external advisers where permitted or required by law.

7. We may Disclose Personal Information to avoid an imminent threat to a person's life or to public safety.

8. If a Disclosure is not for a Primary or Secondary Purpose, or upfront consent has not been obtained, we will only Disclose Personal Information as per the exceptions set out at 16 to 21 above.

9. We do not generally sell or share customer lists on a commercial basis with third parties but if we did, we would ensure we had the appropriate consent of the individual involved. If the consent provided is conditional, we will take steps to ensure (by contract) that the use of its customer list by third parties does not exceed the scope of the consent.


iiNet

This is our Privacy Policy, a document which outlines our guarantee on your use of our products.

1. We use and may disclose your personal information in order to:
i. Provide services to you;
ii. Research, develop, administer, protect and improve our services;
iii. Check your credit worthiness with a Credit Reporting Agency; and
iv. Comply with a legislative instrument such as a request for information by a regulatory body or a Court Order.

2. Excluding the requirements in Clause 1, we will not disclose any information you give to us to any other entity without your express permission.

3. Customers may request access to personal information collected by iiNet in relation to themselves and the use of their account. We work to ensure these details are always correct and up-to-date and will amend any inaccuracies or make changes to details upon request.

4. By law, we must retain some customer information for a minimum of five years. However, we do not retain clients' personal information longer than is necessary for the purposes of compliance with the law and routine administration.

5. If iiNet is ever sold to another organisation, the new owners will also be required to comply with this privacy policy.

6. We keep customer information on controlled facilities, secure against unauthorised access. Proof of identity is always required before information gets released to any person, including the customer.

7. We typically communicate with customers by email and send all customers a newsletter approximately once per month. In exceptional circumstances, urgent notifications may also be sent out by email.

8. We are constantly improving and enhancing our services and may update this privacy policy from time to time. Any changes to the policy will be advised to customers in our regular newsletter and by updating this page on the website.

9. If you have any queries or comments concerning our privacy policy, please contact us.

Dated the 27th day of November 2009.

Appendix 24 ITU Agreement
INTERNATIONAL TELECOMMUNICATION UNION Document C97/135-E

COUNCIL
GENEVA — 1997 SESSION — (18 - 27 JUNE)

27 June 1997 Original: English


RESOLUTION 1115 (approved at the tenth Plenary Meeting) International Harmonization of Technical Requirements for Legal Interception of Telecommunications

The Council,

noting
a) that many Member countries of the ITU permit their law enforcement and national security agencies, under controlled conditions, to intercept telecommunications services;
b) that the law enforcement and national security agencies of a significant number of ITU member countries have agreed on a generic set of requirements for legal interception (the International Requirements for Interception, IUR);
c) that the costs of legal interception capability and associated disruptions can be lessened by providing for the capability at the design stage; and
d) that such reduction of costs and disruptions could lead to more efficient provision and development of telecommunications infrastructure.

considering
a) that the provision of a technical capability for interception in relevant standards would not intrude on the sovereign right of countries to decide whether and under what conditions they will permit legal interception; and
b) that the consideration of requirements for legal interception could fall within the responsibility of both the ITU-R and the ITU-T.

further noting that some countries are in urgent need of results in this area,

requests the ITU-R and the ITU-T to give priority to questions on the subject which administrations request them to study.*

* It is understood that all ITU-T and ITU-R studies will be based on contributions by administrations. Ref.: Document C97/58

http://www.heise.de/tp/artikel/6/6398/1.html

SPECIAL INVESTIGATION: ILETS AND THE ENFOPOL 98 AFFAIR

Duncan Campbell 29.04.1999

America's guiding hand revealed - the secret international organisation behind Europe's controversial plans for Internet surveillance

Europe's 21st century tapping plans were born in an unlikely location. Fifty kilometres south of Washington DC, on the swampy western boundaries of the Potomac river is Quantico, Virginia. Here, on a large military reservation, is the FBI's training academy and research and development centre. Members of the public have no access to the high security site. Between 1990 and 1992, the FBI had tried repeatedly to get the US Congress to pass new laws for telephone tapping. The agency was worried that new digital telephone systems did not allow them easy access to track and intercept their targets. Their goal was to turn every type of modern communications systems into a national and, ultimately, global surveillance network which would give them "real time, full time" access to those whom they wanted to watch. The FBI experts ignored the costs imposed by their demands. They wanted manufacturers and network operators to provide systems at their own expense. Nor were they interested in the checks and balances of laws intended to control monitoring and protect privacy. Lawyers were not invited. Civil society would have to pay its own costs.

Faced with the roadblocks in Congress, early in 1993 the FBI tried a new approach. They invited US allies to come to Quantico. Law enforcement and security agency representatives met there, calling themselves the "International Law Enforcement Telecommunications Seminar". Seen in retrospect, the title "seminar" is a black joke. Acting in secret and without parliamentary knowledge or government supervision, the FBI through ILETS has since 1993 steered government and communications industry policy across the world. In the shadows behind the FBI stood the NSA (National Security Agency), whose global surveillance operations could only benefit if, around the world, users were systematically to be denied telecommunications privacy in the information age.



The countries who came to Quantico in 1993 were traditional US intelligence allies like Canada, the UK and Australia. There was also a core Euro group interested in developing extended surveillance systems - Germany, France, the Netherlands, Sweden (and the UK). Other representatives came from Norway, Denmark, Spain and even Hong Kong. The FBI tabled a document called "Law Enforcement Requirements for the Surveillance of Electronic Communications", written in July 1992. In June 1993, EU ministers meeting in Copenhagen agreed to poll member states on the issues raised by the FBI and by ILETS. After discussions in Europe later in 1993, ILETS met in Bonn early in 1994. By now Austria, Belgium, Finland, Portugal and Spain had joined the 19 member group.

"International User Requirements"

At their Bonn meeting, ILETS agreed joint policy in a document called "International Requirements for Interception". This said that "law enforcement representatives and government telecommunications experts from a number of countries that attended an international workshop on interception and advanced telecommunications technologies identified the need for this document". It was their "common requirements". Attached to the two page ILETS policy paper was a detailed, four page set of monitoring requirements and a glossary. This list of "International User Requirements" was identified as "IUR 1.0" or "IUR95". The ILETS meeting in Bonn also instigated two new policies. ILETS wanted international standards bodies such as the ITU (International Telecommunications Union) and ISO (International Standards Organisation) to build in tapping requirements to new system specifications. ILETS also wanted governments to agree on monitoring across international boundaries, so that one agency could intercept communications in another country. In March 1994, the Dutch government proposed that Europe adopt IUR 1.0. But ministers were not told that the document had been written by ILETS. Instead, it was identified as an ENFOPOL document, eventually being called ENFOPOL 90. (ENFOPOL is a standard European Commission classification for documents concerned with Law Enforcement/Police matters.) European Ministers never discussed ENFOPOL 90. It was agreed by a "written procedure", by exchange of telexes. It remained completely secret for nearly two years, and was not published in the Official Journal of European policy until November 1996. Meanwhile, European telecommunications operators were told to fall in line with its requirements. According to the British Home Office (Interior Ministry), for example, the resolution is "used as a basis for discussion with telecommunications operators in accordance with [UK monitoring legislation]". ILETS had also raised the problem of satellite-based mobile phone systems (such as Iridium). These phone systems link subscribers via satellites that are not under government control. This led to a British proposal to the European Commission: "Governments ... will have to create new regulations for international co-operation so that the necessary surveillance will be able to operate."


In a slightly modified form, IUR 1.0 became law in the United States in October 1994. Other European nations, and Australia, later incorporated it in their domestic legislation. Within two years from the first ILETS meeting, the IUR had, unacknowledged and word for word, become the secret official policy of the EU and law around the world. Sixteen nations from ILETS met again in Canberra in 1995 and agreed to try and persuade international standards organisations to adopt the IUR "requirements". This would mean that manufacturers of new exchanges or communications systems would have to build in interception interfaces in order to meet the international standards, free of charge. If this ploy succeeded, then security and law enforcement agencies would save money and make tapping easier, since new networks would come with monitoring systems built in. At their Canberra meeting "participating countries undertook to write to "relevant standards bodies and committees" informing them that their country along with other countries has adopted the IUR as a basis for its national and system-specific requirements .... ". Once again ILETS succeeded. In June 1997, the Australian government persuaded the International Telecommunications Union (ITU) to adopt the IUR requirements as a "priority". They told the ITU that "some countries are in urgent need of results in this area". During 1995 and 1996, through the European Commission, ILETS also effectively turned the IUR into an international treaty. The EU invited countries who had attended ILETS meetings to endorse the still-secret 1995 monitoring policy - that is, IUR 1.0. Non-EU ILETS members were told that "the Council considers that the lawful monitoring of telecommunications systems is an important tool in the prevention and detection of serious crimes and in safeguarding national security. ... The Member States of the European Union have been called upon to apply those Requirements to telecommunications operators and service providers... " Canada, Australia, Norway and the United States wrote back to the EU president, confirming their agreement.

By now, ILETS had spawned two sub-committees, one re-designing the IUR and another (called STC, the Standards Technical Committee) working on technical standards. ILETS and its experts met again in Dublin in 1997. In 1998, they met in Rome, Vienna and Madrid. The IUR was not changed in 1997. But ILETS and its expert committees were at work, defining new requirements to cover the Internet and satellite based systems. They also wanted stringent new security requirements to be imposed on private telecommunications operators. The expert committees drew up new "requirements" to intercept the Internet. During July 1998, ILETS experts met in Rome to settle the new IUR and its attached "glossary". The result was ENFOPOL 98. In Vienna on 3 September 1998, the revised IUR was presented to the Police Co-operation Working Group. The Austrian Presidency proposed that, as had happened in 1994, the new IUR be adopted verbatim as a Council Resolution on interception "in respect of new technology". Delegates were told that ENFOPOL 98's purpose was to "clarify the basic document (IUR 1.0) in a manner agreed by the law enforcement agencies as expressing their common requirement". But ILETS and its experts had become overconfident. IUR 1.0 had been four pages long. The new IUR (ENFOPOL 98) was 36 pages. The Austrian officials were told that this was politically inadvisable - perhaps that it would frighten ministers by its explicitness. Or, as the IUR experts were later told, "the wide range covered by ENFOPOL 98 was not conducive to ready comprehension". In October 1998, ILETS' IUR experts met in Vienna and Madrid and agreed a shorter, 14 page paper. Some of its more controversial provisions were put into other papers. European police delegates met in November to consider and agree the revised ENFOPOL 98 (rev 1). Suddenly, there was a new factor for the ILETS experts to consider. On 20 November, Telepolis broke the ENFOPOL 98 story, publishing the full text in German nine days later. The story became Internet news around the world. After this, and thanks to two further revisions by the German presidency, ENFOPOL 98 (now renamed ENFOPOL 19 - see news story) shrank to a mere 6 pages long. Its key provisions are being hidden elsewhere. The most chilling aspect of the ILETS and ENFOPOL story may not even be the way in which the US-led organisation has worked in the dark for more than 6 years to build snooping trapdoors into every new telecommunications system. Their determination to work in the dark, without industry involvement or legal advice, without parliamentary scrutiny or public discussion, has blinded them to the idea that not all "law enforcement" is a public good.

Throughout its life, Hong Kong - now incorporated in the People's Republic of China - has been a member of ILETS. By planting its requirements on bodies like the ITU and ISO, the police and security agencies involved have effectively acted as an international treaty organisation. But they were blind to any interests other than their own narrow world-view. "In the name of law and order, the US is now pursuing an international accord that urges stronger surveillance capabilities in nations with appalling human-rights records" says Susan Landau, co-author of Privacy on the Line. By taking Hong Kong into their club, they have shared their advanced ideas on surveillance with the butchers of Tiananmen Square. By seeking the ITU's imprimatur on building surveillance into new communications systems, they have handed the vile butchers of the Kosovans and the Kurds the future tools to seek out and murder their opponents. The new IUR will be welcome news in Thailand and Singapore, and everywhere where enemies of liberty thrive.



Even if you are a conservative European or US politician, this can only be a source of shame. ILETS has thrown the vital principles of the European Convention and the US Constitution into the dustbin. That, above all, is why the secret processes of ENFOPOL 19, 98 and the rest should be brought to a halt. Democratic society requires nothing less than full and considered public discussion of these important issues.

Appendix 25 Security agency codes and values - ASIS

From the ASIS website: "So as to discharge its functions ASIS generally relies on human sources to collect relevant foreign intelligence. This intelligence information is then transformed into intelligence reports and related products which are then made available to key policy makers and select government agencies with a clear and established need to know. The foreign intelligence collection priorities for ASIS and other members of the AIC are established in a planning document that is endorsed and regularly reviewed by the National Security Committee of Cabinet."

IGIS report 2010-2011 - Privacy rules

As discussed in the General Matters chapter of this report, S. 15(1) of the Intelligence Services Act requires that written rules be made to regulate the communication and retention by ASIS of intelligence information concerning Australian persons. The extant ASIS privacy rules were approved by the then Minister for Foreign Affairs, the Hon Stephen Smith MP on 17 September 2008, but are almost identical to the first ASIS privacy rules which were endorsed in October 2001 to coincide with the commencement of the ISA. As the ASIS Privacy Rules have effectively been in place for nearly 10 years without significant revision or review, I was engaged during 2010–11 in a series of preliminary discussions with ASIS staff about possible changes to the rules. These discussions were ongoing as at 30 June 2011. During 2010–11 we identified very few irregularities in ASIS’s application of its extant privacy rules and found no significant underlying or systemic issues of concern. I am satisfied that ASIS takes its privacy obligations seriously and that appropriate resources are being spent to ensure that ASIS staff receive appropriate training and guidance on the application of the ASIS privacy rules.

Appendix 26 A reported earlier Echelon dictionary of signal words which would trigger collection of a communication

Waihopai, INFOSEC, Information Security, Information Warfare, IW, IS, Priavacy, Information Terrorism, Terrorism Defensive Information, Defense Information Warfare, Offensive Information, Offensive Information Warfare, National Information Infrastructure, InfoSec, Reno, Compsec, Computer Terrorism, Firewalls, Secure Internet Connections, ISS, Passwords, DefCon V, Hackers, Encryption,



Espionage, USDOJ, NSA, CIA, S/Key, SSL, FBI, Secert Service, USSS, Defcon, Military, White House, Undercover, NCCS, Mayfly, PGP, PEM, RSA, Perl-RSA, MSNBC, bet, AOL, AOL TOS, CIS, CBOT, AIMSX, STARLAN, 3B2, BITNET, COSMOS, DATTA, E911, FCIC, HTCIA, IACIS, UT/RUS, JANET, JICC, ReMOB, LEETAC, UTU, VNET, BRLO, BZ, CANSLO, CBNRC, CIDA, JAVA, Active X, Compsec 97, LLC, DERA, Mavricks, Meta-hackers, ^?, Steve Case, Tools, Telex, Military Intelligence, Scully, Flame, Infowar, Bubba, Freeh, Archives, Sundevil, jack, Investigation, ISACA, NCSA, spook words, Verisign, Secure, ASIO, Lebed, ICE, NRO, Lexis-Nexis, NSCT, SCIF, FLiR, Lacrosse, Flashbangs, HRT, DIA, USCOI, CID, BOP, FINCEN, FLETC, NIJ, ACC, AFSPC, BMDO, NAVWAN, NRL, RL, NAVWCWPNS, NSWC, USAFA, AHPCRC, ARPA, LABLINK, USACIL, USCG, NRC, ~, CDC, DOE, FMS, HPCC, NTIS, SEL, USCODE, CISE, SIRC, CIM, ISN, DJC, SGC, UNCPCJ, CFC, DREO, CDA, DRA, SHAPE, SACLANT, BECCA, DCJFTF, HALO, HAHO, FKS, 868, GCHQ, DITSA, SORT, AMEMB, NSG, HIC, EDI, SAS, SBS, UDT, GOE, DOE, GEO, Masuda, Forte, AT, GIGN, Exon Shell, CQB, CONUS, CTU, RCMP, GRU, SASR, GSG-9, 22nd SAS, GEOS, EADA, BBE, STEP, Echelon, Dictionary, MD2, MD4, MDA, MYK, 747,777, 767, MI5, 737, MI6, 757, Kh-11, Shayet-13, SADMS, Spetznaz, Recce, 707, CIO, NOCS, Halcon, Duress, RAID, Psyops, grom, D-11, SERT, VIP, ARC, S.E.T. Team, MP5k, DREC, DEVGRP, DF, DSD, FDM, GRU, LRTS, SIGDEV, NACSI, PSAC, PTT, RFI, SIGDASYS, TDM. SUKLO, SUSLO, TELINT, TEXTA. 
ELF, LF, MF, VHF, UHF, SHF, SASP, WANK, Colonel, domestic disruption, smuggle, 15kg, nitrate, Pretoria, M-14, enigma, Bletchley Park, Clandestine, nkvd, argus, afsatcom, CQB, NVD, Counter Terrorism Security, Rapid Reaction, Corporate Security, Police, sniper, PPS, ASIS, ASLET, TSCM, Security Consulting, High Security, Security Evaluation, Electronic Surveillance, MI-17, Counterterrorism, spies, eavesdropping, debugging, interception, COCOT, rhost, rhosts, SETA, Amherst, Broadside, Capricorn, Gamma, Gorizont, Guppy, Ionosphere, Mole, Keyhole, Kilderkin,Artichoke, Badger, Cornflower, Daisy, Egret, Iris, Hollyhock, Jasmine, Juile, Vinnell, B.D.M.,Sphinx,Stephanie, Reflection, Spoke, Talent, Trump, FX, FXR, IMF, POCSAG, Covert Video, Intiso, r00t, lock picking, Beyond Hope, csystems, passwd, 2600 Magazine, Competitor, EO, Chan, Alouette,executive, Event Security, Mace, Cap-Stun, stakeout, ninja, ASIS, ISA, EOD, Oscor, Merlin, NTT, SL-1, Rolm, TIE, Tie-fighter, PBX, SLI, NTT, MSCJ, MIT, 69, RIT, Time, MSEE, Cable & Wireless, CSE, Embassy, ETA, Porno, Fax, finks, Fax encryption, white noise, pink noise, CRA, M.P.R.I., top secret, Mossberg, 50BMG, Macintosh Security, Macintosh Internet Security, Macintosh Firewalls, Unix Security, VIP Protection, SIG, sweep, Medco, TRD, TDR, sweeping, TELINT, Audiotel, Harvard, 1080H, SWS, Asset, Satellite imagery, force, Cypherpunks, Coderpunks, TRW, remailers, replay, redheads, RX-7, explicit, FLAME, Pornstars, AVN,Playboy, Anonymous, Sex, chaining, codes, Nuclear, 20, subversives, SLIP, toad, fish, data havens, unix, c, a, b, d, the, Elvis, quiche, DES, 1*, NATIA, NATOA, sneakers, counterintelligence, industrial espionage, PI, TSCI, industrial intelligence, H.N.P., Juiliett Class Submarine, Locks, loch, Ingram Mac-10, sigvoice, ssa, E.O.D., SEMTEX, penrep, racal, OTP, OSS, Blowpipe, CCS, GSA, Kilo Class, squib, primacord, RSP, Becker, Nerd, fangs, Austin, Comirex, GPMG, Speakeasy,



humint, GEODSS, SORO, M5, ANC, zone, SBI, DSS, S.A.I.C., Minox, Keyhole, SAR, Rand Corporation, Wackenhutt, EO, Wackendude, mol, Hillal, GGL, CTU, botux, Virii, CCC, Blacklisted 411, Internet Underground, XS4ALL, Retinal Fetish, Fetish, Yobie, CTP, CATO, Phon-e, Chicago Posse, l0ck, spook keywords, PLA, TDYC, W3, CUD, CdC, Weekly World News, Zen, World Domination, Dead, GRU, M72750, Salsa, 7, Blowfish, Gorelick, Glock, Ft. Meade, press-release, Indigo,wire transfer, e-cash, Bubba the Love Sponge, Digicash, zip, SWAT, Ortega, PPP, crypto-anarchy, AT&T, SGI, SUN, MCI, Blacknet, Middleman, KLM, Blackbird, plutonium, Texas, jihad, SDI, Uzi, Fort Meade,supercomputer, bullion, 3, Blackmednet, Propaganda, ABC, Satellite phones, Planet-1, cryptanalysis, nuclear, FBI, Panama, fissionable, Sears Tower, NORAD, Delta Force, SEAL, virtual, Dolch, secure shell,screws, Black-Ops, Area51, SABC, basement, data-haven, black-bag, TEMPSET, Goodwin, rebels, ID, MD5, IDEA, garbage, market, beef, Stego, unclassified, utopia, orthodox, Alica, SHA, Global, gorilla,Bob, Pseudonyms, MITM, Gray Data, VLSI, mega, Leitrim, Yakima, Sugar Grove, Cowboy, Gist, 8182, Gatt, Platform, 1911, Geraldton, UKUSA, veggie, 3848, Morwenstow, Consul, Oratory, Pine Gap, Menwith, Mantis, DSD, BVD, 1984, Flintlock, cybercash, government, hate, speedbump, illuminati, president, freedom, cocaine, $, Roswell, ESN, COS, E.T., credit card, b9, fraud, assasinate, virus, anarchy, rogue, mailbomb, 888, Chelsea, 1997, Whitewater, MOD, York, plutonium, William Gates, clone, BATF, SGDN, Nike, Atlas, Delta, TWA, Kiwi, PGP 2.6.2., PGP 5.0i, PGP 5.1, siliconpimp, Lynch, 414, Face, Pixar, IRIDF, eternity server, Skytel, Yukon, Templeton, LUK, Cohiba, Soros, Standford, niche, 51, H&K, USP, ^, sardine,bank, EUB, USP, PCS, NRO, Red Cell, Glock 26, snuffle, Patel, package, ISI, INR, INS, IRS, GRU, RUOP, GSS, NSP, SRI, Ronco, Armani, BOSS, Chobetsu, FBIS, BND, SISDE, FSB, BfV, IB, froglegs, JITEM, SADF,advise, TUSA, HoHoCon, SISMI, 
FIS, MSW, Spyderco, UOP, SSCI, NIMA, MOIS, SVR, SIN, advisors, SAP, OAU, PFS, Aladdin, chameleon man, Hutsul, CESID, Bess, rail gun, Peering, 17, 312, NB, CBM, CTP, Sardine, SBIRS, SGDN, ADIU, DEADBEEF, IDP, IDF, Halibut, SONANGOL, Flu, &, Loin, PGP 5.53, EG&G, AIEWS, AMW, WORM, MP5K-SD, 1071, WINGS, cdi, DynCorp, UXO, Ti, THAAD, package, chosen, PRIME, SURVIAC, UFO

Comment: The first is the NZ sigint station. Bubba the Love Sponge is a radio host who had a few problems with the US FCC. Gorizont are Russian satellites. Sex likely as a keyword to generate too many "marked for attention"s. And Roswell for outer space creatures? Redhead - can't have been Julia Gillard in those days. Even the ampersand is there - &. As to explosives, Semtex, but no TATP back then. "Assassinate" may have actually been misspelt as shown, which might mean a few communications were overlooked. Imagine if Echelon had operated in the days of JFK in Dallas and "assassinate" had failed to trigger collection for having one too many esses compared to the Echelon dictionary version. Exon - one too few x's. rhost - remote host computer. Of course today, the Dictionary list would almost certainly include an Arabic component.



Appendix 27 OECD privacy principles

http://oecdprivacy.org/

OECD Privacy Principles

Introduction

Privacy frameworks may be used as tools to help us think about and frame discussions about privacy, and understand privacy requirements. Internationally, the OECD Privacy Principles provide the most commonly used privacy framework; they are reflected in existing and emerging privacy and data protection laws, and serve as the basis for the creation of leading practice privacy programs and additional principles. The OECD Privacy Principles tie closely to European Union (EU) member nations' data protection legislation (and cultural expectations), which implement the European Commission (EC) Data Protection Directive (Directive 95/46/EC), and other "EU-style" national privacy legislation. (The European Commission is the executive body of the European Union.) (For information about privacy principles utilized by United States government entities, see FairInformation.org)



The OECD Privacy Principles are part of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which was developed in the late 1970s and adopted in 1980. The Organisation for Economic Co-operation and Development (OECD) is a forum for "countries committed to democracy and the market economy." "The Organisation provides a setting where governments compare policy experiences, seek answers to common problems, identify good practice and coordinate domestic and international policies."

The Privacy Principles

Numbered 1 through 8 below, these principles are found in Part Two, paragraphs 7 through 14 of the Annex to the Recommendation of the Council of 23rd September 1980: Guidelines Governing The Protection of Privacy and Transborder Flows of Personal Data. Further discussion of the principles is in the accompanying Explanatory Memorandum, under section II, part B, paragraphs 50 through 62.

1. Collection Limitation Principle
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification Principle
The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

4. Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: a) with the consent of the data subject; or b) by the authority of law.

5. Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

6. Openness Principle
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

7. Individual Participation Principle
An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have communicated to him, data relating to him
i) within a reasonable time;
ii) at a charge, if any, that is not excessive;
iii) in a reasonable manner; and
iv) in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

8. Accountability Principle
A data controller should be accountable for complying with measures which give effect to the principles stated above.

News

2010 is the 30th anniversary of the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
OECD is preparing an anniversary report on the evolving privacy landscape.
There will be a review of the Guidelines beginning in 2011, per the Ministers in the Seoul Declaration for the Future of the Internet Economy.

OECD Privacy Resources

Working Party on Information Security and Privacy
Protection of Privacy and Personal Data
Privacy Online: OECD Guidance on Policy and Practice
  o Booklet
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
  o Booklet
OECD Privacy Statement Generator
Cross-Border Privacy Law Enforcement

Other Privacy Frameworks

APEC Privacy Framework

The Asia-Pacific Economic Cooperation (APEC) Privacy Framework overlaps with other frameworks; however, it concentrates on actual or potential harm as a result of disclosing information, rather than individuals' rights pertaining to their information. While the OECD Privacy Principles enjoy support amongst EU and other governments' legal regimes, the APEC Privacy Framework is not supported by law. The APEC Privacy Framework's major supporters have been certain global corporations. The Asia-Pacific Economic Cooperation (APEC) is a forum for facilitating economic growth, cooperation, trade and investment in the Asia-Pacific region. See APECprivacy.org for more information.

Generally Accepted Privacy Principles (GAPP)

The Generally Accepted Privacy Principles (GAPP) were developed by the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Introduced in 2003 and updated in 2006 and 2009, they are similar to the OECD Privacy Principles, with a focus toward implementation.



According to the AICPA, "they are based on internationally known fair information practices included in many privacy laws and regulations of various jurisdictions around the world and recognized good privacy practices." The GAPP are popular among Canadian privacy practitioners. See www.cica.ca/privacy and www.aicpa.org/privacy for more information.

About This Site

The purpose of this site is to serve as a quickly and easily accessible reference on the OECD Privacy Principles. I frequently refer to these principles in presentations, lectures, workshops and discussions and found that it would be useful to have an easy to reference and consume web page about the OECD Privacy Principles. I hope you find this resource useful as well.

United States Department of Commerce Safe Harbor Privacy Principles

The United States Department of Commerce developed the Safe Harbor self certifying legal framework to allow US organizations to comply with the EC Data Protection Directive. Because of the purpose, the framework's principles follow closely with OECD's. Safe Harbor is one of several cross-border data transfer options for organizations in the US that conduct business in the EU. For an organization to employ Safe Harbor as a compliance mechanism, the organization must be subject to the Federal Trade Commission's (FTC) or Department of Transportation's (DoT) authority. Safe Harbor is a very popular option, particularly for handling customer data. Its use continues to grow, often serving as a starting point for many US organizations expanding their operations into the EU. See export.gov/safeharbor for more information. Other cross-border data transfer options can be applied for jurisdictions that do not meet the EU adequacy standard for privacy protection. These include Express Consent, Model Contracts and Binding Corporate Rules. The use of Express Consent is decreasing due to "drop out" rates (the number of individuals that will not consent) along with data protection authorities recognizing that the imbalance of power between employers and employees negates a consent being "freely given." However, Express Consent remains useful for some relatively simple transfers, such as those necessary to complete business-to-consumer on-line transactions. Model Contracts, while lacking the flexibility often required for data transfers that are part of normal business operations, remain a staple for incidental data transfer (e.g., transferring expatriates' human resource records). There is a notable trend, for multinational companies with mature privacy programs, toward utilizing Binding Corporate Rules. In October 2008 a mutual recognition agreement went into effect among several EU nations' data protection authorities that allows for easier implementation of Binding Corporate Rules. Over the last ten years, the EC has found Safe Harbor to be ineffective due to lack of enforcement and organizations' failure to comply with Safe Harbor requirements while continuing to self certify. Despite this, the EC has remained committed to Safe Harbor. The ineffectiveness of Safe Harbor has been raised to the forefront again recently. As the tenth anniversary of Safe Harbor approached, the Data Protection Authority of the German State of Schleswig-Holstein (the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein or ULD) has called for the immediate termination of and/or revisions to Safe Harbor.

Contact



The author and publisher of this site, Ben Gerber, can be contacted via privacy.us/contact. Additional contact information is available at privacy.tel.

Copyright

This web site, OECDprivacy.org, is © Ben Gerber 2009, 2010 and is licensed under a Creative Commons Attribution 3.0 Unported License. Excerpts from Annex to the Recommendation of the Council of 23rd September 1980: Guidelines Governing The Protection of Privacy and Transborder Flows of Personal Data are © OECD 1980.

Version

Version 1.0 2010/07/20: publication on OECDprivacy.org
Version 1.1 2010/08/09: minor edits; added ULD's comment regarding Safe Harbor

Appendix 28 Re telecoms cooperation with security authorities

http://usatoday30.usatoday.com/news/washington/2006-02-05-nsatelecoms_x.htm?POE=NEWISVA
https://en.wikipedia.org/wiki/Hepting_v._AT%26T

From Wikipedia: July 2008, Congress passed,[10] and on July 10, 2008, President George Bush signed, the FISA Amendments Act, which granted retroactive immunity to telecommunications companies for past violations of FISA.[11] Before any Ninth Circuit decision, the case was returned to the District Court "[i]n light of the FISA Amendments Act of 2008."[12] In September 2008, Attorney General Michael Mukasey filed a certification[13] pursuant to Section 802 of the FISAAA and the government moved to dismiss the Hepting litigation.
Appendix 29 Privacy International Calls on OECD to Investigate Telecoms Relationships with GCHQ
http://www.infosecurity-magazine.com/view/35435/privacy-international-calls-on-oecd-to-investigate-telecoms-relationships-with-gchq/

Appendix 30 Privacy principles and encryption from a barrister
http://www.peteraclarke.com.au/2013/09/10/australian-privacy-principles-and-encryption/

Appendix 31 Statewatch briefing, mandatory data retention in the EU
http://www.access-info.org/documents/chris-mandret-draft.pdf

Appendix 32 Echelon timeline
http://worldinformation.org/wio/infostructure/100437611746/100438658902?opmode=contents

Appendix 33 From the ACLU re the "safeguard" Clipper Chip held in escrow
https://www.aclu.org/technology-and-liberty/big-brother-wires-wiretapping-digitalage#five

Appendix 34 Bipartisan, bicameral USA FREEDOM Act
http://www.leahy.senate.gov/download/usa-freedom-act-two-pager-final

Appendix 35 Communications Assistance for Law Enforcement Act (CALEA) 1994
http://groups.csail.mit.edu/mac/classes/6.805/articles/crypto/digital-telephony.html
6.805/STS085: 1994: The Digital Telephony Act (CALEA)

The Communications Assistance for Law Enforcement Act (CALEA), also known as the Digital Telephony Act, was passed by Congress in October, 1994. Earlier versions of the bill had been floating around Congress since 1992, but they did not gain much support until FBI Director Louis Freeh, who made this one of his top priorities, devoted considerable personal time to lobbying for the bill. CALEA requires telecommunications carriers to provide facilities "enabling the government, pursuant to a court order, to intercept all wire and electronic communications carried by the carrier." The 1994 bill called for $500 million in funding to reimburse telecommunications carriers for the cost of implementing its requirements. This funding was approved in 1996.

Passage of CALEA was controversial, even within the Internet community. The Electronic Frontier Foundation strongly opposed the original version of the bill, but eventually participated in negotiations and added provisions that strengthened the bill's privacy protections, which led them to support the revised bill. The Electronic Privacy Information Center and the ACLU opposed the bill.

CALEA does not explicitly address encryption, although Director Freeh was clear that the FBI would subsequently request additional legislation, should encryption become a hindrance to wiretaps. In addition, top secret documents (since declassified) show that there have been plans since the Bush Administration in 1991 to use Digital Telephony as a "beachhead we can exploit for the encryption fix".

Text of the CALEA as enacted by Congress in 1994.

Here are some items dealing with the passage of the bill and some subsequent developments.

John Perry Barlow, "Decrypting the Puzzle Palace", from Communications of the ACM, July 1992. This consciousness-raiser by Barlow raised the issues of Digital Telephony and the NSA's involvement two years before this broke in a big way.
The Electronic Privacy Information Center's archive on wiretapping, with information on CALEA and subsequent developments.

The Electronic Frontier Foundation's archive on Digital Telephony, with extensive source material.

Next section of this essay: 1994: Clipper (The Escrowed Encryption Standard)

Appendix 36 Australian Communications Department critical infrastructure resilience
http://www.communications.gov.au/online_safety_and_security/Communications_critical_infrastructure_resilience

Appendix 37 Useful summary as of 2000 of interception capabilities
http://www.cyber-rights.org/interception/stoa/ic2kreport.htm#Summary

Appendix 38 10 NSA myths debunked from tom.dispatch
http://www.commondreams.org/view/2014/01/13-0
Ten answers re NSA, 13.1.14, tom.dispatch.com: 'No, You Cannot Opt Out': 10 NSA Myths Debunked, by Peter Van Buren

Appendix 39 Report January 2014 from the US Privacy and Civil Liberties Oversight Board
http://www.theguardian.com/world/interactive/2014/jan/23/privacy-civil-liberties-board-nsa-report-text

Appendix 40 Geoffrey Robertson QC on legality
http://www.theguardian.com/commentisfree/2013/dec/02/privacy-australians-surveillance-metadata

Appendix 41 Unilateral spying on Australia considered by NSA
http://www.theguardian.com/world/2013/dec/05/nsa-considered-spying-on-australians-unilaterally-leaked-paper-reveals

Appendix 42 New Zealand events pertinent to Australia
Kiwiblog December 3rd, 2013 at 6:03 am by David Farrar

NewstalkZB reports:

The Prime Minister is playing down suggestions the public may have been targeted for data collection by domestic spy agencies. Fresh revelations by former NSA contractor Edward Snowden have shown the Australian Defence Signals Directorate offered in 2008 to share data collected on Australian citizens with its intelligence partners. John Key called GCSB boss Ian Fletcher today to seek assurances that New Zealand had not done the same. “I wasn’t Prime Minister (at the time), but I rang the head of the agency and said ‘can you confirm for me that New Zealand didn’t collect wholesale metadata about our ordinary New Zealanders.’ “The answer was ‘we didn’t, and because we didn’t we couldn’t have shared it.’”

The Australian offer was made in 2008, when Helen Clark was Prime Minister. So maybe someone should ask Helen Clark on the record if she ever authorised the collection of metadata from NZers, and the sharing of it with other countries. Maybe the NZ Labour Party can confirm that when they were in Government, this did not happen on their watch.

Changes to TICS Bill, see http://www.beehive.govt.nz/sites/all/files/Comparison_Table_TICA%20and_TICS_Bill.pdf
October 15th, 2013 at 10:00 am by David Farrar

Amy Adams has announced:

Communications and Information Technology Minister Amy Adams has today tabled a Supplementary Order Paper (SOP) to make further improvements to the Telecommunications (Interception Capability and Security) Bill.

…

Clause 39 of the proposed Bill currently allows the responsible Minister to direct that a network operator must not resell an overseas telecommunications service in New Zealand where the interception capability, or lack of interception capability, raises a significant risk to law enforcement or national security. It is proposed to remove Clause 39 from the Bill altogether, and, instead, matters of non-compliance could be addressed through the compliance framework.

Part 3 of the Bill deals with the partnership approach between the GCSB and network operators to protect network security. To ensure that this interaction occurs in a timely manner, it is proposed to introduce the ability for the Minister responsible for the GCSB to make regulations that require decisions to be made under specific timeframes, in the event that decisions are not being made in a sufficiently timely way. It is also proposed to narrow the scope of the matters that must be notified to the GCSB, reducing compliance costs for network operators.

As a last resort, where network operators and the GCSB are unable to agree on how to respond to a network security risk, Clause 54 of the Bill currently provides that the responsible Minister may issue a direction. Before the GCSB can ask the Minister to make a direction, a further check and balance will be introduced. The Commissioner of Security Warrants will now be required to carry out an independent review of the material that informed the GCSB’s risk assessment, and report on whether, in their opinion, the risk amounts to a significant risk to national security.

These look like very welcome changes.

The requirement for the Commissioner of Security Warrants (currently former Court of Appeal Judge Sir Bruce Robertson) to do an independent review in the very very unlikely event of the Government believing that what a network operator is planning could threaten national security, is sound.

“Although public input has resulted in significant improvements to the Bill, some of the submissions received did not reflect an accurate understanding of what the Bill does and does not do,” Ms Adams says. “In particular, I would like to reassure people that this Bill does not change the authority of agencies to intercept telecommunications, it does not change existing privacy protections, and it does not require data to be stored or require stored data to be disclosed.”

The Bill only relates to real time interception. This is a key point that many have missed – it is about real-time interception. The major users of this ability are the Police for ongoing criminal investigations.

There’s also a comparison table between the current law (TIC Act) and this proposed law (TICS Bill). I think they show that in some areas the law change actually reduces compliance costs on ISPs. There is no expansion of powers in terms of surveillance. There is an expansion in terms of the GCSB’s role in cyber-security where they can (ultimately) ask for a Government order if they believe a proposed action would be a threat to national security.

Ironically that proposed power has its genesis in the opposition scaremongering over Huawei winning some contracts in New Zealand. They kept demanding the Government do something on the basis the Australian Government had excluded them from the NBN build there. The Government doesn’t believe there are any national security issues around Huawei, but it was the scaremongering that highlighted that even if there were, they actually had no power to exclude a company that did have national security issues. So a bit rich for opposition MPs to complain about a clause that their scaremongering created.

There are still some elements of the bill which I’m not enthusiastic on. I don’t think ISPs (or network operators) should have to register with the GCSB as it sets a bad precedent. As far as I know there’s never been an issue with locating an ISP, and its directors. I’d prefer that clause to be removed. As I said, a precedent of an ISP needing to register with the Government is not healthy – even if well intentioned.

But the SOP by Amy Adams is a significant improvement to the bill, especially having the Commissioner of Security Warrants do an independent assessment if there is ever a stand off between the Government and an ISP over a proposed network build decision.

Also a useful read are these two diagrams showing how the interception and network security processes will work.
Appendix 43 2012 Report of the UK Intelligence Services Commissioner
http://cryptome.org/2013/07/uk-spy-commish-2012.pdf

Appendix 44 Bridging the Gap: Recalibrating the Machinery of Security Intelligence and Intelligence Review
http://www.sirc-csars.gc.ca/pdfs/ar_2012-2013-eng.pdf

Appendix 45 IIRAC 2008
http://www.ocsec-bccst.gc.ca/media/speech/2008-10-07_e.php

Appendix 46 Tapping into smartphone apps
http://www.theguardian.com/world/2014/jan/27/nsa-gchq-smartphone-app-angry-birds-personal-data

Appendix 47 Glenn Greenwald's response to President Obama's response
http://www.theguardian.com/commentisfree/2014/jan/17/obama-nsa-reforms-bulk-surveillance-remains

Appendix 48 Debating bulk data collection in the UK
http://www.theguardian.com/commentisfree/2014/jan/17/nsa-dishfire-restrictive-british-laws-surveillance

Appendix 49 Transparency lawsuit launched by the American Civil Liberties Union
http://www.theguardian.com/world/2014/jan/21/us-withholding-fisa-court-orders-nsa-bulk-collection

Appendix 50 President Obama's response to review committee
http://www.theguardian.com/commentisfree/2014/jan/17/obama-nsa-speech-security-privacy

Appendix 51 US NSA - would it target Five Eyes partners
http://www.theguardian.com/world/2013/dec/05/nsa-considered-spying-on-australians-unilaterally-leaked-paper-reveals

Appendix 52 Has bulk data collection worked?
http://www.theguardian.com/world/2014/jan/14/nsa-review-panel-senate-phone-data-terrorism

Appendix 53 Legal opinion on some GCHQ surveillance
http://www.theguardian.com/uk-news/2014/jan/28/gchq-mass-surveillance-spying-law-lawyer

Appendix 54 US DHS Privacy and civil liberties memorandum
http://www.dhs.gov/xlibrary/assets/privacy/privacy_crcl_guidance_ise_2009-01.pdf

Title page:
June 5, 2009
PRIVACY AND CIVIL LIBERTIES POLICY GUIDANCE MEMORANDUM
Memorandum Number: 2009-01
MEMORANDUM FOR: DHS Directorate and Component Leadership
FROM: Mary Ellen Callahan, Chief Privacy Officer; Timothy J. Keefer, Acting Officer for Civil Rights and Civil Liberties
SUBJECT: The Department of Homeland Security’s Federal Information Sharing Environment Privacy and Civil Liberties Protection Policy
Comprehensive revision of the Telecommunications (Interception and Access) Act 1979 Submission 32 - Supplementary Submission

Supplements to submission to Senate TI and A Act Inquiry.
No.1 Recent correspondence with the IGIS
This tends to indicate that even where information about (a) possible expenditure of public money on activities outside those prescribed by law, or (b) use of inadvertently obtained information for purposes outside those in the Intelligence Services Act, is apparently reliable, its provenance seemingly will determine whether or not it is investigated. Note too that the 2013 Australian federal whistleblower legislation only admits complaints from public officials or former public officials and exempts the security services.

The Act:

11.(2AA) An agency may communicate incidentally obtained intelligence to appropriate Commonwealth or State authorities or to authorities of other countries approved under paragraph 13(1)(c) if the intelligence relates to the involvement, or likely involvement, by a person in one or more of the following activities:
(a) activities that present a significant risk to a person's safety;
(b) acting for, or on behalf of, a foreign power;
(c) activities that are a threat to security;
(d) activities related to the proliferation of weapons of mass destruction or the movement of goods listed from time to time in the Defence and Strategic Goods List (within the meaning of regulation 13E of the Customs (Prohibited Exports) Regulations 1958);
(e) committing a serious crime.

The correspondence:
Date: 21 February 2014
Correspondence reference: 2014/...www...
File reference: ...zzz...

Dear X

Thank you for your emails. This office will not be commenting on media reporting of alleged activities of Australian intelligence community (AIC) agencies.

In relation to a broken link on the Inspector-General’s website, located on the page found at http://www.igis.gov.au/annual_report/05-06/annex06.cfm, we confirm there is a coding error which will be corrected. In the meantime, you can access the DIO privacy guidelines through the second half of that link. Please note that the link refers to the 2005 guidelines that were current at the time the annual report was published. DIO’s current privacy rules can be accessed at http://www.defence.gov.au/dio/privacy-rules.shtml.
Thank you for bringing this matter to our attention.

On behalf of Inspector-General of Intelligence and Security
PO Box 6181 KINGSTON ACT 2604 | Phone 02 6271 5692 | Fax 02 6271 5696
www.igis.gov.au | info@igis.gov.au

From:
Sent: 19 February 2014
To:
Subject: Possible ultra vires activity

I note the following for the period covered by your 2012-3 annual report.

"Throughout 2012-13, we continued to monitor DSD’s databases, including collection systems, for compliance with the ISA, Privacy Rules, and DSD compliance incidents and privacy incident notifications."

I realise you can't oversight everything. However let us assume from recent press reports about the document "SUSLOC (Special US Liaison Office Canberra) Facilitates Sensitive DSD Reporting on Trade Talks" that the ASD offered the US information in early 2013 on a US lawyer's communications with the Indonesian government on the shrimp or clove cigarette trade. Wouldn't that fall outside S.11.2.AA of the Intelligence Services Act, assuming that the data collection was inadvertent, which is when 2AA applies? If it was deliberate, it would appear to be ultra vires the legislated remit of surveillance. The purposes as I understand them are to counter serious crime including child abuse, ensure our economic wellbeing, combat terrorism, and ensure national security.

Thank you
X

No.2 Telstra data handover agreement
The Telstra Reach PCCW agreement, signed in 2001, gives access, on the request of a designated US person, to stored Telstra data for US FBI, DOJ, DHS, Defense and sometimes Treasury purposes. The agreement does not appear to cover US NSA bulk surveillance using a beam splitter.

Spreadsheet of agreements: http://publicintelligence.net/us-nsas/
Actual agreement: http://media.crikey.com.au/wp-content/uploads/2013/07/US-NSAs-Telstra.pdf
No.3 Are embassies to be used for comint?
Re the uses to which Australian diplomatic missions are permitted to be put. Vienna Diplomatic Convention: http://legal.un.org/ilc/texts/instruments/english/conventions/9_1_1961.pdf

Article 41
1. Without prejudice to their privileges and immunities, it is the duty of all persons enjoying such privileges and immunities to respect the laws and regulations of the receiving State. They also have a duty not to interfere in the internal affairs of that State.
2. All official business with the receiving State entrusted to the mission by the sending State shall be conducted with or through the Ministry for Foreign Affairs of the receiving State or such other ministry as may be agreed.
3. The premises of the mission must not be used in any manner incompatible with the functions of the mission as laid down in the present Convention or by other rules of general international law or by any special agreements in force between the sending and the receiving State.

And see Art 3.1(d) re functions of the mission.

No. 4 The US NSA's director on transparency
The US NSA's James Clapper finally, after nearly eight months, takes on board the idea of democratic government of the people, by the people, for the people. From The Daily Beast, 17 February 2013.

"In an exclusive interview with The Daily Beast, Clapper said the problems facing the U.S. intelligence community over its collection of phone records could have been avoided. “I probably shouldn’t say this, but I will. Had we been transparent about this from the outset right after 9/11—which is the genesis of the 215 program—and said both to the American people and to their elected representatives, we need to cover this gap, we need to make sure this never happens to us again, so here is what we are going to set up, here is how it’s going to work, and why we have to do it, and here are the safeguards… We wouldn’t have had the problem we had,” Clapper said. “What did us in here, what worked against us was this shocking revelation,” he said, referring to the first disclosures from Snowden. If the program had been publicly introduced in the wake of the 9/11 attacks, most Americans would probably have supported it. “I don’t think it would be of any greater concern to most Americans than fingerprints. Well people kind of accept that because they know about it. But had we been transparent about it and say here’s one more thing we have to do as citizens for the common good, just like we have to go to airports two hours early and take our shoes off, all the other things we do for the common good, this is one more thing.”"
No. 5 Statement by Edward Snowden on being made Glasgow university rector in February 2014, from The Guardian
"Snowden, in his statement, said: "I am humbled by and grateful to the students of Glasgow University for this historic statement in defence of our shared values. "We are reminded by this bold decision that the foundation of all learning is daring: the courage to investigate, to experiment, to inquire." He added: "If we do not contest the violation of the fundamental right of free people to be left unmolested in their thoughts, associations, and communications - to be free from suspicion without cause - we will have lost the foundation of our thinking society. The defence of this fundamental freedom is the challenge of our generation, a work that requires constructing new controls and protections to limit the extraordinary powers of states over the domain of human communication."

http://www.theguardian.com/world/2014/feb/18/edward-snowden-nsa-whistleblower-glasgow-university-rector
Supplementary Submission

1. Although it is after the closing date of 27 February, news has come to hand that has significant ramifications for any debate about the intersection of the IS Act, the TI and A Act and the ALRC report For Your Information: Australian Privacy Law and Practice. It has been reported that the UK GCHQ, an AIC partner, has collected up to 1.8m private webcam records in a program called Optic Nerve. However, there must be concerns about its relationship to national security when it is also reported that flesh recognition software is being run across the files. This software is apparently confused when it finds faces, because it classifies them as naked flesh, which of course they are. The GCHQ activity reportedly includes capture of consensual cybersex. The question then is: which naked flesh is it seeking out, and why? What would be its relevance to national security? Another question is whether the UK Intelligence Services Commissioner and the UK Information Commissioner have given their imprimatur to this kind of surveillance. What kind of information exchange on this material, if any, takes place with the AIC? Does any part of the AIC run similar software when tapping telecommunications?

2. It has now been reported that one of our intelligence partners, the CIA, has apparently misused its powers in order to spy on the research staff of the US Senate intelligence oversight committee who were investigating the CIA over torture, according to senior Senator Mark Udall. The matter has been referred to the US DOJ for criminal investigation. It is to be hoped that similar temptations do not exist in Australia.