We also need “a broader societal discussion about privacy”, he said. Speaking at a seminar organised by the Australian Strategic Policy Institute (ASPI) on Thursday, Pezzullo described the surveillance law reforms now under way as more of a rebuild, not just a renovation. “I’d like to get to a point if we can design the legislation almost as if we are… not just renovating an existing structure, but literally clearing a site, levelling it, understanding what’s in the ground, what all the different conditions are in relation to that site, and building the new structure together,” he said. Pezzullo wants “everyday Australians” to have the confidence that it would be “highly unusual for any of their data, any of their devices, or indeed any of their engagement through their devices with data, to be the subject of surveillance or interception”. He wants to “move hopefully away from a notion, which has crept into the discussion around surveillance, of the mass ingestion of data almost for a ‘store and use it later’ basis”. Dennis Richardson’s 1,300-page review of the national intelligence community’s legislative framework, released in December 2020, recommended a whole new electronic surveillance Act. The aim would be to clean up what has, over four decades, become a tangled mess of laws. The government agreed, and last month the Department of Home Affairs released a discussion paper outlining this goal: “A consistent approach in terms of thresholds, purposes, safeguards, or accountability” with better privacy protections, and a consistent approach to different communications and data technologies into the future. “[We would like to engage] in a very genuine, deep, consultative process. We really want to hear from experts in the field about the challenges that are discussed in the discussion paper,” Pezzullo said. “How do you get these balances right, almost at a philosophical level, between security and liberty?”
Spies will always be “much more restricted” than surveillance capitalism
That said, according to Pezzullo, we should be more concerned about what’s being done by commercial operators in the name of so-called surveillance capitalism. “It’s more than passing strange to me … that we shed more of our own personal and sometimes quite intimate data in ways that we probably don’t fully understand or appreciate,” Pezzullo said. “I think the more immediate pressing problem for the citizenry is to actually understand what companies are doing with that personal and sometimes intimate data,” he said. “Everything that government will do will always be purposely designed by the parliament to be much more restricted than that.” Pezzullo’s argument is that commercial operators project their gaze as widely as possible to maximise profits, whereas law enforcement and intelligence agencies are required to limit their attention to people who are lawfully being investigated for serious crimes. “That’s very different, a very different direction from the way in which all of society’s otherwise going,” he said. “We’d very much like to land this legislation as a model exemplar back to the private sector about how to engage in moderated self-restraining surveillance.” Katherine Jones, secretary of the Attorney-General’s Department, says she is “on a unity ticket” with Pezzullo in wanting a wide-ranging consultation process. “Working closely with Home Affairs, we’re able to be engaged as these reforms have been considered, discussed, with stakeholders, designed, and ensure that we can put in absolutely the most effective safeguards that are built into the legislation, but also the most effective oversight mechanisms.,” Jones said. “I think we have a generational opportunity to improve in this space,” she said. “We’ve got an opportunity to do that in a much more embedded-by-design way, rather than the ad hoc way it’s been developed over the last 30 years.”
A question of thresholds: Which crimes are ‘serious’?
One question which continues to plague Australia’s patchwork of electronic surveillance laws is about the kinds of crimes against which they can be used. As Rachael Falk, CEO of the Cyber Security Cooperative Research Centre, pointed out, the UN’s International Covenant on Civil and Political Rights does have “clear carve outs regarding when privacy can legitimately be a secondary concern”. “These are extreme circumstances – significant national security threats, threat to life, threat to public order – which must be used proportionately to the threat at hand,” Falk told ZDNet. “In such extreme circumstances, privacy, while still vitally important, comes second place to the common good.” But which crimes are “serious”? For example, as your correspondent has previously noted, Australia’s controversial anti-encryption laws can be use for offences “punishable by a maximum term of imprisonment of 3 years or more or for life”. Looking around the various jurisdictions, this could cover such existential national security threats as graffiti, criminal damage, menacing phone calls, or even pranks. The Home Affairs discussion paper does float the options of setting the thresholds at sentences of three years, or five, or seven. But other measures could also be used, such as for when a crime causes serious harm. A key factor here is gaining the public’s trust that the balance is right, something the UK recognised in the report from its own consultation on these issues, A question of trust: report of the investigatory powers review. The report presented a range of case studies which, while not giving away any classified information, explained how and why the powers were used. As Falk told the ASPI seminar, “They [in the UK] go to great lengths to explain the what and the why”. “It’s important that the public have a clear-eyed view,” she said. Home Affairs is accepting public submissions relating to its discussion paper [PDF] until February 11. Assuming the timeline remains the same after the forthcoming federal election, an exposure draft of the legislation would be published before the end of this year, with another round of public consultation before legislation is introduced into parliament some time in 2023. Richardson estimated that the whole process would take two to three years and cost around AU$100 million, with another couple of years to rework IT systems and retrain staff.
Related Coverage
Telcos to get expanded scam-blocking powers through telecommunications law amendmentLabor wants new anti-scam centre and code of practice for fighting against scamsHome Affairs asks for a rush on Critical Infrastructure Bill to allow ASD to act lawfullyHome Affairs blames legacy visa system for poor customer service experienceNationally-known Australian company lawyered up to resist ASD helpColonial Pipeline attack used to justify Australia’s Critical Infrastructure Bill