Attorney-General's moves fast on new telco security arrangements
The Attorney-General's Department is pursuing a new security framework to bring telecommunications companies and ISPs under tighter government control. But it appears to be treading softly on data retention.
The Attorney-General’s Department has rushed to implement a set of wide-ranging reforms and extensions to telecommunications and IT interception powers for intelligence and law enforcement agencies, new documents reveal.
Within weeks of George Brandis being appointed Attorney-General in September, his department began a concerted push to obtain his approval for the development of a package of reforms along the lines proposed by then-attorney-general Nicola Roxon in 2012, starting with an industry consultation process. Documents obtained under the Freedom of Information Act by Crikey (large PDF) — heavily redacted or exempted — show the department eager to use the report of Parliament’s Joint Committee on Intelligence and Security as a “road map” to implement over 40 reforms.
The JCIS report, under the chairmanship of Labor backbencher Anthony Byrne, assessed the Roxon reforms from May 2012 to June last year in a process that directed much of its focus to the controversial issue of data retention. Brandis himself was a member of the committee and said to be significantly less enthusiastic about data retention than colleagues like Philip Ruddock. Eventually the committee declined to make a recommendation on a data retention scheme, saying it was a matter for government, but suggested if a scheme was under consideration it return to the committee as draft legislation.
The department — consistent with its public submissions elsewhere — appears to be treading softly on the issue, repeatedly noting the committee’s position on data retention in its internal briefs and briefing for Brandis. For internal purposes, the department’s formal “line” on the subject was that it would “carefully consider the guidance of the committee”.
But JCIS is now a very different body from the one of the previous Parliament. Byrne, who guided the committee to a unanimous position in that report amid intense scrutiny from online groups, is now deputy chair to former diplomat Dan Tehan; Andrew Wilkie is no longer a member while several backbenchers with military backgrounds have joined. Deputy Opposition Leader Tanya Plibersek also joined the committee, despite the perception that JCIS works best when it is free of the executive of both government and opposition. It was Plibersek who last weekend suggested she was relaxed about data retention, apparently falling into line with briefings from intelligence agencies that data retention was crucial to security. Intelligence and police agencies insist that mandatory retention of phone and internet records is needed to stop terrorism and solve crime.
The Roxon proposals were a long wishlist of reforms sought by intelligence agencies, including extending surveillance powers to social media companies and giving ASIO the power to break into and install malware on computers in order to get closer to surveillance targets. However, the reform that AGD is pursuing as a priority relates to a new “security framework” as part of a Telecommunications Sector Security Reform process …
The TSSR framework would impose on telecommunications companies, ISPs and, perhaps, other service providers much greater obligations to protect their networks and give the government a much greater range of powers to enforce industry information sharing and compliance compared to current arrangements, which in effect amount to a demand to switch off entire services:
“The proposed security framework seeks to place a universal obligation on all C/CSPs [carriage and carriage service providers] to maintain and demonstrate supervision and effective control of networks and facilities, and information in their control. While the obligation itself provides for an even-playing field, Government will engage more intensively with some C/CSPs based on assessment of threat and risk, taking into account market, customers, and other elements of criticality to the national interest.”
The irony of the framework, of course, is that it is likely Australian companies don’t have effective control of their information given what we know of the mass surveillance techniques of the National Security Agency, Britain’s GCHQ and our own Australian Signals Directorate, which was consulted as part of the preparation of AGD’s briefings.
The department first approached Brandis at the end of October about the framework. While the recommendations are redacted they appear to concern beginning consultations with industry, which would be conducted in secret and protected as “commercial in confidence”. The department was also developing a regulatory impact statement — one of the issues that had bedevilled their data retention efforts under the Rudd government — and guidelines for the framework. The department then returned to Brandis twice more, in November and December, in briefings either nearly or fully redacted; by that stage the matter was being prepared for cabinet.
Other reforms will presumably be pursued, but for the moment the priority is to bring Australian telcos and ISPs more tightly under government direction.