A society’s norms can shift fast. In the last decade, compulsory metadata retention for broad surveillance purposes has gone from a controversy to a scandal, to a fact of Australian life, to an insufficient power that needs to be augmented by yet more invasive ones. Military control over cryptography and other exports has gone from a joke to a harsh reality to, again, an insufficient power that supposedly needs to be expanded.
Australia urgently needs to put our norms of (particularly Commonwealth) government behaviour back on a democratic footing. This article concentrates on tech-related national legislation. Some of it deserves to be amended, but most of it ought to be repealed outright. The undemocratic norms established over the last decade need to be completely reset.
Dr Monique Mann says, “what actually needs to happen is the rolling back of ministerial executive power and replacing it with judicial and independent oversight.” We agree, yet not every order is acceptable in a democracy even if it comes from a judge.
The pervasive assumption of most of this bad legislation is that surveillance equals security–. It doesn’t. For a decade our government has demonised encryption, omitting it entirely from the ACSC essential eight cybersecurity strategies. This decision to renounce perhaps the most effective tool for keeping data safe is simply stupid.
A large part of the reset we need is to distinguish security from surveillance, recognising that safety comes from being in control of our own data and our own systems, not from constantly being watched. End-to-end encryption, secure authentication, and strong privacy laws will protect the security of individual Australians and also protect Australia’s liberal democracy.
Many things need to change, but here are our most urgent priorities.
The Telecommunications Act
Repeal both the Telecommunications and Other Legislation Amendment (Assistance and Access) Act (2018) and the Surveillance Legislation amendment (Identify and Disrupt) Act 2021. If a full repeal is not politically feasible, we have three priorities for removal.
- Remove the powers to force a “person with knowledge of a computer or a computer system” to “assist”. ASIO’s power requires no warrant, just an order from the Attorney General. Even if the order came from a judge (which it must for ACIC and the AFP) it would not be justifiable. A warrant requirement is better than no warrant requirement, but the idea of forcing someone to work for one of these agencies against their will, possibly for a long time and possibly in direct conflict with their other obligations to their work, family or users, is not normal in a democracy.
- Remove Technical Capability Notices, which may require a provider to alter their system to gather or extract data that would otherwise not be available. This has many of the same properties as the other forced-assistance powers mentioned above, with the potential for substantial collateral damage to innocent users of the targeted system.
- End the general and indiscriminate retention of metadata, which has been shown inconsistent with human rights standards in other democracies, and impose a requirement for a warrant for law enforcement access.
There are numerous other serious problems.
The Privacy Act
Let’s see some actual improvements.
We have already made lots of suggestions as part of the consultation process. We also support the proposals made by Salinger Privacy.
Introduce proper protection for ‘de-identified’ data. Legislation needs to explicitly recognise that data that has had obvious identifiers stripped off but remains identifiable deserves the same protection as explicitly-identified data. Unfortunately, the recent Data Availability and Transparency Act (2022), which both major parties just voted for, seems to go in exactly the wrong direction, allowing for the sharing without consent of ‘de-identified’ data even if it is easily identifiable, as long as the receiving party promises not to re-identify it.
Continuing to share data even after people have explicitly opted out should be banned, if it is not already. If it is already illegal, that prohibition should be enforced. See for example the ABC’s failure to action opt-outs for the sharing of detailed identifiable iView viewing data.
Political parties should not be exempt from the Privacy Act.
The Critical Infrastructure Act
Replace it with something oriented around securing critical infrastructure, rather than something oriented around forced takeovers of critical infrastructure. These two things are not the same.
If repeal is not politically feasible, at least
- impose judicial oversight on Critical Infrastructure takeovers, and
- prohibit the exfiltration of identifiable personal data.
Online Safety Act
Scrap age verification plans. Forcing people to identify themselves and divulge their age is not a privacy feature, despite its inclusion in the misleadingly named Online Privacy Bill.
Reorient around a transparent set of censorship standards, rather than arbitrary takedown powers vested in one individual.
The problem of keeping children safe on the Internet is a complex one, but increasing surveillance of children is not the solution. Better solutions involve empowering children (and adults) with better information and tools to protect themselves online, from both human scammers and automated invasions of their privacy. Regulation should restrict corporations’ collection and use of personal data for everyone, rather than insisting that more children should be more extensively monitored.
The Defence Trade Controls Act
The Defence Trade Controls Act takes an admirable proposition, preventing Australians from exacerbating violent conflict overseas, and extends it to a set of technologies and situations that are utterly irrelevant to weaponry. It should have an exemption for fundamental scientific research, so that Australian scientists can continue the international collaboration that is essential to open scientific work, without fear of a decade in jail.
The future
EFA wants technology to work for people rather than against them. We’re delighted that change is already happening. The Cashless welfare card was going to be on our list, but has already been scrapped.
We’d like to bring back:
- Judicial oversight,
- Separation of powers,
- Repercussions for breaking the law, including the Privacy Act,
- Limiting extraordinary powers and access,
- Transparency for the state, privacy for the rest of us.
The onus is on government to rebuild trust with people – there has been an undermining of trust in institutions, which will not automatically be reversed unless the legislation that enabled it is repealed.