Home | Databases | WorldLII | Search | Feedback Precedent (Australian Lawyers Alliance)

Mann, Monique; Murray, Angus --- "Striking a balance: Legislative expansions for electronic communications surveillance" [2021] PrecedentAULA 58; (2021) 166 Precedent 44

STRIKING A BALANCE

LEGISLATIVE EXPANSIONS FOR ELECTRONIC COMMUNICATIONS SURVEILLANCE

By Dr Monique Mann and Angus Murray

This article examines some of the challenges of achieving an adequate and proportionate balance in Australian law through an analysis of the development and introduction of electronic communications surveillance legislation over the past six years.^[1]

In the aftermath of Snowden’s revelations regarding mass and indiscriminate telecommunications surveillance by Five Eyes partners^[2] the Australian Government has significantly increased the electronic communications surveillance power vested with law enforcement and security agencies. In this article we examine the ‘hyper legislative’^[3] approach to the introduction of new and enhanced surveillance powers in the context of Australia’s purported ratification of international human rights law;^[4] analyse four significant pieces of legislation regarding surveillance powers proposed or introduced since 2015; and conclude with commentary about Australia’s underdeveloped human rights framework and the lack of transparent reporting and judicial oversight of these surveillance regimes. Each of the recent legislative amendments has a similar focus – to surveil Australians and access their telecommunications data.^[5]

RECENT ELECTRONIC COMMUNICATIONS SURVEILLANCE LAW

Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015

With effect from 13 October 2015, the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Metadata Retention Scheme) amended the Telecommunications (Interception and Access) Act 1979 (TIA Act) to require Australian carriage service providers to retain metadata – that is, data about data – relating to telecommunications for 24 months. The Explanatory Memorandum supporting the Metadata Retention Scheme notes that these changes were required because ‘[s]erious and organised criminals and persons seeking to harm Australia’s national security, routinely use telecommunications service providers and communications technology to plan and to carry out their activities. Some activities, including child pornography, are predominantly executed through communications devices such as phones and computers.’^[6] Pursuant to s187AA of the TIA Act as amended, the information to be kept by carriage service providers includes the subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service, as well as the source, destination, date, time, duration and type of communication, and the location of equipment used in connection with the communication.

While the Metadata Retention Scheme was being proposed in Australia, the Court of Justice of the European Union found that a similar scheme of indiscriminate metadata retention violated the human rights of Europeans and contravened the European Charter of Human Rights.^[7] Australia’s mandatory Metadata Retention Scheme was widely criticised^[8] by a range of academics, commentators and interested groups (such as civil liberty and digital rights organisations) as an affront to human rights.^[9] Significant concerns were also raised that the Scheme would operate without the authorisation of a warrant (although amendments were made shortly before the passing of the Bill to require the issuing of a warrant when accessing journalists’ metadata, known as a journalist information warrant).^[10]

In a similar context, on review required by s187N of the TIA Act, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) found in its report that:

‘Under the existing legislative thresholds of the TIA Act an individual officer can, without a warrant, authorise the disclosure of historic telecommunications data if he or she is satisfied that the disclosure is reasonably necessary to find a missing person, or for the enforcement of the criminal law or any law imposing a pecuniary penalty ...’^[11]

The PJCIS noted that the requirement governing ‘access to existing information and documents granted for “enforcement of the criminal law” (s178) is drafted broadly and is subject to no limitations’, and recommended that a definition be incorporated to enhance the burden on law enforcement to satisfy the need for access to metadata for the investigation of a ‘serious offence’ as defined in s5D of the TIA Act.^[12] Indeed, available data on the use of metadata by law enforcement shows that it is overwhelmingly being accessed for the investigation of drug offences.^[13]

Although the Metadata Retention Scheme was not focused on content surveillance, it has been argued in Europe that metadata is potentially more privacy invasive than content surveillance because of the inferences that can be made from the data.^[14]

Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018

There is a long history of governments around the world, and especially Five Eyes partners, seeking to undermine and access encrypted forms of communication.^[15] In Australia, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act) was introduced by the Department of Home Affairs on 14 August 2018 and very rapidly progressed to royal assent on 8 December 2018. The TOLA Act is the manifestation of the Australian Government’s ‘war on maths’ against the use of encryption.^[16] The TOLA Act’s Explanatory Memorandum notes that these enhanced powers were required as ‘The increasing use of encryption has significantly degraded law enforcement and intelligence agencies’ ability to access communications and collect intelligence, conduct investigations into organised crime, terrorism, smuggling, sexual exploitation of children ...’.^[17]

The TOLA Act grants the Director-General of Security, the chief officer of an interception agency and the Commonwealth Attorney-General additional powers to issue new types of orders. These include directly and indirectly forcing communications and technology companies to provide information about how networks are built and how information is stored, or to design new capabilities to provide various forms of assistance to access encrypted information.

The substantive powers introduced by the TOLA Act are predicated on the new and broadly defined concept of ‘designated communications provider’ (DCP), created pursuant to s317C of the TOLA Act. A DCP can – through a technical assistance request, technical assistance notice and/or technical capability notice (collectively ‘Notices’) introduced into Part 15 of the Telecommunications Act 1997 (Cth) – be required to do a broad list of ‘acts or things’ defined in s317E of the TOLA Act.

The ‘safeguard’ that any Notices issued must be ‘reasonable and proportionate’^[18] is questionable. This purported balance must be understood in the context of s317RA of the TOLA Act, which prescribes the matters that must be considered when deciding if, for example, a technical assistance notice is ‘reasonable and proportionate’. Most of those considerations^[19] are focused on the interests of law enforcement.^[20] Only two involve the legitimate interests of the DCP^[21] and the interests of the Australian community relating to a conjunctive consideration of privacy and cybersecurity.^[22]

According to the submission of the Australian Federal Police (AFP) to the PJCIS review of the TOLA Act between December 2018 and June 2019, the AFP issued five Technical Assistance Requests (TARs) relating to ‘cybercrime, drug importation and the threat of transnational serious and organised crime’. A further three TARs were issued between July 2019 and June 2020, relating to ‘serious computer offences and other serious crime types’ that were not disclosed in the AFP’s submission. However, the AFP provided three operational case examples that illustrate their use of the TOLA Act and concern the use of remote access trojan malware; a denial of service attack on government infrastructure; and the importation of illegal drugs.^[23] These case examples and the offences the AFP reported investigating to the PJCIS review diverge from the rationale and justification supporting the introduction of the TOLA Act (that is, the investigation of organised crime, terrorism, smuggling and sexual exploitation of children as outlined above). Further, the limited details that are publicly released on the use of the TOLA Act assistance provisions by law enforcement highlight issues of limited transparency.

Aside from the Notices, the TOLA Act also made significant amendments to the Australian Security Intelligence Organisation Act 1979 and the Surveillance Devices Act 2004 (SD Act), including the incorporation of computer access warrants. It also significantly widened the definition of ‘computer’ at s6(1) of the SD Act to encompass: ‘... all or part of ... one or more computers ... or computer systems ... or computer networks; or any combination of the above’. The effect of the amendment of the definition of ‘computer’ is the potential conferral of power on law enforcement to obtain warrants for the entire internet as a network of computer systems and networks.

It is also important to note that the TOLA Act has several potential extraterritorial effects. First, it allows for Australian law enforcement agencies to request or compel assistance from offshore DCPs and for foreign law enforcement to request that Australian agencies exercise surveillance powers to enforce foreign laws (including those involving the death penalty).^[24] This opens the possibility for foreign agencies to funnel requests through Australia in order to exploit its weaker human rights protections, rather than targeting other nations with stronger constitutional protections.^[25]

Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020

In addition to the powers under the TOLA Act, the Australian Government has recently introduced the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (Cth) (ID Bill) before Parliament. If passed as law, the ID Bill will create three significant new powers, including data disruption warrants, network activity warrants and account takeover warrants. Taken together, and with consideration to the amendments relating to controlled operations in the ID Bill, the cumulative use of the three government hacking powers will allow for law enforcement to run ‘honeypot’ operations (where they hack into accounts, take them over, and continue to operate them without the knowledge of users). These proposed powers are particularly pertinent given the strategy adopted by the AFP in Operation Ironside, discussed further below.

The first proposed power – use of data disruption warrants^[26] – will authorise offensive data disruption powers and capabilities to disrupt the commission of an offence using a computer. According to the Explanatory Memorandum supporting the Bill, these are ‘warrants to enable the AFP and the ACIC to disrupt data by modifying, adding, copying or deleting in order to frustrate the commission of serious offences online’.^[27] This represents significant expansions of the existing powers of the AFP and the ACIC from the traditional focus of their investigative powers on collecting admissible evidence of specific criminal offences to offensive powers of disruption, provided with the assistance of the ASD.^[28]

The second proposed power – use of network activity warrants^[29] – will enable the AFP or the ACIC to monitor the computer-related activities of criminal groups for the purpose of collecting intelligence. A ‘criminal group’ is defined as an electronically linked group of individuals, which means any two or more people who use the same electronic service (including a website) or communicate with other individuals in the group electronically.^[30] In its submission to the PJCIS, the Human Rights Law Centre argued that this expansive definition of an electronically linked group is so ‘absurdly’ broad as to be unlimited in potential application and that it provides law enforcement with the ability to monitor a range of networks with a loose potential connection to suspected criminal activity.^[31]

The third and final proposed power – account takeover warrants^[32] – will authorise the AFP or the ACIC to assume control of an online account that is suspected of being used in the commission of an offence that is punishable by at least three years’ imprisonment. It grants law enforcement the power to alter and remove an individual’s access to their online accounts, including email and social media services.

One of the main criticisms concerning the ID Bill is the low threshold for the seriousness of offences, with a maximum penalty of three or more years’ imprisonment.^[33] This is not consistent with the rationale supporting the introduction of the powers. According to the Explanatory Memorandum, the ID Bill ‘addresses gaps in the legislative framework to better enable the AFP and the ACIC to collect intelligence, conduct investigations, disrupt and prosecute the most serious of crimes, including child abuse and exploitation, terrorism, the sale of illicit drugs, human trafficking, identity theft and fraud, assassinations, and the distribution of weapons’.^[34] The low threshold, combined with the definition of an electronically linked group of individuals, means that the warrants can be used to target relatively minor criminal activities, as well as people acting in the public interest such as journalists and whistleblowers. Indeed, the AFP raided journalist Annika Smethurst’s home for reporting on the introduction of these powers.^[35]

It should also be noted that these powers may not relate only to surveillance and disruption of the online activities of Australian citizens. As they are an attempt to uncover ‘dark’ networks that operate through identity and geolocation concealing technologies such as Virtual Private Networks and Tor,^[36] when these powers will be exercised the physical location of the target computer and suspect will not be known by Australian law enforcement.^[37] Therefore, these powers extend the reach of Australian law enforcement (the AFP and the ACIC) outside of the sovereign jurisdiction of Australia.

On 6 August 2021, the PJCIS released its advisory report on the ID Bill which recommended that the Bill pass subject to thirty-three (33) recommendations. These recommendations included that the Home Affairs portfolio include an unclassified submission that expressly addresses the necessity and proportionality of national security powers; increased reporting obligations; increased privacy-focused considerations prior to issuing of warrants; and a revised definition of ‘serious offence’, with the threshold increased to an indictable offence of a minimum period of seven years’ imprisonment.^[38]

Telecommunications Legislation Amendment (International Production Orders) Bill 2020

In 2018 the US introduced the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). This new Act amends the Stored Communications Act,^[39] which provides a framework for the US to access electronic information that is held (and accessible) by US-based technology companies and stored outside the physical territory of the US jurisdiction. The CLOUD Act provides reciprocal arrangements for foreign governments to access telecommunications data stored within the US,^[40] first requiring states to negotiate and enter into bilateral agreements with the US that are subsequently enacted into domestic law. The first bilateral data sharing agreement made under the Act, which entered into force in July 2020, was with the UK.^[41]

At present, the US and Australia are undergoing negotiations, and the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (Cth) (IPO Bill)^[42] would enact lawful bilateral sharing of information in the Australian legal framework by amending the TIA Act. It would effectively enable Australian law enforcement agencies to access telecommunications data stored in foreign jurisdictions (such as the US) and foreign law enforcement agencies to access data stored in Australia. The Explanatory Memorandum of the IPO Bill notes that Schedule 1 will ‘introduce a regime for Australian agencies to obtain independently-authorised international production orders for interception, stored communications and telecommunications data directly to designated communications providers in foreign countries with which Australia has a designated international agreement’.^[43] That is, it would grant the US access to Australians’ (personal) information and allow foreign governments to seek warrants for domestic interception, stored communications, or authorisations for access to telecommunications data.

The IPO Bill is, at the time of writing, before the Australian Parliament, and has been subject to an inquiry before the PJCIS, which recommended passage of the Bill subject to the incorporation of 23 amendments and other recommendations, including ensuring that the Commonwealth Ombudsman has sufficient resources to provide effective oversight of the TOLA Act powers discussed above.^[44] This recommendation is interesting as it points to the potential interaction of the TOLA Act with the IPO Bill, discussed further below.

A QUESTION OF BALANCE

This overview has demonstrated that over the past six years, the Australian Government has conferred powers for law enforcement to: access retained metadata without a warrant; access and alter software and other electronic communication platforms; monitor internet activity; and, should the ID Bill and IPO Bill be enacted, authorise state-hacking regimes and access information stored offshore directly from US-based technology companies. These significant powers have the potential to erode human rights and demand both scrutiny and protections. It should also be noted that these expanded powers are in addition to the current provisions that allow for telecommunications surveillance under the SD Act and the TIA Act.

Each of the new surveillance laws we have explored introduces a range of serious impacts with regard to human rights, democratic freedoms and the rule of law.^[45] In isolation, each of the legislative developments regarding electronic communications surveillance in Australia has the appearance (at least on the basis of statements made by politicians) of necessary intrusions into fundamental rights, and of being part of a broader political strategy of toughness on issues of national security.^[46] However, taken together, the suite of new and proposed surveillance laws represent a broad and expansive suite of rights-infringing powers enabling the Australian law enforcement community (and its foreign partners) to surveil and intrude on the lives of Australian residents and citizens. These developments are alarming because, even if their necessity were accepted, serious concerns remain regarding their proportionality and transparency and the adequacy of oversight. These concerns are amplified by the lack of appropriate accountability relating to the issuing of warrants and during and after the exercise of the powers (that is, limited transparency and reporting regarding the use of the powers).

There are also unresolved questions about the interaction of the various existing and proposed laws, and their extraterritorial application, as highlighted by the recent Operation Ironside investigation conducted by the AFP in partnership with the US Federal Bureau of Investigation. While the AFP Commissioner stated at the press conference announcing Operation Ironside that the TOLA Act powers were purportedly used to authorise the operation,^[47] these powers came into force after the commencement of the Operation. It is also interesting that while numerous Australians have been charged as part of Operation Ironside as yet no US citizens have been, which may indicate that the information collected cannot be used to support prosecutions in the US.^[48] When the IPO Bill is eventually enacted as law (as the PJCIS has recommended) and Australia enters into a data sharing agreement with the US, mediated by US-based technology companies, it may be possible that, for example, a TOLA Act request from Australia could be combined with an IPO request from the US.

At the heart of all exertions of state power and the surveillance of citizens is a question of balance.^[49] Privacy is not an absolute right, and incursions into privacy may be required if they are deemed to be proportionate and necessary to achieve a legitimate aim. The surveillance powers described in this article have been introduced with the justification of ensuring national security and responding to serious crimes such as child sexual exploitation. However, the limited data available shows that the scope of application tends to be much broader than the rationale supporting the introduction of the laws (as evidenced by the main uses of the Metadata Retention Scheme and the TOLA Act industry assistance provisions). Certainly, enforceable human rights protections that are overseen by a court of human rights would help to ensure that the exercise of surveillance powers are necessary and proportionate to their stated aims and that they represent the least invasive course of action. Ongoing evaluation is required to ascertain whether the exercise of surveillance powers is according to their stated aims, and for this to occur we need more robust reporting and law enforcement and security agency transparency.

In the context of this rapid and broad expansion of surveillance power in Australia, there are further developments ahead, including implementation of the recommendations arising from the recent Richardson Review.^[50] This Review speaks to the outdated and overly complex legal framework governing surveillance in Australia and recommends the need to overhaul the legislative framework by repealing all existing surveillance laws and enacting a consolidated Electronic Communications Surveillance Act. It presents a timely opportunity for reform of the legal framework of telecommunications surveillance in Australia.

CONCLUSION

This article has examined communications surveillance legislation recently introduced into, or currently proposed to be enacted as, Australian law. We need to strike a better balance between the competing (political) desire for intrusive surveillance powers and the preservation and protection of human rights in Australia. While optimism can be found in potential reform following the recent Richardson Review, the impacts of surveillance laws ought to be balanced against strengthened and robust human rights protections rather than a more simplified consolidation of powers.

Note the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 was passed by Parliament on 25 August 2021.

The authors would like to thank Drs Bruce Arnold, Ian Warren and Jake Goldenfein for their helpful review and comments on an earlier version of this draft, and also Tamsin Janu and Avril Janks for their excellent editorial assistance.

Dr Monique Mann is a Senior Lecturer in Criminology at the School of Humanities and Social Sciences and a member of the Alfred Deakin Institute for Citizenship and Globalisation at Deakin University. EMAIL monique.mann@deakin.edu.au.

Angus Murray is a Partner and Trade Marks Attorney at Irish Bentley Lawyers and an Adjunct Lecturer at the University of Southern Queensland. PHONE 0405 715 427 EMAIL angus@irishbentley.com.au.

^[1] Note that the scope of this article is limited to electronic surveillance; however, broader and significant legislative amendments have introduced other forms of modern surveillance into Australia, such as biometric facial recognition.

^[2] D Lyon, Surveillance After Snowden, Polity Press, Cambridge, 2015. The Five Eye alliance consists of the US, UK, Canada, Australia and NZ.

^[3] K Roach, The 9/11 Effect: Comparative Counter-Terrorism, Cambridge University Press, Cambridge, 2011.

^[4] See for example the International Covenant on Civil and Political Rights 1966, opened for signature 19 December 1966, 999 UNTS 171 (entered into force 23 March 1976), signed 1972 and ratified 13 August 1980; and commentary in Joint Standing Committee on Foreign Affairs, Defence and Trade, Parliament of Australia, Inquiry into the Status of the Human Right to Freedom of Religion or Belief, [2.6].

^[5] See Explanatory Memorandum, Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (TOLA Bill), [7]; Revised Explanatory Memorandum, Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, [2]; Explanatory Memorandum, Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill), [2]; Explanatory Memorandum, Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (ID Bill), [2].

^[6] Explanatory Memorandum, Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, [2].

^[7] Joined cases C-698/15 R (Watson, Brice & Lewis) v Secretary of State for the Home Department and C-203/15 Tele2 Sverige AB v Post-och Telestyrelsen, [112], affirming Digital Rights Ireland and Seitlinger and Others (C‑293/12 and C‑594/12).

^[8] See for example Q Dempster, ‘Data retention and the end of Australians’ digital privacy’, Sydney Morning Herald (29 August 2015) <https://www.smh.com.au/technology/data-retention-and-the-end-of-australians-digital-privacy-20150827-gj96kq.html>.

^[9] A commercialist criticism was also made about the requirement that carriage service providers bear (or pass on) the cost of storing telecommunications metadata for two years.

^[10] See Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act), ch 4, div 4c. Note that these safeguards have been and are being thwarted by law enforcement: see N Suzor, K Pappalardo and N McIntosh, ‘The passage of Australia’s data retention regime: National security, human rights, and media scrutiny’, Internet Policy Review, Vol. 6, No. 1, 2017; S Humphreys, and M de Zwart, ‘Data retention, journalist freedoms and whistleblowers’, Media International Australia, Vol. 165, No, 1, 2017, 103–16.

^[11] Parliamentary Joint Committee on Intelligence and Security (PJCIS), Parliament of Australia, Review of the Mandatory Metadata Retention Regime (Report, October 2020) [5.77].

^[12] Ibid, [5.82]–[5.83].

^[13] M Wilson and M Mann, ‘Police want to read encrypted messages, but they already have significant power to access our data’, The Conversation (8 September 2017) <https://theconversation.com/police-want-to-read-encrypted-messages-but-they-already-have-significant-power-to-access-our-data-82891>; Australian Department of Home Affairs, Telecommunications and surveillance annual reports, <https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/telecommunications-interception-and-surveillance>.

^[14] See for example Tele2 Sverige AB (C‑203/15) [2016] ECLI:EU, [55].

^[15] For a history of the ‘cryptowars’ see BJ Koops and E Kosta, ‘Looking for some light through the lens of “Cryptowar” history: Policy options for law enforcement authorities against “going dark”’, Computer Law & Security Review, Vol. 34, No. 4, 890–900.

^[16] See M Mann, A Daly and A Molnar, ‘Regulatory arbitrage and transnational surveillance: Australia’s extraterritorial assistance to access encrypted communications’, Internet Policy Review, Vol. 9, No. 3, 2020, 1–20;Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (TOLA Act).

^[17] Explanatory Memorandum, TOLA Bill 2018, above note 5, 2.

^[18] TOLA Act, above note 16, ss317JC, 317RA and 317ZAA; see also A Molnar, L O’Shea, M Mann, A Murray, P Tonoli, B Watt and S Dreyfus, Parliamentary Joint Committee on Intelligence and Security, Report on the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Submission No. 29, 10 September 2018) 8.

^[19] TOLA Act, above note 16, ss317RA(b), (d), (e), (ea), (eb) and (g).

^[20] It is also concerning that the ‘safeguard’ in s317ZH of the TOLA Act (in regard to its non-effect in circumstances where a request would require a warrant) is effectively overridden by s317G(2)(b)(v) and/or (vi) where the Director-General of Security makes a request that facilitates the objects of a law.

^[21] TOLA Act, above note 16, s317RA(c).

^[22] Ibid, s317RA(f).

^[23] Australian Federal Police, Submission to the Parliamentary Joint Committee on Intelligence and Security Review of the Telecommunications and other Legislation Amendment (Assistance and Access) Act 2018 (Submission, 2020) <https://www.aph.gov.au/DocumentStore.ashx?id=0d2cbfcb-1463-422a-b2e3-e7f4c16de4bd&subId=690791>; Department of Home Affairs, Telecommunications (Interception and Access Act) 1979 Annual Report 2019–2020 (Report, 2020).

^[24] See D Ford and M Mann, ‘International implications of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, Australian Privacy Foundation (4 June 2019) <https://privacy.org.au/wp-content/uploads/2019/06/APF_AAAct_FINAL_040619.pdf>.

^[25] See Mann, Daly and Molnar, above note 16.

^[26] ID Bill, above note 5, sch 1.

^[27] Explanatory Memorandum, ID Bill, above note 5, 2.

^[28] The Australian Security Intelligence Organisation also has separate powers that authorise computer network operations. See A Molnar, C Parsons and E Zouave, ‘Computer network operations and “rule-with-law” in Australia’, Internet Policy Review, Vol. 6, No. 1, 2017, 1–15.

^[29] ID Bill, above note 5, sch 2.

^[30] Explanatory Memorandum, ID Bill, above note 5, 63: refers to proposed amendment to s6(1) of the Surveillance Devices Act 2004 (Cth) to include a new definition of ‘criminal network of individuals’.

^[31] Human Rights Law Centre, Submission to the Parliamentary Joint Committee on Intelligence and Security on the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (Submission, 2021) 9, <https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/IdentifyandDisruptBill/Submissions>.

^[32] ID Bill, above note 5, sch 3.

^[33] See submission by Queensland Council for Civil Liberties, Liberty Victoria, Electronic Frontiers Australia and the Australian Privacy Foundation to the Parliamentary Joint Committee on Intelligence and Security review of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (Submission 4, 2020) <https://privacy.org.au/wp-content/uploads/2021/02/110221_Submission-to-PJCIS-Identify-Disrupt-Bill.pdf>.

^[34] Explanatory Memorandum, ID Bill, above note 5, 2.

^[35] See A Remeikis, ‘Police raid on Annika Smethurst shows surveillance expose hit a nerve’, The Guardian (5 June 2019) <https://www.theguardian.com/australia-news/2019/jun/05/police-raid-on-annika-smethurst-shows-surveillance-expose-hit-a-nerve>.

^[36] Submission by the Queensland Council for Civil Liberties et al., above note 33.

^[37] See also I Warren, M Mann and A Molnar, ‘Lawful illegality: Authorising extraterritorial police surveillance’, Surveillance and Society, Vol. 18, No. 3, 2020, 357–69.

^[38] Parliament of Australia, Advisory report on the Surveillance Legislation Amendment (Identify and Disrupt Bill 2020 (Report, August 2021) <https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/IdentifyandDisruptBill/Report>.

^[39] 18 USC §§ 2701–2713 (2018).

^[40] S Mulligan, Cross-Border Data Sharing Under the CLOUD Act, Congressional Research Service (Report, 23 April 2018) <https://fas.org/sgp/crs/misc/R45173.pdf>.

^[41] US Department of Justice, Office of Legislative Affairs, ‘Letter regarding the agreement between the United States and the United Kingdom on access to electronic data for the purpose of countering serious crime’ (Letter, 16 January 2020) <https://www.justice.gov/dag/page/file/1236281/download>. See also E Lostri, ‘The Cloud Act’, Center for Strategic and International Studies (2 October 2020) <https://www.csis.org/blogs/technology-policy-blog/cloud-act>.

^[42] See Explanatory Memorandum, IPO Bill, above note 5.

^[43] Ibid, 2.

^[44] PJCIS, Parliament of Australia, Advisory Report on the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (Report, May 2021).

^[45] See LM Austin, ‘Surveillance and the rule of law’, Surveillance & Society, Vol. 13, No. 2, 2015, 295–9; K Lachmayer and N Witzleb, ‘The challenge to privacy from ever increasing state surveillance: A comparative perspective’, UNSW Law Journal, Vol. 37, No. 2, 2014, 748–83.

^[46] See for example K Hardy, ‘Australia’s encryption laws: Practical need or political strategy’, Internet Policy Review, Vol. 9, No. 3, 1–16.

^[47] Prime Minister of Australia, Press conference (Transcript, 8 June 2021) <https://www.pm.gov.au/media/press-conference-sydney-cpo-nsw>.

^[48] U Malone, ‘Why no-one in America was arrested as part of Operation Ironside’, ABC News (17 June 2021) <https://www.abc.net.au/news/2021-06-15/no-one-in-america-arrested-in-operation-ironside/100213036>.

^[49] M Mann, A Daly, M Wilson and N Suzor, ‘The limits of (digital) constitutionalism? Exploring the privacy-security (im)balance in Australia’, International Communication Gazette, Vol. 80, No. 4, 2018, 369–84.

^[50] Attorney-General’s Department, Australian Government, Report of the Comprehensive Review of the Legal Framework of the National Intelligence Community (Report, December 2020).