Abstract
Modern mobile phones bear no resemblance to rotary-dial phones of the 1960s. The volume and nature of data extracted from intercepting a ‘telecommunications service’ in today’s online world is fundamentally different to ‘wire-tapping’ a phone conversation. Yet the statutory threshold for ASIO to intercept a telecommunications service has not changed since 1960. There is no statutory requirement to consider privacy or proportionality when issuing ASIO a warrant. The situation is similar for access to telecommunications data (metadata), once just a list of numbers dialled but now a rich source of personal information. This article argues that it is time for the law to change.
In 1960, the latest thing in telephony was a phone that matched your décor. There was a choice of six colours, they all had a rotary dial and were wired to the wall. Police were not allowed to tap your phone. However, the Australian Security Intelligence Organisation (ASIO) could get a secret warrant from the Attorney-General to intercept your ‘telephone service’ if they suspected it was used by someone likely to engage in acts of espionage, sabotage or subversion: it was, after all, the height of the Cold War. There were not many restrictions on ASIO retaining, analysing or sharing what they got. There probably did not need to be: magnetic tapes were not easy to analyse or distribute, and who were they going to share it with anyway? Today the same type of warrant gives ASIO authority to intercept everything that passes over a broadband or satellite connection to a home or business. Every email, phone call, text, message, video, website interaction or other form of communication that comes and goes over the service. The threshold for ASIO obtaining a service warrant has not changed. The rules about retaining, analysing and disclosing what they get have not changed much since 1960 either – although it is, of course, much easier to do all of those things now and there is much more data and many more agencies for ASIO to cooperate with.
Telecommunications data (sometimes called metadata) is constantly generated and transmitted by our phones and devices. In 1960, telecommunications data was just the phone numbers called and how long each call lasted. Today the telecommunications data generated by your mobile phone alone probably reveals more about you than some of your friends could. Information about where you are, where you have been, the apps you use and how often you use them, your shopping habits, who you message and even whose phone was near yours when you went to bed last night are all forms of telecommunications data. Since 2015, carriers must retain certain telecommunications data for at least two years and then disclose it in response to ASIO requests. 1 For ASIO the statutory test to access that trove of information is the same as it was in 1991, when ASIO first had the power to request telecommunications data separate to seeking an interception warrant: the requesting ASIO officer just needs to be satisfied that the disclosure would be in connection with the performance by the Organisation of its functions.
This article briefly examines the history of ASIO telecommunications service warrants and telecommunications data access. It shows how these powers have effectively increased due to changes in technology, without any commensurate change to legal thresholds and statutory safeguards. In the context of a current government review of electronic surveillance laws, the article calls for this change to be acknowledged and for statutory safeguards and thresholds to include holistic privacy and proportionality requirements.
This article is not suggesting that ASIO is misusing its powers. The question being examined is whether Parliament needs to revisit those powers to ensure that legislation (and not just guidelines) require their use to be proportionate to the threat being investigated and the privacy impact of the amount of information that can be obtained, retained, analysed and disclosed in today’s technological environment.
ASIO’s power to intercept telecommunications
The early days: Secrecy in telephony but no warrant required for ASIO
Long before ASIO even existed, the law in Australia protected the integrity of telecommunications. The Post and Telegraph Act 1901 required that all officers of the telegraph take an oath to ‘hold strictly secret all telegraphic or other communications that may pass through [their] hands …’. 2 In 1935, it became an offence to listen to any conversation or signal passing over a telephone line without the authority of the Postmaster-General’s Department. 3 Although their format has evolved, these prohibitions on telecommunications employees divulging information, and on people intercepting phone conversations, remain in our law today. 4 ASIO has always been an exception.
ASIO was established in March 1949 in the context of the Cold War and concerns about Soviet spies. By June 1949, ASIO was intercepting the phones of suspected Russian agents. 5 They did this in reliance on executive power. Legal advice from 1959 said the oath that post and telegraph officers took did not preclude disclosures to the Crown and that interception was not prohibited if the Postmaster-General’s Department approved it (which they did, at the Prime Minister’s request). 6 Under this somewhat dubious arrangement the Director-General of ASIO was able to authorise interception if he was satisfied ‘that the person concerned is engaged on [sic], or reasonably suspected of, subversive, sabotage or espionage activity’. 7 There was no requirement that privacy be considered or that the warrant be a reasonable and proportional response to the suspected security issue.
ASIO interception moved to a statutory footing in 1960: The legal threshold stayed the same
These arrangements were put on a statutory footing in 1960. Warrants were issued by the Attorney-General but the basic threshold remained the same as it had been for the previous 10 years. The Attorney-General could issue a warrant if satisfied that the Director-General of ASIO ‘reasonably suspected the person using the phone was engaged in, or likely to engage in, activities prejudicial to the security of the Commonwealth’ (which at the time meant espionage, sabotage or subversion). 8 Today this basic legal threshold and the issuing arrangements are the same. There are now many other types of telecommunications warrants that ASIO can obtain and what is covered by the definition of ‘security’ has expanded significantly. 9 But some things have not changed: warrants are still issued by the Attorney-General and the legal test is still whether the service is ‘used by a person engaged in, or reasonably suspected by the Director-General [of ASIO] of being engaged in, or of being likely to engage in, activities prejudicial to security’. 10 The Telecommunications (Interception and Access) Act 1979 (‘TIA Act’) still does not require that privacy be considered or that the warrant be a reasonable and proportional response to the suspected security issue.
A telecommunications interception warrant has its origin in the literal ‘wire-tapping’ of the 1950s and as a result allows ASIO to intercept things ‘passing over’ the telecommunications network (ie, during a phone call or when an email is in transit). With the rise of personal computing, ASIO also needed access to records stored in those computers. Since 1999 ASIO has been able to obtain a specific computer access warrant from the Attorney-General. These go beyond interception or search warrants and permit remote access to computers. The legal threshold for computer access warrants has a lot of similarity to the 1960s telecommunications warrants. For a computer access warrant, the Attorney-General must be satisfied ‘there are reasonable grounds for believing that access … will substantially assist the collection of intelligence … that is important in relation to security’. 11 Again, there is no statutory requirement to consider privacy or proportionality.
Dramatic changes in technology in the last 70 years mean that the potential privacy impact of an ASIO warrant is now radically different. In the 1950s and ’60s when the basic warrant threshold was developed, phones were wired to the wall and all that an interception could reveal was what people said to each other over that phone line. In today’s on-line world we reveal a lot more about ourselves over the telecommunications network. The same telecommunications service warrant ASIO could get in 1960 now covers everything that passes over a fibre-optic or satellite connection to a home or business – every email, phone call, text, message sent via an app, video, website interaction or other form of communication and the associated data that goes with it. Plus, computer access warrants potentially reveal everything stored on your device.
Data is digital: Modern retention, analysis and disclosure practices impact privacy more
Not only can ASIO obtain a lot more data from each warrant, data is now digital. That makes it much easier to store, analyse and share with other agencies. In the 1960s ASIO might have typed out what you said in a phone call, they might even have made a carbon copy or two. Record keeping and analysis involved index cards and paper files. Even if your personal information was in those files, it was not going to be easy to retrieve or share with others at scale. Today, most records are digital. Digital records can be searched and analysed quickly. The long-term retention of digital information and its combination with other information, plus the potential for the use of artificial intelligence and other advanced analytic tools, is a significant step-up in the privacy impact of data collection.
There is no regulation on the use of advanced analytic tools or data combining by ASIO. The arrangements for retention of material obtained under warrants have, if anything, become more permissive. In 1960 the Director-General had to cause destruction of any records ‘not likely to assist the Organization in the performance of its functions’ (an objective test). 12 A subtle but significant difference in the current provision is that records only need to be destroyed if the Director-General is satisfied that the record or copy is not required (a subjective test). 13 If the Director-General never turns his or her mind to the question of relevance then there is no destruction requirement. The power isn’t delegable and ASIO has only recently been directed to develop some internal policies about retention of personal information. 14 In the early days of interception, the Attorney-General would personally review transcripts of phone calls and sometimes even listen to the tapes as part of ensuring that everything which was not relevant was destroyed. 15 It is difficult to imagine this would be practical today. Between May 1960 and May 1974, ASIO intercepted an average of around 13 phones per year. 16 The number of services that ASIO intercepts today is not made public but, in 2021–22, police agencies intercepted around 3500. 17
There is an argument that in the 1950s and ’60s it was not really necessary to consider privacy, or the proportionality of interception, given the small number of warrants, analogue records, strict limits on destruction and the practical limits on disclosure of records. The ‘targets’ of these ASIO interceptions were almost all suspected Russian spies and agents. This also was an era before most other express privacy protections – Australia did not ratify the International Covenant on Civil and Political Rights until 1980 and the Commonwealth Privacy Act was passed in 1988. As discussed below, the continuing lack of privacy as part of the statutory threshold for ASIO warrants is inconsistent with the newer police warrants. It is also arguably inconsistent with modern expectations for how Parliament regulates the proportionality of invasive powers. 18
ASIO access to ‘telecommunications data’
The content of a telephone conversation, email or text message is not the only thing of intelligence value that can be derived from the telecommunications system. Telecommunications data and subscriber information is central to virtually every ASIO investigation. 19 ASIO access to this data also has a history and an astonishingly low legal threshold that has not moved in decades, despite advances in technology making the power significantly more invasive. 20 If ASIO wants a carrier to hand over this data, it needs to authorise the carrier to do that – this harks back to that original oath taken by telegraph workers.
As previously outlined, ‘telecommunications data’ was once just a list of phone numbers called and the length of each call. Subscriber information identified who was responsible for paying the bill, including their name and address. It is not entirely clear when or how ASIO started accessing these types of information. However, the legislative history suggests that, from at least 1989, information could be provided to ASIO ‘for the purpose of the issuing of, or in connection with information obtained under, a warrant’. 21 The reference to ‘the issuing of’ a warrant was most likely to do with subscriber information, given that requests for a warrant needed to include the name and address of the subscriber. The phrase ‘in connection with’ was carried forward into the Telecommunications Act 1991, except that from then onwards it clearly covered both subscriber information and telecommunications data, and the disclosure to ASIO no longer needed to be in connection with the issuing of a warrant. Instead, the legal threshold for disclosure to ASIO became that an officer of ASIO had advised the carrier that the disclosure was ‘in connection with the performance by the Organization of its functions’ 22 – clearly a much broader range of purposes than just the issuing of a warrant.
Today the minimum categories of data that a carrier has to retain include not only who you message, when you message and what type of message (eg, was it via SMS, phone call, social media or an app) but also where you are when you send or receive messages. The carrier, of course, also keeps your contact and billing information. Carriers now need to keep all this data for at least two years in case ASIO or police ask for it. 23 They are not required to keep your web browsing history, but websites visited has been described by government as a form of telecommunications data. 24 Any telecommunications data that a carrier keeps beyond the statutory minimum can be handed over along with the rest. For ASIO to access this trove of information the legal test is the same as it was in 1991 (when the iPhone was almost 20 years away and carriers did not have to retain data).
ASIO can retain, analyse and share telecommunications data obtained under an authorisation with even fewer restrictions than for material obtained under a warrant. There is no statutory requirement to destroy the information, even if it is not relevant. Information can be shared ‘for purposes relevant to security’ or to assist other Australian intelligence and law enforcement agencies in accordance with internal authorisations. 25 Notably, the definition of security today includes the carrying out of Australia’s responsibilities to other countries in relation to security. 26 There is no public reporting on how many authorisations ASIO grants each year. Last year the Australian Federal Police (AFP) issued around 20,000 such authorisations. 27
What about safeguards?
As discussed above, the statutory threshold for ASIO to access telecommunications data or intercept telephone services is low and does not include a test of proportionality or a requirement to consider privacy. Rules around retention, analysis and dissemination are very loose. These laws were made decades ago and the seismic shifts in technology as well as increasing expectations that there will be legislated protections for privacy make them seem very out of date. However, before concluding that law reform is needed, it is important to look at other laws applying to ASIO to see if they contain safeguards that compensate for these apparent inadequacies.
ASIO is exempt from most of the legislation which usually provides a check on executive power including the: Privacy Act 1988, Australian Human Rights Commission Act 1986, Ombudsman Act 1976, Freedom of Information Act 1982, and the Administrative Decisions (Judicial Review) Act 1977. Judicial review of decisions to issue ASIO warrants or data authorisations based on s 75(v) of the Constitution is theoretically possible, but impractical taking into account the secret nature of ASIO operations and the thresholds based on the satisfaction of the decision maker.
Since 1986, ASIO has been required to comply with Guidelines issued by its Minister. These do contain some broad principles about proportionality but provide little detail and in many instances pass control-setting authority back to ASIO. 28 For example the Guidelines say that ‘where possible, the least intrusive techniques for collecting information should be used before more intrusive techniques’. But they give no indication of whether telecommunications data is today to be regarded as more intrusive than access to the content of communications (content which in many cases will be encrypted and unintelligible) or whether retention and analysis is to be considered in assessing invasiveness. The Guidelines acknowledge that ASIO keeps a broad database to check and assess information against.
While it is positive that the Guidelines direct ASIO to consider proportionality, they do not apply to decisions by the Attorney-General to issue warrants and, as guidelines, can be changed by the ASIO Minister (now the Minister for Home Affairs) at any time. They cannot be regarded as a substitute for Parliament setting requirements in relation to privacy and proportionality.
ASIO is subject to the specialist oversight of the Inspector-General of Intelligence and Security (IGIS). IGIS jurisdiction does not extend to decisions to issue warrants, as these are made by a Minister. 29 Decisions by ASIO officers to authorise carriers to provide metadata to ASIO are within IGIS jurisdiction. However, the legal threshold is so low it is unlikely that many legal problems would be identified. 30
There is one category of ASIO metadata access requests which is subject to additional statutory thresholds and reporting – that is, requests for the purpose of identifying a journalist’s source. In these cases privacy, the gravity of the matter being investigated and how much the information would likely assist ASIO and any submissions of a public interest advocate must be taken into account by the decision maker which, in the case of journalists’ sources, is the Attorney-General. The Parliamentary Joint Committee on Intelligence and Security is also notified. 31
Is it different for police?
The AFP have been able to seek a warrant to intercept telecommunications since 1980. Unlike ASIO, which obtains its warrants from the Attorney-General, police warrants are issued by an eligible judge or nominated Administrative Appeals Tribunal (AAT) member. Police, like ASIO, can access telecommunications data and subscriber information on the basis of an internal authorisation. A big difference between the police and ASIO is that police warrants and authorisations both include an express statutory requirement that privacy and proportionality be considered in issuing decisions. This includes how much the privacy of any person would be interfered with, the gravity of the conduct being investigated and the likely usefulness of the information. 32 These proportionality requirements are, in effect, ‘technology neutral’ in that the impact on privacy will change as technology changes.
It is not surprising that ASIO is empowered to seek warrants and authorisations at an earlier stage of investigations than police. It is ASIO’s function to investigate risks rather than crimes. However, this does not mean that privacy and proportionality should not be part of the statutory test.
Current electronic surveillance review
The Attorney-General’s Department is currently conducting a review of electronic surveillance laws – a complex and important task. The Discussion Paper for this review emphasises how changes in technology have in some ways diminished powers and led to a complex array of warrant types. 33 This is true. But there is no discussion of how the basic ASIO ‘service warrant’ and metadata access powers discussed in this article have, over time, increased the quality and quantity of information that ASIO can obtain under the same warrant or authorisation, without any adjustment of the statutory thresholds.
Perhaps more significantly, the Discussion Paper is focused on the point at which information is collected and not on the whole system of interception and access which includes retention, analysis and dissemination. These later steps – the retention, analysis and sharing of digital information – today arguably pose at least the same or even higher privacy intrusion than the initial collection. This is a significant gap in the current approach to the review.
Conclusion
There may still be foreign spies, and phones still come in many colours, but almost everything else about telecommunications technology has changed since ASIO began intercepting phones in 1949. About the only thing that is static is the statutory threshold, which for ASIO service warrants has been the same since it was first enshrined in legislation in 1960. The statutory threshold for accessing telecommunications data without a warrant is more recent: 1991, but that was long before most people had a mobile phone or an email address. Both statutory thresholds are low and neither requires privacy or proportionality to be considered. There are Guidelines made under the ASIO Act which direct ASIO to consider proportionality and use ‘less intrusive’ means where possible, but guidelines made by the Minister for Home Affairs are not a substitute for legislated standards, and they do not apply to the Attorney-General who issues ASIO warrants.
With no public reporting on how many ASIO warrants and authorisations are issued each year, or how much of that data is retained or communicated, it is difficult to even get an idea of how extensive the issue may be. The current electronic surveillance review should acknowledge how much more intrusive ASIO service warrants and telecommunications data access powers have become due to changes in technology. It is time that proportionality requirements form part of the legal test for ASIO, as they do for police, and not be contained only in vaguely worded guidelines. The proportionality requirements that currently apply to police interception warrants and to access journalists’ telecommunications data provide a good starting point. It is also time to view and regulate warrants and authorisations as part of a broader system that includes retention, analysis and disclosure, as today these activities are arguably often more invasive than the initial collection of information.
Acknowledgment
Subsequent to this article being accepted for publication, the author was appointed the next Independent National Security Legislation Monitor (INSLM). This article was written in his capacity as an academic, prior to commencing the INSLM role.
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
