|
Cryptome DVDs are offered by Cryptome. Donate $25 for two DVDs of the Cryptome 12-years collection of 46,000 files from June 1996 to June 2008 (~6.7 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of cryptome.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org, and 23,000 (updated) pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost. | |||
The Walsh Report
CHAPTER 6
COORDINATING PROCESSES AND INVESTIGATIVE CAPABILITY
6.1 Policy Primacy and Coordination
6.1.1 Many departments and agencies have an interest in cryptography
policy. Some of the range was outlined in Chapter 1. The issue of policy
primacy now needs to be established so Ministers and departments are aware
of whom with which they need to consult when policy issues overlapping the
cryptographic area surface and so one Minister and department is viewing the
issue of cryptography policy from a holistic point of view. There is fair
indication that neither of these functions is currently being performed.
Inside and outside the bureaucracy there is some bemusement that no
department has or is even claiming ownership of this policy area. That
diffidence, should it be that, can only confuse. Because of the pervasive
impact of cryptography policy issues on every sphere of activity, not least
the way commerce and government will engage in business, the matter should
be taken to Cabinet promptly for a decision on policy ownership.
6.1.2 It has become self-evident that decisions taken in the areas of
IT industry development, export schemes, broadband communication policy,
intellectual property, criminal justice or law enforcement. each bear on
policy issues associated with encryption, so it is only sensible that one
Minister and one Department coordinate those issues while several may have
responsibility for particular areas. The mystification within government and
in the private sector at the apparent lack of policy coordination is
accentuated by the plethora of committees, working groups and other forms of
review looking at policy issues which embrace or impact upon cryptography
policy issues. Clearly the questions of policy primacy and coordination go
together and, when settled, need to be advised widely.
6.1.3 Which department should have the policy responsibility is an
issue for decision by Ministers. Some of the issues are mentioned at
paragraphs 3.4.3-5.
6.1.4 The option of the Attorney-General's Department was suggested in
light of its interaction with the IT industry, academics, its organising
role in the joint Australian Government/OECD conference on Security Privacy
and Intellectual Property Protection in the Global Information
Infrastructure in February 1996 and its continuing function as chair of the
Ad Hoc Group of Experts tasked with developing draft Guidelines on
Cryptography and leader of the Australian delegation, as well as its
protective security policy, law and legal policy interests. As an
alternative, Cabinet may decide to give it to a sub- committee of Ministers,
but the chair of that sub-committee would likely be decided on the same
basis as a single responsible Minister - congruence with portfolio
interests, best positioned to represent the whole of government interests
and subject to counterbalancing pressures which would likely produce balance
and perspective.
6.2 Maintaining Investigative Capability
6.2.1 Technology continues to develop at an astonishing rate, rendering
inadequate or anachronistic the scope of statutes whose original purpose may
be yet clear but whose specification of the means by which ends are achieved
has rendered them nugatory. The clearest example of this are the listening
device provisions in the AFP Act which specify the purpose to be for
carrying voice transmissions. This degree of specificity about means in the
statute precludes their use to transmit video or other images, or electronic
signals. There is a need to amend the provisions and, just as clearly, to
ensure all these forms of intrusive investigation are couched solely in
terms of purpose or objective, not the means by which those purposes may be
realised. This is important to take account of the constant changes in
technology and the political sensitivity which always surrounds the
introduction to and amendment of such measures by the parliament.
6.2.2 The steadily growing level of dependence of business on computer
and information technology has seen, not surprisingly, a proliferation of
computer and communications crime. That trend is only likely to become more
pronounced. The AFP needs to be able to deploy whatever it judges from a
propriety and operational point of view to be the appropriate means. It is
unable currently to use listening devices against these categories of crime
because of their classification. It seems clear the criteria of Class 2
offences in section 12(B) of the AFP Act should be widened to enable it to
do so.
6.2.3 That increasing reliance on computers for communication, file
storage, word processing and publishing, among other uses, affects the
subjects of investigation of the AFP, the NCA and ASIO as much as the rest
of the community. Computers may be used to prepare for the commission of
Commonwealth offences and assist in the commission of those offences. While
investigative agencies may be unable to introduce human sources, listening
devices or conduct searches because of the standard of protective security
observed, the limited time available or the risk of destroying the integrity
of the investigation, it may be open to them, if the authority existed, to
defeat the access controls on the target's computer and enter the system.
6.2.4 Some anomaly is perceived in the different way obligations are
levied on telecommunications carriers and service providers. The class
licensing system of service providers has not worked as well as might have
been hoped. Dealing with the specific interest of this Review, it has proved
ineffective in dealing with those service providers whose activities
frustrate law enforcement or the preservation of national security. A system
of enrolment as provided in s.225 of the Telecommunications Act 1991 has
been canvassed by LEAC. It was hoped the services to be specified as subject
to this requirement would include the supply of switched services, reselling
capacity on leased lines to the public, reselling airtime on mobile
networks, supply of voice mail and electronic mail services where those
services include the provision of infrastructure, supply of paging services
and the operation of private networks with more than 5,000 lines or which
provide links between more than five distinct places, and providers of
Internet services. The two major drivers of concern for law enforcement and
national security are access to customer information and the kinds of
services which could potentially be legally intercepted. The Department of
Communications and the Arts (DOCA) has opined that a general requirement for
registration of service providers would destroy the integrity of the class
licensing system and it fears further obligations placed on service
providers, whether through a system of enrolment or Ministerial direction,
could deter some from entering or remaining in the industry.
6.2.5 There is broad support for a form of registration/enrolment from
AUSTEL, the service providers themselves and the law enforcement and
national security agencies. The delicate policy question with which DOCA, in
particular, has to grapple is that actions not be taken which may prove
inconsistent with the deregulated environment after 1 July 1997. This is a
strong public interest argument here - but so, too, is the public interest
in the maintenance of law and order and the protection of national security.
Some form of registration or enrolment seems justified.
6.2.6 There has been a need for clear legislative authority for
tracking devices (beacons) for some years. Proposals for draft legislation
have, been considered but never advanced to the stage of a bill being
listed.
It has proved its effectiveness in Britain, the United States and Canada.
obvious application in counter-terrorist situations, in narcotics
investigations and in cases of kidnapping of dignitaries. There is a need
quickly to revive this legislative proposal on which bipartisan support
would likely exist.
6.2.7 The Crimes Act 1914 contains no explicit provision for a covert
search to be undertaken by any constable. It simply speaks of entry being
made 'at any time', with necessary assistance or force as required. It is
understood the execution of a search warrant was intended to be a
transparent process so the owner or occupier might check the details on the
warrant, confirm they were a correct description of his/her property and
then monitor the search and seizure to ensure compliance with the terms of
the warrant. No doubt the powerful place which property occupies in the
common law had something to do with this approach. It is possible,
presumably, for the police to delay execution of a search warrant until no
person is present. That may not offend the terms of a warrant in a literal
sense but it does frustrate the extant intention of the statute. The issue
is raised as occasions will occur when a search of premises may well enable
an investigation to be focussed more sharply, the privacy of others to be
protected from unnecessary intrusion, a prosecution to be achieved and
resources to be saved and directed to other priority tasks.
6.2.8 The ASIO Act provides for the issue of search warrants which may
be executed covertly. 63 Such a provision recognises the value of a search
as an investigative tool, rather than simply a means of publicly announcing
the fact, and likely the conclusion, of the investigation. It also obviates
the dilemma which those who execute a Crimes Act search warrant in covert
fashion may face. That situation should be avoided. The Parliament has
recognised the need for such a covert capability in relation to ASIO, there
are strong grounds to extend that capability to law enforcement.
6.2.9 Tracking devices cater for locating or following the platform on
which they are mounted. To investigate the offences enumerated in 6.2.6, the
capacity to trace communications and identify the location of their source
is just as, if not more, critical. There is extant authority for carriers,
service providers and AFP, NCA or ASIO to cooperate in this regard. A
problem would arise were carriers to confine the test of reasonable
cooperation to life-threatening situations. This would seriously restrict
the use of what would otherwise be a tool of immediate application, enabling
the direction or diversion of resources. With the deregulation of the
telecommunications market from 1 July 1997, this situation may well become
more fraught. There is an issue of costs and the AFP and ASIO should carry a
reasonable proportion for out-of-hours access to the service, but the,
service needs to be available. The prospect of a growing incidence of
encrypted communications will only increase the importance of this facility.
LEAC, with its own reporting arrangements, would seem the most appropriate
forum through which a new cooperative agreement might be negotiated.
[paras 6.2.10 and 6.2.11 not available]
6.2.12 Where sensitive operational sources, targeting or methods are
likely to be disclosed in judicial proceedings, the Commonwealth commonly
mounts a claim of public interest immunity (PII), arguing disclosure would
adversely affect the operational capability of the agency concerned, render
it ineffective in the performance of functions given it by the parliament,
possibly place the lives or well-being of agency employees at risk or face
the compromise of investigations employing similar means. It has been the
experience of the AFP, NCA and ASIO in argument and cross-examination in
support of applications for PII, that some information for which protection
was sought under the aegis of those applications has, in fact, been
disclosed. Indeed, it is not unknown for a judgement upholding a PII claim
to be released, without restriction, when it contained information led in
support of the application but intended to be protected bv the grant of that
application.
[para 6.2.13 not available]
6.2.14 A useful conceptual model is to be found in the ASIO Act. Part
VA of the ASIO Act deals with the Parliamentary Joint Committee (PJC) on
ASIO. After setting out the functions of the Committee, it proceeds to list
what they do not include. Among them:
reviewing a matter, including a matter that relates to intelligence
collection methods or sources of information, that is operationally
sensitive; 64
To that limitation on the function of the PJC is added the power of the
Minister to issue a certificate advising a witness not to give or continue
to give evidence or not produce a requested document for reasons relevant to
security. Notwithstanding those two levels of protection, the legislature
decided nothing should be left to chance when the Committee comes to report
to the Parliament. It prescribed the Committee shall not disclose:
classified material or information on the methods, sources, targets or
results of the operations or procedures of the Organization the public
disclosure of which would, or would be likely to, prejudice the
performance of the Organization of its functions. 65
The statute then proceeds to enjoin the Committee to obtain the advice of
the Minister whether the disclosure of any part of its report would meet the
above or another criterion. 66
6.2.15 The model seems apposite as the restrictions intended to
preserve effectiveness in the performance of function occur later in the
same statute where the Parliament has given a range of intrusive
investigative powers, subject to the application of the Director-General and
the approval of the Attorney-General.
[para 6.2.16 not available]
6.2.17 Invocation in judicial proceedings of such a statutory
protection against disclosure of sensitive operational methods should
properly be accompanied by a certificate from the head of the agency
attesting to the nexus between that matter and the capability of the service
to perform its functions and offset by a privacy oversight mechanism similar
to one discussed later in this chapter.
[para 6.2.18 not available]
6.2.19 In summing up this section, there is a need to remedy some
obvious deficiencies, to provide for new ways of doing old things and to
preserve some existing capacities. The following list, which addresses
concerns of Commonwealth agencies only, is not exhaustive, but illustrates
the issues to be addressed.
[para 6.2.20 not available]
6.2.21 Telecommunications Act
maintain the licence requirement for carriers who wish to market a
service which is not susceptible to interception to first obtain the
explicit approval of the Minister for Communications and the Arts who
shall be required to consult with the Attorney-General.
establish a requirement for all communications service providers to be
registered. to facilitate the service of warrants and access to
customer data bases. There are practical (neither legal ambiguity nor
delay) and natural justice reasons (where some change is made to
licence conditions a guaranteed means of informing the provider should
be available rather than leaving the provider ignorant and potentially
in breach of the law) for taking this step.
[para 6.2.22 not available]
6.2.23 Clearly all proposals made in relation to the AFP (and the NCA)
apply equally to ASIO, both for its security intelligence investigation
purposes and its collection of foreign intelligence in Australia using its
Special Powers.
6.2.24 The establishment of a statutory protection for investigating
agencies from disclosure of sensitive information bearing on operational
capability may exclude certain of those activities from the scrutiny of the
courts or an oversight body charged with monitoring privacy protection. It
is important that the privacy rights and civil liberties of persons the
subject of investigations are preserved and seen to be preserved. There is,
therefore, a need to put some special arrangement in place which will
accommodate this need. A suggestion is made in the following paragraphs.
6.2.25 The task may be assigned to an Ombudsman, Inspector-General of
Intelligence and Security or similar independent person experienced in the
conduct and handling protocols of sensitive matters. The Inspector-General
of Intelligence and Security has this function in his remit as far as ASIO
is concerned. The IGIS Act prescribes the Inspector-General will act for the
Human Rights and Equal Opportunity Commission in respect of the intelligence
community. 67 As far as Commonwealth law enforcement agencies are concerned,
I had been thinking in terms of the Ombudsman, but the function might be
given to the proposed National Integrity and Investigations Commission.
6.2.26 This official concerned would be required to:
review a sample of those cases where the non-disclosure provision had
been invoked in judicial proceedings and intrusive investigations had
been conducted under warrant,
satisfy him/herself that the process by which the inforination/item was
obtained followed Commissioner's/Chairman's/Director-General's
procedures and respected the subject's privacy within the limits of the
operational parameters,
where the reviewer should come to a view that procedures were not
followed or procedures are deficient for circumstances not previously
envisaged, he/she should call a meeting involving the Minister and the
Head of the agency and bring such matters to their attention. A brief
record of fact and recommendation might be prepared and brought to the
meeting by the reviewer. At the conclusion, both Minister and agency
head might initial the piece of paper which would be retained by the
agency head,
no files, papers or records of such operational matters would be
retained outside the agency concerned, but would be produced on request
by the Minister or the reviewer,
the reviewer would provide a one-page annual report to the Minister or
parliament on this area of his/her functions in which mention might be
made of the number of cases examined, the number which resulted in some
recommendation for change and a general judgement of the sensitivity
with which the agency was walking the fine and difficult line between
proper respect for individual privacy and civil liberties on the one
hand and the operational requirements of sensitive investigations on
the other.
6.2.27 This outline is neither suggested as complete nor prescriptive,
but merely an example of an attempt to walk a middle course at risk of some
offence to both sides, yet offering a reasonable compromise.
6.2.28 There is obviously a functional overlap between the AFP and NCA
and the police services of the States and Territories. The offences
attracting the major investigative focus of those agencies are no respecters
of borders, whether national or international. In a report where I urge new
areas and forms of cooperation between the Commonwealth and the States and
Territories, address a challenge which will tax the limited operational
flexibility of those agencies either separately or acting in concert, and
where there must be universal acknowledgement that involuntary or
inadvertent disclosure of effective tradecraft by one will affect all
adversely, the strongest call has to be made for parallel or complementary
legislation between the Commonwealth, the States and Territories.
6.3 Coordination of Operational Capability
6.3.1 A modest but encouraging initiative was taken by DSD in the past
year to bring together agencies facing common problems in the technical
collection of intelligence, to provide a forum for frank exchange and to
ensure coherence and the avoidance of duplication in the research and
developmental work being undertaken by a number of agencies. This grouping
did not involve any law enforcement agency representation. As the Review has
not recommended the establishment of a separate decryption facility for law
enforcement and in light of the reduction in Government outlays, there is an
even greater need to ensure law enforcement agencies are included in this
sort of forum and exchange, as they are likely to experience most acutely
the problem.
6.3.2 This report has earlier (paragraphs 4.4.8-12) suggested the
establishment of an inter-agency forum which would bring together the
Commonwealth law enforcement agencies (AFP and NCA) ASIO and DSD, compliance
agencies such as ACS and AUSTRAC and a coopted representative of a State or
Territory police service. As the National Police Research Unit is involved
in research on the impact of cryptography, it may be appropriate for an
officer working on the project to represent the State and Territory police
services.
[para 6.3.4 not available]
6.3.5 This report has earlier noted the resources dedicated to the
investigation of computer crime among law enforcement and national security
agencies are impressive but seem very meagre. 68 There can be no doubt
increasing demands will be made on these units. There is, in such specialist
and technical areas a critical staffing and capital investment mass below
which staff development and capability enhancement cannot be achieved or
sustained. With agencies, some staffing and budgetary protection will be
required if these purposes are to be met and failure through atrophy
avoided. There would be merit in the proposed inter-agency forum on
cryptography preparing, for the respective agency managements, a staffing,
development and investment plan for the next 5 years. The aim of
coordinating this through the forum would be to ensure its coherence,
resource maximisation and the complementarity of its parts. The reason for
proposing a 5 year time frame rather than the customary triennial basis is
due simply to the pace at which the technology and circumstances change. In
a field in which prediction of the operating context in 3 years time is
hazardous, extension of the horizon to 5 years might lessen the risk of an
inadvertent obstacle being placed in an agency's path by corporate
decisions.
6.4 A New Legislative Approach?
6.4.1 The term normally used by the OECD to cover law enforcement,
counter-terrorist and counter-espionage interests is 'public safety'. It is
a useful and simple description of a class of interests which concern the
community, with which the state must be concerned and which various agencies
must investigate. The means employed to investigate the kidnapping of a
distinguished visitor or internationally protected person, a threat to blow
up an aircraft if demands are not met or money paid, a terrorist threat
against Australian citizens or institutions or a major importation of
narcotics are essentially the same. Putting aside the variety of overt means
which may be employed, the covert ones may include various combinations of
physical, audio and visual surveillance, the search of premises and possible
seizure of items, the interception of various forms of telecommunications
and possibly of the mail. They may include thermal imaging, call tracing,
tracking devices, GPS, or even satellite imagery.
6.4.2 The powers which involve an intrusion into a person's privacy are
located in various statutes administered by several federal Ministers. It
has long been the case that amendment of the investigative sections of these
statutes has been approached with considerable diffidence. Not because of
lack of belief in the merit and necessity of particular amendments but
rather because an excess of hyperbole appears to characterise these public
discussions and often prevents reasoned explanation and ready acceptance by
the community and carries, therefore, the risk of negative electoral impact.
Sometimes that tendency has been positively encouraged with Orwellian titles
to statutes like the 'Electronic Surveillance Act'. Criticism by a court or
oversight body of the manner or circumstances in which some intrusive
investigatory power was exercised appears to increase the degree of
difficulty with which amendments to the relevant statutes are approached. It
seems axiomatic in the Australian community that there is not and will never
be a convenient time to introduce necessary amendments to the investigatory
powers of these agencies. They are generally introduced in isolated fashion
and often have to be argued defensively.
6.4.3 The chancing nature of crime, the proliferation of security
threats with a capacity for violence, the extraordinary burgeoning of
technology, all make regular review and amendment of the investigative
capability of law enforcement and national security agencies a necessity.
The increasing number of dignitaries invited by the Government to visit the
country who face the risk of violence, the rising incidence of attacks
against the institutions of the state and the imminent arranging of a major
world event such as the 2000 Olympic Games suggest a different conceptual
approach might prove rewarding.
[para 6.4.4 not available]
6.4.5 The ready availability of strong data encryption and increasing
difficulty associated with interception, likely to be exacerbated in a
deregulated environment, threatens both the availability and viability of
traditional investigative methods. This will place, for instance, much
greater emphasis on tracing, intercepting and data logging of calls through
multi-carrier and multi- national networks and the local authority to enable
these measures. The suggested statute would be able to make clear the common
purpose and inter- relationship of the various investigative powers.
Oversight or review mechanism procedures could be collocated in the statute
or cross-referenced.
6.4.6 In presentational terms, explanatory memoranda and second reading
speeches could be situated against a clearly drawn public safety backdrop -
threats of kidnapping,, of violence directed against institutions of the
state, of bombing of public buildings, of terrorism directed against
aircraft, of explosive devices in public places. There are, regrettably,
examples in any six month period and the Atlanta Games proved yet a-ain the
drawing power which major events retain for the violent and the deranged. A
schedule might indicate to which departments and agencies the statute
applied and then specify particular provisions by part, section, paragraph
or sub-paragraph.
6.4.7 It is not suggested such an approach would overcome all problems
which have been experienced, but once enacted the process of review and
amendment should be greatly facilitated. Under administrative arrangements
Ministers are responsible for specified statues and it may not be possible
or desirable to bring all intrusive investigative powers into the one Act.
It would, however, make much sense for the law enforcement and national
security related powers which are located in the Attorney-General's
portfolio to be so combined.
[para 6.4.8 not available]
6.4.9 As a discussion paper was issued in early September 1996 by the
Attorney-General on the extension of the Privacy Act to the public sector
and strong elements of preservation of privacy and individual liberty exist
in the public safety purpose of those various investigatory powers, it may
be sensible to couple the matters for legislative consideration. The
security and protection demands associated with staging the 2000 Olympics in
Sydney were always going to be a heavy burden. They have not been lightened
by the loss of the TWA flight from New York to Paris just before the Atlanta
Games nor the bomb which exploded in Centennial Park at the Games site. It
is already evident from media commentary and public discussion that the
community regards the provision of effective security arrangements not only
as a national obligation but also a matter of national honour, reflecting
the distinctive nature and values of our society. This backdrop should
assist acceptance of such an approach.
Footnotes:
63 Australian Security intelligence Organization Act 1979, s. 25 (3) 'A
warrant...may, if the Minister thinks fit, provide that entry may he made,
or that containers may be opened, without permission first sought or demand
made and authorize measures that the Minister is satisfied are necessary for
that purpose.'
64 Australian Security Intelligence Organization Act 1979. s.92C (4)(c).
65 ASIO Act, s. 92N(I)(b).
66 Ibid, s.92N(2).
67 Inspector-General of Intelligence and Security Act 1986, s.8 (1)(a)(v)
68 cf. paragraphs 3.5.4 and 4.4.7
Annexes
----------------------------------------------------------------------------