Dr Renwick said the first exception was that schedule 1 of the legislation should be amended to extend technical assistance requests (TARs), technical assistance notices (TANs) and technical capability notices (TCNs) to integrity agencies, including any future Commonwealth Integrity Commission.
The TCN is one way listed in the legislation whereby law enforcement can get industry to aid in breaking encryption.
A TAR allows for voluntary help by a company; its staff will be given civil immunity from prosecution.
The TCN can be issued by the Attorney-General at the request of an interception agency. It must also be approved by the Communications Minister, and it forces a company to help law enforcement by building functionality.
However, a TCN cannot demand the decryption of information or removal of electronic protection in any system.
The second exception cited by Dr Renwick was in schedule 5 of the legislation, where he said one aspect of the voluntary assistance power and corresponding civil immunity in s21A(1) of the Australian Security Intelligence Organisation Act 1979 (Cth) (ASIO Act) was unnecessary and should be amended.
"As to proportionality and proper rights protection, TOLA (the law) will be compliant if, but only if, the central recommendations in this report are implemented," he said. "Most importantly, Schedule 1 should be amended to:
- "a. remove the power from agency heads to issue TANs and from the Attorney-General to approve TCNs;
- "b. vest those issuing and approval powers in the Administrative Appeals Tribunal in a way which will preserve and protect both classified and commercial-in-confidence material and allow independent rulings on technical questions such as ‘systemic weakness’ (definitions which, among others, should be amended); and
- "c. create a new statutory office – the Investigatory Powers Commissioner. The IPC should be a retired judge who will be appointed to the AAT and have access to technical advice. The IPC will assist in approving the issue of TANs and TCNs (as above) while monitoring the operation of Schedule 1 and issuing guidelines. (This can be done with minimal expense.)"
Dr Renwick's report is expected to inform the deliberations of the Parliamentary Joint Committee on Intelligence and Security, which has to submit its final report on the law by 30 September.
Only after that will the government consider any changes. A review was instituted by the PJCIS as soon as the law was passed, with a reporting date of 3 April 2019. It was expected to make changes that would provide some solace to the technology industry.
But the panel then put off taking any decision, instead asking Dr Renwick to review the law and report back by 1 March. That date was pushed out to 30 June due to the lack of submissions that Dr Renwick received.
In his report, Dr Renwick said he had recommended that there be no change to the way TARs are agreed on between an interception agency and a designated communications provider (DCP) and the manner in which the agreement enables the agency concerned to issue a TAR.
"A related key point is the distinction between TANs and TCNs, which provide technical ‘access’; and warrants (and other similar instruments), which provide ‘content’," he pointed out. "TANs and TCNs do not provide the authority to obtain content from a DCP without an underlying warrant, and the government has submitted that these notices are merely a mechanism to ensure that whatever data is obtained under a lawful warrant is accessible and comprehensible to the interception agency. I have not accepted the government’s argument as to the distinction in this regard."
Dr Renwick noted that his view was that more safeguards were needed in the virtual world. He quoted Professor Peter Leonard from the Law Council of Australia in this regard: "In the digital world, digital trust of citizens is affected by activities that may not relate to their specific digital activities. So we always need to consider, as we look at the digital world, the effect on broader digital trust of citizens, and potentially undermining that trust. Now, often a degree of undermining that trust will be justified in national security or law enforcement, but I do think that you can’t take the digital world as an exact analogue of the physical world, because of that different nature of the digital system."