<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div>I guess we should anticipate that the PJCIS will ask for further submissions. Probably they will give as little advance warning as possible to conform to their "accelerated timetable". I would think they'll announce their request for submissions as soon as the Labor amendments are dealt with.</div><div><br></div><div>The Labor amendments are critical for:</div><ul><li>Requirements for judicial review of TCNs/TARs, and avenue of judicial appeal for service providers</li><li>Strengthened requirements for necessity and proportionality</li><li>Definitions of system vulnerability and systemic weakness (which preclude mass deployment of patched code)</li></ul></div><div>These amendments are necessary and reasonable. However, for me, the following issues still remain to be resolved:</div><div><br></div><div>1 - Granting the police EA powers (rather than the intelligence services - ASIO & AFP) goes too far where the police do not require EA. Rather the least intrusive powers that would still enable them to prosecute serious crime, would be Legal Intercept (basically enough powers to get to the clear text, where they are back to where they were before the "going dark" due to encryption). This means that Police should get a different category of TAN - where there are no write or modify data powers (i.e. read only). Any write or modify capabilities they require should be implemented under a duly authorised TCN.</div><div><br></div><div>2 - Once there is allowance for differentiation in Police vs Intelligence Services powers, there should similarly be differentiation for the seriousness of crimes investigated. The 3 years for Police services (but limited to Legal Intercept) would still allow the police to investigate cyber stalking, but also many other crimes some have suggested is like using a sledge hammer to crack a nut. 
Given the more intrusive nature of EA vs Legal Intercept, there should be a higher bar for the Intelligence Services to demand EA powers (say 20 years to life). If they need only Legal Intercept, then the bar could remain at 3 years.<br></div><div><br></div><div>3 - It's still not clear that anything doable under a TCN, cannot be compelled under a TAN's write/modify data powers. Hence, there ought to be exclusions of a TAN's powers from compelling the implementation of a capability for which a TCN can be issued.</div><div><br></div><div>4 - I'm still not seeing where a TCN, TAN, or TAR, is disallowed from serving as "authorisation" under s280 / s313 of the Telecommunications Act 1997, sufficient to demand mass access to carrier metadata/ metadata datastreams. There is also lawful disclosure of mass metadata under s177 of the Telecomms Interception and Access Act 1979. If the police and/or intelligence services get access to metadata streams, they will integrate this with their other metadata projects, including CCTV and facial recognition databases. 
Which is obviously something some in Law Enforcement are advocating for, though I think most citizens would regard this as an alarming move towards mass surveillance and a police state.<br></div><div><br></div><div>5 - Having one agency act as a clearing house for notices and warrant data, is still a preferable framework to access by multiple agencies, and would provide advantages for economy, efficiency, governance, and the secure custody of both warrant data and service provider confidential information.</div><div><br></div><div>6 - Journalists and media organisations ought to be able to mount a public interest defense against the issue of TANs.<br></div><div><br></div><div>7 - Any citizen ought to have standing to mount a public interest defense against the issue of a TCN.<br></div><div><br></div><div>8 - An audit trail be mandated for all TAN/TAR actions.</div><div><br></div><div>Interested to hear if anyone has comments or other concerns.<br></div><div><br></div><div>Kind regards</div><div><br></div><div>Paul Wilkins<br></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Sat, 15 Dec 2018 at 09:29, I <<a href="mailto:beatthebastards@inbox.com">beatthebastards@inbox.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<div>GCHQ is going for the same thing</div><a href="https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate" target="_blank">https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate</a>
</div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div>