Tag: security

The Redundancy Of New Anti-Terrorism Laws

Incitement to violence is against the law. It’s always been against the law.

Every Australian state penalises incitement. The Commonwealth makes it unlawful to incite the commissioning of any criminal offence, not just violence.

This legal framework has developed over centuries. The prohibition on incitement has ancient common law roots. It is robust. It is coherent. It is a long-established and very well-founded limit on free speech.

So here’s a question: with the rich and robust law against incitement, why is the Abbott Government introducing the new offence of “advocating terrorism”?

Last week the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014 was introduced into Parliament. Like the first national security bill that preceded it, it is dense and complex – a mix of sensible change mixed in with redundancy and extraordinary overreach.

I argued in The Drum a few weeks ago that the foreign fighter threat is both genuine and pressing. We’ve seen over the last fortnight how events in distant Iraq have materially changed the security environment in Australia. Many proposed legislative changes – particularly to foreign evidence laws and passport confiscation powers – make sense.

But the new bill goes much further than that.

The bill makes it illegal to visit some parts of the world without proving to a court that you visited for family or humanitarian reasons. It extends the control order regime and expands detention powers held by customs.

And it makes it illegal to advocate – counsel, promote, encourage, or urge – the doing of a terrorist act or the commission of a terrorist offense. (The section in the new bill is 80.2C.)

On its face this is extraordinary. The word terrorism is a term of art. A lot of people call Israel a terrorist state. Others respond that Palestine is terroristic.

More concretely, the Commonwealth Criminal Code defines a terrorist act as any action that a) causes or threatens harm to life, property, risk to health, or disruption of electronic infrastructure; b) is motivated by a political, religious or ideological cause; and c) is intended to intimidate the government or the public in general. (See section 100.1 of the Commonwealth Criminal Code here.)

The definition is broad because it has to be. What we describe as “terrorism” is really a collection of offenses. Every part of a terror plot is potentially prosecutable under laws that have been around for centuries. These include the most obvious – murder and attempted murder – down to things like conspiracy and weapons possession.

Indeed, as Bret Walker, the former Independent National Security Legislation Monitor, told the Australian Human Rights Commission’s free speech conference in August: “One of the best arguments against the counter-terrorist laws is that we didn’t need any of them, because we’ve long criminalised murder, conspiracy to murder, and incitement to murder.”

There are, certainly, some conceptual distinctions between traditional crime and terrorism. The latter is primarily intended to create fear. And governments hope to prevent terrorist acts rather than just punish them after the fact. Those differences perhaps justify some distinct anti-terror legislation.

But since September 11 governments have seemed intent on severing the concept of terrorism from its constituent parts – cleaving it off into a distinct body of law. This has created, as Bret Walker pointed out, massive redundancy, complication and confusion. The real winners from this decade of security hyper-legislation are lawyers.

Just how much redundancy has been piled into our anti-terror laws?

Well, in 2005 the Howard government passed sedition law reform that, in the words of the then-attorney general, Philip Ruddock, was intended to prohibit “any conduct or advocacy that is likely to encourage somebody to carry out a terrorist act”. Sound familiar?

It’s striking how little justification the Government has offered for the new advocating terrorism offense – let alone an account of why existing incitement or the 2005 sedition laws are inadequate.

But it appears the advocating terrorism offence isn’t just one of the dozens of new crimes and security powers in the Government’s voluminous anti-terror bills.

No, it seems to be the key to whole thing. It has deep political significance.

Think back to August, when the Government announced its turn towards national security. That announcement was made at a press conference where Tony Abbott also said he was abandoning the promise to repeal section 18C of the Racial Discrimination Act. We were told this was a matter of clearing the decks so everybody could get behind Team Australia.

Yet last week Fairfax reported Abbott shelved free speech reform so section 18C could be used against Islamic hate preachers.

This makes the August press conference even more disingenuous than it appeared at the time.

It seems the Government believes advocating terrorism and offending, insulting, humiliating or intimidating on the basis of race or ethnic origin are two sides of the same coin.

The promised reforms to section 18C weren’t a “complication”. They were directly contrary to the Government’s desire to suppress speech that would otherwise be free.

Don’t Rush To Act On Terrorism Threat

Specific policy problems demand specific policy solutions.

So the Abbott Government has done us a favour by being very specific about the new terrorist threat: Australian residents fighting in Syria and Iraq who come home even more radical and potentially violent.

These “foreign fighters” are a specific threat that demand specific legislative change. It does not demand an overall increase in broad and adaptable police and national security powers.

Let’s start, as all policy discussion should, by being clear about the problem.

One in every nine jihadists who travel overseas to fight in foreign conflicts return to attempt terrorist attacks in the West, according to the best estimate we have.

Considering there could be more than 100 Australians fighting in Syria and Iraq, that ratio is worrying.

The one-in-nine figure was assembled by Thomas Hegghammer and published in the American Political Science Review in February 2013. It’s based on jihadists from the West between 1990 and 2010.

The Syrian conflict started in 2011, outside Hegghammer’s analysis. In an excellent piece in the Age in August, Andrew Zammit detailed some instances of Syrian returnees going on to plot domestic attacks.

One-in-nine is hardly an iron law of terrorism, of course.

Fighting in foreign wars is a very old phenomenon – think George Orwell in the Spanish Civil War – and the motivations for fighting in foreign wars and conducting domestic terrorist attacks differ enormously.

Terrorism remains an extremely low probability event.

But one thing we could say about foreign fighters is that they’ve done law enforcement agencies a huge favour – they’ve self-identified as security threats. As Hegghammer points out, experience in jihad overseas is the biggest predictor of future terrorist intent. So they’re good candidates for close monitoring.

Or good candidates for immediate prosecution. It is illegal under Australian law to engage, or intend to engage, in hostile activity in foreign states. An exception is joining the armed forces of a foreign state. (Australians can’t join Syria’s pro-Assad military, though – we have sanctions prohibiting that.)

Here’s where Parliament can get to work. This law was originally developed to prevent mercenary activity in Angola and Rhodesia in the 1970s. Today it is not particularly fit for purpose.

Bret Walker, until recently the Independent National Security Legislation Monitor, has repeatedly argued for reform of the law governing foreign fighters. Walker’s last annual reportexposes a number of inconsistencies and concerns that the Abbott Government needs to fix.

For instance, it’s hard to prosecute foreign fighters in Australian courts. Laws governing the collection of evidence overseas require the cooperation of foreign states, but what if the offence occurred in a region with no functioning or cooperative government? This is a problem in both Syria and Islamic State-controlled Iraq.

In these very limited circumstances it might be necessary to relax some of the restrictions on what evidence can be admitted into court.

One popular argument is that we should just let foreign fighters go – better they fight and die for jihad overseas than plot terror attacks in Australia. But not all do die.

This New York Times piece points out that many foreign fighters plan to stay in Syria and Iraq for good. Some show their dedication by symbolically burning their Western passports. Yet plans can change.

Anyway, why should we be any more tolerant of those who travel to train and fight in Syria or Iraq than we were of the previous generation of jihadists who joined training camps in Afghanistan? Zammit points out that many of them intended to fight in regional conflicts before being recruited by Al Qaeda to attack the West.

Regardless, it’s probably best that Australia does not act as a staging base for terrorist attacks on foreign civilians. There is no fundamental human right to wage sectarian war.

Walker has identified some serious inconsistencies between the criminal code and the foreign fighter laws.

In large part this is because successive governments have piled terrorism offense-upon-offense into the statute books, rather than systematically reviewing what sort of conduct is already criminalised. George Williams calculated that after the September 11 attack the Howard government introduced new anti-terror legislation every 6.7 weeks.

The Abbott Government is heading down the same path.

The Attorney-General George Brandis has proposed reversing the onus of proof for Australians who travel to dangerous parts of the world – the prove-you’re-not-a-terrorist proposal. Undermining the presumption of innocence is an incredibly ham-fisted way to tackle a genuine evidentiary issue.

The foreign fighter threat doesn’t justify the dangerously broad restrictions on reporting security operations contained in the legislation introduced to Parliament in July.

Nor do a few dozen Australians waging jihad in Syria go anywhere near justifying – for instance – a mandatory data retention scheme, which, by requiring internet service providers to create a database of information solely for the purpose of law enforcement, would treat all Australians as potential criminals.

Taking the foreign fighter threat seriously justifies some legislative change; minor change, yes, but important.

It is not the case that any legislative change will do.

Going Against The Grain On Data Retention

George Brandis claimed last month that data retention was “the way Western nations are going”, but the opposite is true. Australia would be going against the grain, writes Chris Berg.

It would have been good if, at their press conference last Friday, the Australian Security Intelligence Organisation and the Australian Federal Police had been joined by all the other government bureaucracies that passionately support mandatory internet data retention.

Because data retention is not about national security. It’s about collecting data on every Australian for every law enforcement and regulatory compliance agency to use. And for everything from serious crimes to trivial infractions.

So David Irvine of ASIO and Andrew Colvin of the AFP could have been joined by Chris Jordan of the Australian Taxation Office, Rod Sims of the Australian Competition and Consumer Commission, and Greg Medcraft of the Australian Securities and Investment Commission. All have been pushing for data retention in committee hearings and inquiries.

And then, for completeness, we could have had a few of the dozens of state and federal agencies who currently enjoy authorised access to private communications data under the existing Telecommunications (Interception and Access) Act.

Squeeze on stage the Western Australian Department of Fisheries, Racing Queensland, New South Wales Health Care Complaints Commission, RSPCA South Australia, and Wyndham City Council. They would all be beneficiaries of mandatory data retention.

In other words, data retention is hardly a targeted anti-terrorism measure.

There were, in fact, two separate data retention proposals last week.

The first was announced by Tony Abbott and George Brandis on Tuesday. We’ve all seen the muddled interviews but the broad strokes of the policy itself were relatively clear. The Government was planning to force internet service providers to record both the internet protocol (IP) addresses of their customers and the IP addresses of the websites that those consumers visited.

This is sometimes known as “session logging”, or more popularly as “browsing history”.

Abbott and Brandis clearly left the National Security Committee last Monday night, and Cabinet on Tuesday, thinking session logging was what had been agreed to – it was the “in-principle decision”.

Then something changed. A second proposal was announced by Malcolm Turnbull, and confirmed at the ASIO and AFP conference on Friday. In this, the only data that is to be kept is IP addresses matched to customer details. Not a record of all the sites the customers visit.

With the data provided by the Abbott-Brandis session logging policy, it would be possible to map out a person’s entire world. No ISP keeps such a record of its customers’ online lives. Why would it? Anyway, doing so would be in breach of Australian Privacy Principles, which state that no more information ought to be kept than is necessary for business purposes.

The Turnbull policy is still useful for law enforcement, but much, much narrower. It’s only a small step away from billing information. And a few ISPs do keep this data. Storing it consistently might be expensive – very expensive for some ISPs – but it’s hardly the giant threat to privacy and liberty that the Abbott and Brandis policy constitutes.

Most importantly, it is not the mandatory data retention policy proposal that has been on the table for years – large-scale session logging – the policy that Malcolm Turnbull described in 2012 as “the latest effort by the Gillard government to restrain freedom of speech”.

Thank goodness.

As Bernard Keane has found, the Attorney-General’s Department has been pushing for the full version of data retention since at least 2008.

The intellectual genesis of this policy goes back 2006, when the European Union passed the Data Retention Directive. (Australians rarely come up with these ideas themselves.)

The directive instructed all EU member states to retain large quantities of communications data – both source and destination – for the investigation of “serious crime”. You can read it here. Article 5 outlines how just how large those quantities were to be.

European countries did as they were told.

Their experience shows that Tony Abbott was spot on when he said on Wednesday that data retention was designed to fight “general crime”, not just terrorism.

In a sample 12-month period, an Austrian review found that the most common law enforcement use of retained data was for cases of theft, followed by drugs, followed by stalking. Terrorism didn’t rate.

Internet traffic data retained by Poland’s scheme is being used “more and more” for civil disputes – even divorce cases.

The Danish Justice Ministry found only two cases where session logging has been useful in half a decade. Neither concerned terrorism. Denmark gave up data retention in June this year.

Germany’s Federal Crime Agency concluded that data retention had no statistically relevant effect on crime or crime clearance. Crime continued its long-term decline even after data retention was abandoned in Germany in 2010.

We could go on. Brandis claimed last month that data retention was “the way Western nations are going” but the opposite is true. Data retention is being wound back, repealed, and abandoned. In April this year the European Court of Justice found that the EU directive was unconstitutional.

Australia already has a powerful, robust mechanism to monitor suspects online: targeted data preservation notices on the telecommunications of suspects. This regime was updated just two years ago.

But that, perhaps, is beside the point. The last week has demonstrated that the debate over telecommunications surveillance is held in widespread ignorance – ignorance about our existing capabilities, the constantly evolving legal framework, and the architecture of the internet.

Not surprising, of course. This stuff is complicated. Technology policy is hard enough. Add onto that our labyrinth telecommunications intercept laws.

But politicians ought to try to understand the laws their departments insist they introduce.

Abbott and Brandis seem to have thought that merely mentioning the word “terrorism” would be enough to ensure their policy an easy run.

Yet no matter how real the terrorist threat, the pre-emptive surveillance of every single Australian would be an extraordinary policy in every sense of the word – way outside the bounds of proportionality, and way outside the boundaries of legitimate government action in a free country.

Security Bill Widens Government Surveillance Powers

The National Security Amendment Bill (No.1) 2014, introduced into federal Parliament last month, is 128 pages long. The bill’s explanatory memorandum is larger again – 167 pages.

It’s an absolute behemoth – complex, labyrinth, and, to outsiders, entirely opaque. In that sense, the bill is a great metaphor for the massive national security apparatus that has developed since the September 11, 2001 terror attacks.

It’s also the first major piece of Australian national security law reform since Edward Snowden a year ago revealed America’s program of global and indiscriminate mass surveillance.

Timing matters. The Snowden revelations demonstrated that not everything done in our name is done in our interest – and too often it is done without any democratic scrutiny, let alone the approval of voters.

So what should voters make of the Abbott government’s new national security bill?

It seems the three most significant elements are a new power to allow spies to plant software on targeted computers, new penalties for intelligence whistleblowing, and a prohibition on anybody releasing any information about “special intelligence operations”.

But it isn’t clear what the practical implications of these powers are. Are there any boundaries on what constitutes a special intelligence operation? Could journalists be prosecuted for reporting on national security leaks? Getting details out of the government is like pulling fingernails.

National security is a unique area of public policy. It’s one of the most important functions of government. Yet citizens have very little idea of what the government does under the guise of protecting them.

So the debate over national security powers is always held under a veil of ignorance. Usually serious public policy discussion requires evidence. But when we’re talking about security those evidentiary standards go out the window. The best we get is hand-waving about terrorism and, now, Australian residents fighting in Syria. We’re told to take the government on trust.

Given that a basic principle of democracy is that governments must justify themselves to the citizenry, this is a problem. Terrorism is a real threat. But it is not a blank cheque for legislative change.

The democratic accountability problem is enhanced even further by the fact that – as the Edward Snowden leaks have demonstrated – Western governments have repeatedly lied about their national security actions and have kept hidden evidence of their own wrongdoing.

In his recent book, Secrets and Leaks: the Dilemma of State Secrecy, Princeton academic Rahul Sagar argues there are no easy ways to impose democratic accountability on the national security state.

Blind trust isn’t an option. Democracies cannot rely on blind trust. Unfortunately radical openness isn’t an option either. We don’t want the bad guys to know everything about ongoing enforcement operations.

Institutional accountability mechanisms – like parliamentary committees and independent watchdogs – are good, but they tend to be captured by the agencies they are overseeing.

Sagars conclusion is that the best we can hope is that whistleblowers expose wrongdoings.

When America’s mass surveillance program was first revealed by Snowden last year, the Obama administration instinctively responded the program was necessary to prevent terrorism.

Yet in December, 2013 the administration’s own advisory panel concluded that bulk mass surveillance “was not essential to preventing attacks” and traditional, targeted surveillance methods was sufficient. This panel was no naive civil libertarian whitewash. One member was even a former CIA deputy director.

A study by the New America Foundation – a bipartisan thinktank partly funded by the US government – concluded mass surveillance “has had no discernible impact on preventing acts of terrorism”.

Australia is one of the members of America’s Five Eyes surveillance coalition, alongside Canada, the United Kingdom and New Zealand. Unfortunately our governments have been no more honest than American administrations about the need for new security powers.

For instance, the government claims its national security bill is mostly just a long-overdue update of 1970s-era telecommunications interception law. But this argument would be more plausible if the Telecommunications (Interception and Access) Act 1979 had not been updated more than 50 separate times in the past two decades.

The bill is apparently the first of a series. Attorney-General George Brandis said last week a second tranche of reform will make it easier to prosecute Australians fighting overseas, and make it illegal to “promote” terrorism. OK. But it’s already illegal to “incite” terrorism. Is that not enough? Will the government explain, specifically, why changes are needed? Don’t hold your breath.

A third tranche is likely to introduce mandatory data retention. That policy would require internet service providers to record almost everything every Australian does on the internet, just in case law enforcement agencies – from anti-terror spies to competition regulators – decide, in the future, to have a look. Mandatory data retention is both expensive and repressive.

There will probably be a fourth tranche. Tony Abbott wants to be a tough-on-terror prime minister.

The Snowden revelations should teach us one thing. Now, more than ever, the burden of proof rests on those who say we must trade off our liberty and privacy for security. That burden has not been met.

Beware The Border Force Fetish

The Abbott Government’s proposed Australian Border Force is an incredible and serious militarisation of our borders.

On Friday Immigration Minister Scott Morrison announced the Government would create this new top-level super agency to combine all the enforcement functions of Immigration and Customs.

The Australian Border Force will sit beside the Australian Defence Force, Australian Security Intelligence Organisation and the Australian Federal Police as a core national security agency.

The result will be something like America’s Department of Homeland Security.

Morrison’s speech from Friday is worth a look. It is the embodiment of the bizarre border fetishism that has been building over the last decade.

Back when the Coalition unveiled Operation Sovereign Borders, the name seemed like a bizarre non sequitur – how could a border be sovereign?

Turns out there was no such non sequitur. The Coalition is trying to give the border a sort of independent moral value. Morrison wants to elevate the notion of the “border” to the centre of liberal political philosophy:

“Like national defence, protecting Australia’s borders is core business for any national government.”

“Our border is a national asset … Our border creates the space for us to be who we are and to become everything we can be as a nation.”

This is stirring rhetoric but very strange.

A nation’s borders are a means to an end, not an end in and of themselves. They are only useful insofar as they facilitate more central roles for government: that is, national and personal security, the maintenance of a legal order, and the furtherance of social goals.

There is no reason to suggest their function – that is, creating a space for us to be who we are – is under any threat. Certainly no threat that would justify building a grand bureaucratic empire.

For instance, regardless of where you stand on the asylum seeker issue, large scale boat arrivals are only a threat to the orderly management of our refugee quotas, not our borders.

The “securing our borders” stuff is a catchphrase, not a policy. Our borders are among the most secure in the world. Honestly – when asylum seekers arrive in Australian waters, they phone the authorities.

The Australian Border Force is formally part of the 2014-15 Budget. It is supposed to save taxpayer money. We’ll see. Administrative savings have a habit of disappearing.

But Morrison told the Lowy Institute the Australian Border Force is not a mere efficiency measure. It is structural reform. The idea is not just government restructure but to recast immigration control as a pillar of national security. This is a big shift.

Until now, the Immigration Department has had a pretty simple role: to stamp the visas of foreigners. It is a glorified customer service agency.

Accordingly, the department’s role in national security is extremely limited. It administers the Movement Alert List: a database of identities of concern that is triggered when those identities want to have their visa stamped. But Immigration doesn’t create this list. Most of the identities are identified by intelligence agencies.

It’s the same with the famous refugee security assessments. The Immigration Department just administers the assessments made of asylum seekers by ASIO.

Still, while Immigration Department practice may have little to do with national security, the politics of immigration is drenched in it. The Coalition has often tried to tie refugees to national security. And this confected relationship provided the obvious spark for the development of the Australian Border Force.

Immigration is not a national security agency and never should be. Yet as disturbing as that change is, Morrison’s vision appears to be even grander. Customs is receiving a big promotion too.

Until the 2013 election, Customs was part of the Attorney-General’s portfolio. This makes sense. Customs traverses a wide range of ministerial areas. It enforces things like tariffs, import and export controls, as well as prohibitions on importing illegal goods like drugs and firearms.

Where Customs sits in the administrative hierarchy is significant. Before Customs was with the Attorney-General, it was variously ensconced with the Department of Industry, Trade, and Business, reflecting its role enforcing protectionism.

When the Coalition won in September, Customs became the responsibility of the Minister for Immigration.

Recall the big song and dance Morrison made about guns imported to Australia: “If you cannot trust Labor to stop the boats, then it is no surprise that we cannot trust them to stop the guns either.”

Now that it is being integrated into the Australian Border Force, Customs too will be ranked alongside the Australian Federal Police, ASIO and the Defence Force.

Smuggling drugs and firearms are serious crimes, but not quite on the level of terrorism and warfare.

So here’s an easy prediction. Bumping Immigration and Customs up the bureaucratic hierarchy will give those two organisations new influence, ambition, and ultimately power.

And by recasting them as part of our national security infrastructure, those agencies will orientate their core business towards that new, sexier, and more threatening security role.

Why easy to predict? Because that’s exactly what happened when the United States created the Department of Homeland Security. That monstrosity is expensive, expanding, and working to gain new powers. Until recently, its Immigration and Customs Enforcement division was lobbying forthe power to track citizens’ movements through licence plate scanning.

The last thing Australia needs is yet another grand and ambitious security bureaucracy pushing for powers that reduce our civil liberties.

The Australian Border Force may turn out to be one of the most significant, and dangerous, decisions of the 2014-15 Budget.

It’s Power Grabs We Should Fear, Not Cybercrime

“Cybercrime is a systemic risk and I think it is the next black swan event,” the head of the Australian Securities and Investments Commission, Greg Medcraft, told a forum at the end of last month.

That’s just 15 words in which Medcraft squeezed one moral panic and two fashionable but misleading economic concepts.

Catchy, though. Medcraft’s comments were widely reported.

But they demonstrate, once again, how Australian regulators and law enforcement agencies are using the digitisation of the economy as an opportunity for a huge power-grab. More on that in a moment.

Medcraft’s argument is drawn from an unofficial working paper, “Cyber-crime, securities markets and systemic risk”, published mid-last year by the International Organization of Securities Commissions, an association of which ASIC is a member. You can read the paper here.

So, could cybercrime be the next ‘black swan’ event? A black swan (the phrase was coined by the statistician Nassem N. Taleb) is characterised by two things. It is incredibly devastating, and it is incredibly rare. This makes black swan events hard to predict precisely because their probability of occurring is so low.

Crime, whether ‘cyber’ or traditional, does not fit the black swan criteria.

It is not incredibly rare. Financial crime is an already existing, easy-to-quantify, and constant risk.

Nor has it been incredibly devastating. Cybercrime is usually low level. Hackers take down websites, not stock exchanges.

Perhaps they might do worse in the future. But that does not make them a black swan. The very nature of a black swan is that they are unpredictable. You can only recognise them in retrospect.

Nor is cybercrime a ‘systemic risk’. This term refers to the danger that a shock to one institution will have flow-on effects to other institutions in the system. In the Global Financial Crisis, the initial shock was declining house prices, which led to a run on some banks, which spilled over into runs on other banks, and eventually a credit crunch.

It’s plausible to argue that an initial shock could be cybercrime-related. Yet the systemic risk is created by the interconnectedness, not the shock. The worst scenario the International Organization of Securities Commissions can come up with is a cyber-attack on a systemically important institution, or a coordinated attack on a large number of institutions at once. But these are merely more initial shocks.

This might seem a minor objection to Medcraft’s claim. Pedantic, even. It isn’t.

Now that the GFC has passed, financial regulators are quietly changing their approach to regulation. How they see the relationship between micro failures and macro consequences is central to this.

Should regulators try to predict and prevent the crises themselves, as Medcraft seems to argue, or should they instead focus on how the system responds to unforeseeable crises?

Nassem Taleb invented a second famous term: anti-fragility. Anti-fragility describes systems which become stronger when they are stressed. Taleb contrasts this with systems that are simply resilient, designed merely to survive shocks. A resilient system is one which tries to defend itself against known dangers – say, cybercrime. An anti-fragile system is one which accepts uncertainty and is designed to evolve in response.

No surprise then that Greg Medcraft talks about the need for ‘cyber-resilience’. And that makes technology the problem, and ASIC the solution.

Cybercrime is not the bogeyman it is made out to be.

Sure, there is an extraordinary variety of claims about the damage cybercrime does to the economy. Almost all of them are overstated. At Crikey, Bernard Keane has an excellent overview of just how ludicrous these estimates are.

This paper from 2012 finds that traditional crime costs the typical citizen at least a hundred-fold more than computer crime. The paper concludes that the best way to deal with cybercrime is simple law enforcement. Hunt down criminals individually. Throw them in jail. Cybercrime is hardly the sort of policy dilemma that screams black swans and systemic risks.

But not according to the International Organization of Securities Commissions. In its working paper, the black swan event it foresees is a horrifying cyber-catastrophe originally dreamed up by Richard Clarke in his 2010 book Cyber War.

Clarke, a former US counter-terrorism official, warned of a full-blown digital international conflict where cyberwarriors cripple national infrastructure, release chlorine from chemical plants, remotely crash trains, etc, etc, etc.

As Wired magazine put it, Clarke’s prognostications are like “the Book of Revelation re-written for the internet age, with the end-times heralded by the Four Trojan Horses of the Apocalypse”.

Our corporate regulator can’t seriously believe this hyperbolic nonsense. So let’s assume they don’t. Yet that doesn’t give them much credit.

ASIC has a track record of seeking extra powers in response to technological change.

It is the most enthusiastic user of section 313 of the Telecommunications Act, a law that allows it to block (that is, censor) websites from Australian internet users.

And it is one of the big advocates of mandatory data retention, a policy which would force internet service providers to keep records of everything we do online, just in case law enforcement agencies – and regulators – want to look at it in the future.

Medcraft’s dark warnings about cybercrime and black swans need to be seen through this prism: the ongoing battle between government power and digital liberties.

ASIC knows, as all good bureaucracies do, that the best way to get new powers is to massively overstate the problems those powers are supposed to fix. Unfortunately it seems that policymakers are particularly susceptible to technological gobbledygook. Remember the internet filter?

Cybercrime is, undoubtedly, a challenge. But we should be worried when our key regulators, deliberately and explicitly stoke up mindless panic about the impact of new technology.

PM’s ABC Critique Masks Deeper Security Debate

Sometimes the backdrop is more interesting than the performance.

It was significant that, when Prime Minister Tony Abbott launched his critique of the ABC last Wednesday, he singled out the ABC’s apparent promotion of the National Security Agency leaker Edward Snowden, who he described as “a traitor … who has betrayed his country”.

Because it’s easier to argue about the ethics of whistleblowing or the role of public broadcasting than come to terms with the radical changes in the politics and governance of national security over the past decade.

As my Institute of Public Affairs colleague James Paterson wrote in Fairfax papers last week, the case for ABC privatisation isn’t altered one bit by whether the network is pro-Australia or not.

(The hysterical fears about Malcolm Turnbull’s efficiency review are also a bit much. The ABC is a $1.2 billion piece of public policy. Public policy ought to be constantly reviewed – especially public policy that big.)

No, what we are seeing is the antipodean wing of a bigger debate about the place of national security in an open society.

The Indonesian spying revelations and the National Security Agency surveillance scandal are elements of this larger issue.

And with the military secrecy focus of Operation Sovereign Borders, the Abbott government has managed to drag asylum seeker policy into the national security net.

National security has always been an insiders’ game – a privilege of political power. Politicians who win government are suddenly taken into the tent. They’re granted the right to hear secrets kept from the people who elected them.

This is both an honour and a terrible responsibility: Those politicians inevitably get the blame if anything goes wrong.

Their responsibility makes them risk-averse and more sensitive to the desires of intelligence bureaucracies than other bureaucracies. It’s easier to say no to the deputy secretary of the Education Department than the director general of ASIO. It’s easier to bring innovative ideas from outside government to education than to the black box of national security and intelligence.

This has always been the case. What’s changed is the size of that black box.

It’s hard to overestimate the significance of the September 11 terrorist attacks for the development of the modern national security state.

With a decade’s hindsight, it has been as big a deal as the introduction of standing armies in the 19th century – a permanent, impossibly ambitious mass intelligence operation on a constant war footing.

Hence the United States’ historically unprecedented surveillance program, where a secretive bureaucracy hoovers up the world’s internet and phone records under the theory that almost anyone, anywhere is potentially a terror suspect.

The program is either unconstitutional or questionably constitutional. Either way, it certainly exceeds its legislative mandate.

At the end of last month a bipartisan government commission found the National Security Agency was misusing powers in its collection of phone records.

It’s pretty damning. Congress only permitted the collection of material related to ongoing investigations, and, even then, the agency given this power was the FBI, not the NSA. Nor could the commission identify any terrorist attack that had been directly thwarted by the use of this program.

This is all before we get to the grave civil liberties consequences of the mass data collection.

Of course, much of what we know about it comes from the Edward Snowden leaks. It doesn’t matter whether you think Snowden is a traitor or hero or something in-between. It is undeniably true that had those leaks not occurred, we would be none the wiser about the Obama administration’s probably illegal, unquestionably disturbing, and obviously dangerous security program.

It’s an interesting hypothetical as to whether, even had September 11 never occurred, governments would have sought and acquired such powers anyway.

But that’s the key: The NSA surveillance is only possible thanks to technological developments that enable such huge amounts of information to be collected, stored and processed.

And, conversely, it is those technological developments that have made it possible for the new era of whistleblowers and leakers to have the impact they have had.

Daniel Ellsberg had to photocopy the Pentagon Papers by hand on a very new and unfamiliar Xerox machine. It took him and a colleague all night. By contrast, Bradley Manning easily transferred a quarter of a million documents onto a blank CD while pretending to lip-sync a Lady Gaga song. Uploading them to WikiLeaks would have been even quicker.

As explosive as they were, the Pentagon Papers were only an internal history of the Vietnam War up to 1967 – not the raw material of diplomacy and intelligence we’re seeing today.

There’s another important development that has been somewhat obscured by the political contest surrounding our new era of leaks.

What we’re seeing is not the surreptitious transfer of secrets from one country’s intelligence agency to another country’s intelligence agency – as has been the historical norm – but the very open transfer of secrets from intelligence agencies to the public sphere.

All the political sound and fury has been over the release of information to voters. In other words, the opening of the national security black box to democratic scrutiny and debate.

The Indonesian spying scandal was a particularly stark demonstration of that dynamic. Indonesia knows we spy on them, as we know they have spied on us. The political problem is that the Indonesian public now know too.

These leaks will keep happening. Maybe not from Snowden or Manning, but the next person. Embarrassing disclosures about the secret inner workings of the national security state is the new normal. It’s not necessarily a good or a bad thing – it just is.

And democratic governments are just going to have to learn to deal with it.

Opening statement to Commonwealth Legal and Constitutional Affairs References Committee inquiry into Comprehensive revision of the Telecommunications (Interception and Access) Act 1979

With Simon Breheny

Thank you, first of all, to the committee chair, Senator Scott Ludlam, and the other members of the committee for inviting us to speak with you this morning. At the outset, let me make some general statements of principle. These principles should guide any reform to the Telecommunications (Interception and Access) Act 1979.

Interception and access of telecommunications data by government agencies is an intrusion into the human right to privacy. As individuals we have the right to control aspects of our lives that we wish to keep private. Government access to communications data should be strictly limited. The first limitation on access to communications data is the requirement that it must be targeted towards a person reasonably suspected of criminal wrongdoing. The second limitation is that interception of and access to communications data should only be allowed in accordance with a warrant issued by the courts. Warrants allow the interception and access to communications data in limited circumstances. They create a threshold for interception and access and ensure a level of accountability of the law enforcement agencies conducting criminal investigations by judicial oversight.

The proposal to introduce a mandatory data retention regime in Australia is a clear violation of these principles. Mandatory data retention would establish a systematic and ongoing mass surveillance regime on the internet activity of everyone in Australia. It is a very serious breach of privacy; it is easily circumvented and it is likely to suffer significant mission creep. As my colleague Chris Berg has argued, mandatory data retention will also have a chilling effect on free speech. The Australian privacy principles were updated and implemented just six months ago, yet mandatory data retention is a policy that would require the explicit rejection of these principles—namely, that businesses, including internet service providers, should only retain the information that is required for business purposes and should delete that data when it is no longer required for those same purposes.

We have seen in recent times some very significant breaches of privacy by government agencies. Most recently, the Australian Federal Police was responsible for a very serious breach of privacy when it revealed the identities of criminal suspects and other details about criminal investigations. Such inadvertent disclosures are unavoidable, but government should be seeking to reduce the possibility of these disclosures where possible. It is also worth noting that it has not been adequately shown that preservation orders are not adequate to achieve the aims of the law enforcement. Stored preservation orders are targeted, proportional data retention schemes that offer a flexible and privacy-protecting mechanism to law enforcement agencies. It is striking to us how rarely the existence of this mechanism is discussed in the data retention debate when it would seem to resolve all the problems with the TIA act that have been identified by law enforcement agencies.

The authorised access regime established under the TIA act allows for warrantless access to communications data stored by telecommunications companies. This is a clear breach of the principle that access to communications data should not occur unless a warrant has been issued by judicial authority. The TIA act annual report 2012-13 revealed that there were more than 300,000 access authorisations made in that year. Some of these authorisations were made by organisations like Australia Post, the Clean Energy Regulator, Harness Racing New South Wales and the Wyndham City Council. The authorised access regime should be abolished and should be replaced with a regime where communications data may only be accessed in accordance with the warrant issued for that purpose.

One of the problems we have identified in this debate concerns the word ‘metadata’ as opposed to ‘content data’. In our view the word ‘metadata’ describes nothing of analytical value; it is all just data. Indeed, as has often been pointed out in this debate, metadata is capable of revealing even more than what has been described as content data. We are happy to discuss the issue in detail if the committee wishes. Thank you.

Secrets And Fears Of A Paranoid Government

You’re either with us or against us. “Hammer this fact home,” an internal Department of Defense document instructs its readers, “leaking is tantamount to aiding the enemies of the United States.”

That document was itself leaked last week.

It’s part of the Insider Threat Program – a crackdown within the US federal bureaucracy to stop bureaucrats and private contractors sharing secrets with the press. It is the banal bureaucratic background to the espionage charges laid on Edward Snowden and Bradley Manning.

But in a way the Insider Threat Program is as revealing as the secrets the two men have revealed.

America’s national security state is unmanageably big. It is a Leviathan of dysfunction.

More than 4.9 million American government employees and private contractors have security clearances. There are at least 1,200 bureaucracies and 1,900 private companies working on the government’s security and intelligence programs.

Booz Allen Hamilton (the company that employed Edward Snowden) earned $3.8 billion in federal government contracts in 2012. That’s 99 per cent of its total revenue.

During the Cold War the US government was rightly concerned public servants might sell secrets to the Soviet Union.

There actually were spies at the very top of the bureaucracy. If you passed information to Soviet agents, it was reasonable to assume you did so for Soviet benefit.

But now, a decade into the War on Terror, the American government is more concerned secrets might be passed to American newspapers.

There’s a subtle difference. Citizens in a democracy have a right to know what their government is doing. Edward Snowden revealed a massive surveillance program that was, until recently, dismissed as the fantasy of conspiracy theorists. We are better for knowing that program exists.

Yet the US government thinks leaking to journalists is the moral and legal equivalent of spying for foreign governments or terrorists.

Nobody believes the disclosure of classified information should be legal. Any organisation, private or public, needs some degree of confidentiality to function. As the Guardian writer Glenn Greenwald points out, Snowden “made his choice based on basic theories of civil disobedience”. He will bear the consequences.

But an Espionage Act charge goes well beyond that. Disclosing information about the actions of a democratically elected government to the media is not the same as secretly undermining national security for the benefit of the hostile foreign powers – not on any practical, ethical, or philosophical grounds.

The US Espionage Act dates back to 1917. Section 793 of the Act makes it illegal to communicate information to others “with intent or reason to believe that the information is to be used to the injury of the United States, or to the advantage of any foreign nation”.

In its first 90 years the Espionage Act was only used three times against people accused of leaking government secrets to the press.

But the Obama administration has charged eight different whistleblowers under the Espionage Act.

As well as Bradley Manning and Edward Snowden, they’ve also charged a former CIA officer for revealing the names of colleagues involved in torture, a State Department advisor for leaking information about North Korea, and a senior executive at the National Security Agency for exposing the surveillance program. (You can see a full list here.)

One of the few prosecutions for leaking under the Espionage Act before Barack Obama was Daniel Ellsberg. He released the Pentagon Papers to the New York Times and Washington Post in 1971.

The Nixon administration went hard against Ellsberg. So hard, in fact, that they illegally tapped his phones. The case was ultimately thrown out for misconduct.

Yet in retrospect the release of the Pentagon Papers wasn’t that big a deal. They were merely a classified Defence Department history of the Vietnam War. That history stopped in 1967, and the juicy stuff – mostly how the Johnson administration lied about the Gulf of Tonkin incident – damned Richard Nixon’s Democratic opponents.

Ellsberg was prosecuted for espionage not because he had damaged American national security but because he had embarrassed the state. For Nixon – and for Obama – embarrassment is as good as aiding the enemy.

It was embarrassing, but not damaging, when the world read America’s diplomatic cables in 2011. It is embarrassing that the world knows the US government is listening to its phone calls. But have these embarrassments materially hurt American security interests? Not likely. Were they done in the service of a foreign power? Quite the opposite.

Earlier this year, Barack Obama bragged his was the “most transparent administration” in history.

Compare those fine words to a brochure published by the US Defense Security Service, Insider Threats: Combating the ENEMY within your organization. It urges private contractors to report any suspicious behaviour of their colleagues. “It is better to have reported overzealously than never to have reported at all.”

Such is the paranoia of the impotent.

US Surveillance Scandal Just The Tip Of The Iceberg

More than a decade after the September 11 attacks, the US is having a debate about its monstrous national security apparatus. Finally.

In that time, Congress has granted every wish of every security agency. The only condition was those wishes had to be connected, however vaguely, to the war on terror.

Last week, Americans learned the result. They now live in a vast surveillance state run by secretive intelligence bureaucracies and bloated private contractors.

We should care about this, too. Australia’s national security agencies are pushing our Parliament down the same path.

Here is what we know so far about the American scandal. For the past seven years, the US government has been secretly hoovering up records of millions of phone calls. It has been able to gain access to enormous amounts of data from companies such as Google, Facebook and Yahoo on their users. For its legal authority, it relies on the rubber stamp of a secret court.

Those companies targeted are forbidden from discussing what is going on. In March, Director of National Intelligence James Clapper explicitly denied to Congress that the program even existed.
As one Democrat who received a classified briefing this week said, the public has only seen the ”tip of the iceberg”.

Australia has not gotten quite that bad. But every policy change goes one way – towards more state power.

The Attorney-General’s Department wants Parliament to approve a suite of new security powers. This would include a massive data retention scheme, where records of all our internet usage would be kept by internet providers just in case we are later suspected of committing a crime.

The government is not transparent about what exactly these new powers would entail, or what they are supposed to solve. We have to piece together disparate pieces of information to figure out what our own government is doing.

For instance, we learned in February our foreign spy agency ASIS has been lobbying politicians for permission to collect intelligence on Australian citizens. But that is already the job of the domestic agency, ASIO. Why does ASIS want this power? It is not clear.

Earlier this year, we learned Australian bureaucracies are accessing phone and internet records nearly 1000 times a week without a warrant. Even the RSPCA can get access to these records. Yes, that RSPCA, the animal group.

And it is almost certain the American program has been been collecting data on Australians. Parts of the program give moderate privacy protections to American citizens but nothing to people ”reasonably believed to be outside the United States”. It is unclear how involved Australian agencies are. We know British agencies have been, but Canberra won’t disclose anything.

This madness has to stop. The national security state has grown too big. It is too unaccountable. It is fundamentally undemocratic.

When the Attorney-General’s office was questioned about its surveillance activities, a spokesman replied it was the “long-standing practice of successive Australian governments not to comment on national security and intelligence capabilities”.

Such blithe dismissals might have worked in the past. But after what we have seen in the US, there is no longer a reason to give government any benefit of the doubt.

Nobody denies that law enforcement must keep up with the times. Nobody denies terrorism is a real and ongoing concern. But the past decade has seen security agencies use these two facts as leverage for unprecedented funding and power – far out of proportion to the technological problems they are worried about.

Security agencies have an advantage in the political game. They are a black box – opaque and secretive. It is easy to convince politicians they would be endangering lives if Parliament did not grant some new power, or if checks and balances were not relaxed a little bit more.

The agencies are helped by national security apologists, who seem more worried about loyalty to the state than any democratic accountability.

The first reaction of the conservative columnist David Brooks to the US scandal was to surmise that the person who exposed it – 29-year-old security contractor Edward Snowden – was just the product of an overly individualistic society. OK, one of the biggest surveillance programs in history is revealed, and Brooks concludes the real issue is young people?

Columnists say the darndest things. But Brooks’ is not a lone voice. There is an active discussion in the US about Snowden’s motives, his girlfriend and whether he has committed “treason”.

Some perspective, please. Snowden’s character is irrelevant to the question of how powerful security agencies should be in a free country. Those who try to play down, dismiss or deflect this scandal are simply the willing tools of state power.

Just as despicable is the claim (heard occasionally from the left) that citizens have abandoned their right to privacy by handing personal information to companies. Talk about blaming the victim. We share stuff on Facebook, so it’s our fault the government is out of control?

The surveillance scandal is an important moment. Even the most gung-ho conservatives in the US are having second thoughts about the national security state.

Let’s hope that scepticism trickles down to Australia.