Today, Mark spoke about the Greens' support for the encryption provisions in this Government Bill that will enable Police to unlock electronic devices in relation to child exploitation cases while expressing concerns that these powers will also apply to cases that do not involve child exploitation. He outlined the Greens' amendment that would confine these powers to child exploitation cases.
Statutes Amendment (Child Exploitation and Encrypted Material) Bill 2018
Child exploitation is an abominable crime. Perpetrators deserve the harshest punishment and our law enforcement officers need every tool to identify and track down perpetrators, including those involved in the insidious online trade in child exploitation images and videos. In my view, the perpetrators of these serious crimes are the scum of the earth, and I have little sympathy for them. I expect most right-thinking people would agree.
However, other crimes that do not involve child exploitation attract very different reactions within the community, and they require very different responses. That is what makes this bill so insidious. Tacked onto a bill that deals with some of the most abhorrent crimes imaginable are other measures that are overwhelmingly unrelated to child exploitation. These measures are tacked onto the bill and we are told it is a package of responses that must be passed together.
I think this approach is disingenuous and dishonest. It is calculated to put unreasonable pressure on members of parliament who are, quite rightly, fearful of being accused of being soft on child exploitation if they do not support the whole of the bill. It is an all too common political tactic: you take a new law that everyone can agree with, tackling child exploitation, and you tack onto it other measures that are far more contentious and may bear no relationship with the expressed primary aim of the bill.
It is these provisions that the Greens want to see further debated and which we think should effectively be removed from the bill before it is passed. We are happy to give police the powers they have requested in relation to child exploitation, including the so-called encryption provisions, but we want the laws limited to that purpose until we can have a proper debate in the community about our digital privacy rights and the boundaries of police authority to force the unlocking of electronic devices.
In a nutshell, the so-called encryption measures in this bill provide that a magistrate, at the request of a police officer, can order that a person unlock a computer, phone or other device that contains or provides access to data, even in cases that have absolutely nothing to do with child exploitation, and it is these measures which we oppose. We have no problem with the parts of the bill that amend the Child Sex Offenders Registration Act 2006, the Criminal Law Consolidation Act 1935 or the Evidence Act 1929. These provisions all relate to child exploitation material and we support their passage.
The problem area is part 5 of the bill which inserts a new part 16A into the Summary Offences Act 1953. These provisions relate to data that is held electronically and, in particular, data that is password protected, encrypted or otherwise not accessible without a code or a key. The main provision is a new law requiring people subject to an order from a magistrate to provide access to electronic data on pain of a maximum five-year penalty for refusing to comply without good reason. In simple terms, it is up to five years' gaol if you refuse to unlock your device and provide access to its contents.
The way the bill is framed in proposed new section 74BR, the trigger for a police officer to be able to seek an order from a magistrate is whether:
(a) there are reasonable grounds to suspect that data held on a computer or data storage device may afford evidence of a serious offence;
The definition of 'serious offence' in new section 74BN is:
(a) an indictable offence; or
(b) an offence with a maximum penalty of 2 years imprisonment or more.
The order issued by the magistrate does not have to be directed to a suspect in relation to a serious offence; it can be directed to anyone who they believe knows the passwords or has the ability to access the device or data. This could be a family member, it could be an employee or it could be an IT professional. The order need not identify any particular device. It does not even have to specify what information is being sought. In short, you can be ordered to unlock everything or risk five years' gaol.
The question that arises is: what is wrong with that? Why would we not want to give the police every possible tool to catch criminals? I think there are a number of problems with these provisions and I want to go through them one by one. I would point out at this stage that my concerns have also been expressed by the Law Society of South Australia. The society published a submission to the former attorney-general back in October 2017, which was when this bill was first introduced. As members might recall, it did not pass in that last parliament due to parliament being prorogued; it has effectively been brought back now, but the Law Society's concerns back then are pretty well the same as they are today.
The first problem that arises is what is known as the rule against self-incrimination. Members would know that in this place we have debated very many criminal offences and we have almost invariably included provisions that support the longstanding provision in our legal system that a person is not required to incriminate themselves and that it is the job of the prosecution to prove the case against them. There are some important exceptions, of course, but that is the general rule. That is why defendants are advised in their interviews with police that they do not have to answer questions that might tend to incriminate them.
The government says in response to that argument that these so-called electronic warrants are really no different to an old-fashioned physical search warrant, but I would make the point that they are in fact entirely different. The main distinguishing element is that, in terms of a traditional search warrant, the cooperation of the person being searched is not required. It does not take a rocket scientist to realise that if police turn up at the door with a search warrant and say, 'It's the police here, we have a search warrant', and you say, 'Go away', you may get your door broken down. The police then enter and say, 'Can you unlock the filing cabinet to show us the contents?' and you refuse, well it is going to be jemmied open. You are not obliged to cooperate and that has been the law of the land pretty much forever.
The difference is that with these—let us call them electronic search warrants—the obligation on you is to cooperate to the extent, or in the event even, that you will incriminate yourself. You are legally required to assist the police to potentially incriminate yourself. If you do not, you are liable for up to five years' gaol. These are important considerations.
I make the point that the rule against self-incrimination is not absolute. There are some circumstances where parliament has decided that the public interest should prevail and the rule does not apply, but that has to be the exception rather than the rule. What we see in this bill is no such nuanced approach. If you are the subject of an order, you are legally obliged to unlock your devices and provide access to material, regardless of any consequences for you or for others.
The second problem is in relation to privacy considerations. When it comes to evidence of serious criminal offences, most people are not too worried about privacy; they think that prosecuting these offences should take priority. But we need to think a bit deeper because as we get further and further into the digital age increasingly the whole of our lives is digitally recorded. There is now a record of everything we write. There may still be some people with fountain pens; I cannot recall the last time I wrote anything significant with a biro or a pen. It is all written on computers, tablets and phones, and it is recorded digitally—everything we write.
There is a record of every person we talk to on the phone. In the past, I guess, the police may have gone to Telecom (or whoever it was back then) and got a register, if they could, of people who had used landlines and whatever. It is so much easier now; we nearly always use mobile phones for everything. There is a record of every person we talk to on the phone. With every person that we engage with through messaging services, there is a record. I know, from my private conversations with Liberal members, Labor members and Greens members, that most of us are using encrypted messaging services these days, we are trying to secure our internal communications, but all that stuff is on our devices and it is all subject to this bill.
Every photo we take, every diary entry, every appointment we make with someone, is now digitally recorded and subject, potentially, to these new laws. Possibly the most insidious of all: every single place that we go is recorded electronically on devices and would be available if a person was the subject of one of these orders and was forced to unlock, for example, their mobile phone. That information would certainly be of interest to the police in that small number of cases where they need to locate a potential suspect at the scene of a crime—you can sort of get that—but what we are really talking about are the movements of every other citizen at all times of the day or night.
I do not think I am Robinson Crusoe; I am rarely without my phone. If it is not in my pocket, it is on the bedside table. You only have to delve into the settings and have a look and it knows where you are, if you have your settings turned on. Which of us has not gone to the airport and, just as you enter the carpark, found that a message will come up, 'You have arrived at the airport; are you going overseas? Do you need any foreign currency?' I will not acknowledge the Hon. Ian Hunter putting up his hand, he does not use a smart phone in the same way as the rest of us, but for most of us every move that we make is tracked digitally. It is on our devices and it is potentially subject to these orders.
As I say, if the police were trying to locate someone at the scene of a crime, it might be useful information, but 99.9999 per cent of the time where we are at any particular given moment is of absolutely no interest to law enforcement authorities, yet that is information they will have access to.
That brings me to the next concern, which is that anything that is found on a device can be used and used against you. It does not matter that it was not what they were looking for. At first blush this might not seem problematic. If we go to the example of an old-fashioned physical search warrant, if the police believe that stolen goods might be at your property and they enter the property and what they discover instead is a crystal meth drug-making lab, most of us would think, 'Well, that's fair enough, of course you're going to get done for that', that would make absolute sense. But when you look at it in the electronic realm it raises a whole lot of issues.
The threshold test for whether one of these orders can be issued in the first place is that the police suspect that information in relation to a serious crime might be available—if they can convince a magistrate of that—but what they find on your phone is not evidence of a serious crime but evidence of something else; something else that might not be a crime at all; it might be something of purely prurient interest. The question is: what happens to that data? Can it be used?
I will give a couple of examples. Let's say that a person has dashcam footage from their car and they store it on their laptop. If they are forced to unlock the laptop will the police be able to scour through that information and use anything they find to charge the person with some other offence? Maybe you forgot to turn your headlights on until a few minutes after dusk.
We have all been in that position where you know that when the sun goes down you turn your headlights on, it is a safety measure in cars, but what if you had forgotten? What if the dashcam footage shows that you did not turn your headlights on in time? Maybe it showed that you were speeding. Maybe it showed that you went through a red light. Who knows what it would show? The question is: can the police use that information? It was not what they were looking for but it is what they found.
The police could not have got an order looking for that information because it does not relate to serious offences, but if they do not find what it was they were looking for and they do find this information instead, can they use it? I will put that question on the record for the minister to respond to in more general terms. What restrictions exist on the ability of the police to use material found on electronic devices for purposes other than the prosecution of a serious offence?
In terms of privacy the other thing we might want to think about is that some people include very private information on their electronic devices that is of no possible interest to law enforcement authorities. That might include personal photos, intimate text messages or even evidence of affairs or relationships that are of no business to anyone other than those involved. Again, I ask the minister to take that question on notice: what restrictions, if any, are imposed on the use of personal information that is disclosed on electronic devices that have no relationship to any crime, serious or otherwise?
Another concern is that the bill is not just in relation to police because, leaving aside other law enforcement officers like ICAC, there is a provision in here that says the police can take along anyone else they think might be handy, anyone else who might be able to help them. So you have, potentially, people who are not sworn police officers, they are not necessarily trained, they are not bound by any professional standards and yet they may be given access to electronic data that is obtained under an order.
Again, the question for the minister is: what restrictions, if any—I do not think there are any—are in place that limit the number of people or the range of people who can access this information? The order might be made by the police but the bill says that the police can get other people to help them access the data as well. These people, presumably, do get access to that data if they are successful.
There are a couple of other issues that I will raise: one relates to parliamentary privilege and one relates to journalist shield laws. These were two things that jumped out at me as potentially being infringed by these amendments. The first thing I would say in relation to parliamentary privilege is that most of us know that we inherited privileges through the Westminster system. It goes back to 1856, I think it is, and I understand, from my discussions with parliamentary counsel, that there is a provision in the constitution that we cannot expand on those privileges, but they have not been codified.
We do not have a privileges act as they do at the commonwealth level. However, most of us appreciate and accept that communications between constituents and members of parliament in relation to their parliamentary duties are privileged and are not something that is made available to law enforcement officers.
All of us here have received tip-offs from whistleblowers; all of us at some point have received email communications where people are alleging offences that have been committed by others, and we hold these communications in confidence. They are part of parliamentary privilege.
The question that then arises is how do those principles sit with this law? For example, if police manage to convince a magistrate that they believe a certain fictitious member of parliament may be in possession of stolen goods—or some such offence, just to make a hypothetical example—and they want to access the member's phone, tablet and parliamentary computer, the question arises can they do that? How do they do that?
It would seem to me that the first thing that they would probably do if they were determined to have access is ask the member. The member would probably say, 'No. My phone, my computer, my tablet contain information that is privileged.' They are communications between yourself as a member of parliament and constituents.
They possibly would not go to the MP; they would go across the road. They would go to the PNSG, the Parliamentary Network Support Group, and with their order in hand they would go to a public servant—who is, as I understand it, not directly employed by the parliament, certainly not employed by the members of parliament—and they would order them to unlock a member of parliament's computer, unlock every document that they have ever written, unlock every meeting they have ever held through their diary and unlock all of their emails, because the police have managed to convince a magistrate that they think a member might have information about stolen goods or some such thing. That raises very serious questions about privilege.
One amendment that I have moved is to include in this legislation pretty much the same provision that is included in the ICAC legislation, a provision that basically says that these laws do not derogate from parliamentary privilege. However, it is actually not quite that simple, because even though I have drafted that amendment, I do not intend to move it if my first set of amendments is successful.
My first set of amendments is to hold the government to the primary task that they have set, which is child exploitation. If this bill is confined entirely to child exploitation offences, then I do not particularly want to give members of parliament any protection in relation to those offences; I do not want to do that. I will only move an amendment in relation to parliamentary privilege if my first set of amendments is not passed.
The first set of amendments I see as an invitation to the government to accept what the parliament is saying about child exploitation material—I do not think there is any disagreement on that—but to defer to another day and a proper debate consideration on other crimes that might be appropriate to allow the police the ability to access computers.
I have no doubt that we could run through a list of crimes that people might think are appropriate. I am sure terrorism will be up there on the list, but at present I can just pick a couple of crimes that currently are caught by this bill. One is bigamy. I mean—really? That is punishable by two years in prison or more. To what extent is it of any great interest to order someone to unlock their device because there might be evidence of bigamy?
Another is sexual relations between two people, one of whom is one day over 17 and one of whom is one day under 17. You might have two people who are two days apart in age—that is 10 years' gaol. We know that the police are not chasing Romeo and Juliet. They are not out there looking for young lovers. They are not doing that, but technically this bill covers that situation—anything with more than two years' gaol.
There are other crimes; let's accept they are crimes. Someone goes into a shop and changes the price tag so they get the toaster a little bit cheaper. I do not know of anyone who has done that, but apparently it is done because there is a special Criminal Law Consolidation Act provision about changing the price tags in shops. The gaol time for that is more than two years. Is that the sort of offence that we think should be a trigger for a magistrate to be able to order someone, on pain of five years' gaol, to open up every electronic device they own because it may give evidence of the fact that they swapped tags, or someone swapped tags, in a shop?
People might think this is reductio ad absurdum. They might think it is taking it too far, but honestly we pass these laws in full knowledge of the consequences, and the consequences are that there is a range of these relatively minor offences. Yes, they are criminal offences, but should they be the trigger for a magistrate to order you to open up all your devices?
I will finish with this issue of journalist shield laws, because it struck me that, only last year, this parliament decided as a matter of principle that, in order for the fourth estate to operate correctly, journalists should be able to protect their sources. The question then arises as to how these laws interact with that. When I put it to parliamentary counsel, they suggested that an amendment was not required for the journalists because there is a provision in this bill that says that it is in addition to other laws.
It does not necessarily derogate from other laws, but it does not take a great deal of thought to realise that it could still be undone. You could still get a police officer going to a magistrate and the magistrate issuing an order against a journalist to access their devices. It may be that the device, let's call it a mobile phone, might have information about whistleblowers and sources or it might have other material on it as well. How on earth do we manage that impasse?
If the police find something that was not what they were looking for and all of a sudden say, 'We found the whistleblower. We weren't looking for that but we found it', how do they unknow that information? What is to stop them then using a circuitous route to go and find that person through some other avenue so that they can say, 'We didn't get it through the mobile phone, we got it elsewhere, it was just a lucky guess, we came across this person'? It does not take rocket science to imagine the number of scenarios. I think journalists are at risk as well.
I will just put a few more questions on the record for when the minister closes the second reading. Back in relation to parliamentary privilege, the question is does parliamentary privilege apply to documents affecting parliamentary business that are contained on a member's computer, phone or laptop? I think I know the answer and I think it is yes; not all information, but certainly parliamentary privilege applies to a lot of that information. Secondly, does it matter whether that information is physically held inside or outside Parliament House or inside or outside a member's electorate office? Does privilege still apply?
What is the situation for members' documents that are held on parliamentary servers, such as SharePoint or somewhere in the cloud that is managed by the Parliamentary Network Support Group (PNSG)? Would public servants employed by PNSG be caught by the legislation in relation to unlocking information that is held by or on behalf of members? Similarly, with our electorate staff, could the police go to the staff member of a member of parliament and order them, if they have the password to some device or cloud storage, to unlock it? I think these are very serious questions and I do not think they have been properly addressed.
I think the responsible approach for this house to take would be to accept that the primary evil we are trying to overcome here is in relation to child exploitation material. Let's deal with these insidious crimes, let's deal with these people, let's give the police the powers they have asked for. The broader question about the circumstances in which the police should be able to order the unlocking of phones and devices, whether for regular citizens, journalists or members of parliament, let's have a proper debate about that.
Effectively, what I am inviting the government to do is to split the bill. My amendments effectively seek to do that. It confines the encryption provisions to child exploitation cases only and, as I have said, if that amendment is unsuccessful, then I have a catch-all provision that relates to parliamentary privilege, at least. I think our democracy will suffer if members of the public cannot fully trust that they can communicate privately with their members of parliament. That would be a very slippery road to go down. Once citizens lose their trust in the politicians, then democracy is what is at risk. With those brief remarks, the Greens will be supporting the second reading of this bill and we look forward to the committee stage.