Greenleaf, Graham --- "The Barrett Review" [1994] PrivLawPRpr 123; (1994) 1(9) Privacy Law & Policy Reporter 161

The Barrett Review

A blueprint for expanding Australian telecommunications interception

Graham Greenleaf

A report to Australia's Federal Cabinet on the long-term cost-effectiveness of telecommunications interception (TI) reveals the central role that considerations of interception and surveillance play in the development of Australia's telecommunications infrastructure, more than any previous available document. The Barrett Review provides a blueprint for future implementation of Cabinet's 1990 decision that 'all public telecommunications services should be capable of being intercepted for law enforcement and national security purposes'.

The central recommendations of the report are:

1. The scope of the Telecommunications (Interception) Act 1979 (Cth) (TI Act) should be expanded to cover serious offences involving corruption or organised crime, with the core criterion being reduced from offences punishable by seven years' imprisonment to those punishable by three years' imprisonment.
2. Carrier licence conditions should be amended to require them to make call data associated with an interception available to surveillance agencies (law enforcement and national security agencies).
3. Surveillance agencies should be required to obtain a warrant from a State magistrate before obtaining call data (information generated from the telephone system, such as who called who and when) from carriers - whether or not the call data was related to an interception warrant.
4. Carriers should be required to meet the initial capital cost of acquiring an interception capacity, and allowed to recover the cost on a commercial basis as agreed between each carrier and each agency that wishes to use the interception capability for that service.
5. Australia should promote the development of new 'International User Requirements' setting an international standard for telecommunications interception facilities to be 'built in' to new telecommunications technologies, as the best prospect for maintaining long-term TI capacity.
6. AUSTEL's Law Enforcement Access Committee (LEAC) should closely monitor international developments in encryption and its control, and surveillance agencies should monitor the use of encryption by surveillance targets.
7. LEAC should have a general role of co-ordinating consideration of interception issues associated with new technology, and informing ministers. It should also develop guidelines for carriers as to what is required under their licence conditions.
8. Telecommunications equipment suppliers should be invited to participate in consultations on new technology and its interception implications.
9. A further TI review should take place after the 1997 deregulation (in time for the Olympics).

Privacy protections also recommended

The Review also recommends some strengthening of privacy and accountability mechanisms:

1. The Australian Privacy Commissioner should exercise the TI inspection and reporting functions now exercised by the Ombudsman.
2. Surveillance agencies should be required to notify any innocent person whose telephone service has been intercepted of the fact of interception within 90 days. Alternatively, records of such interceptions should be available for inspection by the Privacy Commissioner and report to the Attorney-General.
3. A person whose telephone communication is unlawfully intercepted should have a civil right of action against the person unlawfully intercepting or publishing the communication.
4. Surveillance agencies should be required to report on the proportion of warrants yielding information used in prosecutions and the average cost per warrant.

The Barrett Review

In July 1993 the Security Committee of Federal Cabinet requested Mr Pat Barrett, Deputy Secretary, Department of Finance, to review the long-term cost-effectiveness of telecommunications interception. The 'Barrett Review' (Review of the Long-Term Cost Effectiveness of Telecommunications Interception), delivered in March 1994, is still largely unknown outside those involved in formulating government telecommunications policy, although an edited version has received limited public circulation.

(References in square brackets [n.n] are to paragraph numbers of the Review, with [0.n] referring to paragraphs of the summary chapter, and references preceded by 'R' are to recommendations in that summary chapter.)

The background to the Barrett Review is that in 1990 the Federal Government decided that 'all public telecommunications services should be capable of being intercepted for law enforcement and national security purposes'. In 1992 it decided that the cost of providing investment in new interception facilities should be met through the budget new policy process (NPP) [7.1.1].

The Barrett Review is essentially a response to two perceived problems: (a) that new technological advances may make TI ineffective; and (b) that the sharing of the cost burden of TI is much more problematic in the new multicarrier market (and will be even more so in the post-1997 fully deregulated market). Hence the Review focuses on both cost burdens and effectiveness.

Legislation to implement those aspects of the Review's recommendations favoured by Cabinet is expected to be introduced in the near future, possibly before the end of 1994.

Some facts about interception

The Review is significant in the light it sheds on TI practices in Australia, as much as for its recommendations. It reveals or confirms information such as the following:

1. Law enforcement agencies have approximately 100 telecommunications lines access to TI capabilities, of which the Australian Federal Police has about half [7.3.4]. A total of 527 law enforcement warrants were issued throughout Australia in 1992-1993 [4.2.15]. The number of ASIO lines or warrants is undisclosed for security reasons. These figures give no indication of the number of persons whose calls were intercepted.
2. One reason that TI is a favoured method of surveillance is that it is relatively cheap. The Review estimates from information provided by various agencies that it costs $570 per day, much cheaper than video ($1376), listening devices ($1630), physical surveillance ($1895) or vehicle tracking ($2772) [6.7].
3. Surveillance agencies regularly obtain call data (referred to in other contexts as calling line identification data or CLI) from the carriers, but they do so outside the framework of the TI Act [4.3.11], and without any need for a warrant. The Review indicates that surveillance agencies also obtain call data for purposes not associated with interceptions at all [4.3.11 and p 15].

Threats to interception effectiveness

The Review finds that 'Australia's interception capability in areas of strategic significance has been, until relatively recently, virtually 100 per cent but is being seriously eroded' [0.19].

It identifies the shift from analogue to digital telephony and the wider availability of encryption as the two main current threats to the effectiveness of TI [0.7], and the move toward mobile telecommunications (personal communications services or PCS) as a third [3.2]. The Review considers that it is not possible to be definitive about the impact that these changes in telecommunications will have on TI capabilities, but 'they do indicate that software solutions will increasingly be needed to perform interception' [3.2.4].

Encryption

'There is no legislative constraint on the manufacture and use of encryption devices in Australia', but the agencies 'do not currently consider encryption as a significant threat to interception, at least in the foreseeable future' [3.3.2].

However, condition 3.1 of the General Licences Declaration and 8.1 of the Public Mobile Licence Declaration (made by the Minister under s 64 of the Telecommunications Act 1991 (Cth)) both required that a licensee must not operate a telecommunications network unless:

(a) it is possible to execute a warrant under the Telecommunications (Interception) Act 1979 in relation to a telecommunications service provided by means of that network; or

(b) if it is not, or would not be, possible to execute a warrant issued under that Act - the Minister, after consultation with the Attorney-General, authorises its operation.

Authorisations for non-interceptible services have been issued under (1)(b) in both categories [5.2.12].

The Review does not endorse either the approach taken in France (encryption is illegal unless the keys are deposited with the Government) or advocated in the US (the 'Clipper' proposal of a Federal standard for encryption, the keys to the 'front door' of which would be held by two Federal escrow agents and accessible only via a warrant) [3.3]. (The Review pre-dates the passage of the US Digital Telephony Bill).

Instead, it notes that 'encryption appears to be of lesser concern than in the US because there is less likelihood of and scope for economic espionage, and cheap voice encryption devices are not yet readily available. Also, Australians have available in the GSM digital mobile services an effective means of encrypting their communications for legitimate privacy and commercial security purposes that is not, as yet, available to Americans' [3.3.9]. The Review recommends that LEAC should carefully monitor US and other developments 'to advise the Government of any degradation of TI capacity'.

The solution? - international user agreements

The Review notes that, in order to ensure that law enforcement needs are taken into account in the development of new technology, 'international user requirements are being drafted by law enforcement agencies in North America, Europe and Australia' [5.3]. Such standards have three objectives:

1. Ensuring TI capacity is not eroded by new technology.
2. Minimising each country's cost of maintaining effective TI.
3. Creating 'a benchmark as to what may reasonably be sought by law enforcement agencies in particular countries'.

A key recommendation of the Review is that Australia should promote the development of new international user requirements on telecommunications interception, and should ratify them at the first appropriate international meeting of law enforcement agencies, as the best prospect for a solution to maintaining long-term TI capacity.

The Review rejects the argument that the Australian Government should introduce a unilateral requirement that carriers/service providers only introduce technology that is interceptible, because 'such a unilateral policy runs the risk of implementing less than world class technology which could put Australia at a major disadvantage in a cost-competitive sense'. However, 'the sooner an international requirement for interception is standardised and accepted, the more likely there will be the automatic provision of a TI capability in new technology with similar implications for all users' [0.13, emphasis in original].

The Review states that it is expected to take three to eight years for such an international agreement to be reached, and argues that Australia should support initiatives currently being taken by the US's FBI [0.12].

The Review also notes that, in Australia, parallel work to the 'International User Requirements' work is being done on a 'National Product Delivery Standard' - by whom is not made clear - which should be kept consistent with the international user requirements.

Expanding TI to more offences

The TI Act only allows interception for law enforcement purposes in connection with the investigation of a 'serious offence', defined as a Class 1 or Class 2 offence. More stringent requirements apply to the granting of a warrant for a Class 2 offence. Class 1 offences include murder, kidnapping, narcotics offences and related offences. Class 2 offences are offences punishable by imprisonment for life or for a period of at least seven years, where the conduct involves at least one other indicia of seriousness (serious risk of serious personal injury, serious fraud, etc).

The Review searches for some defensible basis to determine what offences should be interceptible (warrantable). It notes a lengthy 'wish list' of extensions proposed by various law enforcement agencies [2.3.2], that there is 'strong opposition from privacy and civil liberties groups to any extension of the list of warrantable offences' [2.3.8], and that the 1993 amendments to the TI Act included computer offences as warrantable offences, a departure from the 'seven year rule' [2.3.4] (see 1 PLPR 174). It rejects 'corruption' (as in the NSW ICAC legislation) as a defining criterion, on the basis that the Federal Parliament has not taken a view on this.

In the end, the Review tentatively endorses the definition of 'relevant offence' in s 4 of the National Crime Authority Act 1984 (Cth), as an approximation to notions of 'organised crime' or 'corruption'. The NCA Act requires an offence punishable by imprisonment for at least three years, plus that it 'involves two or more offenders and substantial planning in an organisation; involves the use of sophisticated methods and techniques; [and] is of a kind ordinarily committed in conjunction with other like offences' [2.3.5]. The Review argues that this 'may provide guidance' in the 'reformulation of the definition of "serious crime" so as to ensure that it actually covers what needs to be covered but that it also does not exclude crimes more serious than those covered' [2.3.9 and R 2, emphasis in original].

By some rather tortured logic, the Review concludes that privacy and civil liberties groups should not object to this as they accept that the warranting procedure should be available for 'serious crime' [2.3.8] and it would remain necessary for a judge to be satisfied that the circumstances supporting a warrant were satisfied [2.3.9].

The upshot is a recommendation for a very substantial expansion of interceptible offences, with the core criterion being reduced from seven years' imprisonment to three years.

LEAC - AUSTEL's 'anti-privacy' branch

The Telecommunications Act 1991 (Cth), s 47 requires carriers and service providers to give authorities of Australian Governments 'such help as is reasonably necessary' for enforcing the criminal law and laws imposing pecuniary penalties, protecting the public revenue, and safeguarding national security. The Minister is empowered by ss 63-65 to impose such licence conditions and to make declarations imposing other conditions.

AUSTEL's Law Enforcement Privacy Committee (LEAC) was formalised by a Ministerial Direction under s 50 of the Telecommunications Act 1991 (Cth) on 15 July 1992. It had existed since 1990, and then comprised representatives of AUSTEL (Chair), AUSSAT, AFP, State and Territory Police (one representative), ASIO, Customs, Attorney-General's Department, Department of Communications, Defence Signals Directorate, National Crime Authority, OTC and Telecom. Its composition has changed since then. The direction requires, among other things, that AUSTEL identify which agencies require 'assistance' from carriers, and develop principles to assess what help is needed and procedures for resolving disputes about payment (on the principle that carriers will neither profit nor bear the cost of law enforcement responsibilities). It is also required to seek the views of the Minister (for Communications) and the Attorney-General on any matters with significant law enforcement or national security implications [5.2.19]. LEAC's New Technology Subcommittee has concentrated on interception issues.

It is notable that there are no representatives on LEAC who could be considered to have a predominant interest in privacy protection (the departments have some intermittent interest). The Review pre-dates the formation of AUSTEL's Privacy Committee (which also has few privacy interest representatives: see 1 PLPR 125), and it would seem that an obvious role for that Committee would be to provide some missing privacy input into LEAC's considerations.

AUSTEL has issued directions to Telstra and Optus under s 46 (5 August 1993), and Vodafone under s 41 (24 August 1993), requiring that these carriers consult with the New Technology Subcommittee about any 'proposals to develop new technologies', and to comply with LEAC principles 'for assessing what help is reasonably necessary' and for resolving charging disagreements. The agencies that carriers are required to help are: State and Territory Police Forces; ASIO; NCA; AFP; NSW Crime Commission; Qld Criminal Justice Commission; NSW ICAC; Australian Taxation Office; Australian Customs Service; Australian Securities Commission; 'Commonwealth departments and authorities with significant law enforcement or revenue protection responsibilities'; Australian Reports and Analysis Centre; and State and Territory revenue authorities.

Since most of these agencies are not involved in investigation of the types of matters which can be the subject of interceptions (at least not yet), it is clear that the tasks of LEAC and its subcommittee extend to other techniques of law enforcement (see below concerning call data).

LEAC's expanded TI role

LEAC has apparently experienced conflict between surveillance agencies and telecommunications suppliers because of their 'conflicting goals': 'It has been claimed that on occasions an almost confrontationist or, at least, an adversarial role was adopted by the parties' [5.2.25].

Nevertheless, the Review concludes that 'there appears to be no other forum that would be as well placed' to co-ordinate consideration of TI issues [5.2.27], and recommends that LEAC should 'co-ordinate consideration of interception issues associated with the introduction of new technology and ensure that ministers are given early warning of the issues that need to be considered' [R 15], that it should develop guidelines on what is required by carriers 'in areas such as delivery of intercepted information and a capacity for multiple simultaneous intercepts'

[R 17], that it should co-ordinate critical response times between agencies and carriers/service providers when new technologies are being introduced

[R 19], and that AUSTEL be given considerably more funds to support LEAC's expanded TI role [R 18].

LEAC is therefore to become the key co-ordinating body in both planning and implementing TI, even though it is a 'privacy-free zone'.

Call data - beyond interception

The Review states [4.3.11] that:

It is also open to question whether the current arrangements for the supply of call data to law enforcement agencies are as tight as they should be. Such data consists of information on the connections made between parties and is not covered by the TI Act. Administrative arrangements for the supply of such information to law enforcement agencies in accordance with the Privacy Act 1988 and the Telecommunications Act 1991 are being worked out within [LEAC].

Elsewhere, the Review refers to 'the current efforts of [LEAC] to standardise procedures to be followed by agencies and carriers in the provision to agencies of call data that is not associated with an interception' [p 15, emphasis added], indicating that call data is obtained by surveillance agencies in relation to matters which are outside the limited range of offences covered by the TI Act.

It may be that the number of calls subjected to this form of surveillance dwarfs that obtained through interception, though the Review does not quantify the obtaining of call data. The disclosure and use of call data is, of course, a very contentious telecommunications privacy issue in other contexts.

In relation to call data, the Review makes two recommendations:

1. Carrier licence conditions should be amended to require them to make call data associated with an interception available to surveillance agencies [R 14].
2. Law enforcement agencies should be required to obtain a warrant from a State magistrate before obtaining call data from carriers [R 11].

This second recommendation is not restricted to call data associated with intercepts. The Review points out that US and Canadian laws require that call data be supplied under court order provided the agency satisfies the judge or magistrate that the data is required for law enforcement purposes, and recommends such an approach here [4.3.11]. This approach means that call data would continue to be available without any of the restrictions imposed by the TI Act, either in relation to classes of offences, reporting requirements, or audits.

The second part of this analysis of the Barrett Review, in the next issue, will cover issues such as 'who pays to tap your phone', the proposed privacy protections, and the Olympian challenges for surveillance beyond 1997.