The Weekly Cybers #8
Toughest anti-encryption laws still not being used (maybe), the politician-spy was working for China, and much more.
Welcome
A collision of commitments on Friday has meant this edition is appearing a day late, but that’s given me a chance to look through the latest statistics on Australia’s use of its telecommunications interception powers.
There’s also more this week on ASIO’s revelations about a sitting member of parliament working for foreign spies — including that in this case “foreign” means “Chinese”.
Australia’s toughest anti-encryption powers still aren’t being used (maybe)
When the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 was rushed through parliament just before the Christmas break, we were told that the cops and spooks needed these new encryption-busting powers to protect us from the terrorists.
Turns out that hasn’t really been the case.
The compulsory Technical Assistance Notice (TAN), which forces communications providers to help an interception agency break into encrypted messages, has still only been used just once — by NSW Police in 2020–2021 during a homicide investigation.
A Technical Capability Notice (TCN), which forces a communications provider to develop a new capability which can then be used for subsequent TANs, has never been used.
The voluntary Technical Assistant Request (TAR) has been used a few dozen times each year.
As for those TARs, we saw 66 of them being used in 2022–2023, up from 30 in the previous year, and NSW Police was responsible for 53 of them. Six were used by the Australian Criminal Intelligence Commission (ACIC), five by Victoria Police, and one each by Queensland and WA Police.
None appear to be related to terrorism offences.
Some 36 were related to homicide; 11 for illicit drugs; six for a “special ACIC investigation”; five for sexual assault or related offences; three for robbery, extortion, and such; two for fraud or deception; and one each for “acts intended to cause injury”, property damage or environmental pollution, and “other serious Australian offences”.
That said, “interception agency” means the federal and state police forces, the anti-corruption bodies, and a few other players. We do not get to see the numbers for our spook agencies — ASIO, ASIS, or the ASD — and my guess is that they probably aren’t all zeros.
The latest stats were published this week in the 2022-23 Annual Report under the Telecommunications (Interception and Access) Act and Part 15 of the Telecommunications Act (PDF).
This is a detailed report, breaking down the use of every kind of communications surveillance by agency, the offence being investigated, and the specific power being used — everything from good old telephone intercepts to international production orders and, of course, warrantless access to communications metadata.
That last one is the biggest category. In 2022–2023, telco metadata was accessed 326,771 times, up from 306,559 the previous year.
NSW and Victoria’s police forces continue to be the heaviest metadata users by far, with 113,078 and 112,749 accesses respectively. On a per capita basis, that’s 13.9 times per thousand population in NSW, and 17.7 per thousand in Victoria.
It’s then 12.3 per thousand in Western Australia, 8.6 in the Northern Territory, 7.2 in Tasmania, 5.3 in Queensland, and 3.9 in South Australia. We don't have a separate figure for the AFP’s policing of the ACT, only a total for that and their national work.
The most common offences targeted were for illicit drugs, unlawful entry, homicide, and abduction. Terrorism offences accounted for just 0.45% of the total.
There’s no need for me to reproduce the entire 132-page report here. I’ll leave you to read the rest for yourself, including its formal explanation of how the laws work.
If you’d like more background, I’ve previously written quite a bit about Australia’s digital surveillance laws.
For a quick overview, you might try What's actually in Australia's encryption laws? Everything you need to know (9 December 2018), although be aware that the approval and oversight rules have changed since then.
For a more detailed history, there’s the two peer-reviewed papers that I wrote for the Carnegie Endowment for International Peace, The Encryption Debate in Australia (30 May 2019) and The Encryption Debate in Australia: 2021 Update (31 March 2021).
Finally, in 2020 I outlined some of my concerns about the process, including that most interception warrants are issued by Administrative Appeals Tribunal members rather than judges.
Unsurprisingly, that politician-spy was working for China
Last week ASIO warned of “highly sophisticated” planning for cyber sabotage and an “uptick” in nationalist and racist violent extremists advocating such sabotage.
This week Greg Austin, adjunct professor at the UTS Australia-China Relations Institute, wrote that ASIO’s threat assessment is underpinned by confusing logic.
This latest threat assessment, issued personally by the director general, Mike Burgess, calls out one country in particular, but doesn’t name it. He sketches a foreign espionage and influence-seeking campaign that is pervasive and well-resourced. He mentioned the specific case of an Australian politician (way back before 2018) who was, he says, collaborating with the foreign spies and selling out Australia in the process...
This is just one of several points where the logic of the 2024 threat assessment begins to break down. Can the unnamed foreign country really be an existential threat if ASIO has cracked its espionage operations and disrupted its efforts at political influence? Is Australia’s security more threatened by these failed spies than by terrorists who may achieve a mass casualty attack involving Australian victims?
Well, we now know that the country was China. We also know that the Australian who worked for foreign spies was in parliament at the time, although they have not been named.
In a podcast at The Conversation, spy historian Professor John Blaxland says there’s a good reason for keeping their identity secret.
So there’s a question mark now, as to whether the […] nation involved actually knows how effective ASIO has been at disrupting, because […] one of the things that good espionage agencies do is they try and flip their targets so that they become a double agent.
Meanwhile, the Guardian reports that ASIO says it has been cleared by the intelligence watchdog of “allegations of impropriety raised by the Australian citizen Daniel Duggan as he fights extradition to the US”.
Duggan, a former US marines pilot, [is] accused of training Chinese pilots to land fighter jets on aircraft carriers.
This story came from their podcast interview with ASIO chief Mike Burgess.
Also in the news
- Australian news media could seek payment from Meta for content used to train AI. I’m sure that this coming immediately after Meta said they’d stop paying for news under the News Media Bargaining Code is completely coincidental.
- “The CEO and director of the Bureau of Meteorology, Andrew Johnson, revealed to staff the cost of its delayed IT overhaul — one of Australia’s most expensive ever – despite repeatedly telling senators such details must be kept under wraps for cabinet secrecy reasons,” reports the Guardian. The initial funding for the ROBUST program, a project to rebuilt IT after it has been hacked by China, was “nearly a billion dollars... over four-ish years”.
- Public servants were given the chance to grill the public service commissioner and the assistant minister anonymously, and they had many questions about the uncompetitive pay for government IT workers and why government IT projects keep failing.
- “Records practitioners across the country are collectively alarmed of the state of record management practices within the Australian Public Service,” writes Anne Cornish, chief executive of the Records and Information Management Practitioners Alliance.
- “Australian universities, institutes and colleges providing higher education will be asked by the government for a ‘detailed’ and ‘credible’ action plan to address risks stemming from generative AI,” reports iTnews.
- Austrade is expanding its landing pads program, which is a series of hubs to help startups gain a foothold in international markets. The new landing pads will be in Jakarta and Ho Chi Minh City. The first landing pad was set up in Singapore in 2017. The other landing pads are in Bengaluru, London, New York, San Francisco, and Shanghai.
- The fight to define ‘sovereign capability’ heats up. So it’s not just me. As Sandy Plunkett writes, “In Australia, there is no unifying or shared definition of what sovereign capability is and is not,” despite it being quite the buzzword these days. Well worth reading. Feel free to choose your own definition!
Elsewhere
- Optus fined $1.5 million by ACMA for breaches to public safety, customers ‘at risk’.
- “Telstra CEO Vicky Brady says Telstra has put measures in place to prevent a repeat of a triple-zero system outage it experienced late last week, while it continues to investigate the root cause of the problem”, reports iTnews.
- Also at iTnews, NBN Co wants to boost its 100/20Mbps tier to 500/50Mbps.
What’s next?
Parliament will return on Monday 18 March for two weeks of sittings.
On Wednesday 13 March there’s another hearing in the inquiry into the use of generative artificial intelligence in the Australian education system. In Hoppers Crossing, Victoria, for some reason.
And that's it for this week.
Any questions or comments? Just reply to this email. Cheers.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber *security* newsletter. For that that I recommend Risky Biz News and Cyber Daily, among others.