DOMESTIC CYBER SURVEILLANCE LEGISLATION
DR DALE STEPHENS: In this module, I will be discussing the domestic surveillance legislation that currently exists in Australia, the UK, and US. Understanding the nature of domestic legal frameworks will give a better appreciation of the values at play in this field of law, and create a basis for investigating the international cyber law standards that we will discuss later in this course. In respect to Australia, the federal Privacy Act was, among other reasons, implemented to reflect Australia's privacy responsibilities in accordance with the United Nations International Covenant on Civil and Political Rights and other international standards such as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These privacy obligations regulate the management of personal information by a number of Australian government departments. The Australian intelligence and defence intelligence agencies are explicitly exempt from the direct provisions of the Privacy Act. These exemptions are accepted by bodies such as the Australian Law Reform Commission to be consistent with international standards that come with a number of corresponding safeguards within legislation, accountability processes, and oversight mechanisms that apply to intelligence and defence intelligence agencies. Metadata is often collected by Australian intelligence agencies in accordance with the Telecommunications (Interception and Access) Act. While metadata is not explicitly defined in Australian law, Section 172 of the federal Telecommunications (Interception and Access) Act 1979 negatively defines metadata as the supply of telecommunications data that does not disclose the contents or substance of the communication or document. Metadata is therefore, the information about a communication that remains after its contents are omitted. Requests by intelligence organisations to access existing metadata can be made by the Director General of Security, the Deputy Director General of Security, or an employee of the Australian Security and Intelligence Office, ASIO, or ASIO affiliate. The Telecommunications (Interception and Access) Act specifies that the information may be released if the request is aligned with a purpose of the relevant organisation and its activities. While warrants are not required to obtain metadata, the information available from this data is limited in order to protect the privacy interests of Australians. For example, telecommunication providers have traditionally only been required to provide records of calls that were traditionally maintained for billing purposes. Due to the development of online communication, internet service providers have similarly been obliged to provide IP addresses, sender, recipient, and time and date information for email communications. Again, it is important to note that for both traditional telephonic methods of communication and for online communication records, no content must be recorded or provided to law enforcement unless subject to a warrant. In Australia, there is a general prohibition against the interception of telecommunications. And this is enshrined within Section 7(1) of the Telecommunications (Interception and Access) Act 1979. This means that it is an offence to access stored content or intercept communications through a telecommunications system without the knowledge of the sender or recipient. There are, however, exceptions to this provision, including exceptions for intelligence gathering purposes. There are two warrant-based processes that allow for the interception of the content of communications under the Act. Firstly, there is the ability for the Australian government and state agencies to apply for a warrant from a judge or administrative appeals tribunal member. Additionally, in order for a security organisation to obtain a warrant for surveillance, a request may be made by the Director General of Security to the Attorney General in accordance with Section 9 of the Telecommunications (Interception and Access) Act. Section 9 requires that the Attorney General must be satisfied when granting the warrant that the proposed interception of communications will or is likely to assist the organisation in obtaining intelligence relating to security. Warrants must be similarly obtained to access stored content communications. In 2014, a bill of amendment was proposed to alter the Telecommunications (Interception and Access) Act. These amendments proposed that all service providers in Australia must keep standard records of telecommunications data for two years in order to support the investigation of crimes and threats to national security. Service providers will not be required to retain the content or substance of communications, including posts on social media or email subject fields. The retention of web browsing history is expressly excluded, and there is no requirement to keep detailed location records, avoiding captured data being utilised as a location surveillance device. Turning now to the United Kingdom, two of the most important pieces of legislation pertaining to surveillance in the UK are the Data Retention and Investigatory Powers Act 2014 and the Regulation of Investigatory Powers Act 2000. Under Section 1(1) of the Data Retention and Investigatory Powers Act 2014, the United Kingdom's Secretary of State may require a public telecommunications operator to retain relevant communications data if the UK's Secretary of State considers that the requirement is necessary and proportionate for a purpose that falls within Section 22(2) of the Regulation of Investigatory Powers Act 2000. In particular, Section 22(2) of the Regulation of Investigatory Powers Act 2000 states that obtaining communications data may be deemed necessary in the interests of national security, for the purpose of preventing or detecting crime, or of preventing disorder, in the interest of public safety, or for any purpose not specifically mentioned in Section 22 which is specified for the purposes of subsection 22 by an order made by the Secretary of State. Communications data is defined in the Regulation of Investigatory Powers Act 2000 as any information which includes none of the contents of a communication and is about the use made by any person of any postal service or telecommunication service. A retention notice issued by the Secretary of State may require the retention of all data or any description of data. This notice will specify the period or periods for which data is to be retained. In the United Kingdom, 12 months is currently the maximum period for which data is to be retained under a retention notice. Turning now to legislation in the United States. It is important to acknowledge that there is a significant political debate regarding the classification of metadata collection in the United States. This comes partly through the US constitutional guarantees regarding search and seizure provisions, and whether these provisions, which traditionally related to physically breaking into citizens' homes, can apply in a digital world and to the collection of metadata. Congress established the Foreign Intelligence Surveillance Court in 1978 in accordance with the Foreign Intelligence Surveillance Act of 1978. The court's function is to assess applications made by the US government for electronic surveillance, physical search, and investigative actions for foreign intelligence purposes. In recent times, metadata has been collected in the US in accordance with inter alia Section 215 of the US Patriot Act, which amended the Foreign Intelligence Surveillance Act. The Patriot Act has been interpreted by the US government to authorise on warrant from the FISA court the storage of bulk telephony metadata within the US. Section 215 of the Patriot Act requires there be reasonable grounds to believe that the metadata accessed under the provision is relevant to an authorised national security investigation. The metadata collected includes the numbers of both recipient and outbound caller, the time of calls, and the date of calls. Orders for the collection of metadata are generally authorised ex parte to ensure the success of operations. Mass data collection by the United States government allows security organisations to find patterns and connections, aiming to detect threats and helping the government to rapidly identify terrorist operatives and networks. We heard in an earlier module Mr Renn Gade of the US National Counterterrorist Center speak to the usefulness of this data in the NCTC's mission. A general prohibition against government access to the content of communications exists in the United States. However, similar to the other domestic regimes I have discussed in this module, this prohibition is subject to a number of exceptions. The first exception exists when a warrant is issued by a federal judge on finding of probable cause that an individual has committed, will commit, or is committing a crime. And that communications intercepted will relate to the crime. The second exception exists when a warrant is issued from a judge of the FISA court for the purpose of surveilling an agent of a foreign power who is inside the United States, including individuals engaged in international terrorism, for the purpose of obtaining foreign intelligence information. Executive Order 12333 specifies the missions and authorities of each element of the intelligence community and sets out principles that aim to strike the appropriate balance between personal privacy and the collection of information for intelligence purposes. To briefly summarise this module, it is clear that the collection of metadata is lawful under Australian, UK, and US domestic legislative regimes. If a government or intelligence agency wishes to access the content of communications rather than just the metadata, a further set of requirements need to be met, usually in the form of obtaining a warrant. While the specifics of these warrant applications differ from state to state, it is evident that all three states share the notion that both metadata and the content of communications should be accessible to intelligence agencies in the interests of national security, but only if it is deemed reasonable and necessary that they are allowed access to that information. Clearly, there is a constant drive for balance between the privacy of citizens and the protection of national security within the domestic legislation that I have discussed.
METADATA SUCCESS
DALE STEPHENS: The importance of metadata collection for the purposes of national security is clear when one reviews the successful use of metadata. The metadata may be used exclusively to ground an investigation or more likely in conjunction with other information, possibly through the obtaining of a warrant that facilitates the capture of key information that acts to successfully thwart attacks or other criminal activity. Significantly, it is useful to remember that operations involving the use of metadata are not always disclosed to ensure that national security capabilities are not revealed. Despite this, a handful of successful operations in many countries have been disclosed over recent years and provide significant insight into the capabilities of metadata as part of the tools of an effective national security process. In Australia, authorities report that they have a strong history of damaging terrorist plots with the aid of metadata. For example, it is now public knowledge that the targeted retention of metadata by the Victorian police, the Australian Security Intelligence Organisation, and the Australian Federal Police over 16 months through Operation Pendennis disrupted a terrorist plot against the 2005 AFL Grand Final. Additionally, the Attorney General stated in December, 2013 that Australia's intelligence in the form of metadata has also helped to prevent at least four attacks in Southeast Asia in the last decade and contributed to the arrest of over 20 terrorists in Southeast Asia. In the United States, officials have acknowledged that metadata has been key to thwarting threats to national security. While details of thwarted plots are scarce in order to protect ongoing national security operations, three examples have been publicly disclosed in recent times. It has been acknowledged that NSA provided phone records led authorities to identify a terrorist financier in San Diego. The financier was arrested in 2007 after the analysis of relevant metadata. Metadata compiled by the NSA was also used to thwart a 2009 plot to attack and cause serious damage to the New York City subway system. Once the source of the plot had been established, the phone records collected relating to the perpetrator led investigators to his terrorist associates in other US states. Finally, a plot to bomb the New York Stock Exchange was thwarted in its early stages because the NSA was able to identify an extremist in Yemen who was in touch with a man in Kansas City. This web of linked metadata communications enabled investigators to identify co-conspirators and prevent an attack. While, for obvious reasons, public information about the success of metadata collection is scarce, it is clear that both serious criminal offences and terrorist attacks have been thwarted through the aid of metadata, many of which undoubtedly would not have even been known about until it was too late. The secrecy surrounding the gathering and success of metadata collection does often draw criticism. However, similar to more traditional forms of warfare and the secrecy of these operations, it appears obvious that strategic plans and operations should remain as confidential as possible to ensure that national security is not compromised and the tactical capabilities of the state are not exposed. There seems to be significant debate about the efficacy of cyber surveillance and particularly that pertaining to metadata collection and analysis. For some, while accepting the need for national security measures, it represents too invasive a step. Bruce Schneier, who has already been featured in this MOOC, regards these measures as a very costly insurance policy of negligible effectiveness. But for others, they see the value in maintaining such capabilities. We have previously heard Mr Renn Gade of the National Counterterrorism Center speak to the value of such information and its utility in maintaining national security.
THE NATURE OF THE CONTEMPORARY THREAT
[...contemporary threat] DALE STEPHENS: It is abundantly clear that we live in a world that grapples with new threats to our security. Our cyber capacities have allowed us unlimited opportunities for collaboration, for prosperity, for efficiencies, and for building personal and professional networks. They also represent enormous vulnerabilities. The emergence of the non-state actor in the world of terrorist threat represents a particular challenge rarely faced in the past. Non-state actors have the means to exploit and use cyber networks to deliver their deadly agenda. Security agencies have been compelled to react quickly, and to develop means to counter these existing and emerging threats. This module will start with an outline of the role of the US National Counterterrorism Center. The NCTC was established after 9/11 to coordinate and facilitate the exchange of valuable intelligence between US agencies in order to prevent any future attacks on the US. To that end, Mr Renn Gade, the senior legal counsel to the NCTC, will outline the role and capacities of the NCTC, as well as its background. RENN GADE: The terror attacks of 9/11 prompted the creation of NCTC. If you recall the conclusions of the 9/11 Commission Report-- they concluded that there was a lack of interagency coordination and cooperation, so that forced the creation of the National Counterterrorism Center. Our core missions are derived primarily from our founding statute, other laws, and intelligence directives. If I can, I'll read our mission statement, and I think that'll be a pretty good summary of what we do. I'll go into a little bit greater detail then. The mission statement is, "Lead our nation's effort to combat terrorism at home and abroad by analysing the threat, sharing that information with our partners, and integrating all instruments of national power to ensure unity of effort." Now, what that really means is that on a daily basis our joint operation centre conducts three times a day secure VTCs [video teleconferences] across the interagency, across the intelligence community, to share that information. What that really means is that it operates as a partnership of organisations-- DOD, FBI, Central Intelligence Agency, State Department, and other agency partners. DALE STEPHENS: While a uniquely US agency, many other countries have similar agencies to the NCTC that seek to identify the nature of emerging threats, so as to enable a timely response to any attack. Listen to Mr Gade as he describes the nature of the collection effort, and the effect the Snowden disclosures have had on this effort. RENN GADE: Well I've already referred to the 9/11 Commission Report, but if you remember the 9/11 Commission Report there was a tremendous amount of information that was out there, and the inability of various parts of government to put that information together, so acting on that, then, in October, 2001 Congress passed the Patriot Act. And the idea behind that was to break down the artificial wall between intelligence and law enforcement. So writ simple, that's what that's about. Now since then, of course, it's been reauthorised several times. Next time it will come up is in 2015 for reauthorisation. We've talked -- there are many tools, not just the Patriot Act -- that we've developed since 9/11. We've talked a little bit about the Patriot Act, but as it relates to NCTC it's important to remember that we are-- our statutory mission is -- to serve as the central insured knowledge bank of all known suspected terrorists. So Patriot Act is one part of that tool that's shared across various parts of government. It would be derelict of me if I didn't talk a little bit at this time about the current environment. As you know there have been a number of unauthorised disclosures. And the environment that we're in from a counter-terrorism perspective is increasingly challenging, partly as a result of unauthorised disclosure from Mr Snowden and others. But what we've seen is that terrorists are adapting-- changing their tactics-- to avoid our intelligence collection as a result of the leaks and disclosures. They understand better now, and they watch very closely, to see the scope and scale-- of not just US collection, but generally Western collection efforts. And they are changing their capabilities in a way-- in the way they communicate. They're adopting encryption technologies, shifting accounts-- most recently you know the Paris attacks you saw that one of the attackers had 13 phones. That's a pretty good example in open source about how folks are changing their techniques and tactics. Or, even worse for us, avoiding electronic communications altogether. So in areas where we have, in many cases, limited human intelligence collection, the ability to-- and our dependence on-- intercepted communications is incredibly important to our ability to identify and disrupt those plots. Going back to the 9/11 Commission Report, if we-- we can't connect the dots unless we can collect the dots. And that's what we're seeing right now is the increasing difficulty to collect the dots. DALE STEPHENS: The task is not just to identify patterns and behaviour, but to understand the behaviour in the first place. Listen carefully again to Mr Gade as he further explains the work of the NCTC in relation to metadata-- and poignantly notes that the issue is not just joining the dots, but also identifying the dots in the first place. RENN GADE: Well I think you understand the tactical definition of metadata that's been out in the press. But what we call metadata is otherwise called DRAS-- D-R-A-S-- and that's the dialling, routing, and signalling information. It does not involve the content, the substance, the purpose of that information whatsoever. So as it relates to NCTC, the NCTC is an aggregator of data, aggregator of information. So when we pull that data-- we get that data from elsewhere, from other agencies, the same protections that were applicable to those agencies are applicable to us. So whether it's by statute, court orders, internal regulations, oversight from Congress, the courts, that is all applicable to us from the originating source. Well it's one of the tools you rely on. Remember my last comment about connecting the dots, you have to collect the dots? Those are some of the dots that you have available in the universe of information-- is that metadata. DALE STEPHENS: Finally, while a compelling case can be made for government agencies to have the capacity to collect data relevant to emerging or actual threats to national security, it is important to keep in mind the need for public trust in this activity. The collection of information that can have personal implications necessarily raises a level of anxiety in rational thinking people. Listen, then, as Mr Gade discusses this issue, and speaks to the recognition of agencies like the NCTC to these values. RENN GADE: Well let me start by saying that the NCTC doesn't have any interest in what grandma says on the phone. None. The thought that NCTC or that interagency partners have an interest in what grandma says on the phone, what she purchases, what book she reads, is absolutely preposterous. But your question isn't directed necessarily at NCTC, it's directed at the US government in general. And since those unauthorised disclosures, we've had many of those questions. And if you can put that-- the answer in kind of a historical analysis, I think it's useful. If you take a look at privacy, nobody talked about the right to privacy until the end of the 19th century. You know this probably, but it wasn't until a 1890 article that Louis Brandeis-- later Supreme Court Justice Brandeis-- talked about the right to privacy. Previously the right of privacy was thought about, you know, with peeping toms or something like that. But technology brought about changes and he addressed that in his 1890 article talking about that, and it was addressed to technology of the day-- photographs and newspapers. Today citizens around the globe put troves of data out there for public consumption. Whether it's by way of e-commerce, social media, whatever it might be, we put that out there willingly. That's the way we do business, if you would, these days, and how we conduct our personal lives. Government access to that same information causes concern, for good reason, because of what the government-- whatever government-- can do to us. A little bit of a digression here as it relates to the Snowden disclosures. Nowhere in there is it to be found that there were any violations of law. Nowhere. These are not the FBI abuses-- Federal Bureau of Investigation abuses-- of the '60s and '70s. Nowhere out there are they in violations of law. So put that in context. I think the president last year-- little bit over a year ago now-- issued Presidential Policy Directive 28. And PPD 28 looks to address some of these fundamental concerns we have of privacy in the private sector, privacy in government as well. And the intent behind PPD 28 was to assure not only US citizens but people across the world of how data is handled, particularly in that case signals intelligence. So one last thing I might point to is, since those disclosures, there's been a concerted effort for greater transparency across the US government and across the intelligence community. I think that's true not only from a US perspective, but many of our partners as well. And those should be efforts in a really diverse, complex, and in many cases, violent world, where you're trying to balance privacy and protection. That's what we try to do every day.
No comments:
Post a Comment