THE KEY POINTS IN OUR SUBMISSIONS HAVE BEEN:
1. REMOVE THE POSSIBILITY FOR INDIVIDUAL EMPLOYEES TO BE TARGETED
In its current form, our advice is that the legislation allows a Technical Capability Notice (TCN) to be issued to an individual within a company, without that individual being able to inform management. That would put individuals in an extremely difficult position. It also makes it extremely difficult for companies to assure potential investors and customers that their systems are fully secure.
The agencies empowered by this legislation have made it clear that this part of the legislation is intended to apply in a very limited way to sole traders and individuals acting alone and that they wouldn’t use these provisions to target individuals within larger organisations. Nevertheless, the possibility that, somewhere down the track, the legislation could be used in this way is unacceptable. Even the perception that it may be possible is harmful for the Australian technology brand, as Atlassian co-founder Scott Farquhar says is already happening for his business.
The good news is that industry and enforcement agencies seem to be aligned on the view that individuals working within a company should not be issued a TCN and that it should instead be issued to the company via management. Formal codification of this in the legislation would add clarity and certainty for companies and employees at no cost to the effect of the legislation.
“It would seem very unlikely that an individual employee would be given a notice in circumstances where the company would have no knowledge of the notice.
“It does remain technically possible however, even if this was not the intention of the drafters. Given the broad definition of acts or things that can be required to be done by a notice, it is not impossible to imagine something like this happening at some point, so if the drafters did not intend it, they should have drafted it differently.”
Elizabeth O’Shea, Director, Digital Rights Watch
2. REDUCE THE BROAD BASIS FOR EXECUTING THE POWERS OF THE ACT
While the justification for TOLA was that it was important for fighting paedophile rings and terrorists, the legislation allows for these powers to be used in the investigation of any crime with a maximum jail sentence of three years - essentially any non-trivial crime. In fact, the maximum penalty for unauthorised disclosure of information pertaining to this Act is five years jail time, qualifying it as a serious offence under the legislation. There is no requirement for the crime to be violent in nature.
What was sold as a critical tool for crisis situations involving the worst criminals may instead become part of the routine toolkit of law enforcement. Given the invasive nature of the powers bestowed under TOLA to access even highly secure personal data, it is appropriate they be restricted for use in only the most serious cases. As it stands, there is a risk that these powers will eventually be applied broadly.
3. REDUCE THE BREADTH OF ORGANISATIONS THAT MAY BE TARGETED
Despite the Act clearly targeting communications between criminals, the definition of a communications provider is so broad that it essentially encompasses any digital product on the internet. Computer games, online shopping, business tools, databases, health and wellbeing products and any application on a smart phone are within the scope of the law. This has the effect of extending the application of the law beyond the boundaries necessary to capture the information required.
4. INCREASE OVERSIGHT AND PROVIDE LIMITS ON USE
Australia’s limited set of constitutionally-protected civil rights means that, unlike in the US and elsewhere, there is no individual right to privacy or protection against unreasonable search and seizure. That limits the ability to balance individual rights against the broad application of powers granted under TOLA. Judicial oversight of the process for issuing TCNs would help overcome this concern.
Additionally, terms in the Act designed to limit its power like ‘systematic vulnerability’ and ‘reasonable’ remain undefined. It is critical therefore that the Act include mechanisms for each TCN application to be subject to a rigorous, objective, merits-based review to ensure TOLA powers are used appropriately.
SUBMISSIONS FOR PJCIS REVIEW
STARTUPAUS ANALYSIS AND SUBMISSIONS
StartupAUS has made multiple submissions to the various reviews, attempting to represent a consensus view across Australian emerging technology. Our original submission was initially co-signed by a dozen leaders in the technology ecosystem:
Daniel Petre, Co-Founder & Partner, Airtree
Mike Cannon-Brookes & Scott Farquhar, Co-CEOs & Co-Founders, Atlassian
Niki Scevak, Partner, Blackbird
Katherine McConnell, CEO & Founder, Brighte
Didier Elzinga, CEO & Founder, Culture Amp
Melanie Perkins, CEO & Co-Founder, Canva
Cliff Obrecht, COO & Co-Founder, Canva
Matt Barrie, CEO & Founder, Freelancer
Sarah Moran, CEO & Co-Founder, Girl Geek Academy
Luke Anear, CEO & Founder, Safety Culture
Paul Bassat, CEO & Co-Founder, Square Peg Capital
Bede Moore, Executive Chairman, Tech Sydney
Richard White, CEO & Founder, WiseTech Global
Patrick Llewellyn, CEO, 99designs
Once our submission to PJCIS was initially made, 500 members of the Australian technology community expressed a desire to co-sign. Their names were added to the document and remain on all of our subsequent review submissions.