Attorney-General Robert McClelland introduced the bill in June, saying the new laws would allow Australia to join a global treaty on fighting cybercrime. More than 40 nations are signatories to the Council of Europe Convention on Cybercrime, which aims to fight fraud and other offences committed using the internet, such as computer hacking, child pornography and copyright infringement.
But Senator Ludlam said the proposed legislation "goes well beyond the already controversial European convention on which it is based". "The treaty doesn’t require the ongoing collection and retention of communications, but the Australian bill does," he said. "The bill also leaves the door open for Australia to assist in prosecutions (in foreign countries) which could lead to the death penalty.
"No explanation has been provided for this overreach."The Greens were also concerned the process had been rushed. "A disturbing pattern of behaviour has emerged, with the AG's department repeatedly seeking to fast-track legislation which extends well beyond its nominal purpose and encroaches upon civil liberties in the name of security," Senator Ludlam said.
He is a member of the Joint Select committee on Cyber-Safety which today tabled its review of the bill, with a long list of recommended changes. "We have recommended a number of improvements to the bill, fixing the flaws and clarifying the Ombudsman's powers to inspect and audit compliance with the preservation regime," he said.
But Mr McClelland today welcomed the report, saying that "some recent commentary contains inaccuracies which need to be corrected". “The bill does not require ongoing collection and retention of communications,” the attorney-general said.
"The bill requires that information provided (to foreign law enforcement agencies) under mutual assistance occurs only if it is used for the purpose for which it was requested, and that it is destroyed once it is not necessary for that purpose."
Brushing off concerns that the bill does not differentiate between "traffic" and "content" data – potentially opening the way for massive intrusions into personal communications – Mr McClelland said the legislation relied on "existing distinctions" separating the two under the Telecommunications (Interception and Access) Act.
And he said preservation notices could not apply across an entire service provider, "only to a person, phone number or email address". "Moreover, the orders only apply until a law enforcement agency obtains a formal warrant for access; the information is destroyed after 30 days if a warrant is not granted," Mr McClelland said.
The attorney-general said the committee had made a number of detailed and technical recommendations, which the government would consider. Meanwhile, the committee chair, Labor Senator Catryna Bilyik, has also spoken out about "misinformation about this bill".
"This is not a data retention scheme and it does not allow foreign countries to demand access to private communications as has been alleged," she said. "The committee was supportive of the bill, but there is always room for some drafting improvements.
"We had unanimous support for amendments that should allay any fears about the potential to misuse these powers. Some IT security experts believe the convention will fail, because non-European, non-English speaking countries will not participate.
Telstra told the committee the new obligations to preserve data were "beyond business needs", and would place a "significant burden on carriers and service providers in the form of cost and manpower".
It warned that it would take around 18 months to implement the regime once the technical requirements were finalised.