You are here
Inspection of ASIO activities
ASIO's activities have been categorised according to the functions of the agency set out in s 17 of the Australian Security Intelligence Organisation Act 1979 (the ASIO Act) namely:
- intelligence collection
- intelligence communication
- advice about security to Ministers and Commonwealth authorities in relation to their functions and responsibilities
- furnishing security assessments to States and State authorities
- advice to Ministers and Commonwealth authorities about protective security
- collection of foreign intelligence and cooperation with and assistance to other intelligence agencies.
During this reporting period the ASIO investigation and inspection team met the target of inspecting at least 75% of ASIO's activity categories. Priority was given to reviewing ASIO's intelligence collection activities, its security assessments and its advice to Ministers on security matters. There were no inspections of ASIO's provision of advice relating to protective security.
Regular inspections of investigative cases
It is not possible to monitor all ASIO's activities with existing OIGIS resources. Accordingly IGIS officers inspect a sample of activities selected on the basis of risk. The investigation and inspection team has direct access to ASIO's information technology and records management systems. During this reporting period, IGIS staff have liaised with ASIO to acquire increased access to ASIO's systems. This has improved our ability to access, view and interrogate a wider range of ASIO's records.
Throughout 2016-17 the investigation and inspection team focused on reviewing those cases where the most intrusive methods and activities had been used, as well as those activities that presented an increased likelihood of non-compliance with legislation or policy, for example cases with warrants approved by the Attorney-General, access to prospective data authorisations, and investigative activity targeting minors. Inspections of ASIO's investigative cases focused on:
- the legality of ASIO's activities
- the propriety of the investigative activities being proposed and undertaken
- compliance with Ministerial guidelines including formal approval processes, the timeliness of periodic reviews and the proportionality of its methods (that is, using less intrusive methods where possible and only progressing to increasingly intrusive methods as required)
- compliance with internal policies and procedures.
ASIO produces a range of analytic products covering its various functions, including security assessments, applications for warranted powers, investigative reviews and ASIO's published analytic products. Within the Australian intelligence community ASIO has a unique role in collection and assessment. Its assessment activities have a greater potential to intrude into the privacy of Australians than those of the assessment agencies DIO and ONA. They may also result in ASIO providing specific policy guidance to Government. Because of this the OIGIS investigation and inspection team conducts regular reviews of ASIO's intelligence product. These reviews enable the IGIS to monitor the independence, analytic rigour and propriety of the assessments contained in ASIO's products. In the last reporting period the office commenced a new inspection specifically to examine ASIO analytic tradecraft. Two such inspections were conducted in the 2016-17 year. No concerns of legality were identified in the first inspection of the reporting period although the inspection revealed inconsistencies in source referencing indicating the need for some improvement in this area. Following this inspection, ASIO implemented new analytic tradecraft policies which provide more comprehensive advice to analysts concerning referencing practices. The second inspection activity on analytic tradecraft was not finalised at the end of the reporting period.
Human source management
ASIO activities include collection of intelligence through human sources. The details of these activities are highly sensitive and cannot be disclosed in a public report. During the reporting period, OIGIS officers inspected and reviewed ASIO human source case files and met with ASIO staff to discuss related activities. No substantive issues of concern were identified by OIGIS officers when reviewing these activities. One issue identified related to record keeping. This issue was discussed with senior ASIO staff. We are satisfied this issue will be addressed.
In the 2016-17 year IGIS officers inspected a large number of warrants although fewer than in previous years. In part the reduced numbers were due to staffing constraints was well as a move to more in-depth reviews that focus on the analytic integrity of supporting documentation and the execution and conduct of ASIO's warranted operations. The decision to concentrate on these factors rather than procedural aspects of ASIO's warrants reflects ASIO's high degree of compliance with formal and procedural requirements. Notwithstanding the change, it is gratifying to note that during this reporting period ASIO proactively informed this office of three breaches relating to warrants issued under the Telecommunications (Interception and Access) Act 1979 (TIA Act). IGIS staff identified one additional breach not identified by ASIO staff, relating to a warrant authorised under the ASIO Act. The number of breaches in this reporting period is less than in the most recent reporting period. The circumstances of these breaches are summarised below.
Breaches of the TIA Act
Two of the three breaches of the TIA Act referred to above were unauthorised interception of communications. One involved ASIO mistakenly identifying an internet protocol (IP) address which was not authorised for interception; the other occurred when a telecommunications service provider made a mistake and sent ASIO data that was not authorised for interception. In each case ASIO staff discovered the error (within 11 and two days respectively), took action to end the unauthorised interception and advised this office of the breaches. During the 2017-18 reporting period this office will review the efficacy of the actions taken by ASIO in response to these errors.
The TIA Act requires ASIO, within 3 months of a warrant expiring, to give the Attorney-General a written report detailing the extent to which the interception of communications assisted ASIO to carry out its functions. In the case of the third breach, ASIO submitted its report one day after expiry of the prescribed period. This error did not raise any concerns of systemic or cultural problems, especially as ASIO proactively informed the IGIS that the report would be one day overdue and, we understand, that the delay was occasioned by matters outside ASIO's control.
Breach of warrant provision of the ASIO Act
The fourth breach was discovered by OIGIS officers during a warrant inspection. The ASIO Act requires that, among other things, a search warrant must authorise "the use of force against persons and things ... ". No force was to be used by ASIO in the search conducted under this warrant, nor was force used during the execution of the warrant; nevertheless, the omission of the express authorisation breached the requirements of the Act. The IGIS considered that this breach did not invalidate the warrant. ASIO has assured the IGIS that this provision will be included in the future regardless of whether ASIO expects force to be used in the execution of the warrant. Further information about ASIO's use of force is on page 17 of this report.
Other warrant matters
During the current reporting period fewer breaches of legislation were identified, however there has been an increase in minor typographic errors in warrant documents. While reference to wrong warrant numbers or in the identification of an email service can cause confusion, most of these errors are not important in themselves. Nevertheless, we consistently note these minor errors to help us determine if, over time, they indicate a systemic or cultural tendency that would be of concern. In response to these incidents and our concerns, ASIO has implemented new processes, including mandatory peer review processes to ensure that warrant documentation is accurate.
Questioning and detention warrants
The Attorney-General did not authorise any Questioning or Questioning and Detention warrants during the reporting period. The office has procedures in place to oversee ASIO's questioning powers if these powers are used.
In the 2016-17 year, the IGIS made a submission to the Parliamentary Joint Committee on Intelligence and Security regarding ASIO's Questioning and Questioning and Detention powers contained in Division 3 of Part III of the ASIO Act. This submission outlined the role of the IGIS office in relation to ASIO's questioning and detention powers and highlighted a number of safeguards that should be maintained to ensure effective oversight of any new regime of compulsory questioning powers for ASIO that may replace the current regime.
Journalist information warrants
During the reporting period ASIO has complied with the legislative requirements in respect of journalist information warrants set out in Division 4C of the TIA Act. In the course of our regular inspections we have observed that ASIO staff are familiar with ASIO internal policies and procedures relating to journalist information warrants. In one case, ASIO mistakenly obtained call charge records for a telephone service belonging to a newspaper's classifieds service. The metadata was collected due to a typographical error and was subsequently deleted. ASIO's response to this mistaken collection of metadata demonstrated ASIO staff's awareness of the legal requirements for obtaining a journalist information warrant.
Use of force
Warrants issued under the ASIO Act must explicitly authorise the use of force that is necessary and reasonable to do the things specified in the warrant. Under section 31A of the ASIO Act, when force is used in the execution of a warrant ASIO must notify the IGIS in writing, as soon as practicable. The ASIO Act does not specify a timeframe for the provision of these reports but ASIO has developed a policy that requires an initial notification within 72 hours (three days) of the use of force, to be followed by more detailed information within 10 days. During the reporting period, ASIO did not advise this office of any use of force against persons during the execution of ASIO warrants by ASIO or law enforcement officers.
Special intelligence operations
ASIO's special intelligence operations powers introduced in 2014 allow ASIO to seek authorisation from the Attorney-General to undertake activities that would otherwise be unlawful. ASIO can seek these authorisations to assist in the performance of its special intelligence functions, and where the circumstances justify the conduct of a special intelligence operation. The legislation requires ASIO to notify the IGIS as soon as practicable after an authority is given. All special intelligence operations approved during the reporting period were notified to the IGIS on the same day as approval was granted by the Attorney-General.
The legislation also requires ASIO to provide a written report on each special intelligence operation to the Attorney-General and the IGIS. Reporting was made available to IGIS staff who have reviewed documentation on special intelligence operations. There are no outstanding reporting requirements for the 2016-17 reporting period. The details of special intelligence operations are highly sensitive and cannot be included in a public report, however, during the reporting period no substantive issues or concerns were identified when reviewing these activities.
Access to telecommunications data
The TIA Act enables certain persons to authorise the collection of prospective and historical telecommunications data from telecommunications carriers or carriage service providers. Prospective data authorisations are authorised internally at ASIO for the period the authorisation is in force. Collection under a prospective data authority can only be undertaken by ASIO in connection with the performance of its functions and in accordance with the Attorney-General's Guidelines. Our inspections of ASIO's access to prospective telecommunications data and historical telecommunications data showed that the prospective data authorisations reviewed were authorised at the appropriate level, were undertaken in connection with ASIO's functions, and demonstrated regard for the Attorney-General's Guidelines.
In a small number of instances ASIO obtained data under a prospective data authority that did not relate to the subject of the authority. In these instances ASIO deleted the data. The office also identified some record keeping issues with records not saved in accordance with ASIO's internal policies. None of these events was of significant concern, nor did they indicate a systemic problem at ASIO.
ASIO exchange of information with Australian Government agencies
ASIO's relationship with other Australian Government agencies includes the exchange of information. Exchanges of sensitive personal information are of particular interest to the office, and are subject to OIGIS review as part of our periodic inquiry and investigation inspections.
During the reporting period, ASIO undertook exchanges of information with a number of Australian Government agencies including the Australian Criminal Intelligence Commission, the Australian Federal Police, State and Territory police services, the Department of Immigration and Border Protection and the Department of Foreign Affairs and Trade. Regular inspection activity included reviewing these exchanges to assess ASIO's compliance with legislation, the Attorney-General's guidelines and ASIO policy. No major areas of concern were identified during these inspections. A small number of administrative errors were found however, once notified, these were explained and rectified by ASIO.
Access to taxation information
Section 355-70 of Schedule 1 to the Taxation Administration Act 1953 provides that a taxation officer authorised by the Commissioner of Taxation or their delegate may disclose protected information to an authorised ASIO officer if the information is relevant to the performance of ASIO's functions. This access to sensitive information is further governed by a memorandum of understanding between the Commissioner of Taxation and the Director-General of Security; the Attorney-General's Guidelines; and ASIO's internal guidelines and procedures.
ASIO rarely requests access to this type of information. During the reporting period, IGIS staff reviewed ASIO access to sensitive tax information carried over from the previous financial year. No issues of concern were identified in this inspection. IGIS staff will review ASIO access to taxation information for the 2016-2017 period in July 2017. The results for this inspection will be included in next year's annual report.
ASIO exchange of information with foreign liaison
The ASIO Act authorises ASIO to provide and to seek information relevant to Australia's security, or the security of a foreign country, from authorities in other countries. ASIO may only cooperate with foreign authorities approved by the Attorney-General.
ASIO has implemented guidelines for the communication of information on Australians and foreign nationals to approved foreign authorities. These guidelines impose an internal, risk-based framework for assessing and approving the passage of information, based on such factors as ASIO's previous experience dealing with the authority, how the authority manages information, and the authority's history in relation to human rights issues.
During 2016-17 the investigation and inspection team inspected a sample of foreign liaison exchanges through the regular inspections of ASIO cases. These inspections have focused primarily on areas of increased risk to Australian persons, such as persons involved in the conflict in Syria and other high-risk areas. While no major areas of concern were identified, a small number of administrative and record keeping issues were found and brought to ASIO's attention. We will continue to monitor exchanges with foreign countries.
The office of the IGIS regularly reviews a range of submissions to the Attorney-General. During the current reporting period IGIS staff were provided with improved access to these documents. These reviews continue to be useful in obtaining an overview of legality and propriety issues, and to keep the IGIS informed of current operations and emerging issues.
Security assessments can lead to cancellation or refusal of visas or passports. The investigation and review team continued to review a sample of cases where ASIO had requested passport suspension, passport cancellation or emergency visa cancellations. In 2016-2017 IGIS staff conducted two inspections reviewing security assessments that resulted in visa and passport cancellations. In the first inspection no issues of legality were identified, however the office did raise a number of issues regarding record keeping and referencing. The second inspection is currently being finalised and will be reported on in the 2017-2018 annual report. The office will continue to monitor these issues.
Breach of section 38(7) of the ASIO Act
The ASIO Act requires that, where ASIO has issued a qualified or adverse security assessment in respect of a person to a Commonwealth agency or a state or an authority of a state, that agency, state or authority shall give notice the assessment to that person within 14 days. However, the Act also provides that the notice may be withheld, where the Attorney-General certifies that they are satisfied that withholding the notice is essential to the security of the nation. The Act requires that if such certification is issued, the Attorney-General must annually consider if the certificate should remain in force, or whether the subject of the security assessment can be provided with notice of the assessment. While the ASIO Act does not impose a direct obligation on ASIO it is clear that in determining whether to issue the certificate and in reconsidering the matter each year the Attorney-General will need to rely on ASIO advice in order to meet this statutory obligation.
In 2016, ASIO did not provide the Attorney-General with the necessary information to enable the Attorney-General to consider whether a number of certificates should be revoked. Potentially the individuals concerned were denied the benefit of a favourable reconsideration, namely the information that their passports had been cancelled; and that the underlying security assessments could be subject to review.
ASIO identified this oversight and subsequently conducted an internal review of all similar certificates. ASIO did not notify this office of the breach or subsequent review; IGIS staff became aware of the breach and the internal review while inspecting submissions to the Attorney-General.
ASIO's internal review identified four similarly affected cases. In each of those four cases ASIO's subsequent review resulted in ASIO changing its assessment, and recommending to the Attorney-General that withholding notice of the security assessment was no longer essential to the security of the nation. This office had some concern about the length of time taken to rectify ASIO's error; in one instance ASIO took five months to issue its advice to the Attorney-General.
This problem appears to have arisen from an administrative oversight when the provisions came into effect in December 2014. Whilst this oversight has since been rectified, the office was concerned by the significant impact of non-compliance upon the rights of the individuals concerned. Also of great concern was that ASIO had made the determination to delay notifying the Inspector-General of this oversight until after ASIO had fully resolved the matter. This decision was not in accordance with ASIO's longstanding practice of providing timely notification to this office when non-compliance was identified. This issue was further compounded when ASIO incorrectly advised the Attorney-General that ASIO had reported the issue to the IGIS, when this had not occurred. The OIGIS identified this error through the course of its periodic inspections and ASIO subsequently wrote to the Attorney-General to correct this inaccuracy. ASIO has accepted that it should notify this office immediately when issues of non-compliance are identified and has taken a number of steps to ensure that issues of non-compliance are promptly reported to the IGIS.
In December 2015, Parliament introduced sections 33AA and 35 into the Australian Citizenship Act 2007. These amendments provide for the cessation of Australian citizenship where an Australian citizen who also has citizenship of another country engages in conduct specified in section 33AA(2) of that Act. It is noteworthy that these provisions are self-executing, that is they take effect automatically upon a dual citizen engaging in the specified conduct. Formal administrative action by any Australian Government agency is not required for their operation. The office of the IGIS has a continuing interest in the way in which ASIO understands and discharges its responsibilities under the amended legislative framework and this will be a matter of ongoing consideration.
Review of Attorney-General's Guidelines
In addition to inspection activities, the IGIS also provided input into the review of the Attorney-General's Guidelines being undertaken by ASIO and the Attorney-General's Department. The Guidelines are issued under section 8A of the ASIO Act and are to be observed by ASIO in the performance of its functions. The Parliamentary Joint Committee on Intelligence and Security, as part of its review of the National Security Legislation Amendment Bill (No1) 2014, recommended that the Government review these Guidelines. Subsequently the Government initiated the review of the Guidelines which was ongoing at the end of the reporting period.
ASIO Inspection projects
ASIO staff may deploy a range of technical devices to gather intelligence. In November 2016, the IGIS initiated an inspection project focusing on ASIO staff access to surveillance devices and other technical devices used for this purpose. The aim of the project is to provide assurance that ASIO's internal accountability measures ensure that devices are only deployed for the purposes of conducting authorised investigations. This project will continue through 2017-18.
In November 2016 the IGIS initiated an inspection project focusing on ASIO's online investigative activities. This project did not arise in response to a specific concern or complaint, but was considered to be timely noting the proliferation of social media activity amongst investigative targets and the broader public alike. The project is ongoing and will assess the legality and propriety of ASIO's activities and identify high risk activities that may require further consideration by IGIS staff.
Protecting complainant information
Some years ago ASIO and IGIS agreed on a protocol for the management of information concerning complaints or public interest disclosures made to the IGIS. This protocol, which was last updated in 2011, provides guidance for ASIO's management of lawfully intercepted communications which identify, or potentially identify, a person who has made a complaint or public interest disclosure to this office.
In March 2017, the investigation and review team identified a number of instances where this protocol had not been adhered to. ASIO subsequently conducted a comprehensive review, and has proposed a number of improvements to their process to lessen the possibility of recurrence. We will consider the proposed changes in the next reporting period.