Australia's world-first anti-encryption law should be overhauled, independent monitor says

Photograph: Sascha Steinbach/EPA

The attorney general should be stripped of the power to approve orders that would force tech and social media companies to help security services to potentially spy on the public, the Independent National Security Legislation Monitor has said.

In a report into the encryption legislation, the outgoing INSLM, James Renwick, called for that power and the ability for agency heads to compel assistance from tech companies to be moved to the Administrative Appeals Tribunal, and a new investigatory powers commissioner within it.

Renwick also called for the threshold for offences that can be investigated by the wide-ranging new powers to be raised to more “serious offences” – such as those punishable by seven years in prison, not the present three-year threshold.

But the attorney general and acting home affairs minister, Christian Porter, gave no commitment to implement the recommendations, citing an ongoing parliamentary review.

The changes would require a major overhaul of the world-first national security legislation passed in December 2018, which has been the subject of a long dispute between the Coalition and Labor over mechanisms to improve oversight.

The legislation increases penalties for criminal suspects who refuse to unlock devices such as phones and creates a new framework for law enforcement agencies to request or compel technical assistance from tech companies, even to create new capabilities such as backdoors to get around the encryption in some of their products.

Australia’s spy agency Asio and the Australian federal police called for the law on the basis some 90% of priority cases involved encryption, which protects the messages of criminal suspects with unbreakable codes.

Renwick concluded that the law “is or is likely to be necessary” because there has been “widespread adoption of internet-based encryption by criminals and other bad actors” and it will help counteract suspects “going dark”.

“No country which operates as Australia does under the rule of law can countenance the creation of ungovernable space, free from the rule of law.”

However, Renwick said that powers should be extended to integrity agencies, including a future commonwealth integrity commission, and the ability of Asio to request cooperation should be narrowed.

Renwick said the report’s central recommendations were to remove the power from agency heads to issue technical assistance notices (TANs) and from the attorney general to approve technical capability notices (TCNs).

The powers would instead lie in a new investigatory powers division of the AAT with the ability to “sit in private as necessary” to protect national security and commercial-in-confidence information.

Renwick also called for a new statutory office, the investigatory powers commissioner, a retired judge who will be appointed to the AAT after mandatory consultation with the opposition. The commissioner would have access to technical advice and assist in approving the issue of TANs and TCNs.

Renwick said the changes are needed because the attorney general’s oversight “does not, in substance or perception, amount to an independent or external review of the decision to issue the notice”.

Renwick called for further clarification of the law’s central safeguard, that technology companies cannot be required to introduce a “systemic weakness” into their products.

The law should prevent enforcement agencies creating “a material risk that otherwise secure information” – such as information of people not communicating with the suspect – “will be accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party”.

Renwick also recommended the law change so that:

  • Individual employees of designated communications providers cannot be targeted with notices, only companies or sole traders.

  • The AFP be stripped of its role overseeing state and territory police industry assistance notices.

  • The home affairs minister cannot remove material from a commonwealth ombudsman’s report about the regime.

  • Public officials can reveal information about TARs, TANs and TCNs “when that disclosure is in the national or public interest” as judged by the agency.

The parliamentary joint committee on intelligence and security – which commissioned the INSLM review – is separately reviewing the encryption legislation and is due to report in September.

Porter said it was “sensible for the government to await [its] findings before responding to the INSLM’s report”.

“What is clear however, is that the counter encryption laws have been critical to helping protect Australia’s national security,” he said.

On Wednesday, Porter announced the new INSLM is Grant Donaldson, who Porter had appointed in 2012 to the position of solicitor general of Western Australia, which he held until 2016.