Bills Digest no. 47 2009–10
Telecommunications (Interception and Access) Amendment Bill 2009
WARNING:
This Digest was prepared for debate. It reflects the legislation as
introduced and does not canvass subsequent amendments. This Digest
does not have any official legal status. Other sources should be
consulted to determine the subsequent official status of the
Bill.
CONTENTS
Passage history
Purpose
Background
Financial implications
Main provisions
Concluding comments
Contact officer & copyright details
Passage history
Date introduced: 16 September 2009
House: House of Representatives
Portfolio: Attorney-General
Commencement: The day after Royal Assent.
Links: The relevant links to the Bill, Explanatory Memorandum and second
reading speech can be accessed via BillsNet, which is at http://www.aph.gov.au/bills/.
When Bills have been passed they can be found at ComLaw, which is
at http://www.comlaw.gov.au/.
The Bill amends the
Telecommunications (Interception and Access) Act 1979 (TIA
Act) to introduce a new network protection regime to cover all
Australian computer network owners and operators.
Network protection usually involves establishing perimeters to
defend a network by placing protective tools at different points
within the network to detect and respond to known and predicted
security risks.[1]
Such activities are critical to both the network's efficient
operation and the protection of all data stored on the network.
Such data may include sensitive government and business data held
on the network, as well as any personal and financial data which
individuals have supplied, for example in the course of their
employment or in requesting or purchasing services.[2]
Under the TIA Act, it is prohibited to intercept, or authorise
interception, of a communication passing over[3] a telecommunications system, and to
access stored communications, except in accordance with a
telecommunications warrant.[4]
However an exemption is provided under section 5F to these
prohibitions to the employees of a number of Commonwealth and state
law enforcement and security agencies, if they are responsible for
operating, protecting or maintaining a network or if they are
responsible for enforcement of the professional standards (however
described) of the agency or authority.[5] Similarly, subsection 5G(2) provides an
exemption to a number of law enforcement and security agency
employees in regard to the intended recipient of a communication.
These exemptions authorise these employees, who are the network
administrators of the agencies concerned, to access
telecommunications passing over the agencies' networks, without
warrant, for the purposes of network security and enforcement of
professional integrity.[6]
These exemptions, known as the network protection provisions,
were inserted by the Telecommunications (Interception)
Amendment Act 2006 and initially only applied to the
Australian Federal Police, although the 2007 amending Act[7] extended this to cover
designated Commonwealth agencies, security authorities and eligible
state authorities.[8]
The provisions originally had a two year sunset clause, which was
then extended to December 2009. The intention of this delayed
sunset clause was to enable law enforcement and security agencies
to continue to protect their networks while a comprehensive
long-term solution covering both the public and private sectors was
developed.[9]
In July 2009, the Government released a discussion paper and
exposure draft Bill aimed at providing the solution to network
protection for all computer networks. In the short consultation
period for this draft, the Attorney-General's Department received
19 substantive submissions, although these were not publicly
released.[10]
Electronic Frontiers Australia (EFA)[11] publicly opposed this draft Bill,
pointing out that it did not provide sufficient clarity or adequate
protections for the privacy of network users. EFA stated that the
exposure draft allowed a very broad discretion to network operators
to intercept communications and that the wording of that Bill would
have permitted network operators to intercept communications, for
example, to determine whether peer-to-peer filesharing traffic was
infringing a third party's copyright interest, or to determine
whether the network was being used for excessive personal
use.[12] It would also
have provided a broad ability for network operators to disclose the
substance of intercepted communications to an unlimited group of
people for undefined disciplinary purposes.[13]
The Minister's Second Reading Speech to the Bill notes that the
exposure draft Bill has been modified to address a number of
concerns raised in submissions in order to strike an effective
balance between protecting networks from malicious activities while
protecting users from unnecessary or unwarranted intrusion.[14]
The Bill has been referred to the Senate Legal and
Constitutional Affairs Committee for inquiry and report by 16
November 2009. Details of the inquiry are at:
http://www.aph.gov.au/senate/committee/legcon_ctte/telecommunications/index.htm
The Digest draws on submissions to the inquiry.
Electronic Frontiers Australia (EFA), in their
submission to the Senate inquiry, notes that the Bill addresses all
of the concerns they raised on the exposure draft.[15] The submission commends the
Attorney-General's Department on achieving a workable legislation
exception to the prohibition on interception of telecommunications
that allows network operators to perform legitimate network
protection duties without unduly burdening the privacy of end
users.[16]
The Office of the Privacy Commissioner (OPC)
recognises the need for an appropriate balance between the public
interest in computer network owners and operators being able to
undertake legitimate activities aimed at detecting and responding
to security risks and maintaining individual privacy. Their
submission suggests a number of amendments to improve this balance.
For example, they suggest tightening the provisions dealing with
secondary uses of information and recommend that consideration be
given to including in the Bill a provision to allow individuals
access to intercepted communications that relate to them, to be
modelled on National Privacy Principle 6.1 in the Privacy Act
1988.[17]
The Internet Industry Association is reportedly
pleased with the Bill and the changes made since the exposure
draft. Their spokesman, John Hilvert, has been reported as saying
that the exposure draft might have given internet service providers
a new discretionary ability that conflicted with their obligations
under privacy laws and the TIA Act generally.[18]
Specific concerns of these and other organisations are referred
to in the main provisions section below.
The Explanatory Memorandum states that the Bill will have no
financial impact.[19]
The Telecommunications (Interception) Amendment Act
2006 inserted the existing network protection provisions into
sections 5F and 5G of the TIA Act. These provisions are limited to
Commonwealth law enforcement agencies and security authorities, and
eligible authorities of a State. They are subject to a sunset
clause and are due to expire at the end of 12 December
2009.[20]
Items 5–8 repeal these provisions as they are to
be replaced with the new network protection regime as set out in
the Schedule.
Items 1 to 4 and 9 provide key
definitions underlying the new network protection provisions. They
are discussed below in their relevant context.
Item 11 amends subsection 7(2) by inserting
proposed paragraph 7(2)(aaa). It is the central
provision of the Bill and creates an exception to the prohibition
on the interception of communications by persons lawfully engaged
in network protection duties in relation to a computer
network where that interception is reasonably necessary for the
person to effectively perform their duties.
Network protection duties are defined in item 2
as relating to:
- the operation, protection or maintenance of the network,
or
- if the computer network is operated by, or on behalf of, a
designated Commonwealth agency, security authority or eligible
authority of a State, ensuring that the network is appropriately
used by employees, office holders or contractors of the agency or
authority.
Appropriately used in this context is defined as:
- when the employee, office holder or contractor has made a
written undertaking to comply with any conditions specified by the
agency or authority,
- those conditions are reasonable, and
- the person complies with those conditions when using the
network (proposed section 6AAA, item 9).
In contrast to the exposure draft, the Bill now
limits network protection duties for all networks to duties
relating to the operation, protection or maintenance of the
network. The ability to intercept communications in order to determine
whether a network is being appropriately used is expressly limited
to operate only in relation to users of certain Commonwealth
agencies, security authorities, or eligible State authorities.
The Explanatory Memorandum states that allowing specified
government agencies and authorities to undertake network protection
activities for disciplinary purposes is consistent with the
existing network protection provisions. These agencies are subject
to additional statutory requirements not applicable to other public
sector or non-government employers which prescribe particular
information handling obligations. The Explanatory Memorandum also
states:
The requirement to act in accordance with
reasonable conditions set out in a written user agreement is new
and will provide additional protection to workers in the agencies
and authorities covered by these provisions.[21]
Paragraph 7(2)(aaa) does not
allow the interception of speech for network protection purposes
(proposed subsection 7(3), item 13). The
Explanatory Memorandum explains that data relating to Voice over
Internet Protocol (VoIP) speech may be interrogated but the data
cannot be reconstructed in order to listen to the actual voice
communication. The rationale given is that this limitation is
intended to preserve the integrity of the interception warrant
regime by excluding telephone conversations and communications from
the exception so that normal voice communications cannot be
listened to.[22]
EFA note that this limitation does not prevent recorded voice
communications embedded in video or audio files such as music
videos or audio files downloaded from the internet that may be
attached to an email communication from being intercepted,
reconstituted and listened to for the purposes of paragraph
7(2)(aaa).
EFA argues that it is not clear why the prohibition on
assembling voice data should apply only to some voice communication
and not to recorded voice communications embedded in video or audio
files. In the absence of a good reason, EFA therefore recommends
that the prohibition on reconstructing voice communications should
be extended to all audiovisual communications.[23]
Item 15 inserts proposed sections 63C,
63D and 63E which are the main provisions
relating to the use and disclosure of intercepted communications by
authorised persons under new paragraph 7(2)(aaa).
Proposed section 63C provides that a person
engaged in network protection duties may, in performing
those duties, use or disclose lawfully intercepted communications
whether originating internally or externally. The lawfully
intercepted communication may be disclosed to either the
responsible person[24] for the network or to another
person if it is reasonably necessary to enable the other person to
perform their duties in relation to protecting the network.
Proposed section 63D deals with the use of
intercepted information for disciplinary purposes. It allows a
person engaged in network protection duties to disclose this
information to another person in order to determine:
- if disciplinary action should be taken in relation to the use
of the network by an employee, office holder or contractor of a
designated Commonwealth agency, security authority or eligible
State authority who has legitimate access to the network,
- taking disciplinary action in relation to the use of the
network by such an employee, office holder or contractor when the
use of the network is not appropriate,[25] or
- reviewing a decision to take such disciplinary action.
Proposed subsection 63D(4) prevents a person
from communicating or making use of information accessed under new
paragraph 7(2)(aaa) relating to disciplinary action if to do so
would contravene another law of the Commonwealth, State or
Territory. The Explanatory Memorandum explains the purpose of this
provision as providing protection for workers by ensuring that
their employer cannot circumvent any relevant workplace relations
requirements or workplace surveillance laws by accessing
information under the TIA Act.[26]
The OPC submission raises a concern with section 63D noting that
it could be lawful for a network owner or operator to use and
disclose an intercepted communication for disciplinary action even
though that use of the network does not pose a network security
risk.[27] OPC
recommends that the Bill should clarify that disciplinary action in
section 63D, regarding misuse of the computer network, applies to
activities that pose a risk to network security only.[28]
Proposed section 63E allows a responsible
person for a computer network to voluntarily communicate lawfully
intercepted information, other than foreign intelligence
information, to an officer of an agency in certain circumstances.
The responsible person may only communicate the information if he
or she suspects, on reasonable grounds, that the information is
relevant to determining whether another person has committed a
prescribed offence. A prescribed
offence is defined in subsection 5(1) and is generally an offence
punishable by imprisonment for a maximum period of at least three
years.
In effect, this provision allows for a person to voluntarily
disclose to a law enforcement agency information which has been
intercepted in the course of undertaking network protection duties.
The Explanatory Memorandum further explains that lawfully
intercepted information may be communicated to an agency regardless
of whether it was collected in accordance with a user
agreement.[29]
The Law Council of Australia, while not objecting in principle
to this provision, would be concerned if law enforcement agencies
were to use this voluntary disclosure provision to obtain
information by request, when they would otherwise require a warrant
to access it.[30]
While acknowledging that the Explanatory Memorandum clarifies
that an agency may not compel or request the disclosure of
information obtained through network protection duties, the Law
Council is concerned that an agency is not expressly
prohibited or prevented from requesting the disclosure of
information.
The Law Council submits that a further subsection be added to
proposed section 63E which provides that the section does not apply
where an agency has requested the disclosure of the information.
This would safeguard against the potential misuse of the section to
circumvent the warrant requirements of the Act.[31]
Item 22 inserts proposed section
79A which provides the rules regarding the destruction of
a restricted record, that is, a record of a communication that was
intercepted under paragraph 7(2)(aaa). A responsible person for a
computer network must ensure the record be destroyed as soon as
practicable after it is determined that it is not likely to be
required for network security purposes or disciplinary action.
Several submissions to the Senate inquiry commented on this
provision.
The Australian Law Reform Commission and the OPC submissions
note that section 79A extends only to the destruction of the
original record and that there should also be an obligation to
destroy copies of restricted records.[32] The Explanatory Memorandum notes that
this is not practical as often copies of records are no longer in
the possession of the responsible person.[33]
EFA also notes that it is not clear what the requirements are
for the destruction of such records. For example, 'destroy', in this
situation, could mean merely 'delete' where the data remains on the
storage media but the index providing its location is removed. EFA
submits that the requirement to destroy intercepted communication
should explicitly reference acceptable standards of secure
electronic document destruction as appropriate to the sensitive
nature of intercepted communications.[34]
EFA also suggested a further tightening of the wording in
section 79A, noting that the requirement to destroy records only
applies as soon as practicable after [a relevant person becomes]
satisfied that the restricted record is not likely to be required
for network protection duties or for disciplinary action purposes.
EFA argues that the prospective nature of this phrasing suggests
that there is no requirement to destroy a record of an intercepted
communication once the legitimate purpose for which it was
intercepted has been fulfilled. EFA submits that proposed
subsection 79A(2) be amended to additionally require destruction of
applicable records as soon as practicable after the relevant person
becomes satisfied that the record is no longer likely to be
required.
Item 21 is a consequential amendment flowing
from item 22. It clarifies that the destruction of
records requirements in new section 79A (as opposed to those in
existing section 79) will apply to records intercepted for network
protection under new paragraph 7(2)(aaa). The Explanatory
Memorandum explains the rationale for having two different
provisions dealing with destruction of records.[35]
Schedule 2 makes amendments to the TIA Act mainly relating to
the definition of permitted purpose and to the evidential
certificate regime.
Item 2 would amend the definition of permitted
purpose in subsection 5(1). Section 67 of the TIA Act allows
information which has been lawfully intercepted to be used for
certain defined permitted purposes, including a purpose connected
with an investigation by the AFP of a prescribed offence.[36] Item
2 inserts new subparagraphs (5)(1)(b)(v)
and (vi), the effect being that lawfully
intercepted information could be used, communicated, and used in
proceedings by the AFP in applications for control orders and
preventative detention orders under Divisions 104 and 105 of the
Criminal Code Act 1995.[37] The Explanatory Memorandum states that this is
not a new police power but a clarification of an existing
power.[38]
Items 3 and 4 propose further
amendments to the definition of permitted purpose in order to
reflect changes to the powers of the New South Wales Police
Integrity Commission (PIC) made under the Police Integrity Act
1996 (NSW). In the case of item 4, the effect
will be to enable the PIC to use and communicate lawfully
intercepted information for the purpose of an investigation in
relation to any officer within the PIC's jurisdiction.
Items 9 to 13 propose several
amendments regarding the use of evidentiary certificates. Under the
TIA Act an evidentiary certificate may be used in certain
circumstances. Such a certificate may be received in evidence in a
proceeding without further proof and is conclusive evidence of the
matters stated in the documents.[39]
Item 9 would repeal and replace
subsection 18(1). Section 18 deals with
evidentiary certificates that may be issued by the Managing
Director or the Secretary of a telecommunications carrier in
relation to the issuing of ASIO interception warrants. The
new subsection 18(1) would have the effect of
allowing the Managing Director or the Secretary to delegate this
power by authorising employees of the carrier to also issue
certificates. The Explanatory Memorandum notes that the delegation
of this power is consistent with the current evidentiary
certificate regime applying to law enforcement interception
warrants under section 61 of the TIA Act.[40]
Item 11 would repeal and replace
subsection 129(1) and is similar in effect to item
9. It would allow the Managing Director or the Secretary of a
carrier to delegate to employees the power to issue evidentiary
certificates in relation to stored communication warrants.
Chapter 4 of the TIA Act allows access to telecommunications
data obtained under an authorisation. Item 13
inserts proposed sections 185A, 185B and
185C into this Chapter. The effect would be to
extend the evidentiary certificate regime to lawful access to
telecommunications data authorised under this Chapter. The
provisions are modelled on existing evidentiary certificate
provisions contained in other Chapters and include the powers of
delegation mentioned above in items 9 and 11.
Concluding comments
Generally the Bill has been well received. It is seen as an
improvement on the initial exposure draft produced earlier this
year in providing a better balance between the needs of internet
security and the protection of personal privacy. The Office of the
Privacy Commissioner and Electronic Frontiers Australia have
however made recommendations aimed at tightening the use and
disclosure provisions of the proposed regime.
The Senate inquiry into the Bill is due to report on 16 November
2009 and the current arrangements for network protection expire on
12 December 2009. Parliament therefore has a short time frame in
which to consider the Bill and the Report.
Members, Senators and Parliamentary staff can obtain further
information from the Parliamentary Library on (02) 6277 2438.
Mary Anne Neilsen
26 October 2009
Bills Digest Service
Parliamentary Library
© Commonwealth of Australia
This work is copyright. Except to the extent of uses permitted
by the Copyright Act 1968, no person may reproduce or transmit any
part of this work by any process without the prior written consent
of the Parliamentary Librarian. This requirement does not apply to
members of the Parliament of Australia acting in the course of
their official duties.
This work has been prepared to support the work of the Australian
Parliament using information available at the time of production.
The views expressed do not reflect an official position of the
Parliamentary Library, nor do they constitute professional legal
opinion.
Feedback is welcome and may be provided to: web.library@aph.gov.au. Any
concerns or complaints should be directed to the Parliamentary
Librarian. Parliamentary Library staff are available to discuss the
contents of publications with Senators and Members and their staff.
To access this service, clients may contact the author or the
Library’s Central Entry Point for referral.