Bills Digest no. 71 2007–08
Telecommunications (Interception and Access) Amendment Bill
2008
WARNING:
This Digest was prepared for debate. It reflects the legislation as introduced
and does not canvass subsequent amendments. This Digest does not have
any official legal status. Other sources should be consulted to determine
the subsequent official status of the Bill.
CONTENTS
Passage history
Purpose
Background
Financial implications
Main provisions
Concluding comments
Endnotes
Contact officer and copyright details
Passage history
Telecommunications
(Interception and Access) Amendment Bill 2008
Date introduced: 20 February 2008
House: House
of Representatives
Portfolio: Attorney-General
Commencement:
Sections 1 to 3 commence upon Royal Assent. Schedule
1, items 1-19, 26-34, 36, and 38-49 will commence on the day after Royal
Assent. Schedule 1, items 20-25, 35 and 37 commence on a day to be fixed
by proclamation, or six months after Royal Assent.
Links: The relevant
links to the bill, Explanatory Memorandum and second reading speech
can be accessed via BillsNet, which is at http://www.aph.gov.au/bills/.
When bills have been passed they can be found at ComLaw, which is at http://www.comlaw.gov.au/.
To amend the Telecommunications
(Interception and Access) Act 1979 (the TIA Act) to extend the
operation of network protection provisions[1] which are due to expire (sunset) on 13 June 2008. The bill also
proposes a number of minor technical amendments to the TIA Act.
Under the TIA Act, it is prohibited to intercept, or authorise interception,
of a communication passing over a telecommunications system. However,
the Act provides a number of exemptions, including to the officers of
law enforcement and security agencies under warrant, if the Attorney-General
is satisfied that the telecommunications system is being used by a person
engaged in, or likely to be engaged in, or reasonably suspected to be
engaged in, activities or purposes that are prejudicial to security.[2]
Given rapid changes in communications technology, it has become possible
to communicate without a message ‘passing over’ the telecommunications
system. For example, those engaged in terrorist activities may use methods
such as storing emails in draft accounts but not sending them, writing
mobile phone texts but not sending them, swapping SIM cards, and using
others’ telephones to record voicemail messages. Such communications are
referred to as ‘stored’ communications.
In 2004 the then government introduced interim legislation which allowed
security and law enforcement agencies access to ‘stored’ communications
using a normal search warrant, rather than a telecommunications interception
warrant (which then only applied to communications ‘passing over’ a system,
and not ‘stored’ communications).
In March 2005 the government appointed Anthony Blunn AO (a former Secretary
of the Attorney-General’s Department) to undertake a review of the regulation
of access to communications under the TIA Act. In August 2005 Mr Blunn
completed his report titled Report
of the Review of the Regulation of Access to Communications.[3] The report, tabled in Parliament
on 14 September 2005, recommended that legislation dealing with access
to telecommunications data for security and law enforcement purposes be
established.
In 2006 the government introduced legislation that responded to the first
tranche of the report’s recommendations. The Telecommunications
(Interception) Amendment Act 2006 established a warrant regime
for access to stored communications, and included some controversial measures
such as ‘B Party Intercepts’.[4]
The government then implemented the second phase of Blunn recommendations
in 2007 with the Telecommunications
(Interception and Access) Amendment Act 2007. This Act transferred
provisions in the Telecommunications Act 1997 which regulated access
to telecommunications data for national security and law enforcement purposes
to the TIA Act. The Act also implemented a new two-tier access regime
for access to historic and ‘prospective’ (ie real-time) telecommunications
data.[5]
Some of the amendments to the TIA Act contained in the 2006 and 2007
amending Acts included sunset clauses, due to expire on 13 June 2008.
This bill seeks to extend those sunset clauses, and to make some technical
amendments.
Further detail is provided in the Main Provisions section.
The Senate Legal and Constitutional Affairs Committee
conducted inquiries into the 2006 and 2007 amending Acts to the TIA
Act. The reports can be found on the Committee’s website.[6] Given that this has been flagged
by the Minister as a ‘time critical’ bill, it is unclear whether this
bill will be referred to the Committee for consideration.
The Opposition and other parties have not made a public statement on
the current bill. In the Senate Committee inquiries into the 2006 and
2007 amending bills, the Australian Democrats supported the Committee’s
recommendations on both bills, but made further recommendations to improve
privacy considerations.
The Explanatory Memorandum states that there will be no financial impact
from this bill.
Items 1 and 2 seek to amend subsections 5F(3) and 5G(3)
of the TIA Act to repeal the existing sunset provision, which is two
years after the 2006 Act’s commencement (13 June 2008), and insert a new
sunset date of 12 December 2009.
Subsection 5F relates to when a communication is taken to be ‘passing
over’ a telecommunications system. The general tenet of the TIA Act is
that interception of a communication that is ‘passing over’ a telecommunications
system is forbidden, except with a telecommunications interception warrant.
However, an exemption is provided to the employees of a number of Commonwealth
and state law enforcement and security agencies, if they are responsible
for operating, protecting or maintaining a network or if they are responsible
for enforcement of the professional standards (however described) of the
agency or authority. Subsection 5F is reproduced below.
5F When a communication
is passing over a telecommunications system
(1) For the purposes of this Act, a communication:
(a) is taken to start passing over a telecommunications
system when it is sent or transmitted by the person sending the communication;
and
(b) is taken to continue to pass over the system until it becomes
accessible to the intended recipient of the communication.
(2) However, if a communication is sent from an address on a computer
network operated by or on behalf of:
(a) a Commonwealth agency; or
(b) a security authority; or
(c) an eligible authority of a State;
the communication is taken not to start passing over a telecommunications
system, for the purposes of this Act, until it is no longer under the
control of any of the following:
(d) any employee, member of staff or officer of
the agency or authority responsible for operating, protecting or maintaining
the network;
(e) any employee, member of staff or officer of the agency or authority
responsible for enforcement of the professional standards (however
described) of the agency or authority.
(3) Subsection (2) ceases to have effect at the end of the period of
2 years starting at the commencement of this section.
5G The intended
recipient of a communication
(1) For the purposes of this Act, the intended recipient of a communication
is:
(a) if the communication is addressed to an individual (either in
the individual's own capacity or in the capacity of an employee or
agent of another person)-the individual; or (b) if the communication
is addressed to a person who is not an individual-the person; or
(c) if the communication is not addressed to a person-the person who
has, or whose employee or agent has, control over the telecommunications
service to which the communication is sent.
(2) In addition to the person who is the intended recipient of a communication
under subsection (1), if a communication is addressed to a person at
an address on a computer network operated by or on behalf of:
(a) a Commonwealth agency; or
(b) a security authority; or
(c) an eligible authority of a State; each of the following is also
an intended recipient of the communication for the purposes of this
Act:
(d) any employee, member of staff or officer of the agency or authority
responsible for operating, protecting or maintaining the network;
(e) any employee, member of staff or officer of the agency or authority
responsible for enforcement of the professional standards (however
described) of the agency or authority.
(3) Subsection (2) ceases to have effect at the end of the period of
2 years starting at the commencement of this section.
The exemptions, dubbed by the Minister as ‘network protection provisions’[7],
were inserted by the Telecommunications (Interception) Amendment
Act 2006 and initially only applied to the Australian Federal Police
(AFP), although the 2007 amending Act extended this to cover Commonwealth
agencies, security authorities and eligible state authorities, as defined
by the TIA Act. The exemptions now include:[8]
- Commonwealth agency – the AFP, the Australian
Commission for Law Enforcement Integrity, or the Australian Crime
Commission
- eligible state agency – the Police Force of
any state, and
- in NSW: the Crime Commission, the Independent Commission Against
Corruption, the Inspector of the Independent Commission Against
Corruption, the Police Integrity Commission or the Inspector of
the Police Integrity Commission
- in Victoria: the Office of Police Integrity
- in Queensland: the Crime and Misconduct Commission
- in Western Australia: the Corruption and Crime Commission or
the Parliamentary Inspector of the Corruption and Crime Commission.
- security authority means an authority of the
Commonwealth that has functions primarily relating to:
- security
- collection of foreign intelligence
- the defence of Australia, or
- the conduct of the Commonwealth’s international affairs.
- According to the Explanatory Memorandum for the 2007 amending
Act, a security authority would therefore include ASIO, the Department
of Defence, and the Department of Foreign Affairs and Trade.[9]
In stating the need for network protection provisions, the Explanatory
Memorandum for this bill states:
Networks are protected from security risks by the use
of gateway control systems. The use of these systems (such as virus
protection software) does not generally violate interception legislation.
Automated systems can screen and reject incoming communications if
they are suspected of containing a virus, and network operators are
able to monitor internal and outbound communications (including emails
and internet browsing) provided they have obtained the consent of
people using the network. However, some network protection activities
that take place at the threshold of a network may constitute a technical
breach of the TIA Act.[10]
In his report Anthony Blunn recognised the problem faced by network
administrators accessing communications for the purpose of ensuring
network security:
Given the ‘rights’ of owners to protect their system,
the potential consequences of not doing so, the universality of the
need and the time-critical nature of the required response, it is
not in my opinion possible to meet the reasonable needs to protect
systems by amending the Interception Act to provide specific exemptions.
However from a privacy point of view uncontrolled access
is simply not satisfactory. An access regime should be established
which provides appropriate protections and prevents back-door use
and access to obtain content. Those protections should in my view
restrict access to that required for the identified purpose i.e. the
protection of the system. There should be clear authorisation and
the persons with that authority should be clearly identified. Those
persons should be required to protect the privacy of any data accessed
in the same way that the employees of C/CSPs are required to protect
data accessed in the course of their employment.[11]
Mr Blunn also recognised the possibility of ‘incidental’ interception
of communications in the course of developing new technologies (in particular,
but not limited to, the defence and security agencies). Blunn recommended:
Subject to appropriate controls, access to communications
without warrant be permitted where it is necessarily incidental to
the protection of data systems or the authorised development or testing
of new technologies or interception capabilities.[12]
The network protection provisions were a last-minute government amendment
to the Telecommunications (Interception) Amendment Bill 2006. The government
stated that the late insertion of the network protection provisions
for the AFP (extended in 2007 to a number of other agencies), rather
than inclusion in the original bill or during the Senate committee inquiry,
was because the AFP had not received final policy approval for the provisions
prior to the Parliamentary debate. Because of the lack of time to examine
the network protection provisions, the ALP and Australian Democrats
opposed the amendments, however they were passed by Parliament. There
was no specific mention of why a two-year sunset clause was included,
but the Minister did refer to the fact that more comprehensive legislation
to deal with the issue would be needed further down the track.[13]
The proposed 18-month extension of the sunset clause in the current
Bill is to allow the drafting of a permanent legislative solution to
implement the Blunn Report recommendation. In his second reading speech
for the bill the Attorney-General stated:
The proposed 18-month extension of the existing network
protection provisions will ensure law enforcement and security agencies
can continue to protect their networks while a comprehensive long-term
solution is developed. My department has already undertaken extensive
work on legislative changes that would implement the Blunn report
recommendation. As mentioned, these measures will have implications
across government, corporate and private networks. They must also
address complex issues associated with privacy, and state and territory
laws. It is important not to rush those changes, and there must be
enough time to consult widely on their impact. An 18-month extension
will enable full consideration of a more complete solution across
all networks. [14]
The proposed extension of the network protection provisions sunset
clauses by another 18 months means that over 20 Commonwealth and state/territory
law enforcement and security agencies will be given access exemptions
until the end of 2009. Blunn noted that unrestricted access is unsatisfactory
and recommended an authorisation process – including a requirement that
the access is strictly for the purpose of maintaining network security,
and that the people who are given authorisation are clearly identified.
While the Minister states that resolving the Blunn recommendation is
complex and requires separate legislation, it could be possible to insert
such authorisation processes into the interim legislation.
A number of the technical amendments are related to a proposed change
to allow named person warrants to apply to ‘multiple telecommunications
devices’, rather than ‘a particular telecommunications device’ as is
currently allowed.
Section 9A of the TIA Act allows the Director-General of Security to
apply to the Attorney-General for the issue of named person warrants.
Named person warrants can apply to either telecommunications services
being used by a particular person, or ‘a particular telecommunications
device’ used or likely to be used by the person.[15]
Item 3 proposes to amend subparagraph 9A(1)(b)(ii) of
the TIA Act to allow a device-based warrant to intercept communications
from multiple telecommunications devices.
Under the TIA Act, a telecommunications device is defined as ‘a terminal
device that is capable of being used for transmitting or receiving a
communication over a telecommunications system.’[16]
It is useful to note that under the TIA Act, warrants for interception
of a telecommunications device are to be used as a ‘second stage’ measure
– only if it would not be practical to intercept the telecommunications
services used, or likely to be used, by the person in respect of whom
the warrant is to be issued:
9A(3): The Attorney‑General must not issue
a warrant that authorises interception of communications made by means
of a telecommunications device identified in the warrant unless he or
she is satisfied that:
(a) there are no other practicable methods available to the Organisation
at the time of making the application to identify the telecommunications
services used, or likely to be used, by the person in respect of whom
the warrant would be issued; or
(b) interception of communications made to or from a telecommunications
service used, or likely to be used, by that person would not otherwise
be practicable.
The Explanatory Memorandum for the 2006 amending Act which introduced
these warrants gives the example of a person using multiple SIM cards
in a mobile phone in quick succession, making it impractical to access
each telecommunications service being used by the relevant person.[17]
Items 4-14 make subsequent amendments to TIA sections 9A, 11B
and 16 relating to the change to ‘multiple telecommunications devices’.
Items 20-25 amend the Part of the TIA Act relating to warrant
applications, to allow an application for ‘multiple telecommunications
devices’ Items 35 and 37 make related amendments to the need
to inform a Managing Director of a carrier to be notified of additional
devices to be added to a device-based named person warrant.[18]
As a result of changes to the TIA Act brought about by the 2006 and
2007 amending Acts, there is some duplication in the notification and
reporting requirements now contained in the consolidated Act. The remaining
items in this bill seek to rectify these problems by:
- repealing some now redundant reporting requirements (items 26-30,
42-48)
- allowing a ‘certifying officer’ of an agency (ie SES level or equivalent)
to notify the Managing Director of a carrier of the issue or revocation
of certain telecommunications interception warrants, rather than a
‘chief officer’ as currently allowed for under the TIA Act. This is
to provide ‘greater operational flexibility for agencies, whilst still
maintaining an appropriate level of accountability’ (items 32,
34, 39-40)[19]
- adding some additional notification requirements for service-based
named person warrants and device-based named person warrants, requiring
that the chief officer of an agency must notify the Secretary of the
Attorney-General’s department of any such warrants, and if any additions
are then proposed to be added to that warrant, a description ‘sufficient
to identify the services or devices to be added to the warrant’ (item
31, proposed section 59A).
Concluding
comments
The Minister has flagged that because of the impending sunset date
of 13 June 2008 for the existing ‘network protection provisions’ in
the TIA Act, the government would like the Parliament to consider this
a time-critical bill.[20]
While the extension of the sunset clauses and the technical amendments
contain no new powers for security or law enforcement agencies, the
extension of the ‘network protection provisions’ for a further 18 months
continues to allow network protection officers, or those responsible
for ‘professional standards’, of more than 20 Commonwealth and state
law enforcement and security agencies access to telecommunications without
a warrant or any legislated authorisation process.
New legislation addressing the need for law enforcement and security
agencies to protect their networks, which the Attorney-General says
will impact on government, corporate and private networks and will involve
complex privacy issues and state and territory laws,[21]
will presumably be introduced well before the new sunset date of 12
December 2009.
Bronwen Jaggers
7 March 2008
Bills Digest Service
Parliamentary Library
© Commonwealth of Australia
This work is copyright. Except to the extent of uses permitted by the
Copyright Act 1968, no person may reproduce or transmit any part of
this work by any process without the prior written consent of the Parliamentary
Librarian. This requirement does not apply to members of the Parliament
of Australia acting in the course of their official duties.
This work has been prepared to support the work of the Australian Parliament
using information available at the time of production. The views expressed
do not reflect an official position of the Parliamentary Library, nor
do they constitute professional legal opinion.
Feedback is welcome and may be provided to: web.library@aph.gov.au.
Any concerns or complaints should be directed to the Parliamentary Librarian.
Parliamentary Library staff are available to discuss the contents of
publications with Senators and Members and their staff. To access this
service, clients may contact the author or the Library’s Central
Entry Point for referral.
|
