2.44 The ABA, for example, indicated in its submission that
a significant proportion of child pornography is produced and/or hosted in Russia and some other Eastern European nations. The
Australian Federal Police (AFP) has advised the ABA that 'authorities in these jurisdictions have
not attached a high priority to investigating such matters.'[18] The Committee shares the ABA’s
concern; on an international level it is clear that the commitment to
developing a framework for detection and enforcement cannot be assumed,
although there are initiatives through The United Nations (Resolution of the
General Assembly no 55/63 'Combating the Criminal Misuse of Information
Technologies' – see extract at Appendix 4) and, as the Committee was informed
by Mr Orlowski, APEC.[19]
2.46 In
evidence, Mr Orlowski told the Committee of APEC projects following
the UN resolution which are designed to assist developing economies:
[APEC] have done a report on what economies [countries] are
doing to implement the United Nations General Assembly resolution. ... At the
moment ... we are running a workshop to assist developing economies, in
particular, to develop cybercrime legislation. At the last count, we had 120
representatives nominated for that workshop, which is quite a large number by
APEC standards. That will be followed up by in-country training provided by the
United States Department of Justice. They will go to the different economies
and work with them to try to get that legislation at least underway by October
2003.[21]
2.47 The Australian arrangements for the areas of UN concern are contained in
legislation and in particular, mutual assistance arrangements. The Attorney
General’s Department submission outlined these.[22] They include the Mutual Assistance
Unit in the Attorney-General’s Department. The unit has the following
functions:
· Making requests for assistance in criminal
matters to foreign jurisdictions on behalf of the Australian law enforcement
authorities, including the Australian Crime Commission.
· Coordinating the provision of assistance from
other countries for the investigation and prosecution of crime and the
restraint and confiscation of assets of crime.
2.48 In
addition, the submission advised that Australia is party to a number of bilateral Mutual
Assistance in Criminal Matters treaties. Assistance can be provided to
countries with which Australia does not have formal treaties, through the Mutual Assistance in Criminal Matters Act
1987. This legislation enables Australia to provide assistance on request
in relation to taking of evidence, issuing of search warrants, forfeiture,
confiscation, or restraining of dealings in property associated with criminal
offences, and the recovery of penalties.
2.49 Section 8 of the Mutual Assistance in Criminal Matters Act 1987
specifically provides that the Attorney General must
refuse the requested assistance in cases where the death penalty may be
imposed, unless the Attorney is persuaded that special circumstances exist.
Cases in which the request may be refused include political prosecutions, and
the prosecution of a person for an act or omission that if it had occurred in
Australia, would have been an offence under the military law of Australia but
not also under the ordinary criminal law of Australia.
2.50 There are
several international treaties which affect Cybercrime, including the UN
Convention on Transnational Organised Crime, which focuses on international
co-operation against crimes such as money laundering. In addition the Council
of Europe and the Lyon Group have established networks of law enforcement
officers which are operated by Interpol. The AFP is the contact point with this
network.[23]
2.51 The Committee also notes that limitations in Australia’s domestic legislation
prevent assistance being provided to other countries in cases in which
telecommunications intercept and listening device material is requested.
2.52 The Telecommunications (Interception) Act 1979 does
not allow Australia to gather intercept and listening device
material on behalf of another country. The exception is where the material has
already been obtained for an investigation of an Australian offence.[24]
2.53 There are also at least 13 Commonwealth Acts of Parliament which have some regulatory
relevance to cybercrime (see Appendix 5). In addition, states and territories
have their own legislation which is not uniform, either in offence provision or
in penalties. The ACC submission gives the example of a lack of uniformity in
Commonwealth and State laws as they apply to Internet Content Hosts (ICH)[25] and Internet Service Providers
(ISPs). Commonwealth law applies to ICHs but not to content providers, creators
or ordinary Internet users. State legislation applies to content providers and
ordinary Internet users.[26]
2.54 The state governments focus on the offences which, while they can be committed by
electronic means, are 'traditional' criminal offences – for example – fraud, or possession of
child pornography. The means to these offences is via a telephone connection,
and this is an area of Commonwealth responsibility.
2.55 The Committee notes that there are at least two bodies which could address this
lack of consistency, and promote a more focussed and unified approach to the
investigation, detection and prosecution of cybercrime. They are: the Standing
Committee of Attorneys General, and the Police Ministers’ Council.
2.56 The Committee is concerned that while there is no common cybercrime regime in Australia, there is an increasing likelihood of this
weakness being exploited by criminal elements.
Internet Service Providers (ISPs) and Internet Content Hosts
ISPs
2.57 Internet Service Providers sell Internet access. The Internet Industry Association
website explains the process of providing Internet access. In short, clients
require a modem (computer access to a telephone system) and usually enter a
contract to pay a monthly fee to use the service. This is usually paid by
credit card. The ISP provides software, and a telephone number to provide the
Internet access. The client selects a user name and password – which identify
him or her to the ISP when access to the Internet is required. The client can
then use the World Wide Web, and send and receive email. In addition to serving
individuals, ISPs also serve large companies, providing a direct connection
from the company's networks to the Internet. ISPs themselves are connected to
one another through Network Access Points (NAPs). ISPs are also called IAPs
(Internet Access Providers).[27]
2.58 ISPs are not licensed. Anyone (with appropriate information technology skills) can establish
themselves as a provider. In this unregulated environment, a number of concerns
have emerged.
2.59 The resources of less reputable ISPs can become a storehouse for records of
criminal activity. Further, there is potential for ISPs to obtain material from
client addresses which is confidential, in addition to the credit card payment
information which is supplied by the clients when they join the service.
2.60 ISPs are not nationally limited. They can operate from Australia to anywhere in the world, as international
operators can operate in Australia. There would be a significant expense for
small providers to do this, but it is possible.
2.61 There have been some initiatives in other jurisdictions to minimise the criminal potential
associated with ISPs. In evidence Mr. Greg Melick told the Committee that the United Kingdom has legislation which specifies that acts or
results occurring in the UK are subject to UK jurisdiction. He continued:
... until we start enacting appropriate laws, both as to
jurisdiction and preservation of evidence, we are not going to get very far.[28]
Internet Content Hosts
2.62 The expression Internet Content Host (ICH) is one which appears to be used in Australia, and few other places. It is defined in Clause
3 of Schedule 5 of the Broadcasting Services
Act 1992 as:
... A person who hosts Internet content in Australia,
or who proposes to host Internet content in Australia.
The Schedule also states that Internet content means
information that:
(a) is kept on a data storage
device; and
(b) is accessed, or available for
access, using an Internet carriage service;
but does not include:
(c) ordinary electronic mail; or
(d) information that is transmitted
in the form of a broadcasting service.
2.63 An Internet Service Provider can also host Internet content, and in practice many
do so. These are services which organise
and design materials for persons who wish to provide information on the
Internet.
2.64 Invitations
were extended to Internet Service Providers, and the Internet Industry
Association to provide the Committee with a submission to give the Committee an
opportunity to hear first-hand what the issues are which are most significant
for the service providers and the industry as a whole. None was forthcoming. The
Internet Industry Association did provide the Committee with a copy of the
draft code of conduct which is discussed below. However, the Committee had no
opportunity to discuss the Code of Conduct or to address associated issues to
the industry peak body and industry participants.
Co-operative schemes, and codes of conduct
2.65 The Committee heard that there are international, interdepartmental, Federal/State
government and private sector committees examining the issue of Internet
regulation. The Attorney General’s Department submission lists no fewer than
nine ‘cybercrime stakeholders’,[29]
each of which is working on its own projects involving cybercrime. The
submission notes that the Australian Securities and Investments Commission
(ASIC) has been working with the Internet Industry Association on a Cybercrime
Code of Practice. The association has a wide ranging membership which includes
telecommunications carriers, ISPs, e-commerce solution architects, hardware and
software vendors and content providers.
The Internet Industry Code of Practice
2.66 The Internet Industry Code of Practice was released by the Internet Industry
Association on 21 July 2003, and was provided to the Committee on 8 September
2003. Through self-regulation, the Code aims to establish a co-operative working environment
between law enforcement agencies (LEAs) and the Internet Industry Association.
The code aims to:
· Establish clear guidelines for criminal and
civil investigations within the provisions of the Telecommunications Act 1997 (the Act).
· Establish clear guidelines (within standards of confidentiality
and privacy established under the Act) agreed between industry and LEAs as to
what constitutes 'such help as is reasonably necessary'. This also is intended
to establish public confidence in, and promote the use of, the Internet.
· Provide a transparent mechanism for the handling
of LEAs’ investigations for the Internet industry which is clearly understood
by both parties.
· Promote positive relations between the LEAs and
the Internet industry.
· Give users of the Internet confidence that their
privacy and the confidentiality of their transactions will be guarded from
unlawful intrusion by LEAs.[30]
2.67 The Committee is concerned about the persuasive effect of the Code. If the Code of
Conduct applies only to those who agree to be bound by it, there is still a
potential for the problems which the Committee’s terms of reference identify
to remain unsolved, as those who wish to operate free of sanctions will still
be able to do so.
2.68 The Committee considers that the matter of regulation of ISPs should be examined
more closely, not only in the context of ensuring the compliance of ISPs with a
set of standards, but also in the context of the jurisdictional and evidentiary
issues which have emerged in the Internet environment, and which rely on the
material held by ISPs.
Recommendation 1
The Committee recommends that the House of Representatives
Committee on Communications, Information Technology and the Arts examine the
regulation of Internet Service Providers, including codifying the
jurisdictional and evidentiary matters involving material which is transmitted
or held by the Provider.
2.69 The Committee considers that there is a very strong case for a central
co-ordinating body for Cybercrime offences, and a form of regulation which
applies to those who refrain from endorsing the Code of Conduct.
Detecting and prosecuting cybercrime
2.70 During the inquiry the Committee became aware of a number of issues that apply generally
to the detection of cybercrime and the collection of evidence for prosecution. With anonymising
software (which can redirect and divert material), and the ease with which free
email addresses can be obtained without supporting identification, detection of
cybercrime is difficult and resource intensive.
2.71 The NSW Police also told
the Inquiry that it is possible to compromise the actual domain server, 'thereby
being able to re-route traffic, say from an Internet banking site.'[31] While the Police said this had not
actually occurred, the Committee considers it is a possibility which any protective
strategy must bear in mind.
2.72 Other
methods of masking illegal Internet activity include cryptography and
steganography. The former involves encrypting of data so that it is
unintelligible; steganography allows illegal data to be contained in seemingly
innocuous files, such as photographs, which can then be reworked at its
destination so as to allow access to the illegal data.
2.73 One important issue drawn to the Committee’s attention was the gathering of evidence in the cybercrime environment. The Committee observed that in the cyber environment the evidence trail disappears rapidly. There are devices which allow material to be 'scrubbed' from a storage medium; further, as ISPs are not required to retain records, there can be little material left to investigate.
2.74 While it is
possible to obtain search warrants to seize computer hard drives, discs and
other records, there appears to be no legal way in which Internet activity can
be monitored in 'real time' as can be done with an authorised telephone
intercept device, obtained under the Telecommunications
(Interception) Act 1979 (Cth).
2.75 The ACC suggested in its submission[32] that
the powers available under section 25A of the Australian Security Intelligence Organisation Act 1979 (the ASIO
Act) might also be made available to
the ACC in cybercrime investigations (although in giving evidence in Sydney the
ACC clarified this and indicated that this was one possibility among many for
the future).[33] These powers would allow real time surveillance of computer based activity to search computer
data for a period up to 6 months. The ACC proposed that this – as with the ASIO
legislation – would be subject to the issuing Minister being satisfied on reasonable
grounds that the intelligence collection will be substantially assisted by the
content which is obtained under the warrant.
2.76 The ACC
did not press this, and explained that:
... we are just scoping into
the future of electronic policing requirements maybe five or 10 years away. We
are not saying that the ACC should have these
powers; we are just saying that this is another law enforcement tool that in
the future may be directly related to electronic crime investigation.[34]
2.77 The powers suggested effectively offer a licence to hack into other computers. The ACC
presented the argument that:
Such a monitoring warrant enables law enforcement to use
investigative tools ... to intercept and collect the communications of the
subject of the warrant while ignoring those communications which the
authorisation to intercept does not cover.
Analogous to telephone intercept warrants in all material
respects computer monitoring warrants, issued subject to the same
administrative and judicial requirements and safeguards as telephone intercept
warrants – would significantly enhance the investigative tool kit available to
law enforcement.[35]
2.78 The
Committee notes that the provisions of section 25A of the ASIO Act are very
limited in their application: they apply only to instances where national
security is threatened. There was some discussion during the hearings as to
whether powers such as this were appropriate in this context, or whether they
should be limited to the provisions of the ASIO Act.
2.79 The practicalities and likely benefits were canvassed in evidence by Mr Gregory Melick, who told the Inquiry:
Most of your
relevant data and evidence for law enforcement purposes will come from computer
hard drives. Once you get that information, you then should be able to go to
the various Internet providers to get the preserved data to get your
evidentiary trail to lead you to the perpetrator ... To randomly try to pluck
something out of the ether and interpret it to see what is going on will be
almost impossible. You also have the other problems of encryption and
steganography.[36]
2.80 The proposed warrants were for telecommunications devices. However, as was pointed
out to the Committee, wireless technology, which is not covered by the
telecommunications legislation, is being used increasingly in communications.[37] In his submission Mr. Steve Orlowski
said:
... failure to develop secure
wireless products and applications could raise public concerns over wireless
security and slow the spread of this potentially valuable new technology.
Economic progress and the strengthening of cyber-security require addressing
these concerns.
2.81 Accordingly, any regulating of the Internet
environment must account for those who will use wireless technology as well as
telecommunications.[38]
2.82 The Committee notes that the need for continuous legislative review, in the light
of operational information, is fundamental to the detection and prosecution of
cybercrime.
Privacy
2.83 The Committee noted that there was some concern regarding privacy and the
collection of evidence. In their submission to the Inquiry, Electronic
Frontiers said:
We are concerned ... by the increasing prevalence of
legislative proposals and laws concerning the Internet that fail to contain an
appropriate balance between individuals'
privacy and the legitimate needs of law enforcement agencies.[39]
2.84 In
evidence to the hearing, the AHTCC indicated that it is aware of the need to
balance the right of individuals to privacy of communications and the right of
individuals to be protected against criminal activities.[40] A similar sentiment was expressed by
ASIC which has been involved with other agencies in advising the Internet
Industry Association on its proposals for a code of practice which seeks also
to address the privacy issue.[41]
2.85 The Committee noted that there is an overall tension between the preservation of
privacy and protection of children from unsuitable content and consumers
generally from unwanted emails and from malicious material such as viruses.
Technological development
2.86 It has become clear to the Committee that crime authorities must be able to keep pace
with the advance of technology. The latest (at the time of writing) 'g3
technology' which allows the mobile telephone to become a portable multi media
device will require a reconsideration of the differentiated approaches to the
regulation of single function devices.
2.87 The
Committee observed that organised crime is well able to fund its own
development in this area, for obvious reasons. Further, advances in
communications technology enhance the ability of criminal groups to organise
themselves at an international level.
2.88 Law enforcement will usually be in a reactive rather than an active position, but
the Committee considers that with the right strategic development, agencies
will be well placed to at least meet, if not anticipate the increasing
challenges of rapid technological development. There appears to be a
considerable amount of work being undertaken: there is legislation being
prepared by the Attorney General’s Department, numerous Committees and
interagency discussions, but the Committee considers that this activity needs a
well resourced co-ordinating body. The following chapters detail examples which
illustrate this more clearly.